Installing the Cisco VSG

This chapter contains the following sections:
• Information About the Cisco VSG
• Prerequisites for Installing the Cisco VSG Software
• Obtaining the Cisco VSG Software
• Installing the Cisco VSG Software
• Configuring Initial Settings
• Verifying the Cisco VSG Configuration
• Where to Go Next
Information About the Cisco VSG
This section describes how to install and complete the basic configuration of the Cisco VSG for VMware
vSphere software.
• Host and VM Requirements, on page 1
• Cisco VSG and Supported Cisco Nexus 1000V Series Device Terminology, on page 2
Host and VM Requirements
The Cisco VSG has the following requirements:
• ESXi platform running VMware software release 5.0 or 5.1, with a minimum of 4-GB physical RAM to host a Cisco VSG VM
• Virtual Machine (VM)
◦32-bit VM is required and “Other 2.6.x (32-bit) Linux” is a recommended VM type.
◦2 processors (1 processor is optional.)
◦2-GB RAM
◦3 NICs (1 of type VMXNET3 and 2 of type E1000)
◦Minimum 3-GB SCSI hard disk with LSI Logic Parallel adapter (default)
◦Minimum CPU speed of 1 GHz
• There is no dependency on the VM hardware version, so the VM hardware version can be upgraded if required.
Cisco VSG for VMware vSphere, Release 4.2(1)VSG2(1.1) and Cisco Prime NSC, Release 3.0.2 Installation and Upgrade Guide
OL-30760-01
Cisco VSG and Supported Cisco Nexus 1000V Series Device Terminology
The following table lists the terminology used in the Cisco VSG implementation.
Term: Description
Distributed Virtual Switch (DVS): Logical switch that spans one or more VMware ESX servers. It is controlled by one VSM instance.
ESXi: Virtualization platform used to create the virtual machines as a set of configuration and disk files.
NIC: Network interface card.
Open Virtual Appliance or Application (OVA) file: Package that contains the following files used to describe a virtual machine and saved in a single archive using .TAR packaging:
• Descriptor file (.OVF)
• Manifest (.MF) and certificate files (optional)
Open Virtual Machine Format (OVF): Platform-independent method of packaging and distributing Virtual Machines (VMs).
vCenter Server: Service that acts as a central administrator for VMware ESXi hosts that are connected on a network. vCenter Server directs actions on the VMs and the VM hosts (the ESXi hosts).
Virtual Ethernet Module (VEM): Part of the Cisco Nexus 1000V Series switch that switches data traffic. It runs on a VMware ESX host. Up to 64 VEMs are controlled by one VSM. All the VEMs that form a switch domain should be in the same virtual data center as defined by the VMware vCenter Server.
Virtual Machine (VM): Virtualized x86 PC environment in which a guest operating system and associated application software can run. Multiple VMs can operate on the same host system concurrently.
VMotion: Practice of migrating virtual machines live from server to server. (The Cisco VSGs cannot be moved by VMotion.)
vPath: Component in the Cisco Nexus 1000V Series switch with a VEM that directs the appropriate traffic to the Cisco VSG for policy evaluation. It also acts as fast path and can short circuit part of the traffic without sending it to the Cisco VSG.
Virtual Security Gateway (VSG): Cisco software that secures virtual networks and provides firewall functions in virtual environments using the Cisco Nexus 1000V Series switch by providing network segmentation.
Virtual Supervisor Module (VSM): Control software for the Cisco Nexus 1000V Series distributed virtual device that runs on a virtual machine (VM) and is based on Cisco NX-OS.
vSphere Client: User interface that enables users to connect remotely to the vCenter Server or ESXi from any Windows PC. The primary interface for creating, managing, and monitoring VMs, their resources, and their hosts. It also provides console access to VMs.
Prerequisites for Installing the Cisco VSG Software
The following components must be installed and configured:
• On the Cisco Nexus 1000V Series switch, configure two VLANs, a service VLAN and an HA VLAN,
on the switch uplink ports. (The VLAN does not need to be the system VLAN.)
• On the Cisco Nexus 1000V Series switch, configure two port profiles for the Cisco VSG: one for the
service VLAN and the other for the HA VLAN. (You will be configuring the Cisco VSG IP address on
the Cisco VSG so that the Cisco Nexus 1000V Series switch can communicate with it.)
Details about configuring VLANs and port profiles on the Cisco Nexus 1000V Series switch are available in
the Cisco Nexus 1000V Series switch documentation.
Obtaining the Cisco VSG Software
You can obtain the Cisco VSG software files at this URL:
http://www.cisco.com/en/US/products/ps13095/index.html
Installing the Cisco VSG Software
You can install the Cisco VSG software on a VM by using an open virtual appliance (OVA) file or an ISO
image file from the CD. Depending upon the type of file that you are installing, use one of the installation
methods described in the following topics:
• Installing the Cisco VSG Software from an OVA File, on page 4
• Installing the Cisco VSG Software from an ISO File, on page 5
Installing the Cisco VSG Software from an OVA File
To install the Cisco VSG software from an OVA file, obtain the OVA file and either install it directly from
the URL or copy the file to the local disk from where you connect to the vCenter Server.
Before You Begin
• Specify a name for the new Cisco VSG that is unique within the inventory folder and has up to 80
characters.
• Know the name of the host where the Cisco VSG will be installed in the inventory folder.
• Know the name of the datastore in which the VM files will be stored.
• Know the names of the network port profiles used for the VM.
• Know the Cisco VSG IP address.
• Know the mode in which you will be installing the Cisco VSG:
◦Standalone
◦HA Primary
◦HA Secondary
◦Manual Installation
Step 1
Choose the host on which to deploy the Cisco VSG VM.
Step 2
Choose File > Deploy OVF Template.
Step 3
In the Deploy OVF Template—Source window, do the following:
a) Browse to the path to the Cisco VSG OVA file in the Deploy from a file or URL field.
b) Click Next. The Deploy OVF Template—OVF Template Details window opens.
Step 4
In the Deploy OVF Template—OVF Template Details window, review the product information including the size of
the file and the VM disk and then click Next.
Step 5
In the Deploy OVF Template—End User License Agreement window, click Accept after reviewing the end user
license agreement, and then click Next.
Step 6
In the Deploy OVF Template—Name and Location window, do the following:
a) In the Name field, enter a name for the Cisco VSG that is unique within the inventory folder and has up to 80
characters.
b) In the Inventory Location pane, choose the location that you would like to use for hosting the Cisco VSG.
c) Click Next.
Step 7
In the Deploy OVF Template—Deployment Configuration window, do the following:
a) From the Configuration drop-down list, choose Standalone.
b) Click Next.
Note
The Standalone installation is used as the example in this publication. If you chose Manual Installation
mode, you would choose the default values for the following steps. In Standalone mode, be sure to fill in all the
fields indicated (they will be indicated on the GUI with red type).
Step 8
In the Disk Format dialog box, choose the radio button for the selected format and click Next.
Step 9
In the Host or Cluster window, choose the host where the Cisco VSG will be installed, and then click Next.
Step 10
From the Select a datastore field in which to store the VM files pane, choose your datastore, and then click Next.
Step 11
Click the drop-down arrows for Data (Service), Management, and HA to associate port profiles, and then click Next.
Step 12
In the Deploy OVF Template—Properties window, do the following:
a) In the HaId field, enter the high-availability identification number for a Cisco VSG pair (value from 1 through 4095).
b) In the Password field, enter a password that contains at least one uppercase letter, one lowercase letter, and one
number.
c) In the ManagementIpV4 field, enter the IP address for the Cisco VSG.
d) In the ManagementIpV4 Subnet field, enter the subnet mask.
e) In the Gateway field, enter the gateway name.
f) In the VnmcIpV4 field, enter the IP address of the Cisco Prime NSC.
g) In the SharedSecret field, enter the shared secret password defined during the Cisco Prime NSC installation.
h) In the ImageName field, enter the VSG VNM-PA image name (vnmc-vsgpa.2.1.1b.bin).
i) Click Next.
Note
In the following step, make sure that red text messages do not appear before you click Next. If you do not want
to enter valid information in the red-indicated fields, use null values to fill those fields. If those fields are left
empty or filled with invalid null values, the application does not power on. Ignore the Cisco Prime NSC Restore
fields.
Step 13
In the Ready to Complete window, review the deployment settings information.
Note
Review the IP/mask/gateway information carefully because any discrepancies might cause the VM to have
bootup issues.
Step 14
Click Finish. The Deploying Nexus 1000VSG dialog box opens.
The progress bar in the Deploying Nexus 1000VSG dialog box shows how much of the deployment task is completed
before the Cisco Prime NSC is deployed.
Step 15
Wait and click Close after the progress indicator shows that the deployment is completed successfully.
Step 16
Power on the Cisco VSG VM.
Step 17
If you chose the Standalone mode for installation earlier, you now see the Cisco VSG login prompt. Log in with your
Cisco VSG administration password. You may now proceed with configuring the Cisco Virtual Security Gateway. For
details, see the Cisco Virtual Security Gateway for VMware vSphere Configuration Guide.
Step 18
If you chose the manual installation in the Configuration field earlier, see Configuring Initial Settings, on page 7 to
configure the initial settings on the Cisco VSG.
Note
If you are installing high availability (HA), you must configure the software on the primary Cisco VSG before
installing the software on the secondary Cisco VSG.
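The Properties window values and the IP/mask/gateway review in the procedure above can be checked before the template is deployed. This is an added example, not part of the Cisco guide: the dictionary keys mirror the field labels, the Gateway value is assumed to be an IPv4 address, and all sample values except the image name are constructed.

```python
import ipaddress
import re

REQUIRED = ("HaId", "Password", "ManagementIpV4", "ManagementIpV4 Subnet",
            "Gateway", "VnmcIpV4", "SharedSecret", "ImageName")


def check_vsg_properties(props):
    """Return a list of problems found in a dict of Properties-window values."""
    problems = []
    val = {k: str(props.get(k, "")).strip() for k in REQUIRED}
    # Fields left empty keep the VM from powering on, so report them first.
    problems += [f"{k}: empty" for k in REQUIRED if not val[k]]

    ha = val["HaId"]
    if ha and not (ha.isdecimal() and 1 <= int(ha) <= 4095):
        problems.append("HaId: must be a number from 1 through 4095")

    pw = val["Password"]
    if pw and not all(re.search(rx, pw) for rx in ("[A-Z]", "[a-z]", "[0-9]")):
        problems.append("Password: needs an uppercase letter, a lowercase letter and a number")

    net = None
    if val["ManagementIpV4"] and val["ManagementIpV4 Subnet"]:
        try:
            iface = ipaddress.IPv4Interface(
                f'{val["ManagementIpV4"]}/{val["ManagementIpV4 Subnet"]}')
            net = iface.network
            if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
                problems.append("ManagementIpV4: is the network or broadcast address")
        except ValueError:
            problems.append("ManagementIpV4/Subnet: not a valid address and mask")

    for key in ("Gateway", "VnmcIpV4"):
        if not val[key]:
            continue
        try:
            addr = ipaddress.IPv4Address(val[key])
        except ValueError:
            problems.append(f"{key}: not an IPv4 address")
            continue
        # Gateway is assumed to be an IPv4 next hop on the management subnet.
        if key == "Gateway" and net is not None:
            if addr not in net:
                problems.append(f"Gateway: {addr} is outside {net}")
            elif addr == iface.ip:
                problems.append("Gateway: same as ManagementIpV4")
    return problems


# Constructed sample values (placeholders, not real credentials or hosts).
GOOD = {
    "HaId": "25", "Password": "Examp1ePass", "ManagementIpV4": "10.10.10.11",
    "ManagementIpV4 Subnet": "255.255.255.0", "Gateway": "10.10.10.1",
    "VnmcIpV4": "10.10.10.20", "SharedSecret": "Examp1eSecret",
    "ImageName": "vnmc-vsgpa.2.1.1b.bin",
}
# Constructed failure case: HA ID out of range, weak password, off-subnet gateway.
BAD = dict(GOOD, HaId="4096", Password="alllowercase1", Gateway="10.10.11.1")

if __name__ == "__main__":
    for problem in check_vsg_properties(BAD):
        print(problem)
```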
Installing the Cisco VSG Software from an ISO File
You can install the Cisco VSG from an ISO file.
Before You Begin
• Specify a name for the new Cisco VSG that is unique within the inventory folder and has up to 80
characters.
• Know the name of the host where the Cisco VSG will be installed in the inventory folder.
• Know the name of the datastore in which the VM files will be stored.
• Know the names of the network port profiles used for the VM.
• Know the Cisco VSG IP address.
Step 1
Upload the Cisco Virtual Security Gateway ISO image to the vCenter datastore.
Step 2
From the data center in the vSphere Client menu, choose your ESXi host where you want to install the Cisco VSG and
choose New Virtual Machine.
For VM requirements, see the Host and VM Requirements, on page 1.
For detailed information about how to create a VM, see the VMware documentation.
Step 3
In the Create New Virtual Machine dialog box, do the following:
a) Click Custom to create a virtual machine.
b) Click Next.
Step 4
In the Create New Virtual Machine dialog box, do the following:
a) In the Name field, add a name for the Cisco VSG.
The Cisco VSG name must be a unique name within the inventory folder and should be up to 80 characters.
b) In the Inventory Location field, choose your data center and click Next.
Step 5
In the Datastore dialog box, choose your datastore from the Select a datastore and then click Next.
Step 6
In the Virtual Machine Version dialog box, click the Virtual Machine Version.
Note
Keep the selected virtual machine version.
Step 7
In the Guest Operating System dialog box, do the following:
a) Click the Linux radio button.
b) In the Version field, choose Other 2.6x Linux (32-bit) from the drop-down list and click Next.
Step 8
In the CPUs dialog box, choose 1 socket with 2 cores or 2 sockets each with one core, and then click Next.
By default, the Cisco VSG virtual machine deployed with OVA has only one vCPU. You can choose 2 vCPUs. For an
older version of the ESX hosts, you can directly select the number of vCPUs.
Step 9
In the Memory dialog box, choose 2 GB memory size, and then click Next.
Step 10
In the Create Network Connectors dialog box, do the following:
a) In the How many NICs do you want to connect? field, choose 3 from the drop-down list.
b) In the Network area, choose service, management, and HA port profiles in that sequence for the NIC 1, NIC 2, and
NIC 3 from the drop-down list. Choose VMXNET3 for the adapter type for NIC 1. Choose E1000 for the adapter
type for NIC 2 and NIC 3.
Step 11
Click Next. The SCSI Controller dialog box opens.
The radio button for the default SCSI controller is chosen.
Step 12
Click Next. The Select a Disk dialog box opens.
The radio button for the default disk is chosen.
Step 13
Click Next. The Create a Disk dialog box opens.
The default virtual disk size and policy is chosen.
Step 14
Click Next. The Advanced Options dialog box opens.
The default options are chosen.
Step 15
Click Next. The Ready to Complete dialog box opens.
Step 16
Review your settings in the Settings for the new virtual machine area.
Step 17
Check the Edit the virtual machine before completion check box and click Continue to open a dialog box with the
device details.
Step 18
In the Work pane, choose your New CD/DVD (adding) in the Hardware area.
Step 19
Click Datastore ISO File, and select your ISO file from the drop-down list.
Step 20
In the work pane, check the Connect at power on check box and click Finish. The Summary tab window opens.
The Create virtual machine status completes.
Step 21
From the vSphere Client menu, choose your recently installed VM.
Step 22
In the work pane, click Power on the virtual machine.
Step 23
Click the Console tab to view the VM console. Wait for the Install Virtual Firewall and bring up the new image to boot.
See the Configuring Initial Settings section to configure the initial settings on the Cisco VSG.
Note
To allocate additional RAM, right-click the VM icon to power off the VM and then choose Power > Power
Off from the dialog box. After the VM is powered down, edit the configuration settings on the VM for controlling
memory resources.
Configuring Initial Settings
This section describes how to configure the initial settings on the Cisco VSG and configure a standby Cisco
VSG with its initial settings. For configuring a standby Cisco VSG, see the Configuring Initial Settings on a
Standby Cisco VSG section, on page 9.
When you power on the Cisco VSG for the first time, depending on which mode you used to install your
Cisco VSG, you might be prompted to log in to the Cisco VSG to configure initial settings at the console on
your vSphere Client. For details about installing Cisco VSG, see Installing the Cisco VSG Software, on page
3 in this chapter.
Before You Begin
The following table determines if you must configure the initial settings as described in this section.
Your Cisco Virtual Security Gateway Software Installation Method: Do You Need to Proceed with “Configuring Initial Settings”?
Installing an OVA file and choosing Manually Configure Nexus 1000 VSG in the configuration field during installation: Yes. Proceed with configuring initial settings described in this section.
Installing an OVA file and choosing any of the options other than the manual method in the configuration field during installation: No. You have already configured the initial settings during the OVA file installation.
Installing an ISO file: Yes. Proceed with configuring initial settings described in this section.
Step 1
Navigate to the Console tab in the VM.
Cisco Nexus 1000V Series switch opens the Console window and boots the Cisco VSG software.
Step 2
At the Enter the password for "admin" prompt, enter the password for the admin account and press Enter.
Step 3
At the prompt, confirm the admin password and press Enter.
Step 4
At the Enter HA role[standalone/primary/secondary] prompt, enter the HA role you want to use and
press Enter.
This can be one of the following:
• standalone
• primary
• secondary
Step 5
At the Enter the ha id(1-4095) prompt, enter the HA ID for the pair and press Enter.
Note
If you entered secondary in the earlier step, the HA ID for this system must be the same as the HA ID for the
primary system.
Step 6
If you want to perform basic system configuration, at the Would you like to enter the basic
configuration dialog (yes/no) prompt, enter yes and press Enter, then complete the following steps.
a) At the Create another login account (yes/no)[n] prompt, do one of the following:
• To create a second login account, enter yes and press Enter.
• Press Enter.
b) (Optional) At the Configure read-only SNMP community string (yes/no)[n] prompt, do one
of the following:
• To create an SNMP community string, enter yes and press Enter.
• Press Enter.
c) At the Enter the Virtual Security Gateway (VSG) name prompt, enter VSG-demo and press Enter.
Step 7
At the Continue with Out-of-band (mgmt0) management configuration? (yes/no)[y]:
prompt, enter yes and press Enter.
Step 8
At the Mgmt IPv4 address: prompt, enter 10.10.10.11 and press Enter.
Step 9
At the Mgmt IPv4 netmask prompt, enter 255.255.255.0 and press Enter.
Step 10
At the Configure the default gateway? (yes/no)[y] prompt, enter yes and press Enter.
Step 11
At the Enable the telnet service? (yes/no)[y]: prompt, enter no and press Enter.
Step 12
At the Enable the telnet service? (yes/no)[y]: prompt, enter no.
Step 13
At the Configure the ntp server? (yes/no)[n] prompt, enter no and press Enter.
The following configuration will be applied:
Interface mgmt0
  ip address 10.10.10.11 255.255.255.0
  no shutdown
vrf context management
  ip route 0.0.0.0/10.10.11.1
no telnet server enable
ssh key rsa 768 force
ssh server enable
no feature http-server
ha-pair id 25
Step 14
At the Would you like to edit the configuration? (yes/no)[n] prompt, enter n and press Enter.
Step 15
At the Use this configuration and save it? (yes/no)[y]: prompt, enter y and press Enter.
Step 16
At the VSG login prompt, enter the name of the admin account you want to use and press Enter.
The default account name is admin.
Step 17
At the Password prompt, enter the password for the admin account and press Enter.
You are now at the Cisco VSG node.
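The configuration summary printed before it is saved can be reviewed for its management-plane settings (telnet, SSH, HTTP server, SSH host key size). The following is an added example, not Cisco code: the first sample is the summary shown above, the second is constructed, and the 2048-bit RSA floor is an assumption of this example rather than a value from the guide.

```python
import re

MIN_RSA_BITS = 2048  # assumed floor for this example; not a value from the guide


def audit_mgmt_plane(config_text):
    """Return findings for the management-plane lines of a VSG setup summary."""
    lines = [ln.strip().lower() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # A service is on when its enable line appears without a leading "no".
    if "telnet server enable" in lines:
        findings.append("telnet server is enabled (cleartext management)")
    if "feature http-server" in lines:
        findings.append("http-server feature is enabled")
    if "ssh server enable" not in lines:
        findings.append("ssh server is not enabled")

    # Host key size is the number in "ssh key rsa <bits> [force]".
    for ln in lines:
        m = re.fullmatch(r"ssh key rsa (\d+)(?: force)?", ln)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(
                f"ssh RSA host key is {m.group(1)} bits, below {MIN_RSA_BITS}")
    return findings


# The configuration summary as printed in the procedure above.
PAGE_SUMMARY = """\
Interface mgmt0
  ip address 10.10.10.11 255.255.255.0
  no shutdown
vrf context management
  ip route 0.0.0.0/10.10.11.1
no telnet server enable
ssh key rsa 768 force
ssh server enable
no feature http-server
ha-pair id 25
"""

# Constructed summary with every check failing, for comparison.
WEAK_SUMMARY = """\
telnet server enable
feature http-server
ssh key rsa 1024 force
"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_SUMMARY), ("constructed", WEAK_SUMMARY)):
        print(name, audit_mgmt_plane(text))
```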
Configuring Initial Settings on a Standby Cisco VSG
You can add a standby Cisco VSG by logging in to the Cisco VSG you have identified as secondary and using
the following procedure to configure a standby Cisco VSG with its initial settings.
Step 1
Navigate to the Console tab in the VM.
Cisco Nexus 1000V Series switch opens the Console window and boots the Cisco VSG software.
Step 2
At the Enter the password for "admin" prompt, enter the password for the admin account and press Enter.
Step 3
At the prompt, confirm the admin password and press Enter.
Step 4
At the Enter HA role[standalone/primary/secondary] prompt, enter the secondary HA role and press
Enter.
Step 5
At the Enter the ha id(1-4095) prompt, enter 25 for the HA pair id and press Enter.
Note
The HA ID uniquely identifies the two Cisco VSGs in an HA pair. If you are configuring Cisco VSGs in an
HA pair, make sure that the ID number you provide is identical to the other Cisco VSG in the pair.
Step 6
At the VSG login prompt, enter the name of the admin account you want to use and press Enter.
The default account name is admin.
Step 7
At the Password prompt, enter the name of the password for the admin account and press Enter.
You are now at the Cisco VSG node.
Verifying the Cisco VSG Configuration
To display the Cisco VSG configuration, perform one of the following tasks:
Command: Purpose
show interface brief: Displays brief status and interface information.
show vsg: Displays the Cisco VSG and system-related information.
This example shows how to verify the Cisco VSG configurations:
vsg# show interface brief
--------------------------------------------------------------------------------
Port     VRF     Status   IP Address        Speed    MTU
--------------------------------------------------------------------------------
mgmt0    -       up       10.193.77.217     1000     1500
vsg# show vsg
Model: VSG
HA ID: 3437
VSG Software Version: 4.2(1)VSG1(1) build [4.2(1)VSG1(0.399)]
VNMC IP: 10.193.75.73
Where to Go Next
After installing and completing the initial configuration of the Cisco VSG, you can configure firewall policies
on the Cisco VSG through the Cisco Prime NSC.