Configuring the Cisco Virtual Security Gateway
This chapter describes how to configure the Cisco Virtual Security Gateway (VSG) for the Cisco Nexus 1000V Series switch and the Cisco Nexus 1010 Virtual Services Appliance.
This chapter includes the following sections:
•Configuring the Cisco VSG Port Profile on the VSM
•Configuring the Cisco VSG Through the vsn type Command
•Configuring TCP State-Checks for All Cisco VSG VSNs in vPath
•Verifying the Cisco VSG Configuration
For additional details about the Cisco Nexus 1000V Series switch port profiles, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.2(1)SV1(4a).
Configuring the Cisco VSG Port Profile on the VSM
You can configure the vn-service parameter in the port profile on the Virtual Supervisor Module (VSM).
BEFORE YOU BEGIN
You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation Guide.
You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of Virtual Ethernet Modules (VEMs) you want to protect.
The data IP address and management IP addresses should be configured. To configure the data IP address, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation Guide.
You have completed creating the Cisco VSG port profiles for the service and high-availability (HA) interface.
You are logged in to the switch CLI in EXEC mode.
SUMMARY STEPS
1. configure
2. port-profile port-profile-name
3. org org-name
4. vn-service ip-address ip-address vlan vlan-id [fail {open | close}] [security-profile name]
5. (Optional) copy running-config startup-config
6. exit
DETAILED STEPS
Configuring the Cisco VSG Through the vsn type Command
The Cisco VSG is a virtual service node (VSN). To configure the VSN for Cisco VSG functionality, use the vsn type vsg global command to enter the global configuration mode for the Cisco VSG.
BEFORE YOU BEGIN
You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation and Upgrade Guide.
You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of VEMs you want to protect.
The data IP address and management IP addresses must be configured. To configure the data IP address, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation Guide.
You have completed creating the Cisco VSG port profiles for the service and HA interface.
You are logged in to the switch CLI in EXEC mode.
SUMMARY STEPS
1. configure
2. vsn type vsg global
DETAILED STEPS
Configuring TCP State-Checks for All Cisco VSG VSNs in vPath
TCP state-checks for Cisco VSGs in vPath are enabled by default. There may be times when you want to disable this feature, for example when you do not want the information it generates to obscure other information that you are specifically interested in.
BEFORE YOU BEGIN
You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation Guide.
You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of VEMs you want to protect.
The data IP address and management IP addresses must be configured. To configure the data IP address, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation Guide.
You have completed creating the Cisco VSG port profiles for the service and HA interface.
You are logged in to the switch CLI in EXEC mode.
SUMMARY STEPS
1. configure
2. vsn type vsg global
3. tcp state-checks
4. no tcp state-checks
5. exit
6. exit
DETAILED STEPS
Verifying the Cisco VSG Configuration
To display information related to a Cisco VSG, perform one of the following tasks on the switch CLI:
Show Commands
For detailed information about the fields in the output from these commands, see the Cisco Nexus 1000V Command Reference, Release 4.2(1)SV1(4a).
vPath Ping Command
To verify various connection and reachability attributes of the VSG VSN, you can use the vPath ping command.
The vPath ping command has the following syntax:
ping vsn {all | {ip ip-addr [vlan vlan-num]}} src-module {all | vpath-all | module-num} [timeout secs] [count {count | unlimited}]
Examples
The following example shows how to see the VSN connections and if they are reachable:
VSM-1# ping vsn all src-module all
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(usec) : 3(156) 5(160)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(usec) : 3(230) 5(151)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=2 timeout=1-sec
module(usec) : 3(239) 5(131)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=2 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=3 timeout=1-sec
module(usec) : 3(248) 5(153)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=3 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=4 timeout=1-sec
module(usec) : 3(259) 5(126)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=4 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
This example shows how VSN ping options are displayed:
VSM-1# ping vsn ?
all All VSNs associated to VMs
ip IP Address
vlan VLAN Number
This example shows how VSN ping options are displayed for all source modules:
VSM-1# ping vsn all src-module ?
<3-66> Module number
all All modules in VSM
vpath-all All modules having VMs associated to VSNs
This example shows how to set up a ping from all source modules to a specified VSN IP address:
VSM-1# ping vsn ip 10.1.1.60 src-module all
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=0 timeout=1-sec
module(usec) : 4(301) 5(236)
module(failed) : 7(VSN ARP not resolved)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=1 timeout=1-sec
module(usec) : 4(241) 5(138) 7(270)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=2 timeout=1-sec
module(usec) : 4(230) 5(155) 7(256)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=3 timeout=1-sec
module(usec) : 4(250) 5(154) 7(284)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=4 timeout=1-sec
module(usec) : 4(231) 5(170) 7(193)
This example shows how to set up a ping from all vPath source modules to a specified VSN IP address:
VSM-1# ping vsn ip 10.1.1.60 src-module vpath-all
ping vsn 10.1.1.60 vlan 501 from module 4 5, seq=0 timeout=1-sec
module(usec) : 4(223) 5(247)
ping vsn 10.1.1.60 vlan 501 from module 4 5, seq=1 timeout=1-sec
module(usec) : 4(206) 5(167)
ping vsn 10.1.1.60 vlan 501 from module 4 5, seq=2 timeout=1-sec
module(usec) : 4(241) 5(169)
This example shows how to set up a ping for all source modules of a specified IP address with a time-out and a count:
VSM-1# ping vsn ip 10.1.1.60 src-module all timeout 2 count 3
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=0 timeout=2-sec
module(usec) : 4(444) 5(238) 7(394)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=1 timeout=2-sec
module(usec) : 4(259) 5(154) 7(225)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=2 timeout=2-sec
module(usec) : 4(227) 5(184) 7(216)
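Reading the ping vsn output by eye across many VEMs is error-prone. The following Python script is an added example, not part of the Cisco documentation: it parses output in the format shown above (the embedded sample is constructed from those examples) and reports which modules never received a reply from a VSN, since traffic on those VEMs is handled by the port profile's fail open or fail close setting rather than inspected by the VSG.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample modelled on the ping vsn output above: one VSN answering from both
# VEMs, one that never resolves, and one with a single transient miss on module 7.
SAMPLE_OUTPUT = """\
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(usec) : 3(156) 5(160)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(usec) : 3(230) 5(151)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=0 timeout=1-sec
module(usec) : 4(301) 5(236)
module(failed) : 7(VSN ARP not resolved)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=1 timeout=1-sec
module(usec) : 4(241) 5(138) 7(270)
"""

HEADER_RE = re.compile(r"^ping vsn (\S+) vlan (\d+) from module ([\d ]+), seq=(\d+) timeout=(\d+)-sec$")
RESULT_RE = re.compile(r"^module\((usec|failed)\) : (.*)$")
ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")   # "3(156)" or "7(VSN ARP not resolved)"

def parse_ping_vsn(text):
    """Return {(vsn_ip, vlan): {module: {"usec": [rtts], "failed": [reasons]}}}."""
    results = defaultdict(lambda: defaultdict(lambda: {"usec": [], "failed": []}))
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                                   # a new probe: note which VSN it targets
            current = (m.group(1), int(m.group(2)))
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:           # usec or failed line for that probe
            kind, entries = m.groups()
            for mod, value in ENTRY_RE.findall(entries):
                results[current][int(mod)][kind].append(int(value) if kind == "usec" else value)
    return results

def unreachable_modules(results):
    """(vsn_ip, vlan, module, reason) for every VEM that never got a reply from a VSN."""
    return [(ip, vlan, mod, ", ".join(sorted(set(b["failed"]))))
            for (ip, vlan), mods in results.items()
            for mod, b in sorted(mods.items()) if not b["usec"]]

def loss_and_latency(results):
    """{(vsn_ip, module): (loss_ratio, mean_rtt_usec or None)} for every probed pair."""
    return {(ip, mod): (len(b["failed"]) / (len(b["usec"]) + len(b["failed"])),
                        mean(b["usec"]) if b["usec"] else None)
            for (ip, _), mods in results.items() for mod, b in mods.items()}
```

Feed it the captured output of ping vsn all src-module all; a module listed by unreachable_modules for every VSN it should reach is a VEM whose protected VMs are currently not being inspected.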
Where to Go Next
After you have completed configuring the Cisco VSG port profile on the switch for protection, proceed to assign port profiles to your VMs for Cisco VSG firewall protection on the vCenter.