Updated: October 22, 2015
Cisco Virtual Security Gateway for Microsoft Hyper-V Release Notes, Release 5.2(1)VSG2(1.3)
First Published: 2015-10-22
Last Updated: 2015-10-22
This document describes the features, limitations, and caveats for the Cisco Virtual Security Gateway and Cisco Virtual Network Management Center software. Use this document in combination with documents listed in the “Related Documentation” section. The following is the change history for this document.
October 22, 2015
Updated VSG compatibility matrix, open caveats, and resolved caveats.
The Cisco Virtual Security Gateway (VSG) for Microsoft Hyper-V platform is a virtual firewall appliance that provides trusted access to virtual data center and cloud environments with dynamic policy-driven operation, mobility-transparent enforcement, and scale-out deployment for dense multitenancy. The Cisco VSG enables a broad set of multitenant workloads that have varied security profiles to share a common compute infrastructure. By associating one or more virtual machines into distinct trust zones, the Cisco VSG ensures that access to trust zones is controlled and monitored through established security policies.
Together, the Cisco VSG and Cisco Nexus 1000V Virtual Ethernet Module (VEM) provide the following benefits:
Efficient deployment—Each Cisco VSG can protect virtual machines across multiple physical servers, which eliminates the need to deploy one virtual appliance per physical server.
Performance optimization—By offloading Fast-Path to one or more Cisco Nexus 1000V VEM vPath modules, the Cisco VSG boosts its performance through distributed vPath-based enforcement.
Operational simplicity—You can insert a Cisco VSG in one-arm mode without creating multiple switches or temporarily migrating VMs to different switches or servers. Zone scaling is based on security profile, not on vNICs that are limited for virtual appliances.
High availability—For each tenant, you can deploy a Cisco VSG in active-standby mode to ensure a highly available operating environment with vPath redirecting packets to the standby Cisco VSG when the primary Cisco VSG is unavailable.
Independent capacity planning—You can place a Cisco VSG on a dedicated server, controlled by the security operations team so that maximum compute capacity can be allocated to application workloads. Capacity planning can occur independently across server and security teams, and operational segregation across security, network, and server teams can be maintained.
The servers that run the Cisco Nexus 1000V Virtual Supervisor Module (VSM) and VEM must be in the Microsoft Server Hardware Compatibility list, which is a requirement for running the Microsoft Hyper-V software.
For additional compatibility information, see the Cisco Nexus 1000V Compatibility Information.
Cisco VSG License
The Cisco VSG license is integrated with the Cisco Nexus 1000V Multi-Hypervisor License (Universal License). You need to install the Cisco Nexus 1000V Multi-Hypervisor License for Cisco VSG for Microsoft Hyper-V. When the Cisco Nexus 1000V Multi-Hypervisor License is installed, the license for Cisco VSG is automatically included.
The Cisco Nexus 1000V VSM is available in two modes: essential and advanced. Cisco VSG functionality is available only in the advanced mode. You must install the Cisco Nexus 1000V Multi-Hypervisor License and change the VSM mode to advanced mode.
Note If you try to access Cisco VSG services with VSM in essential mode, an error message indicates that the Cisco Nexus 1000V Multi-Hypervisor License is required for Cisco VSG.
For more information about the Cisco Nexus 1000V for Microsoft Hyper-V license, see the Cisco Nexus 1000V for Microsoft Hyper-V License Configuration Guide.
This section provides the following information about this release:
The Cisco VSG operates with the Cisco Nexus 1000V distributed virtual switch in the Microsoft Hyper-V. The Cisco VSG leverages the virtual network service data path (vPath) that is embedded in the Cisco Nexus 1000V VEM. vPath steers traffic, whether external-to-VM or VM-to-VM, to the Cisco VSG of a tenant. A split-processing model is applied where initial packet processing occurs in the Cisco VSG for policy evaluation and enforcement. After the policy decision is made, the Cisco VSG offloads policy enforcement of remaining packets to vPath.
vPath supports the following features:
Intelligent interception and redirection—Tenant-aware flow classification and subsequent redirection to a designated Cisco VSG tenant.
Fast-Path offload—Per-tenant policy enforcement of flows offloaded by the Cisco VSG to vPath.
Trusted Multitenant Access
You can transparently insert a Cisco VSG into the Microsoft Hyper-V environment where the Cisco Nexus 1000V distributed virtual switch is deployed. Upon insertion, one or more instances of the Cisco VSG is deployed on a per-tenant basis, which allows a highly scaled-out deployment across many tenants. Because tenants are isolated from each other, no traffic can cross tenant boundaries. Depending on the use case, you can deploy the Cisco VSG at the tenant level, at the virtual data center (vDC) level, or at the vApp level.
Note The Cisco VSG is not inherently multitenant. It must be explicitly deployed within each tenant.
As VMs are instantiated for a given tenant, association to security profiles and zone membership occurs immediately through binding with the Cisco Nexus 1000V port profile. Upon instantiation, each VM is placed into a logical trust zone. Security profiles contain context-aware rule sets that specify access policies for traffic that enters and exits each zone. The profiles are applied to zone-to-zone traffic and external-to-zone/zone-to-external traffic. This enforcement occurs within a VLAN because a VLAN often identifies a tenant boundary.
The Cisco VSG evaluates access control rules and then offloads enforcement to the Cisco Nexus 1000V VEM vPath module for performance optimization. Access is permitted or denied based on policies. The Cisco VSG provides policy-based traffic monitoring and generates access logs.
Dynamic (Virtualization-Aware) Operation
A virtualization environment is dynamic, where frequent additions, deletions, and changes occur across tenants and especially across VMs. Live migration of VMs can occur due to manual or programmatic VM motion events.
A Cisco VSG operates with the Cisco Nexus 1000V (and vPath), which supports a dynamic VM environment. Typically, a tenant is created with the Cisco VSG (standalone or active-standby pair) and on the Cisco Prime Network Services Controller (PNSC). Associated security profiles are defined that include trust zone definitions and access control rules.
Each security profile is bound to a Cisco Nexus 1000V port profile (authored on the Cisco Nexus 1000V VSM and published to the Microsoft SCVMM). When a new VM is instantiated, you can assign appropriate port profiles to the virtual Ethernet port of the VM. Because the port profile uniquely refers to a security profile and VM zone membership, security controls are immediately applied. A VM can be repurposed by assigning a different port profile or security profile.
As VM motion events occur, VMs move across physical servers. The Cisco Nexus 1000V ensures that port profile policies and associated security profiles follow the VMs. Security enforcement and monitoring remain transparent to VM motion events.
Setting Up Cisco VSG and VLAN Usages
A Cisco VSG is set up in an overlay fashion so that VMs can reach a Cisco VSG regardless of its location. The vPath component in the Cisco Nexus 1000V VEM intercepts the packets from the VM and sends them to the Cisco VSG for further processing.
A Cisco VSG is configured with three vNICs that are each connected to one of the VLANs. The VLAN functions are as follows:
The Management VLAN connects management platforms such as the Microsoft SCVMM, Cisco Virtual Network Management Center, Cisco Nexus 1000V VSM, and the managed Cisco VSGs.
The Service VLAN provides communications between the Cisco Nexus 1000V VEM and Cisco VSGs. All Cisco VSGs are part of the Service VLAN.
The HA VLAN identifies the active and standby relationship.
You can allocate one or more VM Data VLAN(s) for VM-to-VM communications. In a multitenant environment, the Management VLAN is shared among all tenants. The Service VLAN, HA VLAN, and VM Data VLAN are allocated on a per-tenant basis. When VLAN resources are scarce, you can use a single VLAN for Service and HA functions.
New Features in Cisco VSG Release 5.2(1)VSG2(1.3)
There are no new features introduced in Cisco VSG Release 5.2(1)VSG2(1.3).
Limitations and Restrictions
The Cisco VSG has the following limitations and restrictions:
If the VSM is down when the Cisco VSG is powered on, the Cisco VSG continuously tries to reboot.
Workaround: To prevent this situation, configure the Service VLAN and the HA VLAN used by the Cisco VSG as system vlan vlan_number in the uplink port profile.
Layer 3 mode:
– When the VEM communicates with the Cisco VSG in the Layer 3 mode, an additional header with 82 bytes is added to the original packet. The VEM does not support fragmentation in Layer 3 mode and the ports/network elements (which carry vPath encapsulated packets) must be configured in such a way that the vPath overhead is accommodated. For example, if MTU values of client and server VMs and uplink are all 1500 bytes, set the uplink MTU to 1582 bytes.
– When encapsulated traffic that is destined to a Cisco VSG is connected to a different subnet other than the virtual network adapter subnet, the VEM does not use the Hyper-V host routing table. Instead, the virtual network adapter initiates an ARP for the remote Cisco VSG IP addresses. You must configure the upstream router to respond by using the proxy ARP feature.
– The VEM does not support a routing functionality and it is assumed that the upstream switch/router is configured with the proxy-ARP configuration.
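The Layer 3 mode restriction above means every link that carries vPath-encapsulated traffic must have MTU headroom for the 82-byte header, because the VEM will not fragment. The following planning check is an added example, not code from the release notes or from Cisco; the link names and MTU values are constructed for illustration.

```python
# Added example (not Cisco code): verify that the carrier links between the
# VEM and the Cisco VSG can forward full-size VM frames once vPath adds its
# Layer 3 encapsulation header. The VEM does not fragment in Layer 3 mode,
# so any link whose MTU is below the encapsulated size silently drops traffic.

VPATH_L3_OVERHEAD = 82  # bytes added to each packet in Layer 3 mode (per the release notes)


def required_carrier_mtu(vm_mtus):
    """Smallest MTU a carrier link needs so the largest VM frame survives encapsulation."""
    return max(vm_mtus) + VPATH_L3_OVERHEAD


def find_undersized_links(vm_mtus, carrier_links):
    """Return the names of carrier links that would drop encapsulated packets.

    vm_mtus: MTUs of the protected client/server VMs.
    carrier_links: mapping of link name -> configured MTU for every hop that
    carries vPath traffic (VEM uplink, upstream switch ports, VSG service vNIC).
    """
    needed = required_carrier_mtu(vm_mtus)
    return sorted(name for name, mtu in carrier_links.items() if mtu < needed)


# Constructed sample: 1500-byte VMs; the uplink was left at its default 1500,
# which reproduces the case the release notes describe (uplink must be 1582).
SAMPLE_VM_MTUS = [1500, 1500]
SAMPLE_LINKS = {
    "vem-uplink": 1500,        # hypothetical link name; too small for 1582-byte frames
    "tor-switch-port": 9000,   # hypothetical link name; jumbo-capable, fine
    "vsg-service-vnic": 1600,  # hypothetical link name; has headroom, fine
}

if __name__ == "__main__":
    print("required carrier MTU:", required_carrier_mtu(SAMPLE_VM_MTUS))
    print("links to fix:", find_undersized_links(SAMPLE_VM_MTUS, SAMPLE_LINKS))
```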
Configuring a rule with a reset action:
Configuring a rule with a reset action for the non-TCP/UDP protocol causes dropped traffic. However, the syslog generated for this traffic shows that the action performed for the traffic is reset as shown below:
The following table lists the Cisco VSG and Cisco Nexus 1000V software compatibility matrix.
Cisco VSG Release
Cisco Nexus 1000V Release
Cisco VSG Release 5.2(1)VSG1(4.1)
Cisco VSG Release 5.2(1)VSG2(1.1x)
Cisco VSG Release 5.2(1)VSG2(1.2x)
Cisco VSG Release 5.2(1)VSG2(1.3)
Cisco Nexus 1000V 5.2(1)SM3(1.1a)
Cisco Nexus 1000V 5.2(1)SM3(1.1)
Cisco Nexus 1000V 5.2(1)SM1(5.2a)
Cisco Nexus 1000V 5.2(1)SM1(5.2)
Cisco Nexus 1000V 5.2(1)SM1(5.1)
Cisco VSG Scalability Matrix
The following table lists the Cisco VSG scalability matrix.
Number of VSGs
New connections per second
Number of hosts/VEMs
Number of protected ports/VSG
(on the same host or across multiple hosts)
If Cisco VSG Release 5.2(1)VSG2(1.3) is used with Cisco Nexus 1000V Release 5.2(1)SV3(1.5b), the maximum limits for the Cisco Nexus 1000V are reduced to the following:
250 hosts per DVS.
10,000 vEth ports with up to 6000 vEth ports protected by Cisco VSG.
512 protected ports per host.
Cisco VSG vPath Scale Limits
The following table lists Cisco VSG vPath implementation scale limits.
VMs/tenant or VSG
Bugs are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Internet Protocol (IP) addresses used in this document are for illustration only. Examples, command display output, and figures are for illustration only. If an actual IP address appears in this document, it is coincidental.