Installing the Cisco Prime NSC and Cisco VSG-Quick Start

This chapter contains the following sections:
• Information About Installing Cisco Prime NSC and Cisco VSG, page 1
• Task 1: Installing the Cisco Prime NSC from an ISO Image, page 9
• Task 2: On the VSM, Configuring Cisco Prime NSC Policy Agent, page 12
• Task 3: On the VSM, Preparing Cisco VSG Port Profiles, page 14
• Task 4: On the VSM, Configuring Virtual Network Adapters on the Hosts, page 16
• Task 5: Installing Cisco VSG from an ISO Image, page 17
• Task 6: On the VSG, Configuring the Cisco Prime NSC Policy Agent, page 21
• Task 7: On Cisco VSG, Cisco VSM, and Cisco Prime NSC, Verifying the NSC Policy-Agent Status, page 22
• Task 8: On Cisco Prime NSC, Configuring a Tenant, Security Profile, Compute Firewall, and Assigning Cisco VSG to the Compute Firewall, page 23
• Task 9: On the Prime NSC, Configuring a Permit-All Rule, page 26
• Task 10: On Cisco VSG, Verifying the Permit-All Rule, page 26
• Task 11: Enabling Logging, page 27
• Task 12: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG, page 28
• Task 13: Installing Microsoft Service Provider Foundation, page 31
• Task 14: Sending Traffic Flow and on Cisco VSG Verifying Statistics and Logs, page 33
Information About Installing Cisco Prime NSC and Cisco VSG
This chapter describes how to install and set up a basic working configuration of Cisco Prime Network Services
Controller (Cisco Prime NSC) and Cisco Virtual Security Gateway (Cisco VSG). The example in this chapter
uses the ISO files of the software for installation. The steps assume that the Cisco Nexus 1000V Series switch is
operational and that the endpoint VMs are already installed.
Cisco VSG for Microsoft Hyper-V, Release 5.2(1)VSG2(1.1a) and Cisco Prime NSC, Release 3.2 Installation and
Upgrade Guide
OL-31174-01
Cisco VSG and Cisco Prime NSC Installation Planning Checklists
Planning the arrangement and architecture of your network and equipment is essential for a successful operation
of Cisco Prime NSC and Cisco VSG.
Basic Hardware and Software Requirements
The following table lists the basic hardware and software requirements for Cisco VSG and Cisco Prime NSC
installation.
Requirement          Description
Virtual CPUs         • Cisco VSG: 1 (1.5 GHz)
                     • Cisco Prime NSC: 4 (1.8 GHz each)
Memory               • Cisco VSG: 2 GB RAM
                     • Cisco Prime NSC: 4 GB RAM
Disk Space           • Cisco VSG: 3 GB
                     • Cisco Prime NSC: without InterCloud functionality, 40 GB on shared NFS or SAN,
                       configured on two disks as follows: Disk 1: 20 GB; Disk 2: 20 GB
Processor            x86 Intel or AMD server with a 64-bit processor.
Network Interfaces   • Cisco VSG: 3
                     • Cisco Prime NSC: 1
Microsoft SCVMM      SCVMM 2012 SP1 or SCVMM 2012 R2
Browser              Any of the following browsers:
                     • Internet Explorer 9.0 or higher
                     • Mozilla Firefox 23.0 or higher
                     • Google Chrome 29.0 or higher
                     Note: If you are running Firefox or IE and do not have Flash, or you have a version of
                     Flash that is older than 11.2, a message displays asking you to install Flash and
                     provides a link to the Adobe website.
                     Note: Before using Google Chrome with Cisco Prime NSC, you must disable the Adobe
                     Flash Players that are installed by default with Chrome. For more information, see
                     Configuring Chrome for Use with Cisco Prime NSC.
Ports                Access to the Cisco Prime NSC application using a web browser requires the following
                     ports (if the deployment uses a firewall, make sure to permit them):
                     • 443 (HTTPS)
                     • 80 (HTTP/TCP)
                     • 843 (Adobe Flash)
Flash Player         Adobe Flash Player plugin 11.2 or higher
The Cisco VSG software is available for download at http://www.cisco.com/en/US/products/ps13095/index.html
