This chapter contains the following sections:
This section describes how to install and complete the basic configuration of the Cisco VSG for Cisco Nexus 1000v Series switch software.
The Cisco VSG has the following requirements:
The following table lists the terminology used in the Cisco VSG implementation.
Term | Description |
---|---|
Logical Switch | Logical switch that spans one or more servers. It is controlled by one VSM instance. |
NIC | Network interface card. |
Server hosting SCVMM | Service that acts as a central administrator for Microsoft Hyper-V hosts that are connected on a network. The server directs actions on the VMs and the VM hosts. |
Virtual Ethernet Module (VEM) | Part of the Cisco Nexus 1000V Series switch that switches data traffic. It runs on a Microsoft Hyper-V host. Up to 64 VEMs are controlled by one VSM. All the VEMs that form a switch domain should be in the same virtual data center as defined by the Hyper-V Server. |
Virtual Machine (VM) | Virtualized x86 PC environment in which a guest operating system and associated application software can run. Multiple VMs can operate on the same host system concurrently. |
vPath | Component in the Cisco Nexus 1000V Series switch with a VEM that directs the appropriate traffic to the Cisco VSG for policy evaluation. It also acts as a fast path and can short-circuit part of the traffic without sending it to the Cisco VSG. |
Virtual Security Gateway (VSG) | Cisco software that secures virtual networks and provides firewall functions in virtual environments using the Cisco Nexus 1000V Series switch by providing network segmentation. |
Virtual Supervisor Module (VSM) | Control software for the Cisco Nexus 1000V Series distributed virtual device that runs on a virtual machine (VM) and is based on Cisco NX-OS. |
SCVMM | System Center Virtual Machine Manager. Connects remotely to the Hyper-V server. It is the primary interface for creating, managing, and monitoring VMs, their resources, and their hosts. It also provides console access to VMs. |
The following components must be installed and configured:
Details about configuring VLANs and port profiles on the Cisco Nexus 1000V Series switch are available in the Cisco Nexus 1000V Series switch documentation.
You can obtain the Cisco VSG software files at this URL:
http://www.cisco.com/en/US/products/ps11208/index.html

You can install the Cisco VSG software on a VM by using an ISO image file from the CD.
Make sure that you know the following:
This section describes how to configure the initial settings on the Cisco VSG and configure a standby Cisco VSG with its initial settings. To configure a standby Cisco VSG, see the "Configuring Initial Settings on a Secondary Cisco VSG" section.
You can connect to a VSG VM console through the SCVMM user interface by right-clicking a VM instance and connecting to it.
Once the Cisco VNMC is installed, you must register the VSG with the Cisco VNMC.
Note | Cisco VSG is supported as VSB on Nexus Cloud Services platform only. |
Make sure that you know the following:
Note | The string vsghv-pa must appear in the image name as highlighted. |
Note | If you upgrade your VSG, you must also copy the latest Cisco VSG policy agent image. This image is available in the Cisco VNMC image bundle to boot from a flash drive and to complete registration with the Cisco VNMC. |
Note | The VSG clock should be synchronized with the VNMC clock. |
Step 1 | On the VSG, enter the following commands: |

```
vsg# configure terminal
vsg(config)# vnm-policy-agent
vsg(config-vnm-policy-agent)# registration-ip 10.193.75.95
vsg(config-vnm-policy-agent)# shared-secret Example_Secret123
vsg(config-vnm-policy-agent)# policy-agent-image vsghv-pa.2.1.1a.bin
vsg(config-vnm-policy-agent)# exit
vsg(config)# copy running-config startup-config
vsg(config)# exit
```

Step 2 | Check the status of the VNM policy agent configuration to verify that you have installed the Cisco VNMC correctly and that it is reachable by entering the show vnm-pa status command. This example shows that the Cisco VNMC is reachable and the installation is correct: |

```
vsg# show vnm-pa status
VNM Policy-Agent status is - Installed Successfully. Version 2.1(1a)-vsg
vsg#
```

The VSG is now registered with the Cisco VNMC.
This example shows that the Cisco VNMC is unreachable or an incorrect IP is configured:

```
vsg# show vnm-pa status
VNM Policy-Agent status is - Installation Failure
VNMC not reachable.
vsg#
```

This example shows that the VNM policy-agent is not configured or installed:

```
vsg# show vnm-pa status
VNM Policy-Agent status is - Not Installed
```
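A check for the registration steps above, as an added example that is not part of the Cisco documentation: it classifies captured `show vnm-pa status` output into the three states shown and audits a captured `vnm-policy-agent` stanza for the required lines. The function names are hypothetical, the sample captures are constructed from the examples on this page, and treating `registration-ip` as a literal IP address is an assumption.

```python
import ipaddress
import re

STATES = ("Installed Successfully", "Installation Failure", "Not Installed")
REQUIRED = ("registration-ip", "shared-secret", "policy-agent-image")

def parse_vnm_pa_status(output):
    """Classify captured 'show vnm-pa status' output (hypothetical helper)."""
    # Drop the echoed command and bare prompt lines such as 'vsg#'.
    lines = [line.strip() for line in output.splitlines()]
    text = " ".join(l for l in lines if l and not re.match(r"\S+#", l))
    m = re.search(r"status is - (%s)\.?\s*(.*)" % "|".join(STATES), text)
    if not m:
        return {"registered": False, "state": "unknown", "version": None, "detail": text}
    state, rest = m.group(1), m.group(2).strip()
    ver = re.match(r"Version (\S+)", rest)
    return {"registered": state == STATES[0], "state": state,
            "version": ver.group(1) if ver else None,
            "detail": "" if ver else rest}

def audit_policy_agent_config(config):
    """Return findings for a vnm-policy-agent stanza; never echoes the secret."""
    # Accept lines with or without a leading CLI prompt.
    pattern = r"^\s*(?:\S+#\s+)?(%s)\s+(\S+)" % "|".join(REQUIRED)
    fields = dict(re.findall(pattern, config, re.M))
    findings = ["missing " + key for key in REQUIRED if key not in fields]
    if "registration-ip" in fields:
        try:  # assumption: the value must be a literal IP address
            ipaddress.ip_address(fields["registration-ip"])
        except ValueError:
            findings.append("registration-ip is not a valid IP address")
    image = fields.get("policy-agent-image")
    if image is not None and "vsghv-pa" not in image:
        findings.append("policy-agent-image name does not contain 'vsghv-pa'")
    return findings

# Constructed sample input, modeled on the session and outputs shown on this page.
SAMPLE_CONFIG = """\
vsg(config)# vnm-policy-agent
vsg(config-vnm-policy-agent)# registration-ip 10.193.75.95
vsg(config-vnm-policy-agent)# shared-secret Example_Secret123
vsg(config-vnm-policy-agent)# policy-agent-image vsghv-pa.2.1.1a.bin
"""
SAMPLE_FAILURE = ("vsg# show vnm-pa status\n"
                  "VNM Policy-Agent status is - Installation Failure\n"
                  "VNMC not reachable.\nvsg#")

if __name__ == "__main__":
    print(audit_policy_agent_config(SAMPLE_CONFIG))
    print(parse_vnm_pa_status(SAMPLE_FAILURE))
```
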
To configure a standby Cisco VSG, log in to the Cisco VSG that you have identified as secondary and use the following procedure to configure its initial settings.
Step 1 | Navigate to the Console tab in the VM. Cisco Nexus 1000V Series switch opens the Console window and boots the Cisco VSG software. |
Step 2 | At the Enter the password for "admin" prompt, enter the password for the admin account and press Enter. |
Step 3 | At the prompt, confirm the admin password and press Enter. |
Step 4 | At the Enter HA role[standalone/primary/secondary] prompt, enter the secondary HA role and press Enter. |
Step 5 | At the Enter the ha id(1-1024) prompt, enter 25 for the HA pair id and press Enter. |
Step 6 | At the VSG login prompt, enter the name of the admin account you want to use and press Enter. The default account name is admin. |
Step 7 | At the Password prompt, enter the password for the admin account and press Enter. You are now at the Cisco VSG node. |
To display the Cisco VSG configuration, perform one of the following tasks:

Command | Purpose |
---|---|
show interface brief | Displays brief status and interface information. |
This example shows how to verify the Cisco VSG configurations:
```
vsg# show interface brief

--------------------------------------------------------------------------------
Port     VRF          Status IP Address                     Speed    MTU
--------------------------------------------------------------------------------
mgmt0    --           up     10.193.77.217                  1000     1500
```
After installing and completing the initial configuration of the Cisco VSG, you can configure firewall policies on the Cisco VSG through the Cisco VNMC.