Installing the Cisco VSG
This chapter contains the following sections:
- Information About the Cisco VSG
- Prerequisites for Installing the Cisco VSG Software
- Obtaining the Cisco VSG Software
- Installing the Cisco VSG Software
- Configuring Initial Settings
- Verifying the Cisco VSG Configuration
- Where to Go Next
Information About the Cisco VSG
This section describes how to install and complete the basic configuration of the Cisco VSG for Cisco Nexus 1000V Series switch software.
Host and VM Requirements
The Cisco VSG has the following requirements:
Cisco VSG and Supported Cisco Nexus 1000V Series Device Terminology
This table lists the terminology used in the Cisco VSG implementation.
Term | Description |
---|---|
Logical Switch | Logical switch that spans one or more servers. It is controlled by one VSM instance. |
NIC | Network interface card. |
Server hosting SCVMM | Service that acts as a central administrator for Microsoft Hyper-V hosts that are connected on a network. The server directs actions on the VMs and the VM hosts. |
Virtual Ethernet Module (VEM) | Part of the Cisco Nexus 1000V Series switch that switches data traffic. It runs on a Microsoft Hyper-V host. Up to 64 VEMs are controlled by one VSM. All the VEMs that form a switch domain should be in the same virtual data center as defined by the Hyper-V server. |
Virtual Machine (VM) | Virtualized x86 PC environment in which a guest operating system and associated application software can run. Multiple VMs can operate on the same host system concurrently. |
vPath | Component in the Cisco Nexus 1000V Series switch with a VEM that directs the appropriate traffic to the Cisco VSG for policy evaluation. It also acts as a fast path and can short-circuit part of the traffic without sending it to the Cisco VSG. |
Virtual Security Gateway (VSG) | Cisco software that secures virtual networks and provides firewall functions in virtual environments using the Cisco Nexus 1000V Series switch by providing network segmentation. |
Virtual Supervisor Module (VSM) | Control software for the Cisco Nexus 1000V Series distributed virtual device that runs on a Virtual Machine (VM) and is based on Cisco NX-OS. |
SCVMM | System Center Virtual Machine Manager. Connects remotely to the Hyper-V server. It is the primary interface for creating, managing, and monitoring VMs, their resources, and their hosts. It also provides console access to VMs. |
Prerequisites for Installing the Cisco VSG Software
The following components must be installed and configured:
- On the Cisco Nexus 1000V Series switch, configure two port profiles for the Cisco VSG: one for the service VLAN and the other for the HA VLAN. (You will be configuring the Cisco VSG IP address on the Cisco VSG so that the Cisco Nexus 1000V Series switch can communicate with it.)
Details about configuring VLANs and port profiles on the Cisco Nexus 1000V Series switch are available in the Cisco Nexus 1000V Series switch documentation.
Obtaining the Cisco VSG Software
You can obtain the Cisco VSG software files at this URL:
http://software.cisco.com/download/navigator.html
Installing the Cisco VSG Software
You can install the Cisco VSG software on a VM by using an ISO image file from the CD.
Installing the Cisco VSG Software from an ISO File
Ensure that you have:
- Installed Microsoft SCVMM 2012 SP1 or SCVMM 2012 R2.
- Downloaded the Cisco VSG ISO image and uploaded it to the server (C:\ProgramData\Virtual Machine Manager Library Files\ISO). Refresh the library server under the Library tab.
- Cisco VSG-Data port profile: VSG-Data.
- Cisco VSG-ha port profile: VSG-ha.
- HA ID.
- IP/subnet mask/gateway information for the Cisco VSG.
- Admin password.
- 2 GB RAM and 2 GB hard disk space.
- Cisco Prime NSC IP address.
- The shared secret password.
- IP connectivity between Cisco VSG and Cisco Prime NSC.
- Cisco VSG NSC-PA image name (vsghv-pa.2.1.1e.bin).
Configuring Initial Settings
This section describes how to configure the initial settings on the Cisco VSG and how to configure a standby Cisco VSG with its initial settings. For configuring a standby Cisco VSG, see the Configuring Initial Settings on a Secondary Cisco VSG section.
You can connect to a VSG VM console through the SCVMM user interface by right-clicking a VM instance and connecting to it.
Configuring the Cisco Prime NSC Policy Agent on the VSG
Once the Cisco Prime NSC is installed, you must register the VSG with the Cisco Prime NSC.
Note | Cisco VSG is supported as VSB on Nexus Cloud Services platform only. |
Make sure that you know the following:
- The Cisco Prime NSC policy-agent image is available on the VSG (for example, vsghv-pa.2.1.1a.bin).
Note | The string vsghv-pa must appear in the image name as highlighted. |
- The IP address of the Cisco Prime NSC.
- The shared secret password you defined during the Cisco Prime NSC installation.
- That IP connectivity between the VSG and the Cisco Prime NSC is working.
Note | If you upgrade your VSG, you must also copy the latest Cisco VSG policy agent image. This image is available in the Cisco Prime NSC image bundle to boot from a flash drive and to complete registration with the Cisco Prime NSC. |
Note | VSG clock should be synchronized with the Cisco Prime NSC clock. |
Step 1 | On the VSG, enter the following commands: |
VSG-Firewall# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
VSG-Firewall(config)# nsc-policy-agent
VSG-Firewall(config-nsc-policy-agent)# registration-ip 10.193.72.242
VSG-Firewall(config-nsc-policy-agent)# shared-secret Sgate123
VSG-Firewall(config-nsc-policy-agent)# policy-agent-image vnmc-vsgpa.2.1.1b.bin
VSG-Firewall(config-nsc-policy-agent)# copy running-config startup-config
[########################################] 100%
Copy complete, now saving to disk (please wait)...
VSG-Firewall(config-nsc-policy-agent)# exit
Step 2 | Check the status of the NSC policy agent configuration to verify that you have installed the Cisco Prime NSC correctly and that it is reachable by entering the show nsc-pa status command. This example shows that the Cisco Prime NSC is reachable and the installation is correct: |
VSG-Firewall(config)# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 2.1(1b)-vsg
The VSG is now registered with the Cisco Prime NSC.
This example shows that the Cisco Prime NSC is unreachable or an incorrect IP is configured:
vsg# show nsc-pa status
NSC Policy-Agent status is - Installation Failure
Cisco Prime NSC not reachable.
vsg#
This example shows that the NSC policy-agent is not configured or installed:
vsg# show nsc-pa status
NSC Policy-Agent status is - Not Installed
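The three show nsc-pa status outcomes above can be checked mechanically when registration has to be confirmed on more than one VSG. The following is an added example, not Cisco code: the function names parse_nsc_pa_status and needs_attention are assumptions, and the sample captures are constructed from the outputs shown in this section.

```python
import re

# Constructed captures modelled on the three "show nsc-pa status" outcomes shown above.
SAMPLE_OK = """VSG-Firewall(config)# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 2.1(1b)-vsg
"""
SAMPLE_FAIL = """vsg# show nsc-pa status
NSC Policy-Agent status is - Installation Failure
Cisco Prime NSC not reachable.
vsg#
"""
SAMPLE_NONE = """vsg# show nsc-pa status
NSC Policy-Agent status is - Not Installed
"""

# Status phrases documented in this chapter, mapped to short state names (assumed names).
STATES = {
    "Installed Successfully": "registered",
    "Installation Failure": "failed",
    "Not Installed": "not_installed",
}
STATUS_RE = re.compile(r"NSC Policy-Agent status is - (.+)")


def parse_nsc_pa_status(output):
    """Return state, agent version and failure detail from captured CLI text."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    result = {"state": "unknown", "version": None, "detail": None}
    for i, line in enumerate(lines):
        m = STATUS_RE.search(line)
        if not m:
            continue
        rest = m.group(1)
        result["state"] = next(
            (s for phrase, s in STATES.items() if rest.startswith(phrase)), "unknown")
        ver = re.search(r"Version\s+(\S+)", rest)
        result["version"] = ver.group(1) if ver else None
        # A following line that is not a bare CLI prompt carries the reason.
        if i + 1 < len(lines) and not lines[i + 1].endswith("#"):
            result["detail"] = lines[i + 1]
        break
    return result


def needs_attention(outputs):
    """outputs maps a VSG name to its captured text; list those not registered."""
    return sorted(name for name, text in outputs.items()
                  if parse_nsc_pa_status(text)["state"] != "registered")
```

Output that contains no status line is reported as unknown rather than as registered, so an empty or truncated capture is never mistaken for a successful registration.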
Configuring Initial Settings on a Secondary Cisco VSG
You can configure a standby Cisco VSG by logging in to the Cisco VSG you have identified as secondary and using the following procedure to configure a secondary Cisco VSG with its initial settings.
Step 1 | Navigate to the Console tab in the VM. Cisco Nexus 1000V Series switch opens the Console window and boots the Cisco VSG software. |
Step 2 | At the Enter the password for "admin" prompt, enter the password for the admin account and press Enter. |
Step 3 | At the prompt, confirm the admin password and press Enter. |
Step 4 | At the Enter HA role[standalone/primary/secondary] prompt, enter the secondary HA role and press Enter. |
Step 5 | At the Enter the ha id(1-1024) prompt, enter 25 for the HA pair ID and press Enter. |
Step 6 | At the VSG login prompt, enter the name of the admin account you want to use and press Enter. The default account name is admin. |
Step 7 | At the Password prompt, enter the password for the admin account and press Enter. You are now at the Cisco VSG node. |
Verifying the Cisco VSG Configuration
To display the Cisco VSG configuration, perform this task:
Command | Purpose |
---|---|
show interface brief | Displays a brief status and interface information. |
This example shows how to verify the Cisco VSG configurations:
vsg# show interface brief
--------------------------------------------------------------------------------
Port     VRF          Status IP Address                    Speed    MTU
--------------------------------------------------------------------------------
mgmt0     --           up     10.193.77.217                 1000     1500
Where to Go Next
After installing and completing the initial configuration of the Cisco VSG, you can configure firewall policies on the Cisco VSG through the Cisco Prime NSC.