Information About the Cisco Virtual Security Gateway
The Cisco Virtual Security Gateway (VSG) is a virtual firewall appliance that provides trusted access to virtual data center and cloud environments. The Cisco VSG enables a broad set of multitenant workloads that have varied security profiles to share a common compute infrastructure in a virtual data center private cloud or in a public cloud. By associating one or more virtual machines (VMs) into distinct trust zones, the Cisco VSG ensures that access to trust zones is controlled and monitored through established security policies.
The Cisco VSG is available in three different models (small, medium, and large) based on the memory, number of virtual CPUs, and CPU speed. Currently, only the small model type is supported on Microsoft Hyper-V. The following table lists the available Cisco VSG models:
| VSG Model | Memory | CPU Speed | Number of Virtual CPUs | Network Adapters |
|---|---|---|---|---|
| Small | 2 GB | 1.0 GHz | 1 | 3 |
The Cisco VSG operates with the Cisco Nexus 1000V in Microsoft Hyper-V environments and leverages the virtual network service datapath (vPath) that is embedded in the Cisco Nexus 1000V Virtual Ethernet Module (VEM).
When a VEM sees a packet for a protected VM for the first time, the VEM redirects the packet to the Cisco VSG to determine what action needs to be taken (for example, permit, drop, or reset). After the decision is made, both the Cisco VSG and the VEM save the connection information and the action for a period of time. During this time, packets for this connection follow the same action without any extra policy lookup. Such a connection is said to be in fast path mode. Depending on the traffic and the action, the amount of time that a connection stays in fast path mode varies. The following table provides the timeout details for connections in fast path mode.
| Protocol | Connection State | VEM Timeout | VSG Timeout |
|---|---|---|---|
| TCP | Close with FIN and ACKACK | 4 secs | 4 secs |
| TCP | Close with RST | 4 secs | 4 secs |
| TCP | Action drop | 4 secs | 4 secs |
| TCP | Action reset | 4 secs | 4 secs |
| TCP | Idle | 36–60 secs | 630–930 secs |
| UDP | Action drop | 4 secs | 4 secs |
| UDP | Action reset | 4 secs | 4 secs |
| UDP | Idle | 8–12 secs | 240–360 secs |
| UDP | Destination Unreachable | 4 secs | 4 secs |
| L3/ICMP | Action drop | 2 secs | 2 secs |
| L3/ICMP | Action reset | 2 secs | 2 secs |
| L3/ICMP | Idle | 8–12 secs | 16–24 secs |
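The fast-path handoff described above, modelled as a small simulation. This is an added example, not vPath or Cisco VSG code: the first packet of a flow triggers a policy lookup, the decision is cached on the VEM side, and the entry expires according to the VEM timeouts in the table (the lower bound is used where the table gives a range; the `policy_lookup` callback stands in for the VSG).

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# VEM-side cache lifetimes in seconds, taken from the timeout table above
# (lower bound where the table gives a range). State names are our own.
VEM_TIMEOUT = {
    ("TCP", "idle"): 36, ("TCP", "fin"): 4, ("TCP", "rst"): 4,
    ("TCP", "drop"): 4, ("TCP", "reset"): 4,
    ("UDP", "idle"): 8, ("UDP", "drop"): 4, ("UDP", "reset"): 4,
    ("UDP", "unreachable"): 4,
    ("ICMP", "idle"): 8, ("ICMP", "drop"): 2, ("ICMP", "reset"): 2,
}

@dataclass
class FlowEntry:
    action: str          # permit / drop / reset, as decided by the VSG
    expires_at: float

@dataclass
class VemFastPath:
    """Constructed model of the VEM flow cache: the first packet of a flow
    is redirected to the VSG; later packets reuse the cached decision until
    the entry times out, after which the next packet is redirected again."""
    policy_lookup: Callable[[tuple], str]   # stands in for the VSG
    cache: Dict[tuple, FlowEntry] = field(default_factory=dict)
    lookups: int = 0                        # packets redirected to the VSG

    @staticmethod
    def _state(action: str, flags: Optional[str]) -> str:
        # A drop/reset decision is cached only briefly; a closing TCP flow
        # likewise; anything else is an idle (established) entry.
        if action in ("drop", "reset"):
            return action
        return flags if flags in ("fin", "rst", "unreachable") else "idle"

    def handle(self, flow: tuple, proto: str, flags: Optional[str] = None,
               now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        entry = self.cache.get(flow)
        if entry is None or entry.expires_at <= now:
            self.lookups += 1                 # slow path: ask the VSG
            action = self.policy_lookup(flow)
        else:
            action = entry.action             # fast path: no policy lookup
        ttl = VEM_TIMEOUT[(proto, self._state(action, flags))]
        self.cache[flow] = FlowEntry(action, now + ttl)
        return action
```

Passing `now` explicitly lets the timeouts be exercised without waiting in real time; the `lookups` counter shows how few packets actually reach the VSG.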
You can transparently insert a Cisco VSG into the Microsoft Hyper-V environment where the Cisco Nexus 1000V distributed virtual switch is deployed. One or more instances of the Cisco VSG are deployed on a per-tenant basis, which allows a high scale-out deployment across many tenants. Tenants are isolated from each other, so no traffic can cross tenant boundaries. You can deploy the Cisco VSG at the tenant level, at the virtual data center level, and at the vApp level.
As VMs are instantiated for a given tenant, their association to security profiles and zone membership occurs immediately through binding with the Cisco Nexus 1000V port profile. Each VM is placed into a logical trust zone upon instantiation. Security profiles contain context-aware rule sets that specify access policies for traffic that enters and exits each zone. In addition to VM and network contexts, security administrators can also use custom attributes to define zones directly through security profiles. Controls are applied to zone-to-zone traffic as well as to external-to-zone (and zone-to-external) traffic. Zone-based enforcement can also occur within a VLAN, because a VLAN often identifies a tenant boundary. The Cisco VSG evaluates access control rules and then, if configured, off-loads enforcement to the Cisco Nexus 1000V VEM vPath module. The Cisco VSG can permit or deny access, and optional access logs can be generated. The Cisco VSG also provides a policy-based traffic monitoring capability with access logs.
A Cisco VSG tenant can protect its VMs that span multiple hypervisors. Each tenant can also be assigned an overlapping (private) IP address space, which is important in multitenant cloud environments.
A virtualization environment is dynamic, where frequent additions, deletions, and changes occur across tenants and across VMs. Additionally, live migration of VMs can occur due to manual or programmatic VM motion events. The following figure shows how a structured environment can change over time due to this dynamic VM environment.
The Cisco VSG operating with the Cisco Nexus 1000V (and vPath) supports a dynamic VM environment. Typically, when you create a tenant on the Cisco Prime Network Services Controller (Prime NSC) with the Cisco VSG (standalone or active-standby pair), associated security profiles are defined that include trust zone definitions and access control rules. Each security profile is bound to a Cisco Nexus 1000V port profile (authored on the Cisco Nexus 1000V Virtual Supervisor Module [VSM] and published to the Microsoft SCVMM). When a new VM is instantiated, the server administrator assigns port profiles to the virtual Ethernet port of the VM. Because the port profile uniquely refers to a security profile and VM zone membership, security controls are immediately applied. A VM can be repurposed by assigning a different port profile or security profile.
As VM motion events are triggered, VMs move across physical servers. Because the Cisco Nexus 1000V ensures that port profile policies follow the VMs, associated security profiles also follow these moving VMs, and security enforcement and monitoring remain transparent to VM motion events.
The Cisco Virtual Security Gateway (VSG) can be hosted on a Cisco Cloud Service Platform Virtual Services Appliance. The Cisco Cloud Service Platform hosts up to six virtual service blades (VSBs) that can be configured as a Cisco Network Analysis Module (NAM), a Virtual Supervisor Module (VSM), or a Cisco VSG. VSMs that had been hosted on Microsoft Hyper-V virtual machines can instead be hosted on the Cisco Cloud Service Platform.
Software for the Cisco VSG comes bundled with the other software for the Cisco Cloud Service Platform, which includes the kickstart image and a hypervisor. The software for implementing the Cisco VSG on the Cisco Cloud Service Platform is included with the software for creating the VSB and is stored in the bootflash repository.
The following figure compares running the VSM and Cisco VSG on a Cisco Cloud Service Platform with running the VSM and Cisco VSG on a VM.
The following figure shows the Cisco Cloud Service Platform software components and how they relate to the Cisco VSG.
For more information about the Cisco Cloud Service Platform, see the Cisco Cloud Service Platform Software Configuration Guide.
The current release supports Cisco VSG deployment in Layer 3 mode. The VEM and the Cisco VSG communicate with each other through a special virtual network interface called the Virtual Network Adapter. This Virtual Network Adapter is created by an administrator.
When a VEM has a VM that is protected by the Cisco VSG in Layer 3 mode, the VEM requires at least one IP/MAC pair to terminate the Cisco VSG packets in Layer 3 mode. The VEM acts as an IP host (not a router) and supports only IPv4 addresses.
Similar to how VEM Layer 3 Control is configured, the IP address to use for communication with the Cisco VSG in the Layer 3 mode is configured by assigning a port profile to a Virtual Network Adapter that has the capability l3-vservice command in it. For more details, see the Cisco Nexus 1000V System Management Configuration Guide.
To configure the Virtual Network Adapter interface that the VEM uses, you can assign a port profile by using the capability l3-vservice command in the port-profile configuration.
To carry the Cisco VSG in the Layer 3 mode traffic over multiple uplinks (or subgroups) in server configurations where vPC-HM MAC-pinning is required, you can configure up to four Virtual Network Adapters. We recommend that you assign all the Virtual Network Adapters in the Layer 3 mode within the same Microsoft Server host to the same port profile by using the capability l3-vservice command.
The traffic in the Layer 3 mode that is sourced by local vEthernet interfaces and needs to be redirected to the Cisco VSG is distributed between these Virtual Network Adapters based on the source MAC addresses in their frames. The VEM automatically pins the multiple Virtual Network Adapters in the Layer 3 mode to separate uplinks. If an uplink fails, the VEM automatically repins the Virtual Network Adapters to a working uplink.
When the Cisco VSG that is the destination of the encapsulated traffic is on a subnet other than the Virtual Network Adapter subnet, the VEM does not use the Hyper-V host routing table. Instead, the Virtual Network Adapter initiates an ARP request for the remote Cisco VSG IP address. You must configure the upstream router to respond to a VSG IP address ARP request by using the Proxy ARP feature.
vPath is embedded in the Cisco Nexus 1000V Series switch VEM. It intercepts the VM-to-VM traffic and then redirects the traffic to the appropriate virtual service node. For details, see the Cisco vPath and vServices Reference Guide for Microsoft Hyper-V.
The Cisco network virtual service (vservice) is supported by the Cisco Nexus 1000V using vPath. It provides trusted multitenant access and supports VM mobility across physical servers for workload balancing, availability, or scalability. For details, see the Cisco vPath and vServices Reference Guide for Microsoft Hyper-V.
Cisco Virtual Security Gateway Configuration for the Network
When you install a Cisco VSG on a virtualized data center network, you must change the configuration of the Cisco Nexus 1000V Series switch VSM and the Cisco VSG.
Note: For information about how to configure the Cisco VSG for the Cisco Nexus 1000V Series switch and the Cisco Cloud Service Platform Virtual Services Appliance, see the Cisco vPath and vServices Reference Guide for Microsoft Hyper-V.
The VSM controls multiple VEMs as one logical modular switch. Instead of physical line cards, the VSM supports VEMs that run in software inside servers. Configurations are performed through the VSM and are automatically propagated to the VEMs. Instead of configuring soft switches inside the hypervisor on one host at a time, you can define configurations for immediate use on all VEMs that are managed by the VSM.
In the Cisco Nexus 1000V Series switch, you use port profiles to configure interfaces. Through a management interface on the VSM, you can assign a port profile to multiple interfaces, which provides all of them with the same configuration. Changes to the port profile can be propagated automatically to the configuration of any interface assigned to it.
Port profiles that are not configured as uplinks can be assigned to a VM virtual port. When binding with a security profile and a Cisco VSG IP address, a VM port profile can be used to provision security services (such as for VM segmentation) provided by a Cisco VSG.
The Cisco VSG for the Cisco Nexus 1000V Series switch is a virtual firewall appliance that provides trusted access to the virtual data center and cloud environments. Administrators can install a Cisco VSG on a host as a service VM and configure it with security profiles and firewall policies to provide VM segmentation and other firewall functions to protect the access to VMs.
The Cisco Nexus 1000V Series switch port profile dynamically provisions network parameters for each VM. The same policy provisioning carries the network service configuration information so that each VM is dynamically provisioned with the network service policies when the VM is attached to the port profile. This process is similar to associating access control list (ACL) or quality of service (QoS) policies in the port profile. The information related to the network service configuration is created in an independent profile called the security profile and is attached to the port profile. The security administrator creates the security profile in the Cisco Prime NSC, and the network administrator associates it to an appropriate port profile in the VSM.
The security profile defines custom attributes that can be used to write policies. All the VMs tagged with a given port profile inherit the firewall policies and custom attributes defined in the security profile associated with that port profile. Each custom attribute is configured as a name-value pair, such as state = CA. The network administrator also binds the associated Cisco VSG for a given port profile. The Cisco VSG associated with the port profile enforces firewall policies for the network traffic of the application VMs that are bound to that port profile. The same Cisco VSG is used irrespective of the location of the application VM. As a result, the policy is consistently enforced even during VM motion procedures. You can also bind a specific policy to a service profile so that if any traffic is bound to a service profile, the policy associated with that service profile is executed. Both the service plane and the management plane support multi-tenancy requirements. Different tenants can have their own Cisco VSG (or set of Cisco VSGs), which enforce the policy defined by them. The vPath in each Hyper-V host can intelligently redirect tenant traffic to the appropriate Cisco VSG.
You can use a firewall policy to control network traffic on a Cisco VSG. A key component of the Cisco VSG is the policy engine. The policy engine uses the policy as a configuration that filters the network traffic that is received on the Cisco VSG.
A policy is bound to a Cisco VSG by using a set of indirect associations. The security administrator can configure a security profile and then refer to a policy name within the security profile. The security profile is associated with a port profile that has a reference to a Cisco VSG.
An object group is a set of conditions relevant to an attribute. Because object groups and zones can be shared between various rules with different directions, the attributes used in an object group condition should not have a directional sense and must be neutral. An object group is a secondary policy object that assists in writing firewall rules. A rule condition can refer to an object group by using an operator.
Firewall rules can consist of multiple conditions and actions. Rules are defined in a policy and act as the conditions for filtering traffic. The policy engine uses the policy as a configuration that filters the network traffic that is received on the Cisco VSG. The policy engine uses two types of condition matching models for filtering the network traffic:
AND Model: A rule is considered matched when all the attributes in the rule match.
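The rule evaluation described above (security-profile attributes, direction-neutral object groups referenced by an operator, and AND-model matching), modelled as a small policy engine. This is an added illustration, not the Cisco VSG policy engine; the attribute names, the operators, the first-match rule order and the default-drop result for unmatched traffic are assumptions of the model.

```python
from dataclasses import dataclass

# Operators a condition can apply to an attribute value (assumed set).
OPS = {
    "eq":  lambda v, arg: v == arg,
    "neq": lambda v, arg: v != arg,
    "in":  lambda v, arg: v in arg,
}

@dataclass(frozen=True)
class Condition:
    attribute: str   # flow attribute, e.g. "dst.zone" or "src.custom.state"
    op: str
    arg: object

@dataclass
class ObjectGroup:
    """Conditions on one direction-neutral attribute (e.g. "custom.state").
    A rule applies the group to a direction, so the same group can serve
    src-side and dst-side rules. The group matches when any of its
    conditions matches the attribute value (model assumption)."""
    attribute: str
    conditions: tuple

    def member(self, flow: dict, direction: str) -> bool:
        value = flow.get(f"{direction}.{self.attribute}")
        return any(OPS[c.op](value, c.arg) for c in self.conditions)

@dataclass
class Rule:
    name: str
    action: str         # permit / drop / reset
    conditions: tuple   # Condition objects or (direction, ObjectGroup) pairs

    def matches(self, flow: dict) -> bool:
        # AND model: every condition in the rule must match.
        for cond in self.conditions:
            if isinstance(cond, Condition):
                ok = OPS[cond.op](flow.get(cond.attribute), cond.arg)
            else:
                direction, group = cond
                ok = group.member(flow, direction)
            if not ok:
                return False
        return True

def evaluate(policy: list, flow: dict, default: str = "drop"):
    """First matching rule wins; unmatched traffic takes the default
    (default-drop is this model's assumption). Returns (action, rule name)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, None
```

A flow is represented as a flat dictionary of VM and network attributes, with custom attributes such as `state = CA` appearing as `dst.custom.state`.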
The service firewall log is a tool for testing and debugging a policy. During a policy evaluation, the policy engine displays the results of that evaluation. Both users and policy writers benefit from this tool when troubleshooting a policy.
Beginning with Release 5.2(1)VSG2(1.1a), jumbo frames (MTU size 9000) are supported for Cisco VSG instances deployed on N1010. If Cisco VSG is deployed on Microsoft Hyper-V, jumbo frames are not supported.
Note: Before configuring a Cisco VSG in Layer 3 mode, create a Layer 3 Virtual Network Adapter.
This section is an overview of the sequences that you, as an administrator, must follow when configuring a Cisco VSG in Layer 3 mode: