Installing the Cisco Virtual Security Gateway on a Cisco Nexus 1010 Virtual Services Appliance
This chapter describes how to install the Cisco Virtual Security Gateway (VSG) on a Cisco Nexus 1010 Virtual Services Appliance.
This chapter includes the following sections:
•Information About Installing the Cisco VSG on the Cisco N1010
•Prerequisites
•Guidelines and Limitations
•Installing a Cisco VSG on a Cisco Nexus 1010
Information About Installing the Cisco VSG on the Cisco N1010
The Cisco VSG software is provided along with the other virtual service blade (VSB) software in the Cisco Nexus 1010 bootflash: repository directory. As shown in Figure 6-1, the Cisco Nexus 1010 has up to six virtual service blades (VSBs) on which you can choose to place a Cisco VSG, VSM, or Network Analysis Module (NAM).
Figure 6-1 Cisco Nexus 1010 Architecture Showing Virtual Service Blades Usage
Prerequisites
Installing the Cisco VSG on a Cisco Nexus 1010 has the following prerequisites:
•You must first install the Cisco Nexus 1010 Virtual Services Appliance and connect it to the network. For procedures on installing the hardware, see the Cisco Nexus 1010 Virtual Services Appliance Hardware Installation Guide.
•After you install the hardware appliance and connect it to the network, you can configure the Cisco Nexus 1010 management software, migrate existing VSMs residing on a VM to the Cisco Nexus 1010 as virtual service blades (VSBs), and create and configure new VSBs that may host the Cisco VSG. For procedures on configuring the software, see the Cisco Nexus 1010 Software Configuration Guide, Release 4.2(1)SP1(3).
Guidelines and Limitations
Installing the Cisco VSG on a Cisco Nexus 1010 as a virtual service blade (VSB) has the following guidelines and limitations:
•The Cisco Nexus 1010 appliance and its hosted Cisco VSG VSBs must share the same management VLAN.
•Unlike the data and high availability (HA) VLANs that are set when a Cisco VSG VSB is created, a Cisco VSG VSB inherits its management VLAN from the Cisco Nexus 1010.
Caution
Do not change the management VLAN on a VSB. Because the management VLAN is inherited from the Cisco Nexus 1010, any changes to the management VLAN are applied to both the Cisco Nexus 1010 and all of its hosted VSBs.
Installing a Cisco VSG on a Cisco Nexus 1010
You can install the Cisco VSG on a Cisco Nexus 1010 as a virtual service blade (VSB).
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You know the name of the Cisco VSG VSB that you want to create.
•Depending on whether you are using a new ISO file from the bootflash repository folder or an ISO file from an existing VSB, do one of the following:
–If you are using a new ISO file in the bootflash repository, you know the filename.
Cisco VSG: nexus-1000v.VSG1.2.iso
–If you are using an ISO file from an existing VSB, you must know the name of the VSB type. This procedure includes information about identifying this name.
•You know the following properties for the Cisco VSG VSB:
–HA ID
–Management IP address
–Management subnet mask length
–Default gateway IPV4 address
–Cisco VSG name
–Administrator password
–Data and HA VLAN IDs
•This procedure shows you how to identify and assign data and HA VLANs for the Cisco VSG VSB. Do not assign a management VLAN because the management VLAN is inherited from the Cisco Nexus 1010.
SUMMARY STEPS
1. configure
2. virtual-service-blade name
3. (Optional) show virtual-service-blade-type summary
4. virtual-service-blade-type [name name | new iso file name]
5. (Optional) description description
6. (Optional) show virtual-service-blade name name
7. interface name vlan vlanid
8. Repeat Step 7 to apply additional interfaces.
9. enable [primary | secondary]
10. (Optional) show virtual-service-blade name name
11. copy running-config startup-config
DETAILED STEPS
Step 1
configure
Example:
N1010# configure
N1010(config)#
Places you in the global configuration mode.
Step 2
virtual-service-blade name
Example:
N1010(config)# virtual-service-blade vsg-1
N1010(config-vsb-config)#
Creates the named VSB and places you into configuration mode for that service. The name can be an alphanumeric string of up to 80 characters.
Step 3
show virtual-service-blade-type summary
Example:
N1010(config-vsb-config)# show virtual-service-blade-type summary
-------------------------------------------------------------------------------
Virtual-Service-Blade-Type Virtual-Service-Blade
-------------------------------------------------------------------------------
switch(config-vsb-config)#
(Optional) Displays a summary of all VSB configurations by type name, such as Cisco VSG, VSM, or NAM. You use this type name (in this case, the name for the Cisco VSG) in the next step.
Step 4
virtual-service-blade-type [name name | new iso file name]
Example:
N1010(config-vsb-config)# virtual-service-blade-type new nexus-1000v.VSG1.2.iso
N1010(config-vsb-config)#
Example:
N1010(config-vsb-config)# virtual-service-blade-type name VSG-1
N1010(config-vsb-config)#
Specifies the type and name of the software image file to add to this Cisco VSG VSB.
•Use the new keyword to specify the name of the new Cisco VSG ISO software image file in the bootflash repository folder.
•Use the name keyword to specify the name of the existing Cisco VSG VSB type. Enter the name of an existing type found in the command output.
Step 5
description description
Example:
N1010(config-vsb-config)# description vsg-1 for Tenant1
N1010(config-vsb-config)#
(Optional) Adds a description to the Cisco VSG VSB. The description is an alphanumeric string of up to 80 characters.
Step 6
show virtual-service-blade name name
Example:
N1010(config-vsb-config)# show virtual-service-blade name vsg-1
virtual-service-blade vsm2
Description:
Slot id: 2
Host Name:
Management IP:
VSB Type Name : VSG-1.0
Interface: ha vlan: 0
Interface: management vlan: 231
Interface: data vlan: 0
Interface: internal vlan: NA
Ramsize: 2048
Disksize: 3
Heartbeat: 0
HA Admin role: Primary
HA Oper role: NONE
Status: VSB NOT PRESENT
Location: PRIMARY
SW version:
HA Admin role: Secondary
HA Oper role: NONE
Status: VSB NOT PRESENT
Location: SECONDARY
SW version:
VSB Info:
switch(config-vsb-config)#
Displays the Cisco VSG VSB that you have just created including the interface names that you configure in the next step.
Step 7
interface name vlan vlanid
Example:
N1010(config-vsb-config)# interface data vlan 1044
N1010(config-vsb-config)#
Example:
N1010(config-vsb-config)# interface ha vlan 1045
N1010(config-vsb-config)#
Applies the interface and VLAN ID to this Cisco VSG. Use the interface names from command output.
Note
If you try to apply an interface that is not present, the following error is displayed:
ERROR: Interface name not found in the associated virtual-service-blade type.
Caution
Do not assign a management VLAN. Unlike data and HA VLANs, the management VLAN is inherited from the Cisco Nexus 1010.
Caution
To prevent loss of connectivity, you must configure the same data and HA VLANs on the hosted Cisco VSGs.
Step 8
Repeat Step 7 to apply additional interfaces.
Step 9
enable [primary | secondary]
Example:
N1010(config-vsb-config)# enable
Enter domain id[1-4095]: 1054
Enter Management IP address: 10.78.108.40
Enter Management subnet mask length 28
IPv4 address of the default gateway: 10.78.108.117
Enter Switchname: VSG-1
Enter the password for 'admin': Hello_123
N1010(config-vsb-config)#
Initiates the configuration of the VSB and then enables it. If you enter the enable command without the optional primary or secondary keywords, it enables both. If you are deploying a redundant pair, you don't need to specify primary or secondary. If you are enabling a nonredundant VSB, you can specify its HA role as follows:
•Use the primary keyword to designate the VSB in a primary role.
•Use the secondary keyword to designate the VSB in a secondary role.
The Cisco Nexus 1010 prompts you for the following:
•HA ID
•Management IP address
•Management subnet mask length
•Default gateway IPV4 address
•Cisco VSG name
•Administrator password
Step 10
show virtual-service-blade name name
Example:
N1010(config-vsb-config)# show virtual-service-blade name vsg-1
virtual-service-blade vsg-1
Description:
Slot id: 1
SW version: 4.0(4)SV1(3)
Host Name: vsg-1
Management IP: 10.78.108.40
VSB Type Name : VSG-1.1
Interface: ha vlan: 1044
Interface: management vlan: 1032
Interface: data vlan: 1045
Interface: internal vlan: NA
Ramsize: 2048
Disksize: 3
Heartbeat: 1156
HA Admin role: Primary
HA Oper role: STANDBY
Status: VB POWERED ON
Location: PRIMARY
HA Admin role: Secondary
HA Oper role: ACTIVE
Status: VB POWERED ON
Location: SECONDARY
VB Info:
Domain ID : 1054
switch(config-vsb-config)#
(Optional) Displays the new VSB for verification. While the Nexus 1010 management software is configuring the Cisco VSG, the output for this command progresses from in progress to powered on.
Step 11
copy running-config startup-config
Example:
N1010(config-vsb-config)# copy running-config startup-config
Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
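The checks made by eye in Steps 6 and 10 can be scripted. The following Python function is an added example, not part of the Cisco guide: it reads show virtual-service-blade name output and reports unassigned data or HA VLANs, a management VLAN that differs from the appliance's, and any node that is not powered on. The sample text is abridged from the Step 6 and Step 10 output in this chapter; treating VLAN 0 as unassigned and the appliance_mgmt_vlan parameter (supplied by the operator) are assumptions.

```python
import re

# Abridged from the Step 6 output in this chapter (before Step 7 is run).
# One field per line; the exact layout on a real device is an assumption.
BEFORE = """\
virtual-service-blade vsm2
Interface: ha vlan: 0
Interface: management vlan: 231
Interface: data vlan: 0
Status: VSB NOT PRESENT
Location: PRIMARY
Status: VSB NOT PRESENT
Location: SECONDARY
"""
# Abridged from the Step 10 output in this chapter (after enable).
AFTER = """\
virtual-service-blade vsg-1
Interface: ha vlan: 1044
Interface: management vlan: 1032
Interface: data vlan: 1045
Status: VB POWERED ON
Location: PRIMARY
Status: VB POWERED ON
Location: SECONDARY
"""

def check_vsb(output, appliance_mgmt_vlan):
    """Return a list of findings for one 'show virtual-service-blade name' dump."""
    vlans = {m[1]: m[2] for m in
             re.finditer(r"Interface:\s+(\S+)\s+vlan:\s+(\S+)", output)}
    findings = []
    # Assumption: a VLAN ID of 0 means Step 7 has not been run for that interface.
    for intf in ("data", "ha"):
        if vlans.get(intf, "0") == "0":
            findings.append(f"{intf} VLAN not assigned")
    # The VSB inherits its management VLAN from the Cisco Nexus 1010.
    if vlans.get("management") != str(appliance_mgmt_vlan):
        findings.append("management VLAN differs from appliance")
    # Each node prints a Status line followed by its Location line.
    statuses = re.findall(r"Status:\s+(.+)", output)
    locations = re.findall(r"Location:\s+(\S+)", output)
    for loc, status in zip(locations, statuses):
        if not status.strip().endswith("POWERED ON"):
            findings.append(f"{loc}: {status.strip()}")
    return findings
```

An empty list means the VSB passed every check; each string in a non-empty list names one item to correct before saving the configuration in Step 11.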
EXAMPLES
This example shows how to display the contents of the bootflash: repository directory:
N1010# dir bootflash:repository
159250432 May 11 06:35:04 2011 nam-app-x86_64.4-2-1n.iso
183412736 May 10 23:03:23 2011 nam-app-x86_64.5-1-1.iso
255090688 May 03 17:45:25 2011 nexus-1010.4.2.1.SP1.2.15.iso
109043712 May 12 21:51:15 2011 nexus-1000v.VSG1.2.iso
Usage for bootflash://sup-local
This example shows how to configure a Nexus 1010 appliance VSB as a Cisco VSG:
Enter configuration commands, one per line. End with CNTL/Z.
N1010(config)# virtual-service-blade vsg1
N1010(config-vsb-config)# virtual-service-blade-type new nexus-1000v.VSG1.2.iso
N1010(config-vsb-config)# interface data vlan 72
N1010(config-vsb-config)# interface ha vlan 72
N1010(config-vsb-config)# enable
Enter vsb image: [nexus-1000v.VSG1.2.iso]
Enter HA id[1-4095]: 1233
Management IP version [V4/V6]: [V4]
Enter Management IP address: 10.193.73.42
Enter Management subnet mask: 255.255.248.0
IPv4 address of the default gateway: 10.193.72.1
Enter the password for 'admin': Hello_123
N1010(config-vsb-config)#
N1010(config-vsb-config)# end
This example shows how to display a virtual service blade summary on the Cisco Nexus 1010:
N1010# show virtual-service-blade summary
-------------------------------------------------------------------------------
Name     Role        State                     Nexus1010-Module
-------------------------------------------------------------------------------
vsg-1    PRIMARY     VSB POWERED ON            Nexus1010-PRIMARY
vsg-1    SECONDARY   VSB POWERED OFF           Nexus1010-SECONDARY
vsg9     PRIMARY     VSB NOT PRESENT           Nexus1010-PRIMARY
vsg9     SECONDARY   VSB DEPLOY IN PROGRESS    Nexus1010-SECONDARY
nam_1    PRIMARY     VSB POWERED OFF           Nexus1010-PRIMARY
nam_1    SECONDARY   VSB NOT PRESENT           Nexus1010-SECONDARY
vsgc1    PRIMARY     VSB POWERED ON            Nexus1010-PRIMARY
vsgc1    SECONDARY   VSB POWERED ON            Nexus1010-SECONDARY
nam_2    PRIMARY     VSB POWERED OFF           Nexus1010-PRIMARY
nam_2    SECONDARY   VSB NOT PRESENT           Nexus1010-SECONDARY