Installing the Cisco Prime NSC and Cisco VSG: Quick Start

Information About Installing Cisco Prime NSC and Cisco VSG

This chapter describes how to install and set up a basic working configuration of Cisco Prime Network Services Controller (Cisco Prime NSC) and Cisco Virtual Security Gateway (Cisco VSG). The example in this chapter uses the ISO files of the software for installation. The steps assume that the Cisco Nexus 1000V Series switch is operational and that the endpoint VMs are already installed.

Cisco VSG and Cisco Prime NSC Installation Planning Checklists

Planning the arrangement and architecture of your network and equipment is essential for successful operation of Cisco Prime NSC and Cisco VSG.

Basic Hardware and Software Requirements

The following table lists the basic hardware and software requirements for Cisco VSG and Cisco Prime NSC installation.

Requirement Description

Virtual CPUs

  • Cisco VSG: 1 (1.5 GHz)
  • Cisco Prime NSC: 4 (1.8 GHz each)

Memory

  • Cisco VSG: 2 GB RAM
  • Cisco Prime NSC: 4 GB RAM

Disk Space

Cisco VSG: 3 GB

Cisco Prime NSC: Without InterCloud functionality, 40 GB on shared NFS or SAN, and configured on two disks as follows:

  • Disk 1: 20 GB
  • Disk 2: 20 GB

Processor

x86 Intel or AMD server with a 64-bit processor.

Network Interfaces

  • Cisco VSG: 3
  • Cisco Prime NSC: 1

Microsoft SCVMM

SCVMM 2012 SP1 or SCVMM 2012 R2

Browser

Any of the following browsers:

  • Internet Explorer 9.0 or higher
  • Mozilla Firefox 23.0 or higher
  • Google Chrome 29.0 or higher
Note

If you are running Firefox or IE and do not have Flash, or you have a version of Flash that is older than 11.2, a message is displayed asking you to install Flash and providing a link to the Adobe website.

Note

Before using Google Chrome with Cisco Prime NSC, you must disable the Adobe Flash Players that are installed by default with Chrome. For more information, see Configuring Chrome for Use with Cisco Prime NSC.

Ports

Access to the Cisco Prime NSC application using a web browser and the following ports (if the deployment uses a firewall, make sure to permit the following ports):

  • 443 (HTTPS)
  • 80 (HTTP/TCP)
  • 843 (Adobe Flash)

Flash Player

Adobe Flash Player plugin 11.2 or higher


Note

The Cisco VSG software is available for download at http://www.cisco.com/en/US/products/ps13095/index.html, and the Cisco Prime NSC software is available for download at http://www.cisco.com/en/US/products/ps13213/index.html.


License Requirements

The Cisco VSG license is integrated with the Nexus1000V Multi-Hypervisor License. You need to install the Nexus1000V Multi-Hypervisor License for Cisco VSG for Microsoft Hyper-V. The Cisco N1kv VSM is available in two modes: essential and advanced. VSG functionality is available only in the advanced mode. You need to install the Nexus1000V Multi-Hypervisor License and change the VSM mode to advanced mode. When the Nexus1000V Multi-Hypervisor License is installed, the license for Cisco VSG is automatically included.

Note

If you try to access VSG services with the VSM in essential mode, an error message is generated on the VSM console indicating that the Nexus1000V Multi-Hypervisor License is required for VSG.

The Nexus1000V Multi-Hypervisor License in the Release 5.2(1)SM1(5.2) is available in three different types:
  • Default: The Nexus 1000v switch may be configured in Essential or Advanced mode.
    • Essential Mode: Not Supported.
    • Advanced Mode: After upgrade to Software Release 5.2(1)SM(5.2), the Nexus1000V Multi-Hypervisor License is available with 1024 Socket Count and expires in 60 days.

    Note

    You must install either the evaluation or the permanent (MSFT PKG) license prior to upgrading to the Software Release 5.2(1)SM(5.2).

  • Evaluation: The Nexus 1000V switch should be in Advanced mode. After upgrading to Software Release 5.2(1)SM(5.2), the Nexus1000V Multi-Hypervisor License is available with 1024 Socket Count and expires in 60 days.
  • Permanent: The Nexus 1000V switch should be in Advanced mode. After upgrading to Software Release 5.2(1)SM(5.2), the Nexus1000V Multi-Hypervisor License is available with 1024 Socket Count and expires in 60 days.

Note

You have to request an evaluation or permanent Nexus1000V Multi-Hypervisor License.

For more information about the Cisco Nexus 1000V for Microsoft Hyper-V licenses, see the Cisco Nexus 1000V for Microsoft Hyper-V License Configuration Guide.

VLAN Configuration Requirements for VSG

You must have two port-profiles configured on two different VLANs in the VSM:
  • Service interface VLAN
  • HA interface VLAN

Required Cisco Prime NSC and Cisco VSG Information

Record your value for each of the following items; you will need them during the Cisco Prime NSC and Cisco VSG installation.

  • Cisco VSG name: unique within the inventory folder and up to 80 characters
  • Hostname: where the Cisco VSG will be installed in the inventory folder
  • ISOs: managed within the SCVMM library when stored at C:\ProgramData\Virtual Machine Manager Library Files\ISO. Refresh the SCVMM library after saving the ISO file to that location.
  • Cisco VSG management IP address
  • VSM management IP address
  • Cisco Prime NSC instance IP address
  • Mode for installing the Cisco VSG:
    • Standalone
    • HA primary
    • HA secondary
  • Cisco VSG VLAN number:
    • Service (1)
    • Management (2)
    • High availability (HA) (3)
  • Cisco VSG port profile name:
    • Data (1)
    • Management (2)
    • High availability (HA) (3)

    Note

    The numbers indicate the Cisco VSG port profile that must be associated with the Cisco VSG VLAN number.

  • HA pair ID (HA domain ID)
  • Cisco VSG admin password
  • Cisco Prime NSC admin password
  • Cisco VSM admin password
  • Shared secret password (Cisco Prime NSC, Cisco VSG policy agent, Cisco VSM policy agent)
  • NSC DNS IP address
  • NSC NTP IP address

Tasks and Prerequisites Checklist

For each task, make sure that the listed prerequisites are in place before you begin.

Task 1: Installing the Cisco Prime NSC from an ISO Image
Make sure that you know the following:
  • Verified that the Hyper-V host on which to deploy the Cisco Prime NSC VM is available in SCVMM.
  • Copied the Cisco Prime NSC 3.2 ISO image to the SCVMM library location on the file system. To make this image available in SCVMM, choose Library > Library Servers, right-click the library location, and then refresh.
  • NTP server information.
Task 2: On the VSM, Configuring Cisco Prime NSC Policy Agent
Make sure that you know the following:
  • Cisco Prime NSC policy-agent image on the VSM (for example, vsmhv-pa.3.2.1c.bin)

    Note

    The string vsmhv-pa must appear in the image name.

  • The IP address of Cisco Prime NSC
  • The shared secret password you defined during Cisco Prime NSC installation
  • IP connectivity between the VSM and Cisco Prime NSC is working

    Note

    If you upgrade your VSM, you must also copy the latest Cisco VSM policy agent image. This image is available in the Cisco Prime NSC image bundle and is needed to boot from a flash drive and to complete registration with Cisco Prime NSC.

Task 3: On the VSM, Preparing Cisco VSG Port Profiles
Make sure that you know the following:
  • Logical Switch name (Network Uplink port-profile name).
  • VLAN ID for the Cisco VSG data interface (for example, 100).
  • VLAN ID for the Cisco VSG-ha interface (for example, 200).
  • Management VLAN (management).

    Note

    None of these VLANs need to be system VLANs.

Task 4: On the VSM, Configuring Virtual Network Adapters on the Hosts
Make sure that you know the following:
  • Cisco VSG port-profile configured on VSM.
Task 5: Installing Cisco VSG from an ISO Image
Make sure that you know the following:
  • Installed Microsoft SCVMM SP1 or SCVMM R2.
  • Downloaded the Cisco VSG ISO image and uploaded it to the server (C:\ProgramData\Virtual Machine Manager Library Files\ISO). Refresh the library server under the Library tab.
  • Cisco VSG-Data port profile: VSG-Data.
  • Cisco VSG-ha port profile: VSG-ha.
  • HA ID.
  • IP/subnet mask/gateway information for Cisco VSG.
  • Administrator password.
  • Minimum of 2 GB RAM and 2 GB hard disk space; the recommended values are 4 GB RAM and 4 GB hard disk.
  • Cisco Prime NSC IP address.
  • The shared secret password.
  • IP connectivity between Cisco VSG and Cisco Prime NSC is working.
  • Cisco VSG NSC-PA image name (vsghv-pa.2.1.1e.bin) is available.
Task 6: On the VSG, Configuring the Cisco Prime NSC Policy Agent
Make sure that you know the following:
  • The Cisco Prime NSC policy-agent image on Cisco VSG (for example, vsghv-pa.2.1.1e.bin).

    Note

    The string vsghv-pa must appear in the image name.

  • IP address of the Cisco Prime NSC.
  • Shared secret password you defined during the Cisco Prime NSC installation.
  • IP connectivity between the VSG and the Cisco Prime NSC.

    Note

    If you upgrade your VSG, you must also copy the latest Cisco VSG policy agent image. This image is available in the Cisco Prime NSC image bundle and is needed to boot from a flash drive and to complete registration with Cisco Prime NSC.

Task 7: On Cisco VSG, Cisco VSM, and Cisco Prime NSC, Verifying the NSC Policy-Agent Status
Task 8: On Cisco Prime NSC, Configuring a Tenant, Security Profile, Compute Firewall, and Assigning Cisco VSG to the Compute Firewall
Make sure that you know the following:
  • Adobe Flash Player (version 11.2 or later) has been installed
  • The IP address of the Cisco Prime NSC
  • The admin user password
Task 9: On Cisco Prime NSC, Assigning Cisco VSG to the Compute Firewall
Task 9: On the Prime NSC, Configuring a Permit-All Rule
Task 10: On Cisco VSG, Verifying the Permit-All Rule
Task 11: Enabling Logging
Task 12: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG
Make sure that you know the following:
  • The server VM that runs with an access port profile (for example, web server)
  • The Cisco VSG data IP address (for example, 10.10.10.200) and VLAN ID (for example, 100)
  • The security profile name (for example, sp-web)
  • The organization (Org) name (for example, root/Tenant-A)
  • The port profile that you would like to edit to enable firewall protection
  • That one active port in the port-profile with Cisco vPath configuration has been set up
Task 13: Installing Microsoft Service Provider Foundation
Task 14: Sending Traffic Flow and on Cisco VSG Verifying Statistics and Logs

Host Requirements

  • Microsoft SCVMM SP1 or SCVMM R2
  • Microsoft Windows Server 2012 or Windows Server 2012 R2
  • 6 GB RAM

Obtaining Cisco Prime NSC and Cisco VSG Software

Cisco VSG software is available for download at the following URL:

http://software.cisco.com/download/navigator.html

Cisco Prime NSC software is available for download at the following URL:

http://software.cisco.com/download/navigator.html

Task 1: Installing the Cisco Prime NSC from an ISO Image

Before You Begin

Ensure that you have:

  • Verified that the Hyper-V host on which to deploy the Cisco Prime NSC VM is available in SCVMM.
  • Copied the Cisco Prime NSC 3.2 ISO image to the SCVMM library location on the file system. To make this image available in SCVMM, choose Library > Library Servers, right-click the library location, and then refresh.
  • NTP server information.

Step 1   Launch the SCVMM.

Figure 1. Create Virtual Machine Wizard - Select Source

Step 2   In the VMs and Services pane, choose the Hyper-V host on which to deploy the Cisco Prime NSC VM.
Step 3   Right-click the Hyper-V host and choose Create Virtual Machine.
Step 4   In the Create Virtual Machine wizard, on the Select Source screen, choose the Create the new virtual machine with a blank virtual hard disk radio button, and then click Next.
Step 5   In the Specify Virtual Machine Identity screen, specify the name and description for the virtual machine, and then click Next.
Step 6   In the Configure Hardware screen, do the following:
  1. From General, do the following:
    • Choose Processor and set the number of processors.
    • Choose Memory and choose the required memory value. You will need a minimum of 4 GB of memory.
  2. From Bus Configuration > IDE Devices, do the following:
    • Choose the hard disk with the virtual machine name you specified and enter the required size of the hard disk. You will need at least 20 GB.
    • Click New > Disk to add a new hard disk, enter a hard disk name in the File Name field, set the hard disk size to 20 GB, and click Ok.
    • Choose Virtual DVD Drive, choose the Existing ISO image file radio button, and browse to select the Cisco Prime NSC 3.2 ISO image file from the library in the Select ISO dialog box.
  3. Choose Network Adapters > Network Adapter 1, select the Connect to a VM Network radio button, and browse to select a VM Network.
  4. Click Next.
Step 7   In the Select Destination screen, do the following:
  1. Choose the Place the virtual machine on a host radio button.
  2. From the Destination drop-down list, choose All hosts.
  3. Click Next.
Step 8   In the Select Host screen, choose the destination, and then click Next.
Step 9   In the Configure Settings screen, click Browse, navigate to the storage location of the virtual machine file, and then click Next.
Step 10   In the Add properties screen, choose the Red Hat Enterprise Linux 5 (64 bit) operating system, and then click Next.
Step 11   In the Summary screen, do the following:
  1. Verify the settings.
  2. Check the Start the virtual machine after deploying it check box.
  3. Click Create.

Figure 2. Create Virtual Machine Wizard - Summary

The job Create VM starts. You can see the status of this job in the Recent Jobs window. Ensure that the job completes without any errors.

Step 12   After the VM is successfully created, right-click the new virtual machine and choose Connect or View > Connect Via Console.
Step 13   Launch the console and install Cisco Prime NSC.

Note

Before the final Cisco Prime NSC installation step, that is, before you reboot, launch SCVMM again, right-click the virtual machine, and choose Properties > Hardware Configuration > Bus Configuration > Virtual DVD Drive > no media, so that Cisco Prime NSC does not use the ISO image at boot time.

Step 14   After Cisco Prime NSC is successfully deployed, click Close and power on the Cisco Prime NSC VM.

Task 2: On the VSM, Configuring Cisco Prime NSC Policy Agent

Once Cisco Prime NSC is installed, you must register the VSM with Cisco Prime NSC.

Before You Begin

Ensure that you have:

  • Cisco Prime NSC policy-agent image on the VSM (for example, vsmhv-pa.3.2.1c.bin)

    Note

    The string vsmhv-pa must appear in the image name.

  • The IP address of Cisco Prime NSC
  • The shared secret password you defined during Cisco Prime NSC installation
  • IP connectivity between the VSM and Cisco Prime NSC is working

    Note

    If you upgrade your VSM, you must also copy the latest Cisco VSM policy agent image. This image is available in the Cisco Prime NSC image bundle and is needed to boot from a flash drive and to complete registration with Cisco Prime NSC.

Note

The VSM clock should be synchronized with the Cisco Prime NSC clock.

SUMMARY STEPS

  1.    On the VSM, enter the following commands:
  2.    Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC correctly and that it is reachable by entering the show nsc-pa status command.

DETAILED STEPS

Step 1   On the VSM, enter the following commands:

vsm# configure terminal
vsm(config)# nsc-policy-agent
vsm(config-nsc-policy-agent)# registration-ip 10.193.75.95
vsm(config-nsc-policy-agent)# shared-secret Example_Secret123
vsm(config-nsc-policy-agent)# policy-agent-image vsmhv-pa.3.2.1c.bin
vsm(config-nsc-policy-agent)# exit
vsm(config)# copy running-config startup-config
vsm(config)# exit

Step 2   Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC correctly and that it is reachable by entering the show nsc-pa status command. This example shows that Cisco Prime NSC is reachable and the installation is correct:

vsm# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 3.2(1)-vsm
vsm#

The VSM is now registered with Cisco Prime NSC.

This example shows that Cisco Prime NSC is unreachable or an incorrect IP is configured:

vsm# show nsc-pa status
nsc Policy-Agent status is - Installation Failure
Cisco Prime NSC not reachable.
vsm#

This example shows that the NSC policy-agent is not configured or installed:

vsm# show nsc-pa status
NSC Policy-Agent status is - Not Installed

Task 3: On the VSM, Preparing Cisco VSG Port Profiles

To prepare the Cisco VSG port profiles, you must create the VLANs and use them in the Cisco VSG data port profile and the Cisco VSG-ha port profile.

Before You Begin

Ensure that you have:

  • Logical Switch name (Network Uplink port-profile name).
  • VLAN ID for the Cisco VSG data interface (for example, 100).
  • VLAN ID for the Cisco VSG-ha interface (for example, 200).
  • Management VLAN (management).

    Note

    None of these VLANs need to be system VLANs.

SUMMARY STEPS

  1.    Create a Cisco VSG data port profile and a Cisco VSG-ha port profile by first enabling the Cisco VSG data port-profile configuration mode. The Cisco VSG data interface should be in a system VLAN. To configure the VSG data interface in a system VLAN, you need a system network segment, a system port-profile, and an uplink configured as a system uplink. Use the configure command to enter global configuration mode.
  2.    Create the Network Uplink port-profile and use it in the Logical Switch.
  3.    Create the network segment and port-profile for the Data VLAN.
  4.    Create the network segment and port-profile for the HA VLAN.

DETAILED STEPS

Step 1   Create a Cisco VSG data port profile and a Cisco VSG-ha port profile by first enabling the Cisco VSG data port-profile configuration mode. The Cisco VSG data interface should be in a system VLAN. To configure the VSG data interface in a system VLAN, you need a system network segment, a system port-profile, and an uplink configured as a system uplink. Use the configure command to enter global configuration mode.

Important: Ensure that all the critical VMs are configured in the system VLANs.

vsm# configure

Step 2   Create the Network Uplink port-profile and use it in the Logical Switch. The ethernet port-profile created here (sys-uplink) is the one imported into the uplink network below; the two names must match.

vsm(config)# nsm logical network vsm_LogicalNet
vsm(config-logical-net)# exit

vsm(config)# nsm network segment pool vsm_NetworkSite
vsm(config-net-seg-pool)# member-of logical network vsm_LogicalNet
vsm(config-net-seg-pool)# exit

vsm(config)# nsm ip pool template VM_IP_Pool
vsm(config-ip-pool-template)# ip address 10.0.0.2 10.0.0.255
vsm(config-ip-pool-template)# network 255.255.255.0 10.0.0.1
vsm(config-ip-pool-template)# exit

vsm(config)# port-profile type ethernet sys-uplink
vsm(config-port-prof)# channel-group auto
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# system port-profile
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# exit

vsm(config)# nsm network uplink vsm_Uplink
vsm(config-uplink-net)# allow network segment pool vsm_NetworkSite
vsm(config-uplink-net)# import port-profile sys-uplink
vsm(config-uplink-net)# system network uplink
vsm(config-uplink-net)# publish uplink-network
vsm(config-uplink-net)# exit

Step 3   Create the network segment and port-profile for the Data VLAN.

vsm(config)# nsm network segment VMAccess_502
vsm(config-net-seg)# member-of network segment pool vsm_NetworkSite
vsm(config-net-seg)# system network segment
vsm(config-net-seg)# switchport access vlan 502
vsm(config-net-seg)# ip pool import template VM_IP_Pool
vsm(config-net-seg)# publish network-segment
vsm(config-net-seg)# exit
vsm(config)# port-profile type vethernet VSG_Data
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# system port-profile
vsm(config-port-prof)# publish port-profile
vsm(config-port-prof)# exit

Step 4   Create the network segment and port-profile for the HA VLAN.

vsm(config)# nsm network segment VMAccess_503
vsm(config-net-seg)# member-of network segment pool vsm_NetworkSite
vsm(config-net-seg)# switchport access vlan 503
vsm(config-net-seg)# ip pool import template VM_IP_Pool
vsm(config-net-seg)# publish network-segment
vsm(config-net-seg)# exit
vsm(config)# port-profile type vethernet VSG_HA
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# publish port-profile
vsm(config-port-prof)# exit
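The Task 3 transcript is held together by cross-references (the uplink network imports an ethernet port-profile, segments join a pool, a system segment needs a system uplink to carry it), and a typo in any one name only surfaces later when the VSG's data interface fails to come up. The following Python lint, an added example and not Cisco code, parses a prompt-stripped copy of such a transcript and reports dangling references, duplicate VLANs across segments, missing publish commands and a system segment that no system uplink can reach; its embedded sample is constructed from the transcript above and includes a deliberate sys_Uplink / sys-uplink mismatch so that the check has something to find.

```python
import re

# Constructed sample: the Task 3 VSM transcript with prompts removed, including
# a deliberate name mismatch (the ethernet port-profile is "sys-uplink" but the
# uplink network imports "sys_Uplink").
SAMPLE_CONFIG = """\
nsm logical network vsm_LogicalNet
nsm network segment pool vsm_NetworkSite
  member-of logical network vsm_LogicalNet
nsm ip pool template VM_IP_Pool
  ip address 10.0.0.2 10.0.0.255
port-profile type ethernet sys-uplink
  system port-profile
nsm network uplink vsm_Uplink
  allow network segment pool vsm_NetworkSite
  import port-profile sys_Uplink
  system network uplink
  publish uplink-network
nsm network segment VMAccess_502
  member-of network segment pool vsm_NetworkSite
  system network segment
  switchport access vlan 502
  ip pool import template VM_IP_Pool
  publish network-segment
port-profile type vethernet VSG_Data
  system port-profile
  publish port-profile
nsm network segment VMAccess_503
  member-of network segment pool vsm_NetworkSite
  switchport access vlan 503
  ip pool import template VM_IP_Pool
  publish network-segment
port-profile type vethernet VSG_HA
  publish port-profile
"""

HEADER = re.compile(
    r"^(?:(nsm logical network|nsm network segment pool|nsm ip pool template"
    r"|nsm network uplink|nsm network segment)|port-profile type (ethernet|vethernet)) (\S+)$")
# Sub-command prefix -> kind of object it must refer to.
REFS = {"member-of logical network": "nsm logical network",
        "member-of network segment pool": "nsm network segment pool",
        "allow network segment pool": "nsm network segment pool",
        "ip pool import template": "nsm ip pool template",
        "import port-profile": "port-profile type ethernet"}
# Objects the transcript publishes; a missing publish is reported.
PUBLISH = {"nsm network segment": "publish network-segment",
           "nsm network uplink": "publish uplink-network",
           "port-profile type vethernet": "publish port-profile"}


def parse_blocks(config):
    """Split the flat transcript into {(kind, name): [sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            m = HEADER.match(raw.rstrip())
            if not m:
                raise ValueError("unrecognised top-level line: " + raw)
            current = (m.group(1) or "port-profile type " + m.group(2), m.group(3))
            blocks[current] = []
        else:
            blocks[current].append(raw.strip())
    return blocks


def lint(config):
    """Return a list of findings; an empty list means the config is self-consistent."""
    blocks = parse_blocks(config)
    # Segment pools reachable through an uplink marked 'system network uplink'.
    system_pools = {c.split()[-1] for (k, _), cmds in blocks.items()
                    if k == "nsm network uplink" and "system network uplink" in cmds
                    for c in cmds if c.startswith("allow network segment pool ")}
    findings, vlan_owner = [], {}
    for (kind, name), cmds in blocks.items():
        where = f"{kind} {name}"
        for cmd in cmds:
            for prefix, target_kind in REFS.items():
                if not cmd.startswith(prefix + " "):
                    continue
                target = cmd[len(prefix) + 1:]
                if (target_kind, target) not in blocks:
                    findings.append(f"{where}: '{cmd}' refers to undefined {target_kind} '{target}'")
                elif (prefix == "import port-profile" and "system network uplink" in cmds
                      and "system port-profile" not in blocks[(target_kind, target)]):
                    findings.append(f"{where}: system uplink imports non-system port-profile '{target}'")
        if kind in PUBLISH and PUBLISH[kind] not in cmds:
            findings.append(f"{where}: missing '{PUBLISH[kind]}'")
        if kind == "nsm network segment":
            for vlan in (c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")):
                if vlan in vlan_owner:
                    findings.append(f"{where}: VLAN {vlan} is already used by {vlan_owner[vlan]}")
                vlan_owner.setdefault(vlan, name)
            pools = [c.split()[-1] for c in cmds if c.startswith("member-of network segment pool ")]
            if "system network segment" in cmds and not any(p in system_pools for p in pools):
                findings.append(f"{where}: system segment is not reachable through a system uplink")
    return findings
```

Run lint() over a copy of show running-config with the prompts stripped; it is intended as a pre-flight check before the VSG VM in Task 5 is attached to these segments.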

Task 4: On the VSM, Configuring Virtual Network Adapters on the Hosts

Now that you have prepared the Cisco VSG port profiles on the VSM, you should configure virtual network adapters on the hosts.

This task includes the following subtasks:
  • Create Port-profile for the Virtual Network Adapter
  • Creating Virtual Network Adapter

Before You Begin

Ensure that you have:

  • Cisco VSG port-profile configured on VSM.

Create Port-profile for the Virtual Network Adapter

You need to log in to the VSM to create a port-profile for the virtual network adapter.

SUMMARY STEPS

  1.    Create a port-profile for the virtual network adapter in the VSM.

DETAILED STEPS

Create a port-profile for the virtual network adapter in the VSM.

Example:

vsm# configure terminal
vsm(config)# port-profile type vethernet Virtual-Net-PP
vsm(config-port-prof)# capability l3-vservice
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# publish port-profile
vsm(config-port-prof)# exit
vsm(config)# copy running-config startup-config

Creating Virtual Network Adapter

Before You Begin

Make sure that you know the following:

  • Port-profile for the virtual network adapter is created.

Step 1   Launch SCVMM.
Step 2   In the VMs and Services tab, click All Hosts.
Step 3   Choose the host on which you want to add the virtual network adapter.
Step 4   Right-click the host and choose Properties from the pop-up menu.
Step 5   In the Properties window, click Virtual Switches.
Step 6   On the Virtual Switches tab, click New Virtual Network Adapter.
Step 7   In the Name field, enter a name for the virtual network adapter.
Step 8   Under Connectivity, in the VM Network field, choose an appropriate VM network.
Step 9   Under Port profile, select the L3-service-enabled port-profile that you created from the Classification drop-down list.
Step 10   Under IP address configuration, select the Static radio button and do the following:
  1. Choose the IP pool for the virtual network adapter from the IPv4 pool drop-down list.
  2. In the IPv4 address field, enter the IP address for the virtual network adapter.
Step 11   Click Ok.
Step 12   When the VM manager warning message appears, click Ok.

What to Do Next

Add a physical router between the VSG and the virtual network adapter.

Task 5: Installing Cisco VSG from an ISO Image

Note

Cisco VSG is supported as a VSB on the Nexus Cloud Services platform only.

Before You Begin

Ensure that you have:

  • Installed Microsoft SCVMM SP1 or SCVMM R2.
  • Downloaded the Cisco VSG ISO image and uploaded it to the server (C:\ProgramData\Virtual Machine Manager Library Files\ISO). Refresh the library server under the Library tab.
  • Cisco VSG-Data port profile: VSG-Data.
  • Cisco VSG-ha port profile: VSG-ha.
  • HA ID.
  • IP/subnet mask/gateway information for Cisco VSG.
  • Administrator password.
  • Minimum of 2 GB RAM and 2 GB hard disk space; the recommended values are 4 GB RAM and 4 GB hard disk.
  • Cisco Prime NSC IP address.
  • The shared secret password.
  • IP connectivity between Cisco VSG and Cisco Prime NSC is working.
  • Cisco VSG NSC-PA image name (vsghv-pa.2.1.1e.bin) is available.

Step 1   Launch SCVMM.
Step 2   On the VMs and Services tab, click Create Virtual Machine.
Step 3   In the Create Virtual Machine Wizard, on the Select Source screen, choose the Create the new virtual machine with a blank virtual hard disk radio button, and click Next.
Step 4   In the Specify Virtual Machine Identity screen, enter the name for the Cisco VSG in the Virtual machine name field and click Next.

Figure 3. Create Virtual Machine Wizard - Specify Virtual Machine Identity

Step 5   In the Configure Hardware section, do the following:
  1. Under General, choose Memory, choose the Static option, and enter 2048 MB in the Virtual machine memory field.
  2. Under Bus Configuration, choose the primary disk and enter 2 in the Size (GB) field.
  3. Choose the virtual DVD Drive, select the Existing ISO image file radio button, and browse for the VSG ISO within the SCVMM Library.
  4. Click New > Network Adapter to create a total of three new Network Adapters.
    • Under the Network Adapters section, choose Network Adapter 1, choose Connected to a VM network, and browse for the network that corresponds to the network segment for the VSG's data interface.

      Note

      Network Adapter 1 is the Service/Data network; use it to connect to the Data network.

      Note

      Network Adapter 2 is the management network; connect it to the management network for the VSG.

      Note

      Network Adapter 3 is the HA network; connect it to the HA network.

      Figure 4. Create Virtual Machine Wizard - Configure Hardware

    • From the Classification drop-down list, choose the port-profile corresponding to the VSG's data interface.

    Note

    Repeat substep 4 to create the network adapters for management and HA.

Step 6   In the Select Destination section, choose Place the virtual machine in a host, choose the host group on which you want to store the VSG from the drop-down list, and click Next.
Step 7   In the Select Host section, choose the host that you want to place the VSG on and click Next.
Step 8   In the Configure Settings section, review the virtual machine settings to ensure they are correct, and click Next.
Step 9   (Optional) In the Add Properties section, choose Other Linux (64-bit) from the Operating System drop-down list, and then click Next.
Step 10   In the Summary section, click Create.
Step 11   Once the VSG is successfully installed, choose the VSG on the VMs and Services tab, and click Power On.
Step 12   Connect to the VSG using Connect or View > Connect via Console.

Task 6: On the VSG, Configuring the Cisco Prime NSC Policy Agent

Once Cisco Prime NSC is installed, you must register Cisco VSG with Cisco Prime NSC.

Before You Begin

Ensure that you have:

  • The Cisco Prime NSC policy-agent image on Cisco VSG (for example, vsghv-pa.2.1.1e.bin).

    Note

    The string vsghv-pa must appear in the image name.

  • IP address of the Cisco Prime NSC.
  • Shared secret password you defined during the Cisco Prime NSC installation.
  • IP connectivity between the VSG and the Cisco Prime NSC.

    Note

    If you upgrade your VSG, you must also copy the latest Cisco VSG policy agent image. This image is available in the Cisco Prime NSC image bundle and is needed to boot from a flash drive and to complete registration with Cisco Prime NSC.

Note

The VSG clock should be synchronized with the Cisco Prime NSC clock.

SUMMARY STEPS

  1.    On Cisco VSG, configure the NSC policy agent:
  2.    Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC correctly and that it is reachable by entering the show nsc-pa status command.

DETAILED STEPS

Step 1   On Cisco VSG, configure the NSC policy agent:

VSG-Firewall# configure
Enter configuration commands, one per line.  End with CNTL/Z.
VSG-Firewall(config)# nsc-policy-agent
VSG-Firewall(config-nsc-policy-agent)# registration-ip 10.193.72.242
VSG-Firewall(config-nsc-policy-agent)# shared-secret Sgate123
VSG-Firewall(config-nsc-policy-agent)# policy-agent-image vsghv-pa.2.1.1b.bin
VSG-Firewall(config-nsc-policy-agent)# copy running-config startup-config
[########################################] 100%
Copy complete, now saving to disk (please wait)...
VSG-Firewall(config-nsc-policy-agent)# exit

Step 2   Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC correctly and that it is reachable by entering the show nsc-pa status command. This example shows that Cisco Prime NSC is reachable and the installation is correct:

VSG-Firewall(config)# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 2.1(1b)-vsg

Cisco VSG is now registered with Cisco Prime NSC.

This example shows that Cisco Prime NSC is unreachable or an incorrect IP is configured:

vsg# show nsc-pa status
NSC Policy-Agent status is - Installation Failure
Cisco Prime NSC not reachable.
vsg#

This example shows that the NSC policy-agent is not configured or installed:

vsg# show nsc-pa status
NSC Policy-Agent status is - Not Installed

Task 7: On Cisco VSG, Cisco VSM, and Cisco Prime NSC, Verifying the NSC Policy-Agent Status

You can use the show nsc-pa status command to verify the NSC policy-agent status on Cisco VSG and Cisco VSM, and the Cisco Prime NSC Resource Management view to confirm that both are registered, which indicates that you have installed the policy-agent successfully.

SUMMARY STEPS

  1.    Log in to the Cisco VSG.
  2.    Check the status of the NSC-PA configuration by entering the show nsc-pa status command.
  3.    Log in to the Cisco VSM.
  4.    Check the status of the NSC-PA configuration by entering the show nsc-pa status command.
  5.    Log in to Cisco Prime NSC.
  6.    Click Resource Management and then click Resources.
  7.    In the navigation pane, click VSMs and verify the VSM information in the VSMs pane.
  8.    In the navigation pane, click VSGs and verify the VSG information in the VSGs pane.

DETAILED STEPS

Step 1   Log in to the Cisco VSG.
Step 2   Check the status of the NSC-PA configuration by entering the following command:

vsg# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 2.0(1a)-vsg
vsg#

Step 3   Log in to the Cisco VSM.
Step 4   Check the status of the NSC-PA configuration by entering the following command:

VSM# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 2.0(0.22)-vsm
VSM#

Step 5   Log in to Cisco Prime NSC.
Step 6   Click Resource Management and then click Resources.
Step 7   In the navigation pane, click VSMs and verify the VSM information in the VSMs pane.
Step 8   In the navigation pane, click VSGs and verify the VSG information in the VSGs pane.

                Task 8: On Cisco Prime NSC, Configuring a Tenant, Security Profile, Compute Firewall, and Assigning Cisco VSG to the Compute Firewall

                Now that you have Cisco Prime NSC and Cisco VSG successfully installed with the basic configurations, you should configure the basic security profiles and policies.

                This task includes the following subtasks:

                • Configuring a Tenant on Cisco Prime NSC
                • Configuring a Security Profile on the Cisco Prime NSC
                • Configuring a Compute Firewall and Assigning Cisco VSG to Cisco Prime NSC

                What to Do Next

                Go to Configuring a Tenant on Cisco Prime NSC

                Configuring a Tenant on Cisco Prime NSC

                Tenants are entities (businesses, agencies, institutions, and so on) whose data and processes are hosted on VMs in the virtual data center. To provide firewall security for each tenant, the tenant must first be configured in Cisco Prime NSC.

                SUMMARY STEPS

                  1.    From the Cisco Prime NSC toolbar, click the Tenant Management tab.

                  2.    In the Navigation pane directory tree, right-click root, and from the drop-down list, choose Create Tenant.

                  3.    In the Create Tenant dialog box, do the following:

                  4.    Click OK.


                DETAILED STEPS
                  Step 1   From the Cisco Prime NSC toolbar, click the Tenant Management tab.
                  Step 2   In the Navigation pane directory tree, right-click root, and from the drop-down list, choose Create Tenant.
                  Step 3   In the Create Tenant dialog box, do the following:
                  1. In the Name field, enter the tenant name; for example, Tenant-A.
                  2. In the Description field, enter a description for that tenant.
                  Step 4   Click OK.

                  Notice that the tenant that you have just created is listed in the left-side pane under root.


                  What to Do Next

                  See Configuring a Security Profile on the Cisco Prime NSC

                  Configuring a Security Profile on the Cisco Prime NSC

                  You can configure a security profile on Cisco Prime NSC.


                    Step 1   In the Cisco Prime NSC toolbar, choose Policy Management > Service Profiles.
                    Step 2   In the Root navigation window, from the directory path, choose Tenant > Compute Firewall > Compute Security Profile.
                    Step 3   Right-click Compute Security Profile and choose Add Compute Security Profile.

                    The Add Compute Security Profile dialog box opens.

                    Step 4   In the Add Compute Security Profile dialog box, do the following:
                    1. In the Name field, enter a name for the security profile; for example, sp-web.
                    2. In the Description field, enter a brief description of this security profile.
                    Step 5   Click OK.

                    What to Do Next

                    See Configuring a Compute Firewall and Assigning Cisco VSG to Cisco Prime NSC

                    Configuring a Compute Firewall and Assigning Cisco VSG to Cisco Prime NSC

                    The compute firewall is a logical virtual entity that contains the device profile that you can bind (assign) to Cisco VSG VM. The device policy in the device profile is then pushed from Cisco Prime NSC to Cisco VSG. Once this is complete, the compute firewall is in the applied configuration state on Cisco Prime NSC.


                      Step 1   From Cisco Prime NSC, choose Resource Management > Managed Resources.
                      Step 2   In the left-pane directory tree, navigate to and choose a tenant.
                      Step 3   From the Action drop-down list, choose Add Compute Firewall. The Add Compute Firewall dialog box opens.
                      Step 4   In the Add Compute Firewall dialog box, do the following:
                      1. In the Name field, enter a name for the compute firewall.
                      2. In the Description field, enter a brief description of the compute firewall.
                      3. In the Host Name field, enter the name for your Cisco VSG.
                      Step 5   Click Next.

                      The new Compute Firewall pane displays with the information that you provided.

                      Step 6   In the Select Service Devices pane, click the Assign VSG radio button, choose a VSG from the VSG Devices drop-down list, and then click Next.
                      Step 7   On the Interface tab, in the Configure Data Interface pane, enter the data interface (data0) IP address and subnet mask, and click Next.
                      Step 8   Verify the configuration on the Summary tab and click Finish.
                      Step 9   Click Root > Tenant > Network Services and verify the status of the firewall.

                      Task 9: On the Prime NSC, Configuring a Permit-All Rule

                      You can configure a permit-all rule in the Cisco Prime NSC.


                        Step 1   Log in to the Cisco Prime NSC.
                        Step 2   Choose Policy Management > Service Profiles.
                        Step 3   Choose Root > Tenant > Compute Firewall > Compute Security Profile, and then select a security profile.
                        Step 4   In the right pane, click Add ACL Policy Set.
                        Step 5   In the Add ACL Policy dialog box, do the following:
                        1. In the Name field, enter the ACL Policy Set name.
                        2. In the Description field, enter a brief description of the ACL Policy Set.
                        3. Click Add ACL Policy.
                        Step 6   In the Add ACL Policy dialog box, enter the policy name and a policy description, and then click Add Rule.
                        Step 7   In the Add Rule dialog box, do the following:
                        1. In the Name field, enter the rule name.
                        2. For the Action radio button, choose the action to apply to matching traffic (for example, Permit-All to permit all the traffic).
                        3. In the Condition Match Criteria field, choose the required condition.
                        4. On the Source - Destination - Service tab, click Add to add source/destination conditions or service.
                        5. On the Protocol tab, uncheck Any to choose specific protocols. Do not uncheck Any if you wish to match all the protocols.
                        6. On the Ether-Type tab, click Add to specify an Ether type for the rule.
                        7. On the Time Range tab, keep the default option to leave the rule enabled.
                        8. On the Advanced tab, click Add to add checks for source ports.
                        9. Click OK.
                        Step 8   In the Add Policy dialog box, click OK.

                        The newly created policy is displayed in the Assigned field.

                        Step 9   In the Add Policy Set dialog box, click OK.
                        Step 10   In the Service Profile window, click Save.

                        Task 10: On Cisco VSG, Verifying the Permit-All Rule

                        You can verify that the rule is present on Cisco VSG by using the Cisco VSG CLI show commands.

                        vsg# show running-config rule
                        rule POL-DEMO/R-DEMO@root/Tenant/VDC
                          cond-match-criteria: match-all
                          action permit
                        rule POL1/R1@root/Tenant/VDC
                          cond-match-criteria: match-all
                          action permit
                        rule default/default-rule@root
                          cond-match-criteria: match-all
                          action drop
                        vsg#

                        Task 11: Enabling Logging

                        To enable logging, follow these procedures:

                        Enabling Logging Level 6 for Policy-Engine Logging

                        Logging enables you to see what traffic is going through your monitored virtual machine. This logging is helpful for verifying that you have a proper configuration and to help in troubleshooting. You can enable Logging Level 6 for policy-engine logging in a monitor session.


                          Step 1   Log in to Cisco Prime NSC.
                          Step 2   Choose Policy Management > Device Configurations.
                          Step 3   In the Navigation pane, choose root > Policies > Syslog > Default, and then click Edit.
                          Step 4   In the Edit Syslog dialog box, do the following:
                          1. Click the Servers tab.
                          2. In the Server Type column, choose the primary server type from the displayed list.
                          3. From the pane toolbar, click Edit.
                          Figure 5. Edit Syslog Dialog Box

                          Step 5   In the Edit Syslog Client dialog box, do the following:
                          1. In the Hostname/IP address field, enter the syslog server IP address.
                          2. From the Severity drop-down list, choose Information(6).
                          3. For Admin State, click the Enabled radio button.
                          4. Click OK.
                          Step 6   Click OK.

                          What to Do Next

                          See Enabling Global Policy-Engine Logging.

                          Enabling Global Policy-Engine Logging

                          Logging enables you to see what traffic is going through your monitored VM. This logging is helpful for verifying that you have a proper configuration and to help in troubleshooting.


                            Step 1   Log in to Cisco Prime NSC.
                            Step 2   In the Cisco Prime NSC window, choose Policy Management > Device Configurations > root > Device Profiles > default. The default Device Profile window opens.
                            Step 3   In the default pane, do the following:
                            1. In the Work pane, click Policies.
                            2. In the Policy Engine Logging field, click the Enabled radio button.
                            Step 4   Click Save.

                            Task 12: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG

                            This section includes the following topics:

                            • Enabling Traffic VM Port-Profile for Firewall Protection
                            • Verifying the VSM or VEM for Cisco VSG Reachability
                            • Checking the VM Virtual Ethernet Port for Firewall Protection

                            Before You Begin

                            Ensure that you have:

                            • Server VM that runs with an access port profile (for example, web server)
                            • Cisco VSG data IP address (for example, 10.10.10.200) and VLAN ID (for example, 100)
                            • Set up the Virtual Network Adapter
                            • Security profile name (for example, sp-web)
                            • Organization (Org) name (for example, root/Tenant-A)
                            • Port profile that you would like to edit to enable firewall protection

                            Enabling Traffic VM Port-Profile for Firewall Protection

                            You can enable a traffic VM port profile for firewall protection.

                            SUMMARY STEPS

                              1.    Create VSG node.

                              2.    Create the network segment and Traffic VM Port-Profile for Firewall Protection.


                            DETAILED STEPS
                              Step 1   Create VSG node.
                              vsm# configure terminal
                              vsm(config)# vservice node VSG type vsg
                              vsm(config-vservice-node)# ip address 10.10.10.200
                              vsm(config-vservice-node)# adjacency l3
                              vsm(config-vservice-node)# exit
                              vsm(config)# copy running-config startup-config
                              Step 2   Create the network segment and Traffic VM Port-Profile for Firewall Protection.
                              vsm(config)# nsm network segment VMAccess_400
                              vsm(config-net-seg)# member-of network segment pool vsm_NetworkSite
                              vsm(config-net-seg)# switchport access vlan 400
                              vsm(config-net-seg)# ip pool import template VM_IP_Pool
                              vsm(config-net-seg)# publish network-segment 
                              vsm(config-net-seg)# exit
                              
                              vsm(config)# port-profile type vethernet pp-webserver
                              vsm(config-port-prof)# org root/Tenant-A
                              vsm(config-port-prof)# vservice node VSG profile sp-web
                              vsm(config-port-prof)# no shutdown
                              vsm(config-port-prof)# state enabled
                              vsm(config-port-prof)# publish port-profile
                              vsm(config-port-prof)# exit
                              vsm(config)# show port-profile name pp-webserver

                              What to Do Next

                              See Verifying the VSM or VEM for Cisco VSG Reachability.

                              Verifying the VSM or VEM for Cisco VSG Reachability

                              Ensure that you have assigned the traffic VM port profile with firewall protection to the traffic VM.

                              Figure 6. Virtual Machine Properties Window

                              This example shows how to verify the communication between the VEM and the VSG:

                              VSM# show vservice brief
                              --------------------------------------------------------------------------------
                                                                 Node Information
                              --------------------------------------------------------------------------------
                               ID Name                     Type   IP-Address      Mode   State   Module
                                1 VSG-1                    vsg    192.161.0.85    l3     Alive   3,4,
                              
                              --------------------------------------------------------------------------------
                                                                 Path Information
                              --------------------------------------------------------------------------------
                              --------------------------------------------------------------------------------
                                                                 Port Information
                              --------------------------------------------------------------------------------
                              PortProfile:PP-VSERVICE
                              Org:root/Tenant1
                              Node:VSG-1(192.161.0.85)                      Profile(Id):SP1(6)
                              Veth Mod VM-Name                              vNIC IP-Address
                                 4   4 traffic-vm-win-22                         192.163.0.53,
                                 8   3 traffic-vm-win-12                         192.163.0.76 
                                10   3 traffic-vm-ubuntu-61                      192.163.0.80,
                                11   3 traffic-vm-ubuntu-52                      192.163.0.52,
                              

                              Output that lists the Cisco VSG IP address with the State shown as Alive verifies that the VEM can communicate with the Cisco VSG.

                              Checking the VM Virtual Ethernet Port for Firewall Protection

                              This example shows how to verify the VM Virtual Ethernet port for firewall protection:

                              VSM(config)# show vservice port brief port-profile VSGDemo-WEB-FW
                              --------------------------------------------------------------------------------
                                                                 Port Information
                              --------------------------------------------------------------------------------
                              PortProfile:VSGDemo-WEB-FW
                              Org:root/Demo
                              Node:VSG(153.1.1.13)                          Profile(Id):Demo-Default-Security-Profile(6)
                              Veth Mod VM-Name                              vNIC IP-Address
                                 1   3 web-server1                               152.1.1.11,
                              

                              Note

                              Make sure that your VNSP ID value is greater than 1.
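As an added example that is not part of the Cisco documentation, the following Python parses the show vservice brief output from Task 12 into node and port-profile records and runs the checks this section describes: every node Alive, each port profile bound to an Alive node with vEthernet ports attached, and a Profile(Id) greater than 1 (this example assumes that number is the VNSP ID the note refers to). The sample output is re-typed from the page as constructed test input; the same parser handles the show vservice port brief output, which has no Node Information section.

```python
import re

# Constructed sample: the `show vservice brief` output shown above, re-typed as test data.
SAMPLE_VSERVICE_BRIEF = """\
--------------------------------------------------------------------------------
                                   Node Information
--------------------------------------------------------------------------------
 ID Name                     Type   IP-Address      Mode   State   Module
  1 VSG-1                    vsg    192.161.0.85    l3     Alive   3,4,

--------------------------------------------------------------------------------
                                   Path Information
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
                                   Port Information
--------------------------------------------------------------------------------
PortProfile:PP-VSERVICE
Org:root/Tenant1
Node:VSG-1(192.161.0.85)                      Profile(Id):SP1(6)
Veth Mod VM-Name                              vNIC IP-Address
   4   4 traffic-vm-win-22                         192.163.0.53,
   8   3 traffic-vm-win-12                         192.163.0.76
  10   3 traffic-vm-ubuntu-61                      192.163.0.80,
  11   3 traffic-vm-ubuntu-52                      192.163.0.52,
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# Node row: ID Name Type IP-Address Mode State Module (the header row has no leading digit).
NODE_ROW = re.compile(rf"^\s*(\d+)\s+(\S+)\s+(\S+)\s+({IP})\s+(\S+)\s+(\S+)\s+(\S*)")
# "Node:<name>(<ip>)   Profile(Id):<profile>(<id>)" line of a Port Information block.
PROFILE_HDR = re.compile(rf"^Node:([^(\s]+)\(({IP})\)\s+Profile\(Id\):([^(\s]+)\((\d+)\)")
# vEthernet row: Veth Mod VM-Name IP-Address (the trailing comma is optional in the output).
VETH_ROW = re.compile(rf"^\s*(\d+)\s+(\d+)\s+(\S+)\s+({IP}),?\s*$")

def parse_vservice_brief(text):
    """Split the output into Node Information rows and Port Information blocks
    (one block per port profile, each carrying its attached vEthernet ports)."""
    nodes, bindings, section = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s in ("Node Information", "Path Information", "Port Information"):
            section = s
        elif section == "Node Information":
            m = NODE_ROW.match(line)
            if m:
                nodes.append({"id": int(m.group(1)), "name": m.group(2), "type": m.group(3),
                              "ip": m.group(4), "mode": m.group(5), "state": m.group(6),
                              "modules": tuple(int(x) for x in m.group(7).split(",") if x)})
        elif section == "Port Information":
            if s.startswith("PortProfile:"):
                bindings.append({"port_profile": s.split(":", 1)[1].strip(), "veths": []})
            elif not bindings:
                continue
            elif s.startswith("Org:"):
                bindings[-1]["org"] = s.split(":", 1)[1].strip()
            elif PROFILE_HDR.match(s):
                m = PROFILE_HDR.match(s)
                bindings[-1].update(node=m.group(1), node_ip=m.group(2),
                                    profile=m.group(3), profile_id=int(m.group(4)))
            elif VETH_ROW.match(line):
                m = VETH_ROW.match(line)
                bindings[-1]["veths"].append((int(m.group(1)), int(m.group(2)),
                                              m.group(3), m.group(4)))
    return nodes, bindings

def verify_firewall_protection(text):
    """Run the checks this section calls for and return a list of findings (empty means
    healthy): every node Alive, each port profile bound to an Alive node with vEthernet
    ports attached, and a Profile(Id) above 1 (assumed here to be the VNSP ID)."""
    nodes, bindings = parse_vservice_brief(text)
    findings = [f"node {n['name']} ({n['ip']}) is {n['state']}, not Alive"
                for n in nodes if n["state"] != "Alive"]
    alive = {n["ip"] for n in nodes if n["state"] == "Alive"}
    for b in bindings:
        pp = b["port_profile"]
        if "node_ip" not in b:
            findings.append(f"{pp}: no Node/Profile(Id) line found")
            continue
        if nodes and b["node_ip"] not in alive:  # skipped when only port output is given
            findings.append(f"{pp}: bound to {b['node']} ({b['node_ip']}), which is not Alive")
        if b["profile_id"] <= 1:
            findings.append(f"{pp}: Profile(Id) {b['profile_id']} is not greater than 1")
        if not b["veths"]:
            findings.append(f"{pp}: no vEthernet ports attached")
    return findings
```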


                              Task 13: Installing Microsoft Service Provider Foundation

                              After installing Cisco Prime NSC, you need to enable communication between Cisco Prime NSC and Microsoft SCVMM. This is required for virtual machine attribute-based policies to work on Cisco VSG. Microsoft Service Provider Foundation (SPF) is a plug-in that enables communication between Microsoft SCVMM and Cisco Prime NSC. The following table lists the SPF versions compatible with Cisco Prime NSC 3.2:

                              Table 1 SPF Versions Compatible with Cisco Prime NSC 3.2

                              SCVMM Version                        SPF Version
                              System Center 2012 Service Pack 1    7.1.3117.0
                              System Center 2012 R2                7.2.379.0

                              This task includes the following subtasks:

                              • Installing Service Provider Foundation
                              • Configuring Service Provider Foundation
                              • Verifying Service Provider Foundation Installation
                              • Creating VM Manager on Cisco Prime NSC

                              What to Do Next

                              See Installing Service Provider Foundation

                              Installing Service Provider Foundation

                              For detailed information about installing Service Provider Foundation, see How to Install Service Provider Foundation for System Center 2012 R2, available at: http://technet.microsoft.com/en-us/library/dn266007.aspx

                              Before You Begin

                              Ensure that you have:

                              • Downloaded the System Center 2012 R2 Orchestrator installer.
                              • Verified the system requirements for Service Provider Foundation (SPF). For information on system requirements, see System Requirements for Service Provider Foundation for System Center 2012 SP1, available at: http://technet.microsoft.com/en-us/library/jj642899.aspx.
                              • NTP server information.

                              Configuring Service Provider Foundation

                              After the Service Provider Foundation (SPF) is successfully installed, you need to create a stamp ID (stampId) and associate it with the Microsoft SCVMM server. For more information about configuring SPF, see http://technet.microsoft.com/en-us/library/jj613915.aspx.

                              What to Do Next

                              See Verifying Service Provider Foundation Installation

                              Verifying Service Provider Foundation Installation

                              To check that the SPF installation is successful and functional, open the following VMM REST interface URL in a browser:

                              https://<spf_host>:8090/SC2012R2/VMM/Microsoft.Management.Odata.Svc

                              where <spf_host> is the IP address for the Microsoft SCVMM VM.

                              Use the following link to launch the Virtual Machines REST URL:

                              https://<spf_host>:8090/SC2012R2/VMM/Microsoft.Management.Odata.Svc/VirtualMachines

                              where <spf_host> is the IP address for the SCVMM VM.

                              Creating VM Manager on Cisco Prime NSC

                              You need to create a VM manager to enable Prime NSC to retrieve VM information from Microsoft SCVMM.


                                Step 1   Launch Cisco Prime NSC.
                                Step 2   Choose Resource Management > VM Manager > Add VM Manager.
                                Step 3   In the Add VM Manager dialog box, enter the following:
                                1. A name for the VM manager.
                                2. A description for the VM manager.
                                3. The hostname or IP address of SCVMM.
                                4. The domain name and user name.
                                5. The password for the SCVMM host.
                                6. Keep the default port number.
                                7. Click OK.

                                Task 14: Sending Traffic Flow and on Cisco VSG Verifying Statistics and Logs

                                This section includes the following topics:

                                • Sending Traffic Flow
                                • Verifying Policy-Engine Statistics and Logs on Cisco VSG

                                Sending Traffic Flow

                                You can send traffic flow through the Cisco VSG to ensure that it is functioning properly.


                                  Step 1   Ensure that you have the VM (Server-VM) that is using the port profile (pp-webserver) configured for firewall protection.
                                  Figure 7. Virtual Machine Properties Window

                                  Step 2   Log in to one of your client virtual machines (Client-VM).
                                  Step 3   Send traffic (for example, HTTP) to your Server-VM.
                                  [root@]# wget http://172.31.2.92/
                                  --2010-11-28 13:38:40--  http://172.31.2.92/
                                  Connecting to 172.31.2.92:80... connected.
                                  HTTP request sent, awaiting response... 200 OK
                                  Length: 258 [text/html]
                                  Saving to: `index.html'
                                  
                                  100%[=======================================================================>] 258         --.-K/s   in 0s      
                                  
                                  2010-11-28 13:38:40 (16.4 MB/s) - `index.html' saved [258/258]
                                  
                                  [root]#
                                  
                                  
                                  Step 4   Log in to Cisco VSG and check the policy-engine statistics and logs.

                                  What to Do Next

                                  See Verifying Policy-Engine Statistics and Logs on Cisco VSG.

                                  Verifying Policy-Engine Statistics and Logs on Cisco VSG

                                  Log in to Cisco VSG and check the policy-engine statistics and logs.

                                  This example shows how to check the policy-engine statistics and logs:

                                  vsg# show policy-engine stats
                                  Policy Match Stats: 
                                  default@root                 :         0
                                    default/default-rule@root  :         0 (Drop)
                                    NOT_APPLICABLE             :         0 (Drop)
                                  
                                  PS_web@root/Tenant-A :         1
                                    pol_web/permit-all@root/Tenant-A :         1 (Log, Permit)
                                    NOT_APPLICABLE                :         0 (Drop)
                                  
                                  vsg# terminal monitor
                                  vsg# 2010 Nov 28 05:41:27 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT: policy=PS_web@root/Tenant-A rule=pol_web/permit-all@root/Tenant-A action=Permit direction=egress src.net.ip-address=172.31.2.91 src.net.port=48278 dst.net.ip-address=172.31.2.92 dst.net.port=80 net.protocol=6 net.ethertype=800
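The policy-engine statistics and the %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT message above are what an operator would parse to confirm that the test traffic hit the intended rule. The following Python is an added example (not from the Cisco documentation) that parses both, with the outputs shown above re-typed as constructed test input, and cross-checks the logged event against the statistics.

```python
import re

# Constructed sample input, re-typed from the `show policy-engine stats` output above.
SAMPLE_STATS = """\
Policy Match Stats: 
default@root                 :         0
  default/default-rule@root  :         0 (Drop)
  NOT_APPLICABLE             :         0 (Drop)

PS_web@root/Tenant-A :         1
  pol_web/permit-all@root/Tenant-A :         1 (Log, Permit)
  NOT_APPLICABLE                :         0 (Drop)
"""

# Constructed sample: the single POLICY_LOOKUP_EVENT syslog line shown above, re-typed.
SAMPLE_SYSLOG = (
    "2010 Nov 28 05:41:27 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT: "
    "policy=PS_web@root/Tenant-A rule=pol_web/permit-all@root/Tenant-A "
    "action=Permit direction=egress src.net.ip-address=172.31.2.91 "
    "src.net.port=48278 dst.net.ip-address=172.31.2.92 dst.net.port=80 "
    "net.protocol=6 net.ethertype=800"
)

# A stats row: optional indent, name, colon, hit count, optional "(actions)".
STATS_ROW = re.compile(r"^(\s*)(\S+)\s*:\s*(\d+)(?:\s*\(([^)]*)\))?\s*$")
# The syslog header carries the severity (6 = informational) and the mnemonic.
SYSLOG_HDR = re.compile(r"%POLICY_ENGINE-(\d)-([A-Z_]+):\s*(.*)$")

def parse_policy_engine_stats(text):
    """Return {policy_set: {"hits": n, "rules": {rule: (hits, actions)}}}.
    Unindented rows are policy sets; indented rows are the rules under them."""
    stats, current = {}, None
    for line in text.splitlines():
        m = STATS_ROW.match(line)
        if not m:
            continue  # the title line and blank lines
        indent, name, hits, actions = m.groups()
        if indent == "":
            current = name
            stats[current] = {"hits": int(hits), "rules": {}}
        elif current is not None:
            acts = tuple(a.strip() for a in actions.split(",")) if actions else ()
            stats[current]["rules"][name] = (int(hits), acts)
    return stats

def parse_policy_event(line):
    """Parse one %POLICY_ENGINE syslog line into a dict of its key=value fields,
    with the severity and mnemonic taken from the message header."""
    m = SYSLOG_HDR.search(line)
    if not m:
        return None
    event = {"severity": int(m.group(1)), "mnemonic": m.group(2)}
    for kv in m.group(3).split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event

def flow_tuple(event):
    """Reduce an event to (src_ip, src_port, dst_ip, dst_port, ip_protocol)."""
    return (event["src.net.ip-address"], int(event["src.net.port"]),
            event["dst.net.ip-address"], int(event["dst.net.port"]),
            int(event["net.protocol"]))

def check_event_against_stats(event, stats):
    """Cross-check a logged event against the statistics and return findings:
    the policy set and rule must exist, the rule must show a non-zero hit count,
    and the logged action must be one of the actions the statistics report."""
    findings = []
    pset = stats.get(event.get("policy"))
    if pset is None:
        return [f"policy set {event.get('policy')!r} not present in stats"]
    hits, actions = pset["rules"].get(event.get("rule"), (None, ()))
    if hits is None:
        return [f"rule {event.get('rule')!r} not present in stats"]
    if hits == 0:
        findings.append(f"rule {event['rule']} shows zero hits")
    if event.get("action") not in actions:
        findings.append(f"logged action {event.get('action')} not in {actions}")
    return findings
```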