Send document comments to vsg-docfeedback@cisco.com
Chapter 2
Quick Start Guide for Cisco Virtual Security Gateway and Cisco Virtual Network Management Center
This chapter provides a Quick Start reference for installing and completing the basic configuration for
the Cisco Virtual Network Management Center (VNMC) and the Cisco Virtual Security Gateway (VSG)
software.
This chapter includes the following sections:
• Information About Installing Cisco VNMC and Cisco VSG, page 2-2
• Host Requirements, page 2-6
• Obtaining the Cisco VNMC and the Cisco VSG Software, page 2-6
• Task 1—Installing Cisco VNMC Software from an OVA Template, page 2-6
• Task 2—On the Cisco VNMC, Setting Up VM-Mgr for vCenter Connectivity, page 2-15
• Task 3—On the VSM, Configuring the Cisco VNMC Policy-Agent, page 2-20
• Task 4—On the VSM, Preparing Cisco VSG Port Profiles, page 2-21
• Task 5—Installing the Cisco VSG from an OVA Template, page 2-23
• Task 6—On the Cisco VSG and Cisco VNMC, Verifying the VNM Policy Agent Status, page 2-33
• Task 7—On the Cisco VNMC, Configuring a Tenant, Security Profile, and Compute Firewall, page 2-34
• Task 8—On the Cisco VNMC, Assigning the Cisco VSG to the Compute Firewall, page 2-42
• Task 9—On the Cisco VNMC, Configuring a Permit-All Rule, page 2-43
• Task 10—On the Cisco VSG, Verifying the Permit-All Rule, page 2-49
• Task 11—Enabling Logging, page 2-50
• Task 12—Enabling the Traffic VM’s Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG, page 2-51
• Task 13—Sending Traffic Flow and on the Cisco VSG Verifying Statistics and Logs, page 2-53
Cisco Virtual Security Gateway, Release 4.2(1)VSG1(1) and Cisco Virtual Network Management Center, Release 1.0.1 Installation Guide
OL-24126-04
2-1
Information About Installing Cisco VNMC and Cisco VSG
This chapter presents an example of an effective way to install and set up a basic working configuration
of the Cisco VNMC and Cisco VSG. The example in this chapter uses the OVF template method to
install the OVA files of the software. The steps assume that the Cisco Nexus 1000V is up and running
and endpoint VMs are already installed.
Cisco VSG and Cisco VNMC Installation Planning Checklists
Planning the arrangement and architecture of your network and equipment is essential for successful
operation of the Cisco VNMC and Cisco VSG. This section provides some planning and information
checklists to assist you in installing the Cisco VNMC and Cisco VSG.
This section includes the following checklists:
• Basic Hardware and Software Requirements
• Preparation of the Cisco Nexus 1000V Series Switch for Further Installation Processes
• Your Cisco VNMC and Cisco VSG Information for Use Later During Installation
Table 2-1 Basic Hardware and Software Requirements
(Columns: Item; Do You Have?; Your Information)
1. x86 Intel or AMD server with 64-bit processor listed in the VMware compatibility matrix
2. Intel VT is enabled in the BIOS
3. VMware ESX 4.0, 4.0 U1, 4.0 U2, or 4.1
4. ESX/ESXi platform that runs VMware software release 4.0.0 or 4.1.0 with a minimum of 4-GB physical RAM for VSG and similar for VNMC, or 6-GB for both
5. VMware vSphere Hypervisor
6. VMware vCenter 4.0, 4.0 U1, 4.0 U2, or 4.1
7. 1 processor
8. CPU speed of 1.5 GHz
9. Datastore with at least 25-GB disk space available on shared NFS/SAN storage when Cisco VNMC is deployed in an HA cluster
10. Internet Explorer 7.0 or Mozilla Firefox 3.6.x on Windows
11. Flash 10.0 or 10.1
12. Cisco VSG software available for download at the following URL: http://www.cisco.com/en/US/products/ps13095/tsd_products_support_series_home.html
13. Cisco VNMC software available for download at the following URL: http://www.cisco.com/en/US/products/ps11213/index.html
Table 2-2 Preparation of the Cisco Nexus 1000V Series Switch for Further Installation Processes
(Columns: Item; Requirement; Your Information)
1. Two VLANs are configured on the Cisco Nexus 1000V Series switch uplink ports: the service VLAN and an HA VLAN (these VLANs do not need to be system VLANs)
2. Two port profiles are configured on the Cisco Nexus 1000V Series switch: one for the service VLAN and one for the HA VLAN (you will be configuring the Cisco VSG IP address on the Cisco VSG so that the Cisco Nexus 1000V Series switch can communicate with it)
Table 2-3 Your Cisco VNMC and Cisco VSG Information for Use Later During Installation
(Columns: Item; Type; Your Information)
1. Cisco VSG name—unique within the inventory folder and up to 80 characters long
2. Hostname—where the Cisco VSG will be installed in the inventory folder
3. Datastore name—where the VM files will be stored
4. Cisco VSG management IP address
5. VSM management IP address
6. Cisco VNMC instance IP address
7. Mode for installing the Cisco VSG:
   • Standalone
   • HA primary
   • HA secondary
   • Manual installation
8. Cisco VSG VLAN number: Service (1), Management (2), High availability (HA) (3)
9. Cisco VSG port profile name: Data (1), Management (2), High availability (HA) (3)
10. HA pair ID (HA domain ID)
11. Cisco VSG admin password
12. Cisco VNMC admin password
13. Cisco VSM admin password
14. Shared secret password (Cisco VNMC, Cisco VSG policy agent, Cisco VSM policy agent)
Table 2-4 Tasks, Descriptions, and Particulars Checklist
(Columns: Task; Task Description; Task Particulars; Completed)
Task 1: Installing Cisco VNMC Software from an OVA Template
Before starting the procedure, know or do the following:
• Verify that the Cisco VNMC OVA image is available in the vCenter
• IP/subnet mask/gateway information for Cisco VNMC
• The admin password and hostname that you want to use
• The shared secret password you want to use (this password is what enables communication between the Cisco VNMC, VSM, and Cisco VSG)
• The DNS server and domain name information
• The management port-profile name for the virtual machine (VM) (management)
Note
The management port-profile is the same one used for the VSM. The port-profile is configured in the VSM and is used for the Cisco VNMC management interface.
• Make sure that the host has 2-GB RAM and 25-GB available hard-disk space
Task 2: On the Cisco VNMC, Setting Up VM-Mgr for vCenter Connectivity
Before starting the procedure, know or do the following:
• Install Adobe Flash Player (Version 10.1.102.64 or later)
• The IP address of the Cisco VNMC
• The admin user password
Task 3: On the VSM, Configuring the Cisco VNMC Policy Agent
Before starting the procedure, know or do the following:
• The Cisco VNMC policy-agent image is available on the VSM (it will look like vnmc-vsmpa.1.0.1j.bin)
Note
The string vsmpa must appear in the image name.
• The IP address of the Cisco VNMC
• The shared secret password you defined during Cisco VNMC installation
• IP connectivity between the VSM and the Cisco VNMC is okay.
Task 4: On the VSM, Preparing the Cisco VSG Port Profiles
Before starting the procedure, know or do the following:
• The uplink port-profile name
• The VLAN ID for the Cisco VSG data interface (for example, 100)
• The VLAN ID for the Cisco VSG HA interface (for example, 200)
• The management VLAN (management)
Note
None of these VLANs need to be system VLANs.
Task 5: Installing the Cisco VSG from an OVA Template
Before starting the procedure, know or do the following:
• Make sure that the Cisco VSG OVA image is available in the vCenter
• Cisco VSG-data and Cisco VSG-HA port profile created on VSM
• Management port-profile (management)
Note
The management port profile is the same one used for the VSM. The port profile is configured in the VSM and is used for the Cisco VNMC management interface.
• HA pair ID
• IP/SubnetMask/Gateway information for Cisco VSG
• Admin password
• 2-GB RAM and 3-GB hard disk space
• Cisco VNMC IP
• Shared secret password
• IP connectivity between Cisco VSG and Cisco VNMC is okay
• Cisco VSG VNM-PA image name (vnmc-vsgpa.1.0.1j.bin)
Task 6: On the Cisco VSG, Verifying the VNM Policy-Agent Status
—
Task 7: On the Cisco VNMC, Configuring a Tenant and Security Profile
Before doing this procedure, know or do the following:
• Install Adobe Flash Player (Version 10.1.102.64)
• IP address of the Cisco VNMC
• Admin user password
Task 8: On the Cisco VNMC, Assigning the Cisco VSG to the Compute Firewall
Task 9: On the Cisco VNMC, Configuring a Permit-All Rule
Task 10: On the Cisco VSG, Verifying the Permit-All Rule
Task 11: Enabling Logging
Task 12: Preparing Traffic VM’s Port-Profile for Firewall Protection and Verifying the VSM/VEM
Make sure you have the following:
• Cisco VSG data IP (10.10.10.200) and VLAN ID (100)
• Security profile name (for example, sp-web)
• Organization (Org) name (for example, root/Tenant-A)
• The port-profile that you will edit to enable firewall protection
Task 13: Sending Traffic Flow and on the Cisco VSG Verifying Statistics and Logs
• Make sure that you have the VM (Server-VM) that is using port-profile (pp-webserver) configured for firewall protection.
• Log in to any of your client VMs (Client-VM) and send traffic (for example, HTTP) to your Server-VM.
• Check the policy-engine statistics and log on the Cisco VSG.
Host Requirements
The Cisco VSG and Cisco VNMC installation has the following host requirements:
• ESX/ESXi platform that runs VMware software release 4.0.0 or 4.1.0 with a minimum of 4-GB physical RAM for the Cisco VSG and similar for the Cisco VNMC, or 6-GB for both.
• 1 processor
• CPU speed of 1.5 GHz
Obtaining the Cisco VNMC and the Cisco VSG Software
The Cisco VSG software is available for download at the following URL:
http://www.cisco.com/en/US/products/ps13095/tsd_products_support_series_home.html
The Cisco VNMC software is available for download at the following URL:
http://www.cisco.com/en/US/products/ps11213/index.html
Task 1—Installing Cisco VNMC Software from an OVA Template
As with most software application installations, there is an order of installation for the Cisco VNMC and
the Cisco VSG that must be followed to ensure that all components work and communicate properly.
This first task involves using an OVA Template to install the Cisco VNMC software.
BEFORE YOU BEGIN
Before starting the procedure, know or do the following:
• Verify that the Cisco VNMC OVA image is available in the vCenter
• IP/subnet mask/gateway information for the Cisco VNMC
• The admin password, shared secret, and host name that you want to use
• The DNS server and domain name information
• The management port-profile name for the virtual machine (VM) (management)
Note
The management port-profile is the same one used for the VSM. The port-profile is configured in the VSM and is used for the Cisco VNMC management interface.
• Make sure that the host has 2-GB RAM and 25-GB available hard-disk space
• Have a shared secret password available (this password is what enables communication between the Cisco VNMC, VSM, and Cisco VSG)
PROCEDURE
Step 1
Choose the host on which to deploy the Cisco VNMC VM.
Step 2
Select from the File Menu Deploy OVF Template.
The Deploy OVF Template window opens. See Figure 2-1.
Figure 2-1 Deploy OVF Template—Source Window
Step 3
In the Deploy from a file or URL field, provide the path to the Cisco VNMC OVA file and click Next.
The OVF Template Details window opens. See Figure 2-2.
Figure 2-2 Deploy OVF Template—OVF Template Details Window
Step 4
Review the details of the Cisco VNMC template and click Next.
The End User License Agreement window opens. See Figure 2-3.
Figure 2-3 Deploy OVF Template—End User License Agreement Window
Step 5
Click Accept to accept the End User License Agreement and click Next.
The Name and Location window opens. See Figure 2-4.
Figure 2-4 Deploy OVF Template—Name and Location
Step 6
In the Name field, enter the Name.
Step 7
In the Inventory Location pane, choose the location you would like to use and click Next.
The Deployment Configuration window opens. See Figure 2-5.
Figure 2-5 Deploy OVF Template—Deployment Configuration Window
Step 8
From the Configuration drop-down list, choose VNMC Installer and click Next.
The Datastore window opens. See Figure 2-6.
Figure 2-6 Deploy OVF Template—Datastore Window
Step 9
In the Datastore pane, choose the datastore for the VM and click Next.
Note
The storage can be local or shared remote such as network file storage (NFS) or storage area
network (SAN).
Note
If only one storage location is available for an ESX host, this window does not display and you
are assigned to the one that’s available.
The Disk Format window opens. See Figure 2-7.
Figure 2-7 Deploy OVF Template—Disk Format Window
Step 10
Click either Thin provisioned format or Thick provisioned format to store the VM vdisks and click Next.
Note
The default is thick provisioned. If you do not want to allocate the storage immediately, use thin
provisioned.
The Network Mapping window opens. See Figure 2-8.
Figure 2-8 Deploy OVF Template—Network Mapping Window
Step 11
In the network mapping pane, choose the management network port-profile for the VM and click Next.
The Properties window opens. See Figure 2-9.
Figure 2-9 Deploy OVF Template—Properties Window
Step 12
Do the following:
a. In the IPv4 field, enter the IP address.
b. In the Netmask field, enter the subnet mask.
c. In the IPv4Gateway field, enter the gateway.
d. In the Hostname section:
– In the DomainName field, enter the domain name.
– In the DNS field, enter the domain name server name.
e. In the Passwords section:
– In the Password field, enter the admin password.
– In the Secret field, enter the shared secret password.
Step 13
Click Next.
Note
Make sure that red text messages do not appear before you click Next. If you do not want to enter
valid information in the red-indicated fields, use null values to fill those fields. If those fields are
left empty or filled with invalid null values, the application does not power on.
Note
Ignore the f. VNMC Restore fields.
The Ready to Complete window opens. See Figure 2-10.
Figure 2-10 Deploy OVF Template—Ready to Complete Window
Step 14
Review the deployment settings information and click Finish.
Note
Review the IP/Mask/gateway information carefully because any failure of these parameters may
cause the VM to have bootup issues.
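As an added preflight check (not part of the Cisco guide), the following Python function validates the values you are about to type into the Step 12 property fields before you click Next: every field is non-empty, and the IPv4/Netmask/IPv4Gateway combination is self-consistent, which is what the two notes above warn about. The field names follow the Step 12 labels; the sample values are constructed.

```python
import ipaddress

# Field names as they appear on the Deploy OVF Template Properties page (Step 12).
REQUIRED_FIELDS = ("IPv4", "Netmask", "IPv4Gateway", "DomainName", "DNS",
                   "Password", "Secret")


def check_vnmc_properties(props):
    """Return a list of problems with the OVF property values; an empty list means OK.

    Mirrors the notes in the procedure: no field may be left empty, and the
    IP/Mask/gateway values must agree with each other or the VM will not boot cleanly.
    """
    problems = [f"{name}: field is empty"
                for name in REQUIRED_FIELDS if not str(props.get(name, "")).strip()]
    if problems:
        return problems  # the address checks below need every field present

    try:
        ip = ipaddress.IPv4Address(props["IPv4"])
    except ValueError:
        return [f"IPv4: {props['IPv4']!r} is not a valid IPv4 address"]
    try:
        # strict=False lets us build the subnet from a host address plus a dotted mask
        net = ipaddress.IPv4Network(f"{ip}/{props['Netmask']}", strict=False)
    except ValueError:
        return [f"Netmask: {props['Netmask']!r} is not a valid dotted netmask"]
    try:
        gw = ipaddress.IPv4Address(props["IPv4Gateway"])
    except ValueError:
        return [f"IPv4Gateway: {props['IPv4Gateway']!r} is not a valid IPv4 address"]

    if ip in (net.network_address, net.broadcast_address):
        problems.append(f"IPv4: {ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"IPv4Gateway: {gw} is outside the VNMC subnet {net}")
    elif gw == ip:
        problems.append("IPv4Gateway: gateway must differ from the VNMC address")
    try:
        ipaddress.IPv4Address(props["DNS"])
    except ValueError:
        problems.append(f"DNS: {props['DNS']!r} is not a valid IPv4 address")
    return problems


# Constructed sample values for a lab deployment (not addresses from the guide).
SAMPLE_PROPERTIES = {
    "IPv4": "10.10.10.50",
    "Netmask": "255.255.255.0",
    "IPv4Gateway": "10.10.10.1",
    "DomainName": "lab.example.com",
    "DNS": "10.10.10.2",
    "Password": "<admin-password-placeholder>",
    "Secret": "<shared-secret-placeholder>",
}

if __name__ == "__main__":
    for line in check_vnmc_properties(SAMPLE_PROPERTIES) or ["property values are consistent"]:
        print(line)
```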
The Deploying Virtual Network Management Center progress indicator opens. See Figure 2-11.
The progress bar in Figure 2-11 shows how much of the deployment task is completed before the Cisco
VNMC is deployed.
Figure 2-11 Deploying Virtual Network Management Center—Deploying Disk Files Progress Indicator
The progress indicator in Figure 2-12 shows that the deployment has completed successfully.
Figure 2-12 Deployment Completed Successfully Progress Indicator
Step 15
Click Close.
Step 16
Power on the Cisco VNMC VM.
Task 2—On the Cisco VNMC, Setting Up VM-Mgr for vCenter Connectivity
This task has three parts:
• Download the vCenter extension file from the Cisco VNMC
• Register the vCenter extension plugin in the vCenter
• Configure the vCenter in VM-Manager in the Cisco VNMC
BEFORE YOU BEGIN
Before doing this procedure, know or do the following:
• Install Adobe Flash Player (Version 10.1.102.64)
• IP address of the Cisco VNMC
• Admin user password
Downloading the vCenter Extension File from the Cisco VNMC
Step 1
For Cisco VNMC access, from your client machine, open Internet Explorer and access
https://vnmc-ip/ (https://xxx.xxx.xxx.xxx).
A Website Security Certification window opens. See Figure 2-13.
Figure 2-13 Website Security Certification Warning
Step 2
On the certificate warning, click Continue to this website.
The Cisco VNMC access window opens. See Figure 2-14.
Figure 2-14 VNMC Access Window
Step 3
Log in to the Cisco VNMC with the username admin and password. The VNMC Main window opens. See Figure 2-15.
Figure 2-15 Cisco Virtual Network Management Center—Opening Page
Step 4
Click Administration > VM Managers. The Cisco Virtual Network Management Center VM Managers window opens. See Figure 2-16.
Figure 2-16 Cisco VNMC Administration VM Managers Window
Step 5
From VM Managers, right-click and choose Export vCenter Extension and save the file on your
vCenter Desktop.
Step 6
The vCenter Desktop displays as shown in Figure 2-17.
Registering the vCenter Extension Plugin in the vCenter
This task is completed from within your client desktop vSphere client directory.
Step 1
From vSphere client, log in to vCenter. See Figure 2-17.
Figure 2-17 vSphere Client Directory Window
Step 2
Choose Plug-ins > Manage Plug-ins.
Step 3
Right-click in empty space, and in the drop-down list, choose New Plug-in.
The Register Plug-in window opens. See Figure 2-18.
Figure 2-18 vSphere Client and vCenter Directory for Managing Plug-ins with Security Warning
Step 4
Browse to the Cisco VNMC vCenter extension file and click Register Plug-in.
Step 5
On the security warning that displays, click Ignore.
The successful registration message should display. See Figure 2-19.
Figure 2-19 Register Plug-in Progress Success Indicator
Step 6
Click OK.
Step 7
Click Close.
Configuring the vCenter in VM-Manager in the Cisco VNMC
Step 1
Return to the Cisco VNMC and click Administration > VM Managers.
The Cisco VNMC Administration VM Managers Window opens. See Figure 2-20
Figure 2-20 Cisco VNMC Administration VM Managers Window
Step 2
Choose VM Managers > Add VM Manager.
On the right panel, the vCenter Server pane opens. See Figure 2-21.
Figure 2-21 Virtual Network Management Center—Administration Window vCenter-Server Pane
Step 3
In the right-side vCenter-Server panel, do the following:
a. In the Name field, enter the vCenter name.
b. In the Description field, enter a brief description of the vCenter.
c. In the Hostname/IP Address field, enter the vCenter IP address.
Step 4
Click OK.
Note
The successful addition should display the Admin State as enable and the Operational State as up with the version information.
Task 3—On the VSM, Configuring the Cisco VNMC Policy-Agent
Once you have the Cisco VNMC installed, you must register the Virtual Supervisor Module (VSM) with
the Cisco VNMC policy-agent.
BEFORE YOU BEGIN
Before starting the procedure, know or do the following:
• Make sure that the Cisco VNMC policy-agent image is available on the VSM (it will look like vnmc-vsmpa.1.0.1j.bin)
Note
The string vsmpa must appear in the image name.
• The IP address of the Cisco VNMC
• The shared secret password you defined during Cisco VNMC installation
• Make sure that IP connectivity between the VSM and the Cisco VNMC is okay.
Note
If you have upgraded your VSM to 1.4, you need to copy the VSM policy agent image, available in the VNMC image bundle, to bootflash to complete registration with the VNMC.
PROCEDURE
Step 1
On the VSM, enter the following commands:
vsm# configure terminal
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)# registration-ip 10.193.75.95
vsm(config-vnm-policy-agent)# shared-secret Example_Secret123
vsm(config-vnm-policy-agent)# policy-agent-image vnmc-vsmpa.1.0.1j.bin
vsm(config-vnm-policy-agent)# exit
vsm(config)# copy running-config startup-config
vsm(config)# exit
Step 2
Check the status of the VNM policy agent configuration to verify that you have installed the Cisco
VNMC correctly and it is reachable by entering the show vnm-pa status command.
The following example shows that the Cisco VNMC is reachable and the install is correct.
vsm# show vnm-pa status
VNM Policy-Agent status is - Installed Successfully. Version 1.0(1j)-vsm
vsm#
The VSM is now registered with the Cisco VNMC.
Other Status Messages
The following example shows that the Cisco VNMC is unreachable or an incorrect IP is configured.
vsm# show vnm-pa status
VNM Policy-Agent status is - Installation Failure
VNMC not reachable.
vsm#
The following example shows that the VNM policy-agent is not configured or installed.
vsm# show vnm-pa status
VNM Policy-Agent status is - Not Installed
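When many VSMs are registered, it helps to classify the three status outputs shown above mechanically. The following Python parser is an added example, not Cisco code: it maps each status string to a state, extracts the agent version on success, and attaches the remedy the procedure gives for the two failure cases. The three captures are constructed from the outputs above.

```python
import re

# Shape of "show vnm-pa status" output: a status line, an optional version on the
# same line, and optional detail lines such as "VNMC not reachable."
STATUS_RE = re.compile(r"VNM Policy-Agent status is - ([A-Za-z ]+)")
VERSION_RE = re.compile(r"Version (\S+)")

# The three status strings the guide shows, with the guide's own next step for each.
STATES = {
    "Installed Successfully": ("registered", None),
    "Installation Failure": (
        "failed",
        "check registration-ip and IP connectivity between the VSM and the Cisco VNMC"),
    "Not Installed": (
        "not-configured",
        "configure vnm-policy-agent on the VSM (Task 3, Step 1)"),
}
UNKNOWN = ("unknown", "inspect the output manually")


def parse_vnm_pa_status(output):
    """Parse the captured text of "show vnm-pa status" into a small dict."""
    match = STATUS_RE.search(output)
    if not match:
        return {"state": UNKNOWN[0], "version": None, "detail": None,
                "next_step": UNKNOWN[1]}
    state, next_step = STATES.get(match.group(1).strip(), UNKNOWN)
    version = VERSION_RE.search(output)
    # Everything that is neither a prompt line nor the status line is extra detail.
    detail = [ln.strip() for ln in output.splitlines()
              if ln.strip() and not ln.startswith("vsm") and "status is -" not in ln]
    return {"state": state,
            "version": version.group(1) if version else None,
            "detail": " ".join(detail) or None,
            "next_step": next_step}


def registration_ok(output):
    """True only when the agent reports a successful install with a version string."""
    parsed = parse_vnm_pa_status(output)
    return parsed["state"] == "registered" and parsed["version"] is not None


# Constructed captures matching the three outputs the guide shows.
CAPTURE_OK = """vsm# show vnm-pa status
VNM Policy-Agent status is - Installed Successfully. Version 1.0(1j)-vsm
vsm#
"""
CAPTURE_UNREACHABLE = """vsm# show vnm-pa status
VNM Policy-Agent status is - Installation Failure
VNMC not reachable.
vsm#
"""
CAPTURE_NOT_INSTALLED = """vsm# show vnm-pa status
VNM Policy-Agent status is - Not Installed
"""

if __name__ == "__main__":
    for capture in (CAPTURE_OK, CAPTURE_UNREACHABLE, CAPTURE_NOT_INSTALLED):
        print(parse_vnm_pa_status(capture))
```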
Task 4—On the VSM, Preparing Cisco VSG Port Profiles
To prepare Cisco VSG port profiles, you must create the VLANs and use the VLANs in the Cisco VSG
data port profile and the Cisco VSG HA port profile.
BEFORE YOU BEGIN
Before starting the procedure, know or do the following:
• The uplink port-profile name
• The VLAN ID for the Cisco VSG data interface (for example, 100)
• The VLAN ID for the Cisco VSG HA interface (for example, 200)
• The management VLAN (management)
Note
None of these VLANs need to be system VLANs.
PROCEDURE
Step 1
On the VSM, create the VLANs by first entering global configuration mode using the following
command:
vsm# configure
Step 2
Enter the following configuration commands, one per line.
vsm(config)# vlan 100
vsm(config-vlan)# no shutdown
vsm(config-vlan)# exit
vsm(config)# vlan 200
vsm(config-vlan)# no shutdown
vsm(config-vlan)# exit
vsm(config)# exit
vsm# configure
vsm(config)# copy running-config startup-config
vsm(config)# exit
Step 3
To exit, press Cntl-Z.
Step 4
Create a Cisco VSG data port-profile and a Cisco VSG HA port-profile by first enabling the Cisco VSG
data port-profile configuration mode. Use the configure command to enter global configuration mode:
vsm# configure
Step 5
Enter the following configuration commands, one per line.
vsm(config)# port-profile VSG-Data
vsm(config-port-prof)# vmware port-group
vsm(config-port-prof)# switchport mode access
vsm(config-port-prof)# switchport access vlan 100
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# exit
vsm(config)#
vsm(config)# copy running-config startup-config
vsm(config)# exit
Step 6
To end the session, press Cntl-Z.
Step 7
Enable the Cisco VSG HA port profile configuration mode.
vsm# configure
Step 8
Enter the following configuration commands, one per line.
vsm(config)# port-profile VSG-HA
vsm(config-port-prof)# vmware port-group
vsm(config-port-prof)# switchport mode access
vsm(config-port-prof)# switchport access vlan 200
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# exit
vsm(config)#
vsm(config)# copy running-config startup-config
vsm(config)# exit
Step 9
Add the VLANs created for the VSG data and VSG HA interfaces as part of the allowed VLANs into
the uplink port-profile. Use the configure command to enter global configuration mode:
vsm# configure
Step 10
Enter the following configuration commands, one per line:
vsm(config)# port-profile type ethernet uplink
vsm(config-port-prof)# switchport trunk allowed vlan add 100, 200
vsm(config-port-prof)# exit
vsm(config)#
To end the session, press Cntl-Z.
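A forgotten Step 10 (the HA VLAN never added to the uplink trunk) is a common reason the VSG pair cannot talk. The following Python checker is an added example, not Cisco code: it parses a VSM running-config excerpt and verifies everything Task 4 requires, including VLAN creation, the access VLAN and state of the VSG-Data and VSG-HA port profiles, and the uplink trunk allowed list. The running-config excerpt is constructed; port-profile names, VLAN IDs and the uplink profile name are parameters.

```python
import re

VLAN_RE = re.compile(r"^vlan ([\d,\- ]+)$")
PP_RE = re.compile(r"^port-profile(?: type \S+)? (\S+)$")
TRUNK_RE = re.compile(r"^switchport trunk allowed vlan(?: add)? (.+)$")


def expand_vlans(spec):
    """Expand an NX-OS VLAN list such as '1-3,100,200' into a set of ints."""
    vlans = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_running_config(text):
    """Return (vlans, profiles): shutdown flag per VLAN and the lines of each port-profile."""
    vlans, profiles, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():              # a new top-level section starts here
            block = None
            if (m := VLAN_RE.match(line)):
                ids = expand_vlans(m.group(1))
                for vid in ids:
                    vlans.setdefault(vid, False)  # False = not shut down
                block = ("vlan", ids)
            elif (m := PP_RE.match(line)):
                profiles[m.group(1)] = []
                block = ("pp", m.group(1))
            continue
        if block is None:
            continue
        if block[0] == "vlan" and line in ("shutdown", "no shutdown"):
            for vid in block[1]:
                vlans[vid] = line == "shutdown"
        elif block[0] == "pp":
            profiles[block[1]].append(line)
    return vlans, profiles


def check_vsg_port_profiles(text, data_vlan=100, ha_vlan=200,
                            data_pp="VSG-Data", ha_pp="VSG-HA", uplink_pp="uplink"):
    """Return the Task 4 requirements this running-config does not satisfy."""
    vlans, profiles = parse_running_config(text)
    wanted = ((data_vlan, "data", data_pp), (ha_vlan, "HA", ha_pp))
    problems = []
    for vid, label, _ in wanted:                  # Steps 1-2: VLANs exist and are up
        if vid not in vlans:
            problems.append(f"{label} VLAN {vid} is not created")
        elif vlans[vid]:
            problems.append(f"{label} VLAN {vid} is shut down")
    for vid, label, name in wanted:               # Steps 4-8: access port-profiles
        lines = profiles.get(name)
        if lines is None:
            problems.append(f"port-profile {name} ({label}) is missing")
            continue
        for req in ("switchport mode access", f"switchport access vlan {vid}", "state enabled"):
            if req not in lines:
                problems.append(f"port-profile {name}: missing '{req}'")
        if "shutdown" in lines:
            problems.append(f"port-profile {name}: is shut down")
    uplink = profiles.get(uplink_pp)              # Steps 9-10: uplink trunk list
    if uplink is None:
        return problems + [f"uplink port-profile {uplink_pp} is missing"]
    allowed = set()
    for line in uplink:
        if (m := TRUNK_RE.match(line)):
            allowed |= expand_vlans(m.group(1))
    for vid, label, _ in wanted:
        if vid not in allowed:
            problems.append(f"uplink port-profile {uplink_pp}: {label} VLAN {vid} "
                            "is not in the trunk allowed list")
    return problems


# Constructed running-config excerpt: Task 4 is complete except that the HA VLAN
# was never added to the uplink trunk (Step 10).
SAMPLE_CONFIG = """\
vlan 1,100,200
port-profile type vethernet VSG-Data
  switchport mode access
  switchport access vlan 100
  no shutdown
  state enabled
port-profile type vethernet VSG-HA
  switchport mode access
  switchport access vlan 200
  no shutdown
  state enabled
port-profile type ethernet uplink
  switchport mode trunk
  switchport trunk allowed vlan 1-50,100
  no shutdown
  state enabled
"""
```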
Task 5—Installing the Cisco VSG from an OVA Template
Once you have installed the Cisco Virtual Network Management Center (Cisco VNMC), configured the
Cisco VNM policy agent on the VSM, and prepared the Cisco VSG port profiles by creating the VLANs
that will be used, you now must install the Cisco VSG.
For this example, the OVF Template is used to install a Cisco VSG in standalone mode.
BEFORE YOU BEGIN
Before starting the procedure, know or do the following:
• Make sure that the Cisco VSG OVA image is available in the vCenter
• Cisco VSG-data and Cisco VSG-HA port profile created on VSM
• Management port-profile (management)
Note
The management port profile is the same one used for the VSM. The port profile is configured in the VSM and is used for the Cisco VNMC management interface.
• HA ID
• IP/SubnetMask/Gateway information for VSG
• Admin password
• 2-GB RAM and 3-GB hard disk space
• Cisco VNMC IP
• Shared secret
• IP connectivity between Cisco VSG and Cisco VNMC is okay
• Cisco VSG VNM-PA image name (vnmc-vsgpa.1.0.1j.bin)
PROCEDURES
Step 1
Select the host on which to deploy the VSG VM.
Step 2
Choose Deploy OVF Template from the File menu.
The Source window opens. See Figure 2-22.
Figure 2-22 Deploy OVF Template—Source Window
Step 3
Provide the path to the Cisco VSG OVA file and click Next.
The OVF Template Details window opens. See Figure 2-23.
Figure 2-23 Deploy OVF Template—OVF Template Details Window
Step 4
Review the details of the Cisco VSG template and click Next.
The End User License Agreement window opens. See Figure 2-24.
Figure 2-24 Deploy OVF Template—End User License Agreement Window
Step 5
Click Accept to accept the End User License Agreement.
Step 6
Click Next.
The Name and Location window opens. See Figure 2-25.
Figure 2-25 Deploy OVF Template—Name and Location Window
Step 7
In the Name field, enter the name you want to use for the Cisco VSG.
Step 8
In the Inventory Location field, choose the location you want to use for hosting the Cisco VSG.
Step 9
Click Next.
The Deployment Configuration window opens. See Figure 2-26.
Figure 2-26 Deploy OVF Template—Select a Deployment Configuration Window
Step 10
From the Configuration drop-down list, choose Deploy Nexus 1000V as Standalone and click Next.
The Datastore window opens. See Figure 2-27.
Figure 2-27 Deploy OVF Template—Datastore Window
Step 11
In the Datastore pane, choose the datastore for the VM and click Next.
Note
Storage can be local or shared-remote, such as network file storage (NFS) or a storage area network (SAN).
Note
If only one storage location is available for an ESX host, this window does not display and you are
assigned to the storage location that’s available.
The Disk Format window opens. See Figure 2-28.
Figure 2-28 Deploy OVF Template—Disk Format Window
Step 12
Select the disk format in which to store the VM vdisks and click Next.
Note
The default is thick provisioned. If you do not want to allocate the storage immediately, use thin
provisioned.
Note
Ignore the red text in the window.
The Network Mapping window opens. See Figure 2-29.
Figure 2-29 Deploy OVF Template—Network Mapping Window
Step 13
Choose the data interface port profile as VSG-Data, choose the management interface port profile as
Management, and choose the HA interface port profile as VSG-HA.
Step 14
Click Next.
Note
In this example, the VSG-Data and VSG-HA port profiles are the ones created in Task 4—On the VSM, Preparing Cisco VSG Port Profiles, page 2-21. The management port profile is used for management connectivity and is the same one used by the VSM and Cisco VNMC.
The Properties window opens. See Figure 2-30.
Figure 2-30 Deploy OVF Template—Properties Window
Step 15
Do the following:
a. In the HaId field, enter the high-availability identification number for a Cisco VSG pair (value from 1 through 4095).
b. In the Password field, enter a password that contains at least one capital letter, one lowercase letter, and one number.
c. In the Management IP Address section, do the following:
   – In the ManagementIpV4 field, enter the IP address for the Cisco VSG.
   – In the ManagementIpV4 Subnet field, enter the subnet mask.
d. In the Gateway field, enter the gateway name.
e. In the VnmcIpV4 field, enter the IP address of the Cisco VNMC.
f. In the SharedSecret field, enter the shared secret password defined during the Cisco VNMC installation.
g. In the ImageName field, enter the VSG VNM-PA image name (vnmc-vsgpa.1.0.1j.bin).
Step 16
Click Next.
Note
Make sure that red text messages do not appear before you click Next. If you do not want to enter
valid information in the red-indicated fields, use null values to fill those fields. If those fields are
left empty or filled with invalid null values, the application does not power on.
The Ready to Complete window opens. See Figure 2-31.
Figure 2-31 Deploy OVF Template—Ready to Complete Window
Step 17
Review the deployment settings information and click Finish.
Note
Review the IP/mask/gateway information carefully. Any discrepancies here may cause the VM to have bootup issues.
The Deploying Nexus1000VSG Progress Indicator opens. See Figure 2-32.
The progress bar in Figure 2-32 shows how much of the deployment task is completed before the Cisco
VSG is deployed.
Figure 2-32 Deploying Nexus1000VSG—Deploying Disk Files Progress Indicator
The progress indicator in Figure 2-33 shows that the deployment has completed successfully.
Figure 2-33 Deployment Completed Successfully Progress Indicator
Step 18
Click Close.
Step 19
Power on the Cisco VSG VM.
Task 6—On the Cisco VSG and Cisco VNMC, Verifying the VNM Policy Agent Status
You can use the show vnm-pa status command to verify the VNM policy agent status (which can
indicate that you have installed the VNM successfully).
PROCEDURES
Step 1
Log in to the Cisco VSG.
Step 2
Check the status of VNM-PA configuration by entering the following command:
vsg# show vnm-pa status
VNM Policy-Agent status is - Installed Successfully. Version 1.0(1j)-vsg
vsg#
Step 3
Log in to the Cisco VNMC.
Step 4
Navigate to the Administration > Service Registry > Clients > General pane. See Figure 2-34.
Figure 2-34 VNMC Administration Service Registry Window Clients Pane
Step 5
Verify that the VSM and VSG information is listed in the Clients pane.
Task 7—On the Cisco VNMC, Configuring a Tenant, Security Profile, and Compute Firewall
Now that you have the Cisco VNMC and the Cisco VSG successfully installed with the basic
configurations (completed through the OVA File Template wizard), it’s time to start configuring some of
the basic security profiles and policies. Use the following steps to complete this process.
BEFORE YOU BEGIN
Before doing this procedure, know or do the following:
• Install Adobe Flash Player (Version 10.1.102.64 or later)
• IP address of the Cisco VNMC
• Admin user password
Step 1
For Cisco VNMC access, from your client machine, open Internet Explorer and access https://vnmc-ip/ (https://xxx.xxx.xxx.xxx).
A Website Security Certification window opens. See Figure 2-35.
Figure 2-35 Website Security Certification Warning
Step 2
On the certificate warning, click Continue to this website.
The Cisco VNMC access window opens. See Figure 2-36.
Figure 2-36 VNMC Access Window
Step 3
Log in to the Cisco VNMC with the username admin and password.
Step 4
The VNMC Main window opens. See Figure 2-37.
Figure 2-37 Cisco Virtual Network Management Center—Opening Page
Step 5
To quickly check the VSM and VSG registration in the Cisco VNMC, click Administration > Service
Registry > Clients.
The Clients pane of the VNMC opens. See Figure 2-38.
Figure 2-38
VNMC Administration Service Registry Window Clients Pane
VSM and VSG information should be listed in the Clients pane.
Configuring a Tenant in the Cisco VNMC
Tenants are entities (businesses, agencies, institutions, and so on) whose data and processes are hosted
on virtual machines (VM) on the virtual data center. To provide firewall security for each tenant, the
tenant must first be configured in the Cisco VNMC.
Step 1
From the Cisco VNMC top tool bar, click the Tenant Management tab.
The root pane opens. See Figure 2-39.
Figure 2-39 VNMC Window Tenant Management Tab root Pane
Step 2
Right-click on Root in the left pane directory tree, and from the drop-down list, choose Create Tenant.
The Create Tenant dialog box opens. See Figure 2-40.
Figure 2-40 Create Tenant Dialog Box
Step 3
Do the following:
a. In the Name field, enter the tenant name; for example, Tenant-A.
b. In the Description field, enter a description for that tenant.
Step 4
Click OK.
Step 5
Notice that the tenant you just created is now listed in the left-side pane under root. See Figure 2-41.
Figure 2-41 Cisco VNMC VSG Configuration Directory Tree Pane
Configuring a Security Profile in the Cisco VNMC
Step 1
Click on the Policy Management tab in the Cisco VNMC top row tool bar.
The Policy Management window opens. See Figure 2-42.
Figure 2-42 VNMC Policy Management Security Policies Window
Step 2
From the directory path Security Policies > Security Profile > root > Tenant-A > Security Profiles, right-click and from the drop-down list choose Add Security Profile.
The Add Security Profile dialog box opens. See Figure 2-43.
Figure 2-43 Add Security Profile Dialog Box
Step 3
Do the following:
a. In the Name field, provide a name for the security profile; for example, sp-web.
b. In the Description field, provide a brief description of this security profile.
Step 4
Click OK.
On the Cisco VNMC, Configuring a Compute Firewall
The compute firewall is a logical virtual entity that contains the device profile that you can bind (assign)
to a Cisco VSG virtual machine. The device policy in the device profile is then pushed from the Cisco
VNMC to the Cisco VSG. Once this is complete, the compute firewall is in the applied configuration
state on the Cisco VNMC.
Step 1
From the Cisco VNMC, choose Resource Management > Managed Resources > Firewall Profiles.
The VNMC Resource Management, Managed Resources, Firewall Profiles Window opens. See
Figure 2-44.
Figure 2-44 VNMC Resource Management, Managed Resources, Firewall Profiles Window
Step 2
On the left-pane directory tree, right-click on Firewall Profiles and from the drop-down list choose Add Compute Firewall.
The Add Compute Firewall dialog box opens. See Figure 2-45.
Figure 2-45 Add Compute Firewall Dialog Box—General
Step 3
In the General tab display, do the following:
• In the Name field, enter a name for the compute firewall.
• In the Description field, enter a brief description of the compute firewall.
Step 4
Click on the Firewall Details tab. See Figure 2-46.
Figure 2-46 Add Compute Firewall Dialog Box—Firewall Details
Step 5
In the Firewall Details tab view, do the following:
• In the Management Hostname field, enter the name for your Cisco VSG.
Step 6
Click OK.
Task 8—On the Cisco VNMC, Assigning the Cisco VSG to the Compute Firewall
The compute firewall is a logical virtual entity that contains the device profile that can be later bound to
the device for communication with the Cisco VNMC and VSM. This procedure shows how to assign the
Cisco VSG to the compute firewall on the Cisco VNMC.
Step 1
Click Resource Management > Managed Resources.
The VNMC Resource Management Managed Resources window opens. See Figure 2-47.
Figure 2-47 VNMC Resource Management Managed Resources Firewall Profiles Window
Step 2
Click root > Tenant-A > Firewall Profiles, right-click Add Compute Firewall and from the drop-down
list, choose Assign VSG.
The Assign VSG dialog box opens. See Figure 2-48.
Figure 2-48
Assign VSG Dialog Box
Step 3
From the Name drop-down list, choose the Cisco VSG IP address.
Step 4
Click OK.
Note
The Config State status changes from not-applied to applying and then to applied.
Task 9—On the Cisco VNMC, Configuring a Permit-All Rule
Configure a permit-all rule in the Cisco VNMC.
Configuring a Permit-All Rule in the Cisco VNMC
You can use the following procedure to configure a permit-all rule in the Cisco VNMC.
Step 1
Log in to the Cisco VNMC and choose Policy Management > Security Policies.
The Cisco VNMC Policy Management Security Policies window opens. See Figure 2-49.
Figure 2-49 Virtual Network Management Center—Policy Management Policies Window
Step 2
Choose Firewall Policy > root > Tenant-A > Policies, right-click Policies and from the drop-down list,
choose Add Policy.
The Add Policy dialog box opens. See Figure 2-50.
Figure 2-50 Add Policy Dialog Box
Step 3
Do the following:
a. In the Name field, enter the security policy name.
b. In the Description field, enter a brief description of the security policy.
Step 4
Click OK.
Figure 2-51 Virtual Network Management Center—Policy Management Window pol-web Pane
Step 5
Log in to VNMC, click Policy Management tab > Security Policies sub-tab.
Step 6
Click Firewall Policy > root > Tenant-A > Policies > pol_web. Click the Rules tab on the right side,
click Add Rule. The Add Rule dialog box appears. See Figure 2-52.
Figure 2-52 Add Rule Dialog Box
Step 7
Provide the name, select Permit and Log from the Actions and click OK.
The newly created rule is now listed in the pol-web pane. See Figure 2-53.
Figure 2-53 Virtual Network Management Center—Policy Management Window pol_web Rules Pane
Step 8
Click Save to save the configuration.
On the Cisco VNMC, Configuring a Policy Set
You can configure a policy set on the Cisco VNMC.
Step 1
From the Cisco VNMC main window, choose Policy Management > Security Policies > root >
Tenant-A > Policy Sets.
The Cisco VNMC Policy Management window opens to show the Policy Sets pane. See Figure 2-54.
Figure 2-54 Virtual Network Management Center—Policy Management Window Policy Sets Pane
Step 2
Choose Add Policy Set.
The Add Policy Set dialog box opens. See Figure 2-55.
Figure 2-55 Add Policy Set Dialog Box
Step 3
From the General view of the Add Policy Set dialog box, do the following:
a. In the Name field, enter the policy set name.
b. In the Description field, enter a brief description of the policy set.
Step 4
From the Policies view of the Add Policy Set dialog box, click Assign Policy.
The Assign Policy dialog opens. See Figure 2-56.
Figure 2-56 Add Policy Set Dialog Box and Assign Policy Dialog Box
Step 5
From the Assign Policy drop-down list, choose pol_web.
Step 6
Click OK.
Assign a Policy-Set to a Security Profile
Step 1
From the Cisco VNMC Policy Management window left panel directory tree, choose Security Profile
> root > Tenant-A > Security Profiles > sp-web.
The Cisco VNMC Policy Management Window Security Profiles sp-web Pane opens. See Figure 2-57.
Figure 2-57 Virtual Network Management Center—Policy Management Window
Step 2
Choose the Policy Set option on the right-side sp-web panel and, from the drop-down menu, select PS_web.
Step 3
Click Save to save the configuration.
Task 10—On the Cisco VSG, Verifying the Permit-All Rule
To verify the rule presence in the Cisco VSG, use the Cisco VSG CLI and the show commands.
Step 1
Log in to the Cisco VSG and enter the following commands:
vsg# show running-config | begin security
security-profile default@root
  policy default@root
  custom-attribute vnsporg "root"
security-profile sp-web@root/Tenant-A
  policy PS_web@root/Tenant-A
  custom-attribute vnsporg "root/Tenant-A"
rule default/default-rule@root
  action 10 drop
rule pol_web/permit-all@root/Tenant-A
  action 10 log
  action 11 permit
policy default@root
  rule default/default-rule@root order 2
policy PS_web@root/Tenant-A
  rule pol_web/permit-all@root/Tenant-A order 101
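The chain this output shows (security profile to policy set to rule to actions) is what you would want to re-check after every policy push from the VNMC, not just once during installation. The following Python script is an added example and not part of the Cisco guide: it parses the security section of the VSG running-config (the Task 10 output above, embedded as a constant and indented the way NX-OS prints nested blocks) and confirms that sp-web@root/Tenant-A binds a policy whose rule carries exactly the log and permit actions. The parser and the function names are the example's own.

```python
"""Added example (not the Cisco guide's code): verify the security-profile ->
policy -> rule -> action chain in the security section of a Cisco VSG
running-config. SAMPLE_RUNNING_CONFIG is the guide's Task 10 output,
re-indented the way NX-OS prints nested blocks."""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_RUNNING_CONFIG = """\
security-profile default@root
  policy default@root
  custom-attribute vnsporg "root"
security-profile sp-web@root/Tenant-A
  policy PS_web@root/Tenant-A
  custom-attribute vnsporg "root/Tenant-A"
rule default/default-rule@root
  action 10 drop
rule pol_web/permit-all@root/Tenant-A
  action 10 log
  action 11 permit
policy default@root
  rule default/default-rule@root order 2
policy PS_web@root/Tenant-A
  rule pol_web/permit-all@root/Tenant-A order 101
"""


def parse_security_config(text: str) -> dict:
    """Return three maps from the config text:
    'security-profile': profile name -> bound policy name
    'rule':             rule name    -> list of action keywords, in order
    'policy':           policy name  -> list of (rule name, order)
    Unindented lines open a block; indented lines belong to the open block."""
    profiles: Dict[str, str] = {}
    rules: Dict[str, List[str]] = {}
    policies: Dict[str, List[Tuple[str, int]]] = {}
    kind = name = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):              # block header
            kind, name = raw.strip().split(None, 1)
            if kind == "rule":
                rules.setdefault(name, [])
            elif kind == "policy":
                policies.setdefault(name, [])
            continue
        body = raw.strip()
        if kind == "security-profile":
            m = re.match(r"policy (\S+)$", body)
            if m:
                profiles[name] = m.group(1)
        elif kind == "rule":
            m = re.match(r"action \d+ (\S+)$", body)
            if m:
                rules[name].append(m.group(1))
        elif kind == "policy":
            m = re.match(r"rule (\S+) order (\d+)$", body)
            if m:
                policies[name].append((m.group(1), int(m.group(2))))
    return {"security-profile": profiles, "rule": rules, "policy": policies}


def verify_profile(cfg: dict, profile: str, expected_actions: Set[str]) -> Tuple[bool, str]:
    """Walk security-profile -> policy -> rules and confirm that at least one
    rule in the bound policy carries exactly the expected action set.
    Returns (ok, explanation) so a drift-check job can log why it failed."""
    policy = cfg["security-profile"].get(profile)
    if policy is None:
        return False, f"security-profile {profile} is not present on the VSG"
    bound = cfg["policy"].get(policy)
    if not bound:
        return False, f"policy {policy} has no rules; traffic would hit the default policy"
    for rule_name, order in sorted(bound, key=lambda t: t[1]):
        actions = set(cfg["rule"].get(rule_name, []))
        if actions == expected_actions:
            return True, f"{profile} -> {policy} -> {rule_name} (order {order}) actions={sorted(actions)}"
    return False, f"no rule under {policy} has actions {sorted(expected_actions)}"


if __name__ == "__main__":
    cfg = parse_security_config(SAMPLE_RUNNING_CONFIG)
    print(verify_profile(cfg, "sp-web@root/Tenant-A", {"log", "permit"}))
    print(verify_profile(cfg, "default@root", {"drop"}))
```

Feed it the text captured from `show running-config | begin security` over SSH; a False result together with its explanation is the condition to alert on, since a missing or re-ordered rule silently changes what the VSG enforces.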
Task 11—Enabling Logging
Enabling Logging Level 6 for Policy-Engine Logging
Logging enables you to see what traffic is going through your monitored virtual machine. This logging
is helpful for verifying that you have a proper configuration and to help in troubleshooting.
Use the following steps to enable Logging Level 6 for policy-engine logging in a monitor session.
Step 1
Log in to the Cisco VNMC.
Step 2
Choose Policy Management > Device Policies. See Figure 2-58.
Figure 2-58 Virtual Network Management Center—Policy Management Window Edit Syslog Dialogue Box
Step 3
Click Device Configuration > root > Policies > Syslog. Click Default on the right side. Click Edit.
Step 4
Click Servers. Choose the primary server type from the displayed list.
Step 5
Click Edit. In the Hostname/IP address field, type in the syslog server IP address.
Step 6
Select Information(6) from the Severity drop-down list.
Step 7
Select Enabled from the Admin State drop-down list.
Step 8
Click OK.
Enabling Global Policy-Engine Logging
Logging enables you to see what traffic is going through your monitored virtual machine. This logging
is helpful for verifying that you have a proper configuration and to help in troubleshooting.
Use the following steps to enable global policy-engine logging.
Step 1
Log in to the Cisco VNMC and choose Policy Management > Device Policies > Device Profile > root
> Profiles > default.
The Cisco VNMC Policy Management window opens with the default pane showing. See Figure 2-59.
Figure 2-59
Cisco VNMC—Policy Management Window Device Profile Default Policy Pane
Step 2
Choose the Policy tab on the right side default pane.
Step 3
Click Enable in the Policy Engine Logging area at the bottom of the pane.
Step 4
Click Save to save the configuration.
Task 12—Enabling the Traffic VM’s Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG.
BEFORE YOU BEGIN
Make sure you have the following:
• Cisco VSG data IP (10.10.10.200) and VLAN ID (100)
• Security profile name (for example, sp-web)
• Organization (Org) name (for example, root/Tenant-A)
• The port-profile that you would like to edit to enable firewall protection
Enabling Traffic VM’s Port-Profile for Firewall Protection
The following example shows the traffic VM port-profile before firewall protection:
port-profile type vethernet pp-webserver
  vmware port-group
  switchport mode access
  switchport access vlan 3770
  no shutdown
  state enabled
The following example shows the commands required to enable firewall protection:
vsm(config)# port-profile pp-webserver
vsm(config-port-prof)# vn-service ip-address 10.10.10.200 vlan 100 security-profile sp-web
vsm(config-port-prof)# org root/Tenant-A
The following example shows the traffic VM port-profile after firewall protection:
port-profile type vethernet pp-webserver
  vmware port-group
  switchport mode access
  switchport access vlan 3770
  vn-service ip-address 10.10.10.200 vlan 100 security-profile sp-web
  org root/Tenant-A
  no shutdown
  state enabled
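Because protection is attached per port-profile, any vethernet port-profile without a vn-service line leaves the VMs on it outside the VSG entirely, and a binding that points at the wrong data IP or VLAN fails in the way Task 12 checks for. The following Python script is an added example, not the guide's or Cisco's code: it parses the port-profile blocks of a VSM running-config (a constructed sample built from the pp-webserver profile above plus hypothetical pp-dbserver, pp-legacy and uplink profiles), lists the vethernet profiles that have no vn-service binding, and flags bindings whose data IP, VLAN or org do not match the deployed VSG (10.10.10.200, VLAN 100). The function names and the assumption that a port-profile header without a type keyword is a vethernet profile are the example's own.

```python
"""Added example (not the Cisco guide's code): audit the port-profiles in a
Nexus 1000V VSM running-config for VSG (vn-service) coverage.
SAMPLE_VSM_CONFIG is constructed: pp-webserver is the guide's protected
profile; pp-dbserver, pp-legacy and uplink are hypothetical."""
import re
from typing import Dict, List, Optional

SAMPLE_VSM_CONFIG = """\
port-profile type vethernet pp-webserver
  vmware port-group
  switchport mode access
  switchport access vlan 3770
  vn-service ip-address 10.10.10.200 vlan 100 security-profile sp-web
  org root/Tenant-A
  no shutdown
  state enabled
port-profile type vethernet pp-dbserver
  vmware port-group
  switchport mode access
  switchport access vlan 3771
  no shutdown
  state enabled
port-profile type vethernet pp-legacy
  vmware port-group
  switchport mode access
  switchport access vlan 3772
  vn-service ip-address 10.10.10.201 vlan 100 security-profile sp-web
  org root/Tenant-A
  no shutdown
  state enabled
port-profile type ethernet uplink
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 100,200,3770-3772
  no shutdown
  state enabled
"""

HEADER_RE = re.compile(r"^port-profile(?: type (?P<type>\S+))? (?P<name>\S+)$")
VN_SERVICE_RE = re.compile(
    r"^vn-service ip-address (?P<ip>\S+) vlan (?P<vlan>\d+) security-profile (?P<sp>\S+)$"
)


def parse_port_profiles(text: str) -> Dict[str, dict]:
    """Map each port-profile name to its type, vn-service binding and org.
    Headers are unindented and body lines indented, as NX-OS prints them.
    Assumption: a header without 'type' describes a vethernet profile."""
    profiles: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            m = HEADER_RE.match(raw.strip())
            if m:
                current = {"type": m["type"] or "vethernet", "vn_service": None, "org": None}
                profiles[m["name"]] = current
            else:
                current = None            # some other top-level block; skip its body
            continue
        if current is None:
            continue
        body = raw.strip()
        vm = VN_SERVICE_RE.match(body)
        if vm:
            current["vn_service"] = {"ip": vm["ip"], "vlan": int(vm["vlan"]),
                                     "security_profile": vm["sp"]}
        elif body.startswith("org "):
            current["org"] = body.split(None, 1)[1]
    return profiles


def unprotected_vethernet_profiles(profiles: Dict[str, dict]) -> List[str]:
    """VM-facing profiles with no vn-service line: VMs on these bypass the VSG."""
    return sorted(name for name, p in profiles.items()
                  if p["type"] == "vethernet" and p["vn_service"] is None)


def mismatched_bindings(profiles: Dict[str, dict], vsg_ip: str, vsg_vlan: int) -> List[str]:
    """Profiles bound to a VSG data IP/VLAN other than the deployed one, or
    bound without an org (the org scopes the security profile to a tenant)."""
    bad = []
    for name, p in profiles.items():
        vs = p["vn_service"]
        if vs is None:
            continue
        if vs["ip"] != vsg_ip or vs["vlan"] != vsg_vlan or p["org"] is None:
            bad.append(name)
    return sorted(bad)


if __name__ == "__main__":
    profiles = parse_port_profiles(SAMPLE_VSM_CONFIG)
    print("unprotected:", unprotected_vethernet_profiles(profiles))
    print("mismatched :", mismatched_bindings(profiles, "10.10.10.200", 100))
```

Running it against a real `show running-config` capture from the VSM turns the one-profile change shown above into a fleet-wide coverage report: every name it prints under "unprotected" is a port-group whose VMs are not inspected.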
Verifying the VSM/VEM for Cisco VSG Reachability
Use show vsn brief to check VEM/VSG communication:
vsm# show vsn brief
VLAN  IP-ADDR       MAC-ADDR           FAIL-MODE  STATE  MODULE
100   10.10.10.200  00:50:56:83:00:46  Close      Up     3
vsm#
A display showing the MAC-ADDR Listing and Up state verifies that the VEM can communicate with
the Cisco VSG.
Checking the VMs Veth Port for Firewall Protection
The following example shows how to verify show vsn port vethernet output:
vsm# show vsn port vethernet16
Veth             : Veth16
VM Name          : sg-allrun-centos2
VM uuid          : 42 03 d1 ab 29 20 fd 01-57 89 80 1a 6f fe 04 8b
DV Port          : 2112
DVS uuid         : 40 f2 03 50 4b b3 50 eb-2e 13 bc 0c 82 ee 54 58
Flags            : 0x148
VSN Data IP      : 10.10.10.200
Security Profile : sp-web
Org              : root/Tenant-A
VNSP id          : 2
IP addresses:
  172.31.2.92
Note
Make sure that your VNSP ID value is more than 1.
Task 13—Sending Traffic Flow and on the Cisco VSG Verifying Statistics and Logs
• Make sure that you have the VM (Server-VM) that is using port-profile (pp-webserver) configured for firewall protection.
• Log in to any of your client VMs (Client-VM) and send traffic (for example, HTTP) to your Server-VM.
• Check the policy-engine statistics and log on the Cisco VSG.
Sending Traffic Flow
Figure 2-60 Virtual Machine Properties Window
Make sure that you have the VM (Server-VM) configured with the pp-webserver port-profile configured for firewall protection.
Log in to any of your client VMs (Client-VM) and send traffic (for example, HTTP) to your Server-VM.
[root@sg-centos-vk1 ~]# wget http://172.31.2.92/
--2010-11-28 13:38:40-- http://172.31.2.92/
Connecting to 172.31.2.92:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 258 [text/html]
Saving to: `index.html'
100%[=======================================================================>] 258         --.-K/s   in 0s
2010-11-28 13:38:40 (16.4 MB/s) - `index.html' saved [258/258]
[root@sg-centos-vk1 ~]#
On the Cisco VSG, Verifying Policy-Engine Statistics and Logs
Log in to the Cisco VSG and check the policy-engine statistics and logs.
The following example shows how to check these parameters:
Example:
vsg# show policy-engine stats
Policy Match Stats:

default@root                         : 0
  default/default-rule@root          : 0 (Drop)
  NOT_APPLICABLE                     : 0 (Drop)

PS_web@root/Tenant-A                 : 1
  pol_web/permit-all@root/Tenant-A   : 1 (Log, Permit)
  NOT_APPLICABLE                     : 0 (Drop)
vsg# terminal monitor
vsg# 2010 Nov 28 05:41:27 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT:
policy=PS_web@root/Tenant-A rule=pol_web/permit-all@root/Tenant-A action=Permit
direction=egress src.net.ip-address=172.31.2.91 src.net.port=48278
dst.net.ip-address=172.31.2.92 dst.net.port=80 net.protocol=6 net.ethertype=800
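The POLICY_LOOKUP_EVENT line above is exactly what a syslog collector receives once the logging from Task 11 is enabled, so it is the record to build detection on. The following Python script is an added example and not part of the Cisco guide: it parses such lines into structured fields, tallies lookups per rule and action (a cross-check against `show policy-engine stats`), and extracts the five-tuples of dropped flows. The first sample line is the guide's own event, joined onto one line and keeping its `vsg#` terminal-monitor prompt; the other two are constructed, and the Drop on the default rule assumes that global policy-engine logging is enabled. The regular expression and the function names are the example's own.

```python
"""Added example (not the Cisco guide's code): parse Cisco VSG
%POLICY_ENGINE-6-POLICY_LOOKUP_EVENT syslog lines into structured records.
SAMPLE_LOG is constructed: line 1 is the guide's own event (with its CLI
prompt, as `terminal monitor` prints it); lines 2 and 3 are invented, and the
Drop on default-rule assumes global policy-engine logging is on."""
import re
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple

SAMPLE_LOG = """\
vsg# 2010 Nov 28 05:41:27 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT: policy=PS_web@root/Tenant-A rule=pol_web/permit-all@root/Tenant-A action=Permit direction=egress src.net.ip-address=172.31.2.91 src.net.port=48278 dst.net.ip-address=172.31.2.92 dst.net.port=80 net.protocol=6 net.ethertype=800
2010 Nov 28 05:42:03 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT: policy=PS_web@root/Tenant-A rule=pol_web/permit-all@root/Tenant-A action=Permit direction=egress src.net.ip-address=172.31.2.91 src.net.port=48279 dst.net.ip-address=172.31.2.92 dst.net.port=80 net.protocol=6 net.ethertype=800
2010 Nov 28 05:42:10 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT: policy=default@root rule=default/default-rule@root action=Drop direction=ingress src.net.ip-address=172.31.2.93 src.net.port=51000 dst.net.ip-address=172.31.2.92 dst.net.port=22 net.protocol=6 net.ethertype=800
"""

PROMPT_RE = re.compile(r"^\S+# ")          # strip a leading "vsg# " CLI prompt
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%POLICY_ENGINE-(?P<sev>\d)-POLICY_LOOKUP_EVENT: (?P<kv>.+)$"
)


def parse_event(line: str) -> Optional[Dict[str, Any]]:
    """One syslog line -> dict of header fields plus every key=value token.
    Lines that are not policy-lookup events (other syslog, bare prompts) give None."""
    m = EVENT_RE.match(PROMPT_RE.sub("", line.strip(), count=1))
    if not m:
        return None
    rec: Dict[str, Any] = {"timestamp": m["ts"], "host": m["host"], "severity": int(m["sev"])}
    for token in m["kv"].split():
        key, sep, value = token.partition("=")
        if sep:                            # ignore tokens that are not key=value
            rec[key] = value
    return rec


def parse_log(text: str) -> List[Dict[str, Any]]:
    """All policy-lookup events in a block of syslog text, in order."""
    return [r for r in (parse_event(line) for line in text.splitlines()) if r is not None]


def rule_action_counts(records: List[Dict[str, Any]]) -> Dict[Tuple[str, str], int]:
    """How many lookups each (rule, action) pair produced; compare with the
    per-rule counters of `show policy-engine stats` on the VSG."""
    return dict(Counter((r["rule"], r["action"]) for r in records))


def dropped_flows(records: List[Dict[str, Any]]) -> List[Tuple[str, str, str, str, str]]:
    """(src ip, src port, dst ip, dst port, protocol) of every dropped flow."""
    return [(r["src.net.ip-address"], r["src.net.port"], r["dst.net.ip-address"],
             r["dst.net.port"], r["net.protocol"])
            for r in records if r["action"].lower() == "drop"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(rule_action_counts(recs).items()):
        print(f"{key[0]:40s} {key[1]:8s} {n}")
    print("dropped:", dropped_flows(recs))
```

Pointed at the syslog server's file rather than the embedded sample, the same functions give a per-rule hit count to reconcile with the VSG's own statistics and a list of dropped five-tuples to forward to a SIEM.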