Configuring the Cisco Virtual Security Gateway
This chapter describes how to configure the Cisco Virtual Security Gateway (VSG) for the Cisco Nexus 1000V Series switch and the Cisco Nexus 1010 Virtual Services Appliance.
This chapter includes the following sections:
• Configuring the Cisco VSG Port Profile on the VSM
• Configuring the Cisco VSG Through the vsn type Command
• Configuring TCP State-Checks for All Cisco VSG VSNs in vPath
• Verifying the Cisco VSG Configuration
• Where to Go Next
For additional details about the Cisco Nexus 1000V Series switch port profiles, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.2(1)SV1(4a).
Configuring the Cisco VSG Port Profile on the VSM
You can configure the vn-service parameter in the port profile on the Virtual Supervisor Module (VSM).
BEFORE YOU BEGIN
You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation Guide.
You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of Virtual Ethernet Modules (VEMs) you want to protect.
The data IP address and management IP addresses should be configured. To configure the data IP address, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation Guide.
You have completed creating the Cisco VSG port profiles for the service and high-availability (HA) interface.
You are logged in to the switch CLI in EXEC mode.
SUMMARY STEPS
1. configure
2. port-profile port-profile-name
3. org org-name
4. vn-service ip-address ip-address vlan vlan-id [fail {open | close}] [security-profile name]
5. (Optional) copy running-config startup-config
6. exit
DETAILED STEPS

Step 1
Command: configure
Example:
n1000v# configure
n1000v(config)#
Purpose: Places you in global configuration mode.

Step 2
Command: port-profile port-profile-name
Example:
n1000v(config)# port-profile host-profile
n1000v(config-port-prof)#
Purpose: Enters the port profile configuration mode for the named port profile. If the port profile does not exist, it is created with the following characteristics:
port-profile-name—The port profile name can be up to 80 alphanumeric characters and must be unique for each port profile on the Cisco VSG.

Step 3
Command: org org-name
Example:
n1000v(config-port-prof)# org root/Tenant-A
n1000v(config-port-prof)#
Purpose: Designates an organization name for the Cisco VSG port profile.

Step 4
Command: vn-service ip-address ip-address vlan vlan-id [fail {open | close}] [security-profile name]
Example:
n1000v(config-port-prof)# vn-service ip 100.1.1.100 vlan 1000 profile vnsp-1
n1000v(config-port-prof)#
Purpose: Configures the IP address, VLAN ID, and security profile for the Cisco VSG, and optionally sets the fail-safe (fail open or fail close) behavior.
Note: The IP address must match the data interface (data0) IP address on the Cisco VSG.
Note: If you do not specify a security profile name, the name default is assumed. The security profile name must match a security profile created on the Cisco VSG.

Step 5
Command: copy running-config startup-config
Example:
n1000v(config-port-prof)# copy running-config startup-config
n1000v(config-port-prof)#
Purpose: (Optional) Saves configuration changes.

Step 6
Command: exit
Example:
n1000v(config-port-prof)# exit
n1000v(config)#
Purpose: Exits the port profile configuration mode and returns you to the global configuration mode.
Configuring the Cisco VSG Through the vsn type Command
The Cisco VSG is a virtual service node (VSN). To configure the VSN for Cisco VSG functionality, use the vsn type vsg global command to enter the VSN configuration mode for the Cisco VSG.
BEFORE YOU BEGIN
You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation and Upgrade Guide.
You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of VEMs you want to protect.
The data IP address and management IP addresses must be configured. To configure the data IP address, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation Guide.
You have completed creating the Cisco VSG port profiles for the service and HA interface.
You are logged in to the switch CLI in EXEC mode.
SUMMARY STEPS
1. configure
2. vsn type vsg global
DETAILED STEPS

Step 1
Command: configure
Example:
vsm# configure
vsm(config)#
Purpose: Places you in global configuration mode.

Step 2
Command: vsn type vsg global
Example:
vsm(config)# vsn type vsg global
vsm(config-vsn)#
Purpose: Enters VSN configuration mode.
Configuring TCP State-Checks for All Cisco VSG VSNs in vPath
Although TCP state-checks for Cisco VSGs in vPath are enabled by default, you may sometimes want to disable the feature, for example when the information it generates obscures other information that you are specifically interested in.
BEFORE YOU BEGIN
You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation Guide.
You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of VEMs you want to protect.
The data IP address and management IP addresses must be configured. To configure the data IP address, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation Guide.
You have completed creating the Cisco VSG port profiles for the service and HA interface.
You are logged in to the switch CLI in EXEC mode.
SUMMARY STEPS
1. configure
2. vsn type vsg global
3. tcp state-checks
4. no tcp state-checks
5. exit
6. exit
DETAILED STEPS

Step 1
Command: configure
Example:
vsm# configure
vsm(config)#
Purpose: Places you in global configuration mode.

Step 2
Command: vsn type vsg global
Example:
vsm(config)# vsn type vsg global
vsm(config-vsn)#
Purpose: Enters VSN configuration mode.

Step 3
Command: tcp state-checks
Example:
vsm(config-vsn)# tcp state-checks
vsm(config-vsn)#
Purpose: Enables TCP state checks for all Cisco VSG VSNs in the vPath. (This is the default status.)

Step 4
Command: no tcp state-checks
Example:
vsm(config-vsn)# no tcp state-checks
vsm(config-vsn)#
Purpose: Disables the TCP state-checks feature.

Step 5
Command: exit
Example:
vsm(config-vsn)# exit
vsm(config)#
Purpose: Exits the VSN configuration mode and returns you to the global configuration mode.

Step 6
Command: exit
Example:
vsm(config)# exit
vsm#
Purpose: Exits the global configuration mode and returns you to EXEC mode.
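The following Python script is an added example, not code from this guide or from Cisco, that audits the commands covered in the two preceding sections (the vn-service binding in the port profile, and the tcp state-checks setting under vsn type vsg global) as they appear in a saved VSM running-config. It checks the two notes from Step 4 of the port-profile procedure (the IP address must match the VSG data0 address, and the security profile must exist on that VSG), flags a missing org, an out-of-range VLAN, and any fail open binding, and reports whether TCP state-checks have been disabled. Both the running-config text and the inventory of VSG data0 addresses and security profiles are constructed for the example; in practice you would paste the output of show running-config and fill the inventory from your own VSGs.

```python
"""Audit a VSM running-config for Cisco VSG vn-service bindings (added example, not Cisco code).

Recognised command forms (from this chapter): 'port-profile', 'org',
'vn-service ip-address <ip> vlan <id> [fail {open|close}] [security-profile <name>]'
(the abbreviated 'ip' / 'profile' keywords from the page's example are accepted too),
and '[no] tcp state-checks' under 'vsn type vsg global'.
"""
import ipaddress

# Constructed sample running-config; not output captured from a real VSM.
SAMPLE_CONFIG = """\
port-profile type vethernet web-profile
  org root/Tenant-A
  vn-service ip-address 100.1.1.100 vlan 1000 security-profile vnsp-1
port-profile type vethernet db-profile
  org root/Tenant-A
  vn-service ip 100.1.1.101 vlan 1000 fail open profile vnsp-db
port-profile type vethernet legacy-profile
  vn-service ip-address 100.1.1.102 vlan 5000
vsn type vsg global
  no tcp state-checks
"""

# Constructed inventory: VSG data0 IP address -> security profiles defined on that VSG.
VSG_INVENTORY = {
    "100.1.1.100": {"default", "vnsp-1"},
    "100.1.1.101": {"default"},
}


def parse_vn_service(line):
    """Parse one vn-service command into a dict. Keywords may appear in any order."""
    tokens = line.split()
    if tokens[0] != "vn-service":
        raise ValueError(f"not a vn-service command: {line!r}")
    # 'default' is assumed when no security profile is given (Step 4 note);
    # the fail mode is left as None when not configured.
    binding = {"ip": None, "vlan": None, "fail": None, "profile": "default"}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"missing argument after {key!r}: {line!r}")
        value = tokens[i + 1]
        if key in ("ip-address", "ip"):
            binding["ip"] = value
        elif key == "vlan":
            binding["vlan"] = int(value)
        elif key == "fail":
            if value not in ("open", "close"):
                raise ValueError(f"fail must be open or close: {line!r}")
            binding["fail"] = value
        elif key in ("security-profile", "profile"):
            binding["profile"] = value
        else:
            raise ValueError(f"unknown keyword {key!r}: {line!r}")
        i += 2
    if binding["ip"] is None or binding["vlan"] is None:
        raise ValueError(f"vn-service needs an IP address and a VLAN: {line!r}")
    return binding


def audit(config_text, inventory):
    """Return {'findings': [(port_profile, message), ...], 'tcp_state_checks': bool}."""
    findings = []
    tcp_state_checks = True  # enabled by default, per this chapter
    profile, org, in_vsn_global = None, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("port-profile "):
            profile, org, in_vsn_global = line.split()[-1], None, False
        elif line.startswith("org "):
            org = line.split(None, 1)[1]
        elif line.startswith("vn-service "):
            b = parse_vn_service(line)
            if org is None:
                findings.append((profile, "no org configured before vn-service"))
            try:
                ipaddress.IPv4Address(b["ip"])
            except ipaddress.AddressValueError:
                findings.append((profile, f"invalid IP address {b['ip']}"))
                continue
            if not 1 <= b["vlan"] <= 4094:
                findings.append((profile, f"VLAN {b['vlan']} out of range 1-4094"))
            if b["ip"] not in inventory:
                findings.append((profile, f"{b['ip']} is not a known VSG data0 address"))
            elif b["profile"] not in inventory[b["ip"]]:
                findings.append((profile, f"security profile {b['profile']} not defined on VSG {b['ip']}"))
            if b["fail"] == "open":
                findings.append((profile, "fail open: traffic is permitted if the VSG is unreachable"))
        elif line == "vsn type vsg global":
            in_vsn_global, profile = True, None
        elif in_vsn_global and line in ("tcp state-checks", "no tcp state-checks"):
            tcp_state_checks = not line.startswith("no ")
    return {"findings": findings, "tcp_state_checks": tcp_state_checks}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, VSG_INVENTORY)
    for port_profile, message in result["findings"]:
        print(f"{port_profile}: {message}")
    print("tcp state-checks:", "enabled" if result["tcp_state_checks"] else "disabled")
```

Run against the constructed configuration, the script reports nothing for web-profile, an unknown security profile and the fail open setting for db-profile, a missing org, an out-of-range VLAN and an unknown data0 address for legacy-profile, and that TCP state-checks are disabled.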
Verifying the Cisco VSG Configuration
Show Commands
To display information related to a Cisco VSG, perform one of the following tasks on the switch CLI:

Command: show license usage
Example: vsm# show license usage
Purpose: Displays a table with the Cisco VSG license usage information for the Cisco Nexus 1000V Series switch.

Command: show license usage NEXUS_VSG_SERVICES_PKG
Example: vsm# show license usage NEXUS_VSG_SERVICES_PKG
Purpose: Displays the usage information for the license package NEXUS_VSG_SERVICES_PKG.

Command: show vsn {statistics | brief | {detail [{{vlan vlan-num [ip ip-addr]} | module module-num}]}}
Example: vsm# show vsn statistics detail vlan 1
Purpose: Displays information about the configuration, MAC address, state of the associated Cisco VSG and Virtual Ethernet Module (VEM), Veths to which Cisco VSGs are bound, and Virtual Service Node (VSN) statistics for all VEM modules associated with Cisco VSGs.

For detailed information about the fields in the output from these commands, see the Cisco Nexus 1000V Command Reference, Release 4.2(1)SV1(4a).
vPath Ping Command
To verify various connection and reachability attributes of the VSG VSN, you can use the vPath ping command.
The vPath ping command has the following syntax:
ping vsn {all | {ip ip-addr [vlan vlan-num]}} src-module {all | vpath-all | module-num} [timeout secs] [count {count | unlimited}]
Examples
The following example shows how to see the VSN connections and if they are reachable:
VSM-1# ping vsn all src-module all
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(usec) : 3(156) 5(160)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(usec) : 3(230) 5(151)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=2 timeout=1-sec
module(usec) : 3(239) 5(131)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=2 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=3 timeout=1-sec
module(usec) : 3(248) 5(153)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=3 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=4 timeout=1-sec
module(usec) : 3(259) 5(126)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=4 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
This example shows how VSN ping options are displayed:
all All VSNs associated to VMs
This example shows how VSN ping options are displayed for all source modules:
VSM-1# ping vsn all src-module ?
vpath-all All modules having VMs associated to VSNs
This example shows how to set up a ping to a specified VSN IP address from all source modules:
VSM-1# ping vsn ip 10.1.1.60 src-module all
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=0 timeout=1-sec
module(usec) : 4(301) 5(236)
module(failed) : 7(VSN ARP not resolved)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=1 timeout=1-sec
module(usec) : 4(241) 5(138) 7(270)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=2 timeout=1-sec
module(usec) : 4(230) 5(155) 7(256)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=3 timeout=1-sec
module(usec) : 4(250) 5(154) 7(284)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=4 timeout=1-sec
module(usec) : 4(231) 5(170) 7(193)
This example shows how to set up a ping to a specified VSN IP address from all vPath source modules:
VSM-1# ping vsn ip 10.1.1.60 src-module vpath-all
ping vsn 10.1.1.60 vlan 501 from module 4 5, seq=0 timeout=1-sec
module(usec) : 4(223) 5(247)
ping vsn 10.1.1.60 vlan 501 from module 4 5, seq=1 timeout=1-sec
module(usec) : 4(206) 5(167)
ping vsn 10.1.1.60 vlan 501 from module 4 5, seq=2 timeout=1-sec
module(usec) : 4(241) 5(169)
This example shows how to set up a ping to a specified VSN IP address from all source modules, with a timeout and a count:
VSM-1# ping vsn ip 10.1.1.60 src-module all timeout 2 count 3
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=0 timeout=2-sec
module(usec) : 4(444) 5(238) 7(394)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=1 timeout=2-sec
module(usec) : 4(259) 5(154) 7(225)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=2 timeout=2-sec
module(usec) : 4(227) 5(184) 7(216)
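The following Python script is an added example, not part of this guide or of Cisco's software, that turns the ping vsn output shown above into a per-VSN, per-module summary: how many probes each module sent and answered, the integer average round-trip time in microseconds, and which modules never reached a VSN together with the failure reason reported (for example VSN ARP not resolved). It parses only the two line shapes that appear in the examples above (the "ping vsn ... from module ..., seq=... timeout=...-sec" header and the "module(usec)" / "module(failed)" result lines) and ignores anything else, such as the VSM-1# prompt line. The sample output is constructed from those examples.

```python
"""Summarise 'ping vsn' output from a VSM (added example, not Cisco code).

Input line shapes handled (taken from this chapter's examples):
  ping vsn <ip> vlan <vlan> from module <m1> <m2> ..., seq=<n> timeout=<t>-sec
  module(usec)   : 3(156) 5(160)
  module(failed) : 7(VSN ARP not resolved)
Any other line (prompts, blank lines) is ignored.
"""
import re
from collections import defaultdict

# Constructed sample, assembled from the line shapes in the page's examples.
SAMPLE_OUTPUT = """\
VSM-1# ping vsn all src-module all
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(usec) : 3(156) 5(160)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(usec) : 3(230) 5(151)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=0 timeout=1-sec
module(usec) : 4(301) 5(236)
module(failed) : 7(VSN ARP not resolved)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=1 timeout=1-sec
module(usec) : 4(241) 5(138) 7(270)
"""

HEADER_RE = re.compile(
    r"^ping vsn (\S+) vlan (\d+) from module ((?:\d+ )*\d+), seq=(\d+) timeout=(\d+)-sec$"
)
RESULT_RE = re.compile(r"^module\((usec|failed)\)\s*:\s*(.*)$")
ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")  # "3(156)" or "7(VSN ARP not resolved)"


def parse_ping_vsn(text):
    """Return {(vsn_ip, vlan): {module: {'sent', 'ok', 'usec': [...], 'failures': {reason: n}}}}."""
    results = defaultdict(dict)
    current = None  # per-module table for the header most recently seen
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            ip, vlan, modules, _seq, _timeout = m.groups()
            current = results[(ip, int(vlan))]
            for mod in modules.split():  # every listed module sent one probe
                entry = current.setdefault(
                    int(mod), {"sent": 0, "ok": 0, "usec": [], "failures": defaultdict(int)}
                )
                entry["sent"] += 1
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            kind, body = m.groups()
            for mod, value in ENTRY_RE.findall(body):
                entry = current.get(int(mod))
                if entry is None:
                    raise ValueError(f"module {mod} not listed in the preceding header: {line!r}")
                if kind == "usec":
                    entry["ok"] += 1
                    entry["usec"].append(int(value))
                else:
                    entry["failures"][value] += 1
    return results


def summarize(results):
    """Rows of (vsn_ip, vlan, module, ok, sent, avg_usec or None, top failure reason or None)."""
    rows = []
    for (ip, vlan), modules in sorted(results.items()):
        for mod, e in sorted(modules.items()):
            avg = sum(e["usec"]) // len(e["usec"]) if e["usec"] else None
            reason = max(e["failures"], key=e["failures"].get) if e["failures"] else None
            rows.append((ip, vlan, mod, e["ok"], e["sent"], avg, reason))
    return rows


def unreachable(results):
    """List (vsn_ip, vlan, module, reason) for modules that never got an answer from a VSN."""
    out = []
    for (ip, vlan), modules in sorted(results.items()):
        for mod, e in sorted(modules.items()):
            if e["ok"] == 0 and e["failures"]:
                out.append((ip, vlan, mod, max(e["failures"], key=e["failures"].get)))
    return out


if __name__ == "__main__":
    parsed = parse_ping_vsn(SAMPLE_OUTPUT)
    for ip, vlan, mod, ok, sent, avg, reason in summarize(parsed):
        print(f"VSN {ip} vlan {vlan} module {mod}: {ok}/{sent} ok, avg {avg} usec, failure: {reason}")
    for ip, vlan, mod, reason in unreachable(parsed):
        print(f"UNREACHABLE: VSN {ip} vlan {vlan} from module {mod} ({reason})")
```

A module that answers some probes but not others (module 7 in the constructed sample) keeps both its average latency and its failure reason, so intermittent ARP problems are visible alongside the modules that never reach the VSN at all.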
Where to Go Next
After you have completed configuring the Cisco VSG port profile on the switch for protection, proceed to assign port profiles to your VMs for Cisco VSG firewall protection on the vCenter.