Overview
Cisco Virtual Network Management Center (VNMC) is a virtual appliance, based on Red Hat Enterprise Linux, that provides centralized device and security policy management of Cisco virtual services. Designed for multi-tenant operation, VNMC provides seamless, scalable, and automation-centric management for virtualized data center and cloud environments. With both a built-in GUI and an XML API, VNMC enables centralized management of Cisco virtual services by an administrator or programmatically.
VNMC is built on an information model-driven architecture in which each managed device is represented by its subcomponents (or objects), which are parametrically defined. This model-centric approach enables VNMC to provide a secure, multi-tenant virtualized infrastructure with Cisco Adaptive Security Appliance 1000V (ASA 1000V) and Cisco Virtual Security Gateway (VSG) virtual services.
The following table describes the primary features of VNMC.

Table 1 VNMC 2.0 Features

Feature | Description
--- | ---
Multiple-Device Management | All ASA 1000Vs and VSGs are centrally managed, thereby simplifying provisioning and troubleshooting in a scaled-out data center. By using device profiles with their specified device configuration policies, you can deploy consistent policies to one or more profile-managed resources.
Security Profiles | Security profiles enable you to represent a security policy configuration in a profile that simplifies provisioning, reduces administrative errors during security policy changes, reduces audit complexities, and enables a highly scaled-out data center environment.
Stateless Device Provisioning | The management agents in VSG and ASA 1000V are stateless, receiving information from VNMC and thereby enhancing scalability.
Security Policy Management | Security policies are authored, edited, and provisioned for all VSGs and ASA 1000Vs in a data center, which simplifies the operation and management of security policies and ensures that the required security is accurately represented in the associated security policies.
Context-Aware Security Policies | VNMC interacts with VMware vCenter to create virtual machine (VM) contexts that enable you to institute highly specific policy controls across the entire virtual infrastructure.
Dynamic Security Policy and Zone Provisioning | VNMC interacts with the Cisco Nexus 1000V Virtual Supervisor Module (VSM) to bind the security profile with the corresponding Cisco Nexus 1000V Series switch port profile. When VMs are dynamically instantiated and applied to appropriate port profiles, their association to trust zones is also established.
Multi-Tenant Management | VNMC can manage compute and edge firewall security policies in a dense multi-tenant environment, so that you can rapidly add or delete tenants and update tenant-specific configurations and security policies. This feature significantly reduces administrative errors, ensures segregation of duties within the administrative team, and simplifies audit procedures.
Role-Based Access Control | Role-Based Access Control (RBAC) simplifies operational tasks across different types of administrators, while allowing subject-matter experts to continue with their normal procedures. This support reduces administrative errors, enables detailed control of user privileges, and simplifies auditing requirements.
XML-Based API | The VNMC XML application programming interface (API) allows external system management and orchestration tools to programmatically provision VSGs and ASA 1000Vs, and provides transparent and scalable operation management.
The following figure illustrates how VNMC relates to other components in a multi-tenant environment, including virtual machines, virtual services, and user and programmatic interfaces.
Figure 1. VNMC in a Multi-Tenant Environment
VNMC provides centralized device and policy management of VSGs and ASA 1000Vs in multi-tenant virtual data centers and private or public clouds.
VNMC uses security profiles for template-based configuration of security policies. A security profile is a collection of security policies that can be predefined and applied on an on-demand basis at the time of VM instantiation. This profile-based approach significantly simplifies authoring, deployment, and management of security policies in a dense multi-tenant environment while enhancing deployment agility and scaling. Security profiles also help reduce administrative errors and simplify audits.
The VNMC XML API facilitates coordination with third-party provisioning tools for programmatic provisioning and management of VSGs and ASA 1000Vs.
By providing visual and programmatic controls, VNMC enables the security operations team to author and manage security policies for the virtualized infrastructure, and enhances collaboration with server and network operations teams. This administration model helps ensure the administrative segregation of duties to minimize administrative errors and to simplify regulatory compliance and auditing. For example, by using VNMC with the Cisco Nexus 1000V series VSM in your environment, your staff could align operations and responsibilities as follows:
- Security administrators—Author and manage security profiles, and manage VSG and ASA 1000V instances.
- Network administrators—Author and manage port profiles and manage Cisco Nexus 1000V Series switches. Port profiles with referenced security profiles are available in VMware vCenter through the Nexus 1000V VSM's programmatic interface with VMware vCenter.
- Server administrators—Select the appropriate port profile in VMware vCenter when instantiating a virtual machine.
VNMC implements an information model-driven architecture in which each managed device, such as an ASA 1000V or VSG, is represented by the object-information model of the device. Specifically, this model-driven architecture helps enable the use of:
- Stateless managed devices—Security policies and object configurations are abstracted into a centralized repository.
- Dynamic device allocation—A centralized resource management function manages pools of devices that are commissioned and a pool of devices that are available for commissioning. This approach simplifies large-scale deployments because managed devices can be preinstantiated and then configured on demand. In addition, devices can be allocated and deallocated dynamically across commissioned and noncommissioned pools.
- Scalable management—A distributed management-plane function is implemented by using an embedded management agent on each managed device, thereby enabling greater scalability.