and the Cisco Prime NSC software is available for download at
http://www.cisco.com/en/US/products/ps13213/index.html.
License Requirements
The Cisco VSG license is integrated with the Nexus1000V Multi-Hypervisor License, so you install the
Nexus1000V Multi-Hypervisor License to license Cisco VSG for Microsoft Hyper-V. The Cisco N1kv VSM is
available in two modes, essential and advanced; VSG functionality is available only in advanced mode. You
therefore need to install the Nexus1000V Multi-Hypervisor License and change the VSM mode to advanced.
When the Nexus1000V Multi-Hypervisor License is installed, the license for Cisco VSG is automatically
included.
Note
If you try to access VSG services with the VSM in essential mode, an error message is generated on the VSM
console indicating that the Nexus1000V Multi-Hypervisor License is required for VSG.
The Nexus1000V Multi-Hypervisor License in Release 5.2(1)SM1(5.2) is available in three different types:
• Default: The Nexus 1000V switch may be configured in Essential or Advanced mode.
◦Essential Mode: Not supported.
◦Advanced Mode: After upgrade to Software Release 5.2(1)SM(5.2), the Nexus1000V Multi-Hypervisor
License is available with a 1024 socket count and expires in 60 days.
Note
You must install either the evaluation or the permanent (MSFT PKG) license prior to
upgrading to Software Release 5.2(1)SM(5.2).
• Evaluation: The Nexus 1000V switch should be in Advanced mode. After upgrading to Software Release
5.2(1)SM(5.2), the Nexus1000V Multi-Hypervisor License is available with a 1024 socket count and expires
in 60 days.
• Permanent: The Nexus 1000V switch should be in Advanced mode. After upgrading to Software Release
5.2(1)SM(5.2), the Nexus1000V Multi-Hypervisor License is available with a 1024 socket count and expires
in 60 days.
Note
You must request an evaluation or a permanent Nexus1000V Multi-Hypervisor License.
For more information about the Cisco Nexus 1000V for Microsoft Hyper-V licenses, see the Cisco Nexus
1000V for Microsoft Hyper-V License Configuration Guide.
VLAN Configuration Requirements for VSG
You must have two port-profiles configured on two different VLANs in the VSM:
• Service interface VLAN
• HA interface VLAN
Required Cisco Prime NSC and Cisco VSG Information
The following information is used during the Cisco Prime NSC and Cisco VSG installation. Record your value
for each item before you start.
Type                                                                  Your Information
Cisco VSG name (unique within the inventory folder and up to 80 characters)
Hostname (where the Cisco VSG will be installed in the inventory folder)
ISOs (managed within the SCVMM library when stored at C:\ProgramData\Virtual Machine Manager Library
Files\ISO; refresh the SCVMM library after saving the ISO file to that location)
Cisco VSG management IP address
VSM management IP address
Cisco Prime NSC instance IP address
Mode for installing the Cisco VSG: Standalone, HA primary, or HA secondary
Cisco VSG VLAN number: Service (1), Management (2), High availability (HA) (3)
Cisco VSG port profile name: Data (1), Management (2), High availability (HA) (3)
Note
The numbers indicate the Cisco VSG port profile that must be associated with the Cisco VSG VLAN number.
HA pair ID (HA domain ID)
Cisco VSG admin password
Cisco Prime NSC admin password
Cisco VSM admin password
Shared secret password (Cisco Prime NSC, Cisco VSG policy agent, Cisco VSM policy agent)
NSC DNS IP address
NSC NTP IP address
Tasks and Prerequisites Checklist

Task 1: Installing the Cisco Prime NSC from an ISO Image, on page 9
Prerequisites. Make sure that you have:
• Verified that the Hyper-V host on which to deploy the Cisco Prime NSC VM is available in SCVMM.
• Copied the Cisco Prime NSC 3.2 ISO image to the SCVMM library location on the file system. To make this
image available in SCVMM, choose Library > Library Servers, right-click the library location, and then refresh.
• NTP server information.

