Configuring the Cisco Virtual Security Gateway Port Profile on the Cisco Nexus 1000V Series Switch

This chapter describes the Cisco Virtual Security Gateway (VSG) for the Cisco Nexus 1000V Series switch licensing and configuration requirements on the Cisco Nexus 1000V Series switch and includes the following section:

For additional details about the Cisco Nexus 1000V Series switch port profiles, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.2(1)SV1(4) .

Configuring the Cisco VSG Port Profile on the Cisco Nexus 1000V Series Switch VSM for Protection from Service Loss

You can configure the vn-service parameter in the port profile on the Virtual Supervisor Module (VSM) for protection from service loss.

BEFORE YOU BEGIN

You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(1) and Cisco Virtual Network Management Center, Release 1.0.1 Installation Guide.

You must have the NEXUS_VSG_SERVICES_PKG license installed on the Cisco Nexus 1000V Series switch. Ensure that you have enough licenses to cover the number of ESX hosts (VEMs) you want to protect.

The data IP address and management IP addresses should be configured. To configure the data IP address, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(1) and Cisco Virtual Network Management Center, Release 1.0.1 Installation Guide .

You have completed creating the Cisco VSG port profiles for the service and HA interface.

You are logged in to the Cisco Nexus 1000V Series switch CLI in EXEC mode.

SUMMARY STEPS

1. configure

2. port-profile port-profile-name

3. switchport mode access

4. switchport access vlan vlan-id

5. no shutdown

6. vn-service ip-address ip-address vlan vlan-id mgmt-ip-address ip-address [fail {open | close}] [security- profile name ]

7. vmware port-group

8. state enabled

9. (Optional) copy running-config startup-config

10. exit

DETAILED STEPS

 

Command
Purpose

Step 1

configure

 

Example:

n1000v# configure

n1000v(config)#

Places you in global configuration mode.

Step 2

port-profile port-profile-name

 

Example:

n1000v(config-port-prof)# port-profile host-profile

n1000v(config-port-prof)#

Enters the port profile configuration mode for the named port profile. If the port profile does not exist, it is created using the following characteristics:

port-profile-name —The port profile name can be up to 80 alphanumeric characters and must be unique for each port profile on the Cisco VSG.

Step 3

switchport mode access

 

Example:

n1000v(config-port-prof)# switchport mode access

n1000v(config-port-prof)#

Designates that the new port profile is used as an access port.

Step 4

switchport access vlan vlan-id

 

Example:

n1000v(config-port-prof)# switchport access vlan 2000

n1000v(config-port-prof)#

Specifies the access VLAN for the new port profile.

vlan-id—The VLAN ID is a unique identifier from 0 through 4096.

Step 5

no shutdown

 

Example:

n1000v(config-port-prof)# no shutdown

n1000v(config-port-prof)#

Enables all ports in the new port profile.

Step 6

vn-service ip-address ip-address vlan vlan-id mgmt-ip-address ip-address [fail {open | close}] [ security-profile name ]

 

Example:

n1000v(config-port-prof)# vn-service ip 100.1.1.100 vlan 1000 mgmt-ip 10.10.10.11 profile vnsp-1

n1000v(config-port-prof)#

Configures the IP, VLAN, management IP, and profile for the Cisco VSG, and optionally allows a fail safe configuration.

Note If you do not pick a security profile name, the default name is assumed. The security profile name must match the security profile created on the Cisco VSG.

Note The IP address must match the data interface (data0) IP address on the Cisco VSG.

Note The management IP address must match the management IP address that you entered when installing or configuring your Cisco VSG settings.

Step 7

vmware port-group

 

Example:

n1000v(config-port-prof)# vmware port-group

n1000v(config-port-prof)#

Designates the port profile as a VMware port group.

Step 8

state enabled

 

Example:

n1000v(config-port-prof)# state enabled

n1000v(config-port-prof)#

Sets the port profile state to enabled.

Step 9

copy running-config startup-config

 

Example:

n1000v(config-port-prof)# copy running-config startup-config

n1000v(config-port-prof)#

(Optional) Saves configuration changes.

Step 10

exit

 

Example:

n1000v(config-port-prof)# exit

n1000v(config)#

Exits the configuration mode.

Verifying the Cisco VSG Configuration

To display information related to a Cisco VSG, perform one of the following tasks on the Cisco Nexus 1000V Series switch CLI:

 

Command
Purpose

show license usage

 

Example:

vsg# show license usage

Displays a table with the Cisco VSG license usage information for the Cisco Nexus 1000V Series switch.

show license usage NEXUS_VSG_SERVICES_PKG

 

Example:

vsg# show license usage NEXUS_VSG_SERVICES_PKG

Displays the usage information for the license package NEXUS_VSG_SERVICES_PKG.

show vsnstate {statistics | brief | {detail [{{vlan vlan-num [ip ip-addr]} | module module-num}]}}

 

Example:

vsg# show vsnstate statistics detail vlan 1

Displays configuration information, MAC address, state of associated Cisco VSG and Virtual Ethernet Module (VEM), Veths to which Cisco VSGs are bound, and Virtual Service Node (VSN) statistics for all VEM modules associated with Cisco VSGs.

For detailed information about the fields in the output from these commands, see the Cisco Nexus 1000V Command Reference, Release 4.2(1)SV1(4) .

Where to Go Next

After you have completed configuring the Cisco VSG port profile on the Cisco Nexus 1000V Series switch for protection, you may proceed to assign port profiles to your VMs for Cisco VSG firewall protection on the vCenter.