Installing the Cisco VSG and the Cisco Prime NSC-Quick Start
This chapter contains the following sections:
- Information About Installing the Cisco PNSC and the Cisco VSG
- Task 1: Installing the Cisco PNSC from an OVA Template
- Task 2: On the Cisco PNSC, Setting Up VM-Mgr for vCenter Connectivity
- Task 3: On the VSM, Configuring the Cisco PNSC Policy Agent
- Task 4: On the VSM, Preparing Cisco VSG Port Profiles
- Task 5: Installing the Cisco VSG from an OVA Template
- Task 6: On the Cisco VSG and Cisco PNSC, Verifying the NSC Policy-Agent Status
- Task 7: On the Cisco PNSC, Configuring a Tenant and Security Profile
- Task 8: On the Cisco PNSC, Importing Service Image
- Task 9: On the Cisco PNSC, Adding a Compute Firewall
- Task 10: On the Cisco PNSC, Configuring a Permit-All Rule
- Task 11: On the Cisco VSG, Verifying the Permit-All Rule
- Task 12: Enabling Logging
- Task 13: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG
- Task 14: Sending Traffic Flow and on the Cisco VSG Verifying Statistics and Logs
Information About Installing the Cisco PNSC and the Cisco VSG
This chapter describes how to install and set up a basic working configuration of the Cisco PNSC and Cisco VSG. The example in this chapter uses the OVF template method to install the OVA files of the software. The steps assume that the Cisco Nexus 1000V Series switch is operational, and endpoint VMs are already installed.
Cisco VSG and Cisco PNSC Installation Planning Checklists
Planning the arrangement and architecture of your network and equipment is essential for a successful operation of the Cisco PNSC and Cisco VSG.
- Basic Hardware and Software Requirements
- License Requirements
- VLAN Configuration Requirements
- Required Cisco PNSC and Cisco VSG Information
- Tasks and Prerequisites Checklist
- Host Requirements
- Obtaining the Cisco PNSC and the Cisco VSG Software
Basic Hardware and Software Requirements
The following table lists the basic hardware and software requirements for Cisco VSG and Cisco PNSC installation.
The Cisco VSG software is available for download at http://www.cisco.com/en/US/products/ps13095/index.html and the Cisco PNSC software is available for download at http://www.cisco.com/en/US/products/ps13213/index.html.
For detailed Cisco PNSC installation requirements, see Installing Cisco Prime Network Services Controller.
Requirement | Description
---|---
Two Virtual CPUs | 1.5 GHz for each Virtual CPU for VSG and 1.8 GHz for each Virtual CPU for PNSC.
Memory | 4 GB RAM for the Cisco VSG and 4 GB RAM for the Cisco PNSC or 8 GB for both
Disk Space | One of the following, depending on InterCloud functionality:
Processor | x86 Intel or AMD server with a 64-bit processor listed in the VMware compatibility matrix.
VMware vSphere | 5.5, 6.0, and 6.5 with VMware ESXi (English only)
VMware vCenter | 5.1, 5.5, and 6.0 (English only)
Intel Virtualization Technology (VT) | Enabled in the BIOS
Browser | Any of the following browsers:
Ports | Access to the Cisco PNSC application using a web browser and the following ports (if the deployment uses a firewall, make sure to permit the following ports):
Flash Player | Adobe Flash Player plugin 11.9 or higher
License Requirements
The Cisco VSG license is integrated with the Nexus1000V Multi-Hypervisor License. You need to install the Nexus1000V Multi-Hypervisor License for Cisco VSG for VMware vSphere. The Cisco N1kv VSM is available in two modes: essential and advanced. VSG functionality is available only in the advanced mode. You need to install the Nexus1000V Multi-Hypervisor License and change the VSM mode to advanced mode. When the Nexus1000V Multi-Hypervisor License is installed, the license for Cisco VSG is automatically included.
- Default: The Nexus 1000V switch may be configured in Essential or Advanced mode.
- Essential Mode: Not supported.
- Advanced Mode: After upgrading the software, the Nexus1000V Multi-Hypervisor License is available with a 1024 Socket Count and expires in 60 days.
Note
You must install either the evaluation or the permanent (NEXUS1000V_LAN_SERVICES_PKG) license prior to upgrading to the latest software.
- Evaluation: The Nexus 1000V switch should be in Advanced mode. After upgrading the software, the Nexus1000V Multi-Hypervisor License is available with a 1024 Socket Count and expires in 60 days.
- Permanent: The Nexus 1000V switch should be in Advanced mode. After upgrading the software, the Nexus1000V Multi-Hypervisor License is available with a 1024 Socket Count and expires in 60 days.
Note
You have to request an evaluation or permanent Nexus1000V Multi-Hypervisor License.
For more information about the Cisco Nexus 1000V for VMware vSphere licenses, see the Cisco Nexus 1000V for VMware vSphere License Configuration Guide.
VLAN Configuration Requirements
Follow these VLAN requirements to prepare the Cisco Nexus 1000V Series switch for further installation processes:
- You must have two VLANs that are configured on the Cisco Nexus 1000V Series switch uplink ports: the service VLAN and an HA VLAN (the VLAN does not need to be the system VLAN).
- You must have two port profiles that are configured on the Cisco Nexus 1000V Series switch: one port profile for the service VLAN and one port profile for the HA VLAN (you will be configuring the Cisco VSG IP address on the Cisco VSG so that the Cisco Nexus 1000V Series switch can communicate with it).
Required Cisco PNSC and Cisco VSG Information
The following information can be used later during the Cisco PNSC and Cisco VSG installation.
Type | Your Information
---|---
Cisco VSG name—Unique within the inventory folder and up to 80 characters |
Hostname—Where the Cisco VSG will be installed in the inventory folder |
Datastore name—Where the VM files will be stored |
Cisco VSG management IP address |
VSM management IP address |
Cisco PNSC instance IP address |
Mode for installing the Cisco VSG |
Cisco VSG VLAN number |
Cisco VSG port profile name |
HA pair ID (HA domain ID) |
NSC DNS IP address |
NSC NTP IP address |
Cisco VSG admin password |
Cisco PNSC admin password |
Cisco VSM admin password |
Shared secret password (Cisco PNSC, Cisco VSG policy agent, Cisco VSM policy agent) |
Tasks and Prerequisites Checklist
Tasks | Prerequisites
---|---
Task 1: Installing the Cisco PNSC from an OVA Template |
Task 2: On the Cisco PNSC, Setting Up VM-Mgr for vCenter Connectivity |
Task 3: On the VSM, Configuring the Cisco PNSC Policy Agent |
Task 4: On the VSM, Preparing Cisco VSG Port Profiles |
Task 5: Installing the Cisco VSG from an OVA Template |
Task 6: On the Cisco VSG and Cisco PNSC, Verifying the NSC Policy-Agent Status | —
Task 7: On the Cisco PNSC, Configuring a Tenant and Security Profile |
Task 8: On the Cisco PNSC, Importing Service Image | —
Task 10: On the Cisco PNSC, Configuring a Permit-All Rule | —
Task 11: On the Cisco VSG, Verifying the Permit-All Rule | —
Task 12: Enabling Logging | —
Task 13: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG |
Task 14: Sending Traffic Flow and on the Cisco VSG Verifying Statistics and Logs | —
Host Requirements
Obtaining the Cisco PNSC and the Cisco VSG Software
The Cisco VSG software is available for download at the following URL:
http://www.cisco.com/en/US/products/ps13095/index.html
The Cisco PNSC software is available for download at the following URL:
http://www.cisco.com/en/US/products/ps13213/index.html
Task 1: Installing the Cisco PNSC from an OVA Template
Know the following:
- The Cisco PNSC OVA image is available in the vCenter.
- Know the IP/subnet mask/gateway information for the Cisco PNSC.
- Know the admin password, shared_secret, and hostname that you want to use.
- Know the DNS server and domain name information.
- Know the NTP server information.
- Know the management port-profile name for the Virtual Machine (VM) (management).
Note
The management port profile is the same port profile that is used for the Virtual Supervisor Module (VSM). The port profile is configured in the VSM and is used for the Cisco PNSC management interface.
- Make sure that all system requirements are met as specified in System Requirements.
- A shared secret password is available (this password enables communication between the Cisco PNSC, VSM, and Cisco VSG).
Task 2: On the Cisco PNSC, Setting Up VM-Mgr for vCenter Connectivity
Perform the following tasks in the same order as listed below to set up the VM-manager for vCenter connectivity:
- Downloading the vCenter Extension File from the Cisco PNSC
- Registering the vCenter Extension Plugin in the vCenter
- Configuring the vCenter in VM Manager in the Cisco PNSC
Downloading the vCenter Extension File from the Cisco PNSC
Make sure that you have the following:
- Supported Adobe Flash Player given in System Requirements
- IP address of the Cisco PNSC
- The password for the Admin user
Step 1 | In your browser, enter https://server-ip-address where server-ip-address is the Cisco PNSC IP address. |
Step 2 | In the Website Security Certificate window, choose Continue to this website. |
Step 3 | In the Cisco PNSC login window, enter the username admin and the admin user password. This is the password that you set when installing the Cisco PNSC. |
Step 4 | In the Cisco PNSC window, choose |
Step 5 | In the VM Managers pane, click Export vCenter Extension. |
Step 6 | Save the vCenter extension file in a directory that the vSphere Client can access, because you will need to register the vCenter extension plug-in from within the vSphere Client (see Registering the vCenter Extension Plugin in the vCenter). |
What to Do Next
Go to Registering the vCenter Extension Plugin in the vCenter.
Registering the vCenter Extension Plugin in the vCenter
This task is completed from the vSphere Client on your client desktop.
See Downloading the vCenter Extension File from the Cisco PNSC.
Step 1 | From the VMware vSphere Client, log into the vCenter server. |
Step 2 | In the vSphere Client window, choose . |
Step 3 | Right-click the window background and choose New Plug-in. |
Step 4 | Browse to the Cisco PNSC vCenter extension file that you previously downloaded and click Register Plug-in. The vCenter Register Plug-in Window appears, displaying a security warning. |
Step 5 | In the security warning message box, click Ignore. A progress indicator shows the task status. |
Step 6 | When the success message is displayed, click OK, then click Close. |
What to Do Next
Go to Configuring the vCenter in VM Manager in the Cisco PNSC.
Configuring the vCenter in VM Manager in the Cisco PNSC
See Task 2: On the Cisco PNSC, Setting Up VM-Mgr for vCenter Connectivity.
Task 3: On the VSM, Configuring the Cisco PNSC Policy Agent
After installing the Cisco PNSC, you must configure the Cisco PNSC policy agent on the VSM so that the VSM registers with the Cisco PNSC.
Make sure that you know the following:
- The Cisco PNSC policy-agent image is available on the VSM (for example, vsmcpa.3.2.3a.bin)
Note
The string vsmcpa must appear in the image name.
- The IP address of the Cisco PNSC
- The shared secret password you defined during the Cisco PNSC installation
- That IP connectivity between the VSM and the Cisco PNSC is working
Note
If you upgrade your VSM, you must also copy the latest Cisco VSM policy agent image, which is available in the Cisco PNSC image bundle, to the VSM bootflash and complete registration with the Cisco PNSC.
Step 1 | On the VSM, enter the following commands: |
vsm# configure terminal
vsm(config)# nsc-policy-agent
vsm(config-nsc-policy-agent)# registration-ip 10.193.75.95
vsm(config-nsc-policy-agent)# shared-secret Example_Secret123
vsm(config-nsc-policy-agent)# policy-agent-image vsmcpa.3.2.3a.bin
vsm(config-nsc-policy-agent)# exit
vsm(config)# copy running-config startup-config
vsm(config)# exit
Step 2 | Check the status of the NSC policy agent configuration to verify that you have installed the Cisco PNSC correctly and that it is reachable by entering the show nsc-pa status command. This example shows that the Cisco PNSC is reachable and the installation is correct: |
vsm# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 3.4(2)-vsm
vsm#
The VSM is now registered with the Cisco PNSC.
This example shows that the Cisco PNSC is unreachable or an incorrect IP is configured:
vsm# show nsc-pa status
NSC Policy-Agent status is - Installation Failure PNSC not reachable.
vsm#
This example shows that the NSC policy agent is not configured or installed:
vsm# show nsc-pa status
NSC Policy-Agent status is - Not Installed
Task 4: On the VSM, Preparing Cisco VSG Port Profiles
To prepare Cisco VSG port profiles, you must create the VLANs and use the VLANs in the Cisco VSG data port profile and the Cisco VSG-ha port profile.
Make sure that you know the following:
Step 1 | On the VSM, create the VLANs by first entering global configuration mode using the following command: |
vsm# configure
Step 2 | Enter the following configuration commands: |
vsm(config)# vlan 100
vsm(config-vlan)# no shutdown
vsm(config-vlan)# exit
vsm(config)# vlan 200
vsm(config-vlan)# no shutdown
vsm(config-vlan)# exit
vsm(config)# exit
vsm# configure
vsm(config)# copy running-config startup-config
vsm(config)# exit
Step 3 | Press Ctrl-Z to exit. |
Step 4 | Create a Cisco VSG data port profile and a Cisco VSG-ha port profile by first enabling the Cisco VSG data port-profile configuration mode. Use the configure command to enter global configuration mode. |
vsm# configure
Step 5 | Enter the following configuration commands: |
vsm(config)# port-profile VSG-Data
vsm(config-port-prof)# vmware port-group
vsm(config-port-prof)# switchport mode access
vsm(config-port-prof)# switchport access vlan 100
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# exit
vsm(config)# copy running-config startup-config
vsm(config)# exit
Step 6 | Press Ctrl-Z to end the session. |
Step 7 | Enable the Cisco VSG-ha port profile configuration mode. |
vsm# configure
Step 8 | Enter the following configuration commands: |
vsm(config)# port-profile VSG-HA
vsm(config-port-prof)# vmware port-group
vsm(config-port-prof)# switchport mode access
vsm(config-port-prof)# switchport access vlan 200
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# exit
vsm(config)# copy running-config startup-config
vsm(config)# exit
Step 9 | Add the VLANs created for the Cisco VSG data and Cisco VSG-ha interfaces as part of the allowed VLANs into the uplink port profile. Use the configure command to enter global configuration mode. |
vsm# configure
Step 10 | Enter the following configuration commands: |
vsm(config)# port-profile type ethernet uplink
vsm(config-port-prof)# switchport trunk allowed vlan add 100, 200
vsm(config-port-prof)# exit
vsm(config)#
Step 11 | Press Ctrl-Z to end the session. |
Task 5: Installing the Cisco VSG from an OVA Template
Make sure that you know the following:
- The Cisco VSG OVA image is available in the vCenter.
- Cisco VSG-Data and Cisco VSG-ha port profiles are created on the VSM.
- The management port profile (management)
Note
The management port profile is the same port profile that is used for the VSM. The port profile is configured in the VSM and is used for the Cisco PNSC management interface.
- The Cisco VSG-Data port profile: VSG-Data
- The Cisco VSG-ha port profile: VSG-ha
- The HA ID
- The IP/subnet mask/gateway information for the Cisco VSG
- The admin password
- 2 GB RAM and 3 GB hard disk space are available
- The Cisco PNSC IP address
- The shared secret password
- The IP connectivity between Cisco VSG and Cisco PNSC is okay.
- The Cisco VSG NSC-PA image name (nsc-vsgpa.2.1.3i.bin) is available.
Step 1 | Choose the host on which to deploy the Cisco VSG VM. |
Step 2 | Choose . |
Step 3 | In the Deploy OVF Template—Source window, browse to the path to the Cisco VSG OVA file, and then click Next. |
Step 4 | In the Deploy OVF Template—OVF Template Details window, review the product information including the size of the file and the VM disk, and then click Next. |
Step 5 | In the Deploy OVF Template—End User License Agreement window, click Accept after reviewing the end user license agreement and then click Next. |
Step 6 | In the Deploy OVF Template—Name and Location window, do the following: |
Step 7 | In the Deploy OVF Template—Deployment Configuration window, from the Configuration drop-down list, choose Deploy medium VSG, and then click Next. |
Step 8 | In the Deploy OVF Template—Datastore window, choose the data store for the VM and click Next. The storage can be local or shared remote such as the network file storage (NFS) or the storage area network (SAN). |
Step 9 | In the Deploy OVF Template—Disk Format window, do the following: |
Step 10 | In the Deploy OVF Template—Network Mapping window, do the following: |
Step 11 | In the Deploy OVF Template—Properties window, do the following: |
Step 12 | In the Ready to Complete window, review the deployment settings information. |
Step 13 | Click Finish. The Deploying Nexus 1000VSG dialog box opens. The progress bar in the Deploying Nexus 1000VSG dialog box shows how much of the deployment task is completed before the Cisco PNSC is deployed. |
Step 14 | Wait and click Close after the progress indicator shows that the deployment is completed successfully. |
Step 15 | From your virtual machines, do one of the following: |
Step 16 | In the Virtual Machine Properties window, do the following: Choosing 2 CPUs results in higher performance. |
Step 17 | Power on the Cisco VSG VM. |
Task 6: On the Cisco VSG and Cisco PNSC, Verifying the NSC Policy-Agent Status
You can use the show nsc-pa status command to verify the NSC policy-agent status (which can indicate that you have installed the policy-agent successfully).
Step 1 | Log in to the Cisco VSG. |
Step 2 | Check the status of the NSC-PA configuration by entering the following command: |
vsg# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 2.1(3i)-vsg
vsg#
Step 3 | Log in to the Cisco PNSC. |
Step 4 | Choose . |
Step 5 | Confirm that the table in the Clients window contains the registered value in the Oper State column for the Cisco VSG and VSM entries. |
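Task 3 and Task 6 both rely on reading the `show nsc-pa status` line correctly, and the three outcomes (installed, PNSC unreachable, not installed) are easy to misread when you collect the output from several VSMs and VSGs. The following Python parser is an added example, not code from the Cisco guide: it classifies each device's output and lists the devices that are not registered with the Cisco PNSC. The sample outputs are constructed from the ones shown in Task 3 and Task 6; parse_nsc_pa_status, unregistered_devices and PolicyAgentStatus are names chosen here.

```python
"""Classify `show nsc-pa status` output from Cisco VSMs and VSGs.

Added example, not part of the Cisco guide. The sample outputs below are
constructed from the ones the guide shows; the three status strings are the
ones the guide documents.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The status line carries one of three fixed states; whatever follows it (a
# version string, or a failure reason such as "PNSC not reachable.") is detail.
STATUS_RE = re.compile(
    r"NSC Policy-Agent status is - "
    r"(?P<state>Installed Successfully|Installation Failure|Not Installed)"
    r"\.?\s*(?P<detail>.*)$"
)
VERSION_RE = re.compile(r"Version\s+(?P<version>\S+)")


@dataclass
class PolicyAgentStatus:
    state: str               # one of the three documented states
    registered: bool         # True only for "Installed Successfully"
    version: Optional[str]   # e.g. "3.4(2)-vsm" on a VSM, "2.1(3i)-vsg" on a VSG
    detail: str              # failure reason, if the device printed one


def parse_nsc_pa_status(output: str) -> PolicyAgentStatus:
    """Parse captured `show nsc-pa status` output (prompt lines are ignored)."""
    for line in output.splitlines():
        m = STATUS_RE.search(line)
        if not m:
            continue
        state = m.group("state")
        detail = m.group("detail").strip()
        version = None
        vm = VERSION_RE.search(detail)
        if vm:
            version = vm.group("version")
            detail = (detail[:vm.start()] + detail[vm.end():]).strip()
        return PolicyAgentStatus(state, state == "Installed Successfully", version, detail)
    raise ValueError("no 'NSC Policy-Agent status' line found in output")


def unregistered_devices(outputs: Dict[str, str]) -> List[str]:
    """Return 'device: state detail' for every device that is not registered."""
    problems = []
    for device, output in outputs.items():
        st = parse_nsc_pa_status(output)
        if not st.registered:
            problems.append(f"{device}: {st.state} {st.detail}".strip())
    return problems


# Constructed samples, modelled on the outputs shown in Task 3 and Task 6.
VSM_OK = """vsm# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 3.4(2)-vsm
vsm#"""
VSM_UNREACHABLE = """vsm# show nsc-pa status
NSC Policy-Agent status is - Installation Failure PNSC not reachable.
vsm#"""
VSM_NOT_INSTALLED = """vsm# show nsc-pa status
NSC Policy-Agent status is - Not Installed"""
VSG_OK = """vsg# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 2.1(3i)-vsg
vsg#"""

if __name__ == "__main__":
    fleet = {"vsm-1": VSM_OK, "vsm-2": VSM_UNREACHABLE,
             "vsg-1": VSG_OK, "vsg-2": VSM_NOT_INSTALLED}
    for line in unregistered_devices(fleet):
        print(line)
```

Feed the function the raw session capture from each device; it tolerates the prompt lines and only needs the status line itself. A device reporting Installation Failure is the one to check for shared-secret or registration-ip mistakes from Task 3 before moving on to the compute-firewall steps.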
Task 7: On the Cisco PNSC, Configuring a Tenant and Security Profile
This task includes the following subtasks:
Make sure that you know the following:
- Supported Adobe Flash Player given in System Requirements
- The IP address of the Cisco PNSC
- The password for the Admin user
Step 1 | In your browser, enter https://server-ip-address where server-ip-address is the Cisco PNSC IP address. |
Step 2 | In the Website Security Certificate window, choose Continue to this website. |
Step 3 | In the Cisco PNSC login window, enter the username admin and the admin user password. |
Step 4 | In the Cisco PNSC main window, choose to check the Cisco VSG and VSM registration in the Cisco PNSC. |
What to Do Next
Configuring a Tenant on the Cisco PNSC
Tenants are entities (businesses, agencies, institutions, and so on) whose data and processes are hosted on VMs on the virtual data center. To provide firewall security for each tenant, the tenant must first be configured in the Cisco PNSC.
Step 1 | In the Cisco PNSC, choose . |
Step 2 | In the upper-right corner of the Tenant Management Root pane, click Create Tenant. The tenant name can contain 1 to 32 alphanumeric characters including hyphen, underscore, dot, and colon. You cannot change this name after it is created. The newly created tenant is listed in the navigation pane under root. |
What to Do Next
Configuring a Security Profile on the Cisco PNSC
You can configure a security profile on the Cisco PNSC.
What to Do Next
Next, you need to add a compute firewall as described in Task 9: On the Cisco PNSC, Adding a Compute Firewall. While adding a compute firewall, you either instantiate a VSG service device from an image or assign a VSG or VSG pool. To instantiate a VSG service device from an image, you first need to import the VSG service image as described in Task 8: On the Cisco PNSC, Importing Service Image.
Task 8: On the Cisco PNSC, Importing Service Image
This step is required to instantiate a VSG service device from an image in Task 9: On the Cisco PNSC, Adding a Compute Firewall. This step is not required for assigning a VSG or VSG pool option in Task 9: On the Cisco PNSC, Adding a Compute Firewall.
Step 1 | Log in to the Cisco PNSC. |
Step 2 | Choose . |
Step 3 | Click Import Service Image. |
Step 4 | In the Import Service Image dialog box, do the following: |
Task 9: On the Cisco PNSC, Adding a Compute Firewall
You can add a compute firewall and assign it to a Cisco VSG, thereby placing the Cisco VSG in service. A wizard walks you through the configuration process, which includes assigning a Cisco VSG, assigning profiles, and configuring interfaces.
When you add a new compute firewall, the firewall data IP address can be the same as the data IP address of an existing compute firewall in Cisco PNSC as long as the firewalls have different organizational paths. That is, as long as the firewalls do not reside in the same organization, including parent and child organizations.
To place a Cisco VSG in service, at least one of the following must exist:
- To assign a Cisco VSG, an available Cisco VSG must be registered in Cisco PNSC. For more information, see Task 6: On the Cisco VSG and Cisco PNSC, Verifying the NSC Policy-Agent Status.
- To assign a Cisco VSG pool, a Cisco VSG pool must have at least one available Cisco VSG.
- To instantiate a Cisco VSG service device, a VM service image must be imported and VM Manager must be configured in the Cisco PNSC. For more information on importing service images, see Task 8: On the Cisco PNSC, Importing Service Image.
Step 1 | Log in to the Cisco PNSC. |
Step 2 | Choose . |
Step 3 | From the Actions drop-down list, select Add Compute Firewall. The Add Compute Firewall Wizard opens. |
Step 4 | In the Properties window, supply the information as described in the Properties Window, and then click Next. |
Step 5 | In the Service Device window, select the required VSG service device as described in the Service Device Window, and then click Next. |
Step 6 | (Instantiate option only) If you instantiate a VSG service device from an image, do one or both of the following in the Placement screen, then click Next: |
Step 7 | In the Interfaces window, configure interfaces as follows, and then click Next: |
Step 8 | In the Summary window, confirm that the information is correct, and then click Finish. |
Properties Window
Field | Description
---|---
Name | Compute firewall name. This name can contain 1 to 32 identifier characters. You can use alphanumeric characters including hyphen, underscore, dot, and colon. You cannot change this name after it is created.
Description | Compute firewall description.
Host Name | Management hostname of the firewall.
Device Configuration Profile |
Service Device Window
Field | Description
---|---
Assign VSG | Assign a VSG to the compute firewall. In the VSG Device drop-down list, choose the required service device.
Assign VSG Pool | Assign a VSG pool to the compute firewall. In the VSG Pool field, either choose the required pool from the drop-down list or click Add Pool to add a new pool.
Instantiate |
Task 10: On the Cisco PNSC, Configuring a Permit-All Rule
You can configure a permit-all rule in the Cisco PNSC.
Step 1 | Log in to the Cisco PNSC. |
Step 2 | In the Cisco PNSC window, choose . |
Step 3 | In the Service Profile window, choose . |
Step 4 | In the right pane, click Add ACL Policy Set. |
Step 5 | In the Add ACL Policy Set dialog box, enter a name and description for the policy set, and then click Add ACL Policy. |
Step 6 | In the Add ACL Policy dialog box, enter a name and description for the policy, and then click Add Rule above the Name column. |
Step 7 | In the Add ACL Policy Rule dialog box, do the following: |
Step 8 | In the Add ACL Policy dialog box, click OK. The newly created policy is displayed in the Assigned field. |
Step 9 | In the Add ACL Policy Set dialog box, click OK. |
Step 10 | In the Security Profile window, click Save. |
Task 11: On the Cisco VSG, Verifying the Permit-All Rule
You can verify that the rule is present in the Cisco VSG by using the Cisco VSG CLI and the show commands.
vsg# show running-config | begin security
security-profile SP_web@root/Tenant-A
  policy PS_web@root/Tenant-A
  custom-attribute vnsporg "root/tenant-a"
security-profile default@root
  policy default@root
  custom-attribute vnsporg "root"
rule Pol_web/permit-all@root/Tenant-A cond-match-criteria: match-all
  action permit
  action log
rule default/default-rule@root cond-match-criteria: match-all
  action drop
Policy PS_web@root/Tenant-A
  rule Pol_web/permit-all@root/Tenant-A order 101
Policy default@root
  rule default/default-rule@root order 2
Task 12: Enabling Logging
To enable logging, follow these procedures:
Enabling Policy-Engine Logging in a Monitor Session
Configuring a syslog policy enables you to specify the level of syslog messages to log and where to log the messages.
Step 1 | Log in to the Cisco PNSC. |
Step 2 | In the Cisco PNSC window, choose . |
Step 3 | In the Syslog table, select default, then click Edit. |
Step 4 | In the Edit Syslog dialog box, click the Servers tab. |
Step 5 | In the Syslog Policy table, select the primary server type, then click Edit. |
Step 6 | In the Edit Syslog Client dialog box, provide the following information, then click OK in the open dialog boxes: |
What to Do Next
Enabling Global Policy-Engine Logging
Logging enables you to see what traffic is going through your monitored VM. This logging is helpful for verifying that you have a proper configuration and to help in troubleshooting.
Task 13: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG
This section includes the following topics:
Enabling Traffic VM Port-Profile for Firewall Protection
Verifying the VSM or VEM for Cisco VSG Reachability
Checking the VM Virtual Ethernet Port for Firewall Protection
Make sure that you know the following:
- The server virtual machine that runs with an access port profile (for example, web server)
- The Cisco VSG data IP address (for example, 10.10.10.200) and VLAN ID (100)
- The security profile name (for example, sp-web)
- The organization (Org) name (for example, root/Tenant-A)
- The port profile that you would like to edit to enable firewall protection
- That one active port in the port-profile with vPath configuration has been set up
Enabling Traffic VM Port-Profile for Firewall Protection
You can enable a traffic VM port profile for traffic protection.
vsm(config)# port-profile type vethernet pp-webserver
  vmware port-group
  switchport mode access
  switchport access vlan 756
  no shutdown
  state enabled
Enable firewall protection:
VSM(config)# port-profile pp-webserver
VSM(config-port-prof)# vservice node vsg1 profile SP_web
VSM(config-port-prof)# org root/Tenant-A
Verify the traffic VM port profile after firewall protection:
VSM(config)# port-profile type vethernet pp-webserver
  vmware port-group
  switchport mode access
  switchport access vlan 756
  org root/Tenant-A
  vservice node vsg1 profile SP_web
  no shutdown
  state enabled
Verifying the VSM or VEM for Cisco VSG Reachability
This example shows how to verify the communication between the VEM and the VSG:
vsm(config)# show vservice brief
--------------------------------------------------------------------------------
License Information
--------------------------------------------------------------------------------
Type In-Use-Lic-Count UnLicensed-Mod
asa 0
--------------------------------------------------------------------------------
Node Information
--------------------------------------------------------------------------------
ID Name Type IP-Address Mode State Module
2 VSG-L2-V vsg 10.1.1.251 v-920 Alive 3,6,
--------------------------------------------------------------------------------
Path Information
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Port Information
--------------------------------------------------------------------------------
PortProfile:Vsg220
Org:root/T1
Node:VSG-L2-V(10.1.1.251) Profile(Id):sp11(5)
Veth Mod VM-Name vNIC IP-Address
9 6 inside_vm 1 10.1.1.81
19 3 outside_vm 1 10.1.1.82
A display showing the MAC-ADDR Listing and Up state verifies that the VEM can communicate with the Cisco VSG.
Note | In order to see the above status, one active port in the port profile with vPath configuration needs to be up. |
Checking the VM Virtual Ethernet Port for Firewall Protection
This example shows how to verify the VM Virtual Ethernet port for firewall protection:
VSM(config)# show vservice port brief vethernet 23
--------------------------------------------------------------------------------
Port Information
--------------------------------------------------------------------------------
PortProfile:pp-webserver
Org:root/Tenant-A
Node:vsg1(40.40.40.40) Profile(Id):SP_web(29)
Veth Mod VM-Name vNIC IP-Address
23 4 vm1 2 14.14.14.21
Note | Make sure that your VNSP ID value is greater than 1. |
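The Port Information listings from `show vservice brief` and `show vservice port brief` are what tell you whether a VM's vEthernet port is actually bound to the intended VSG node, security profile and org. The following Python parser and check is an added example, not code from the Cisco guide: it reads the Port Information block of either command and flags a port whose binding does not match what was configured in Task 13, including the note above that the VNSP ID must be greater than 1. The samples are constructed from the output shown in this task; parse_vservice_port_brief, check_firewall_protection and PortBinding are names chosen here.

```python
"""Parse the Port Information section of `show vservice port brief` or
`show vservice brief` and check a VM's vEth binding.

Added example, not code from the Cisco guide. The samples are constructed
from the output shown in Task 13; names and field keys are chosen here.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Node:vsg1(40.40.40.40) Profile(Id):SP_web(29)" -> node, ip, profile, VNSP id
NODE_RE = re.compile(
    r"Node:(?P<node>[^(\s]+)\((?P<ip>[^)]+)\)\s+Profile\(Id\):(?P<profile>[^(\s]+)\((?P<vnsp>\d+)\)"
)


@dataclass
class PortBinding:
    """One PortProfile block: its vPath binding plus the vEth rows under it."""
    port_profile: str
    org: Optional[str] = None
    node: Optional[str] = None
    node_ip: Optional[str] = None
    profile: Optional[str] = None
    vnsp_id: Optional[int] = None
    veths: List[Dict[str, object]] = field(default_factory=list)


def parse_vservice_port_brief(output: str) -> List[PortBinding]:
    bindings: List[PortBinding] = []
    current: Optional[PortBinding] = None
    in_rows = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("PortProfile:"):
            current = PortBinding(port_profile=line.split(":", 1)[1].strip())
            bindings.append(current)
            in_rows = False
        elif current is None:
            continue  # prompt, License/Node/Path sections precede the first block
        elif line.startswith("Org:"):
            current.org = line.split(":", 1)[1].strip()
        elif line.startswith("Node:"):
            m = NODE_RE.match(line)
            if m:
                current.node, current.node_ip = m.group("node"), m.group("ip")
                current.profile, current.vnsp_id = m.group("profile"), int(m.group("vnsp"))
        elif line.startswith("Veth "):
            in_rows = True  # column header: Veth Mod VM-Name vNIC IP-Address
        elif in_rows:
            parts = line.split()
            if len(parts) == 5 and parts[0].isdigit():
                current.veths.append({"veth": int(parts[0]), "module": int(parts[1]),
                                      "vm": parts[2], "vnic": int(parts[3]), "ip": parts[4]})
            else:
                in_rows = False  # separator or next section
    return bindings


def check_firewall_protection(bindings: List[PortBinding], veth: int,
                              node: str, profile: str, org: str) -> List[str]:
    """Return problems for vEthernet `veth`; an empty list means it is protected as expected."""
    for b in bindings:
        if not any(r["veth"] == veth for r in b.veths):
            continue
        problems = []
        if b.node != node:
            problems.append(f"veth {veth} bound to node {b.node!r}, expected {node!r}")
        if b.profile != profile:
            problems.append(f"veth {veth} uses profile {b.profile!r}, expected {profile!r}")
        if b.org != org:
            problems.append(f"veth {veth} in org {b.org!r}, expected {org!r}")
        if b.vnsp_id is None or b.vnsp_id <= 1:
            problems.append(f"veth {veth} has VNSP ID {b.vnsp_id}; it must be greater than 1")
        return problems
    return [f"veth {veth} is not listed under any vPath-enabled port profile"]


# Constructed sample, modelled on the `show vservice port brief` output above.
PORT_BRIEF = """VSM(config)# show vservice port brief vethernet 23
--------------------------------------------------------------------------------
Port Information
--------------------------------------------------------------------------------
PortProfile:pp-webserver
Org:root/Tenant-A
Node:vsg1(40.40.40.40) Profile(Id):SP_web(29)
Veth Mod VM-Name vNIC IP-Address
23 4 vm1 2 14.14.14.21
"""

if __name__ == "__main__":
    bindings = parse_vservice_port_brief(PORT_BRIEF)
    print(check_firewall_protection(bindings, 23, "vsg1", "SP_web", "root/Tenant-A") or "veth 23 protected")
```

Because everything before the first PortProfile: line is skipped, the same parser accepts the full `show vservice brief` output (License, Node and Path sections included) and returns one PortBinding per port profile listed there.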
Task 14: Sending Traffic Flow and on the Cisco VSG Verifying Statistics and Logs
This section includes the following topics:
Sending Traffic Flow
You can send traffic flow through the Cisco VSG to ensure that it is functioning properly.
Step 1 | Ensure that the VM (Server-VM) is using the port profile (pp-webserver) configured for firewall protection. |
Step 2 | In the Virtual Machine Properties window, do the following: |
[root@]# wget http://172.31.2.92/
--2010-11-28 13:38:40-- http://172.31.2.92/
Connecting to 172.31.2.92:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 258 [text/html]
Saving to: `index.html'
100%[=======================================================================>] 258 --.-K/s in 0s
2010-11-28 13:38:40 (16.4 MB/s) - `index.html' saved [258/258]
[root]#
Step 3 | Check the policy-engine statistics and log on the Cisco VSG. |
What to Do Next
Go to Verifying Policy-Engine Statistics and Logs on the Cisco VSG.
Verifying Policy-Engine Statistics and Logs on the Cisco VSG
Log in to the Cisco VSG and check the policy-engine statistics and logs.
This example shows how to check the policy-engine statistics and logs:
vsg# show policy-engine stats
Policy Match Stats:
default@root : 0
  default/default-rule@root : 0 (Drop)
  NOT_APPLICABLE : 0 (Drop)
PS_web@root/Tenant-A : 1
  pol_web/permit-all@root/Tenant-A : 1 (Log, Permit)
  NOT_APPLICABLE : 0 (Drop)
vsg# terminal monitor
vsg# 2010 Nov 28 05:41:27 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT: policy=PS_web@root/Tenant-A rule=pol_web/permit-all@root/Tenant-A action=Permit direction=egress src.net.ip-address=172.31.2.91 src.net.port=48278 dst.net.ip-address=172.31.2.92 dst.net.port=80 net.protocol=6 net.ethertype=800
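The permit-all rule verified in Task 11 carries both action permit and action log, which is why the wget flow above produces a counter increment in the stats and a POLICY_LOOKUP_EVENT line. The following Python code is an added example, not part of the Cisco guide: it parses the stats block and the syslog line into structured data and confirms that the test flow was permitted by the intended rule, which is the check a practitioner wants before replacing permit-all with a real policy. The samples are constructed from the output shown above; parse_policy_engine_stats, parse_policy_event and verify_rule_hits are names chosen here.

```python
"""Parse `show policy-engine stats` and POLICY_LOOKUP_EVENT syslog lines from a
Cisco VSG and confirm that test traffic hit the intended rule.

Added example, not code from the Cisco guide. The samples are constructed from
the output shown in Task 14; the event field names (policy, rule, action,
src.net.ip-address, ...) are as the VSG prints them in that sample.
"""
import re
from typing import Dict, List

# "name : count" is a policy line; "name : count (Action, ...)" is a rule under it.
STATS_LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s*:\s*(?P<count>\d+)(?:\s*\((?P<actions>[^)]*)\))?\s*$"
)
# Timestamp, hostname, facility-severity-mnemonic, then key=value pairs.
EVENT_RE = re.compile(
    r"(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%POLICY_ENGINE-(?P<sev>\d)-(?P<mnemonic>\w+): (?P<body>.*)$"
)
INT_FIELDS = ("src.net.port", "dst.net.port", "net.protocol")


def parse_policy_engine_stats(output: str) -> Dict[str, dict]:
    """Map policy name -> {"total": hits, "rules": {rule: (hits, [actions])}}."""
    stats: Dict[str, dict] = {}
    current = None
    for line in output.splitlines():
        m = STATS_LINE_RE.match(line)
        if not m:
            continue  # prompt lines and the "Policy Match Stats:" header
        name, hits, actions = m.group("name"), int(m.group("count")), m.group("actions")
        if actions is None:
            current = {"total": hits, "rules": {}}
            stats[name] = current
        elif current is not None:
            current["rules"][name] = (hits, [a.strip() for a in actions.split(",")])
    return stats


def parse_policy_event(line: str) -> Dict[str, object]:
    """Turn one POLICY_LOOKUP_EVENT line (a leading prompt is tolerated) into a dict."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("not a %POLICY_ENGINE syslog line")
    event: Dict[str, object] = {"timestamp": m.group("ts"), "host": m.group("host"),
                                "severity": int(m.group("sev")), "mnemonic": m.group("mnemonic")}
    for token in m.group("body").split():
        key, _, value = token.partition("=")
        event[key] = int(value) if key in INT_FIELDS else value
    return event


def verify_rule_hits(stats: Dict[str, dict], events: List[Dict[str, object]],
                     policy: str, rule: str, expected_action: str = "Permit") -> List[str]:
    """Return problems; an empty list means the rule matched, logged, and applied the expected action."""
    pol = stats.get(policy)
    if pol is None:
        return [f"policy {policy} not present in stats"]
    if rule not in pol["rules"]:
        return [f"rule {rule} not present under policy {policy}"]
    hits, actions = pol["rules"][rule]
    problems = []
    if hits == 0:
        problems.append(f"rule {rule} has zero matches")
    if "Log" not in actions:
        problems.append(f"rule {rule} does not log, so no POLICY_LOOKUP_EVENT will appear")
    matching = [e for e in events if e.get("policy") == policy and e.get("rule") == rule]
    if hits and "Log" in actions and not matching:
        problems.append(f"rule {rule} has {hits} matches but no logged events were captured")
    for e in matching:
        if e.get("action") != expected_action:
            problems.append(f"event at {e['timestamp']} shows action {e.get('action')}, expected {expected_action}")
    return problems


# Constructed samples, modelled on the Task 14 output above.
STATS_OUTPUT = """vsg# show policy-engine stats
Policy Match Stats:
default@root : 0
  default/default-rule@root : 0 (Drop)
  NOT_APPLICABLE : 0 (Drop)
PS_web@root/Tenant-A : 1
  pol_web/permit-all@root/Tenant-A : 1 (Log, Permit)
  NOT_APPLICABLE : 0 (Drop)
"""
EVENT_LINE = ("vsg# 2010 Nov 28 05:41:27 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT: "
              "policy=PS_web@root/Tenant-A rule=pol_web/permit-all@root/Tenant-A action=Permit "
              "direction=egress src.net.ip-address=172.31.2.91 src.net.port=48278 "
              "dst.net.ip-address=172.31.2.92 dst.net.port=80 net.protocol=6 net.ethertype=800")

if __name__ == "__main__":
    stats = parse_policy_engine_stats(STATS_OUTPUT)
    events = [parse_policy_event(EVENT_LINE)]
    print(verify_rule_hits(stats, events, "PS_web@root/Tenant-A",
                           "pol_web/permit-all@root/Tenant-A") or "permit-all rule verified")
```

Run it against a stats capture taken after the wget and the lines collected under terminal monitor (or from the syslog server configured in Task 12). The same verify_rule_hits call with expected_action="Drop" is the check to run once permit-all has been replaced by a deny rule, and the parsed event dict gives you the 5-tuple fields to correlate with the client and server logs.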