Information About Installing the Cisco PNSC and the Cisco VSG
You must install the Cisco Prime Network Services Controller (Cisco PNSC) and the Cisco Virtual Security Gateway (Cisco VSG) in a particular sequence on the Cisco Nexus 1000VE switch in order to have a functioning virtual system. For the critical sequence information that you need for a successful installation on the Cisco Nexus 1000VE switch, see Chapter 2, Installing the Cisco VSG and the Cisco PNSC Quick Start. .
Information About Cisco VSG
The Cisco VSG is a virtual firewall appliance that provides trusted access to virtual data center with dynamic policy-driven operation, mobility-transparent enforcement, and scale-out deployment for dense multitenancy. By associating one or more virtual machines (VMs) into distinct trust zones, the Cisco VSG ensures that access to trust zones is controlled and monitored through established security policies. The following figure shows the trusted zone-based access control that is used in per-tenant enforcement with the Cisco VSG.
Cisco PNSC and Cisco VSG Architecture
The Cisco VSG operates with the Cisco Nexus 1000VE Series switch in the VMware vSphere Hypervisor and the Cisco VSG leverages the virtual network service data path (Cisco vPath). Cisco vPath steers traffic, whether external-to-VM or VM-to-VM, to the Cisco VSG of a tenant. Initial packet processing occurs in the Cisco VSG for policy evaluation and enforcement. After the policy decision is made, the Cisco VSG offloads policy enforcement of the remaining packets to vPath.
Cisco vPath supports the following features:
Tenant-aware flow classification and subsequent redirection to a designated Cisco VSG tenant
Per-tenant policy enforcement of flows offloaded by the Cisco VSG to Cisco vPath
The Cisco VSG and the VSE provide the following benefits:
Each Cisco VSG can provide protection across multiple physical servers, which eliminates the need for you to deploy a virtual appliance per physical server.
By offloading the fast-path to one or more vPath Virtual Service Engine(VSEs), the Cisco VSG enhances security performance through distributed vPath-based enforcement.
You can use the Cisco VSG without creating multiple switches or temporarily migrating VMs to different switches or servers. Zone scaling, which is based on security profiles, simplifies physical server upgrades without compromising security or incurring application outages.
For each tenant, you can deploy the Cisco VSG in an active-standby mode to ensure that Cisco vPath redirects packets to the standby Cisco VSG when the primary Cisco VSG is unavailable.
You can place the Cisco VSG on a dedicated server so that you can allocate the maximum compute capacity to application workloads. This feature enables capacity planning to occur independently and allows for operational segregation across security, network, and server groups.
Trusted Multitenant Access
You can transparently insert a Cisco VSG into the VMware vSphere environment where the Cisco Nexus 1000VE is deployed. One or more instances of the Cisco VSG is deployed on a per-tenant basis, which allows a highly scale-out deployment across many tenants. Tenants are isolated from each other, so no traffic can cross tenant boundaries. You can deploy a Cisco VSG at the tenant level, at the virtual data center (vDC) level, or at the vApp level.
As you instantiate VMs for a given tenant, their association to security profiles (or zone membership) occurs immediately through binding with the Cisco Nexus 1000VE protected port profile. Each VM is placed upon instantiation into a logical trust zone. Security profiles contain context-aware rule sets that specify access policies for traffic that enters and exits each zone. In addition to VM and network contexts, security administrators can also leverage custom attributes that define zones directly through security profiles. You can apply controls to zone-to-zone traffic and to external-to-zone (and zone-to-external) traffic. Zone-based enforcement occurs within a VLAN because a VLAN often identifies a tenant boundary. The Cisco VSG evaluates access control rules and then offloads enforcement to the Cisco Nexus 1000VE VSE vPath module. Upon enforcement, the Cisco Nexus 1000VE can permit or deny access and can generate optional access logs. The Cisco VSG also provides policy-based traffic monitoring capability with access logs.
Dynamic Virtualization-Aware Operation
A virtualization environment is dynamic, where frequent additions, deletions, and changes occur across tenants and across VMs. Live migration of VMs can occur due to manual or programmatic VMotion events. The following figure shows how the structured environment can change over time due to dynamic VMs.
The Cisco VSG operating with the Cisco Nexus 1000VE (and vPath) supports a dynamic VM environment. When you create a tenant with the Cisco VSG (standalone or active-standby pair) on the Cisco PNSC, associated security profiles are defined that include trust zone definitions and access control rules. Each security profile is bound to a Cisco Nexus 1000VE port profile (authored on the Cisco Nexus 1000VE Virtual Supervisor Module (VSM) and published to the VMware vCenter.
When a new VM is instantiated, the server administrator assigns appropriate port profiles to the virtual Ethernet port of the VM. Because the port profile uniquely refers to a security profile and VM zone membership, the Cisco VSG immediately applies the security controls. You can repurpose a VM by assigning it to a different port profile or security profile.
As VMotion events are triggered, VMs move across physical servers. Because the Cisco Nexus 1000VE ensures that port profile policies follow the VMs, associated security profiles also follow these moving VMs, and security enforcement and monitoring remain transparent to VMotion events.
Setting Up the Cisco VSG and VLAN
You can set up a Cisco VSG in an overlay fashion so that VMs can reach a Cisco VSG irrespective of its location. The vPath component in the Cisco Nexus 1000VE VSE intercepts the packets from the VM and sends them to the Cisco VSG for further processing.
In the following figure, the Cisco VSG connects to three different VLANs (service VLAN, management VLAN, and HA VLAN). A Cisco VSG is configured with three vNICS—data vNIC (1), management vNIC (2), and HA vNIC (3)—with each of the vNICs connected to one of the VLANs through a port profile.
The VLAN functions are as follows:
The service VLAN provides communications between the Cisco Nexus 1000VE VSE and Cisco VSG. All the Cisco VSG data interfaces are part of the service VLAN and the VSE uses this VLAN for its interaction with Cisco VSG.
The management VLAN connects the management platforms such as the VMware vCenter, the Cisco PNSC, the Cisco Nexus 1000VE VSM, and the managed Cisco VSGs. The Cisco VSG management vNIC is part of the management VLAN.
The HA VLAN provides the heartbeat mechanism and identifies the active and standby relationship between the Cisco VSGs. The Cisco VSG vNICs are part of the HA VLAN.
You can allocate one or more VM data VLANs for VM-to-VM communications. In a typical multitenant environment, the management VLAN is shared among all the tenants and the service VLAN, HA VLAN, and the VM data. VLANs are allocated on a per-tenant basis. However, when VLAN resources become scarce, you might decide to use a single VLAN for service and HA functions.