Task 2: On the VSM, Configuring Cisco Prime NSC Policy Agent, on page 12
Prerequisites. Make sure that you know the following:
• Cisco Prime NSC policy-agent image on the VSM (for example, vsmhv-pa.3.2.1c.bin)
Note
The string vsmhv-pa must appear in the image name.
• The IP address of Cisco Prime NSC
• The shared secret password you defined during Cisco Prime NSC installation
• IP connectivity between the VSM and Cisco Prime NSC is working
Note
If you upgrade your VSM, you must also copy the latest Cisco VSM policy agent image. This image is
available in the Cisco Prime NSC image bundle to boot from a flash drive and to complete registration with
Cisco Prime NSC.

Task 3: On the VSM, Preparing Cisco VSG Port Profiles, on page 14
Prerequisites. Make sure that you know the following:
• Logical Switch name (Network Uplink port-profile name).
• VLAN ID for the Cisco VSG data interface (for example, 100).
• VLAN ID for the Cisco VSG-ha interface (for example, 200).
• Management VLAN (management).
Note
None of these VLANs need to be system VLANs.

Task 4: On the VSM, Configuring Virtual Network Adapters on the Hosts, on page 16
Prerequisites. Make sure that you have:
• Cisco VSG port-profile configured on VSM.

Task 5: Installing Cisco VSG from an ISO Image, on page 17
Prerequisites. Make sure that you have:
• Installed Microsoft SCVMM SP1 or SCVMM R2.
• Downloaded the Cisco VSG ISO image and uploaded it to the server (C:\ProgramData\Virtual Machine Manager
Library Files\ISO). Refresh the library server under the Library tab.
• Cisco VSG-Data port profile: VSG-Data.
• Cisco VSG-ha port profile: VSG-ha.
• HA ID.
• IP/subnet mask/gateway information for Cisco VSG.
• Administrator password.
• Minimum of 2 GB RAM and 2 GB hard disk space; recommended is 4 GB RAM and 4 GB hard disk.
• Cisco Prime NSC IP address.
• The shared secret password.
• IP connectivity between Cisco VSG and Cisco Prime NSC is working.
• Cisco VSG NSC-PA image name (vsghv-pa.2.1.1e.bin) is available.

Task 6: On the VSG, Configuring the Cisco Prime NSC Policy Agent, on page 21
Prerequisites. Make sure that you know the following:
• The Cisco Prime NSC policy-agent image on Cisco VSG (for example, vsghv-pa.2.1.1e.bin).
Note
The string vsghv-pa must appear in the image name.
• IP address of the Cisco Prime NSC.
• Shared secret password you defined during the Cisco Prime NSC installation.
• IP connectivity between the VSG and the Cisco Prime NSC.
Note
If you upgrade your VSG, you must also copy the latest Cisco VSG policy agent image. This image is
available in the Cisco Prime NSC image bundle to boot from a flash drive and to complete registration with
Cisco Prime NSC.

Task 7: On Cisco VSG, Cisco VSM, and Cisco Prime NSC, Verifying the NSC Policy-Agent Status, on page 22
Prerequisites: none.

Task 8: On Cisco Prime NSC, Configuring a Tenant, Security Profile, Compute Firewall, and Assigning Cisco VSG to
the Compute Firewall, on page 23
Prerequisites. Make sure that you know the following:
• Adobe Flash Player (version 11.2 or later) has been installed
• The IP address of the Cisco Prime NSC
• The admin user password

Task 9: On the Prime NSC, Configuring a Permit-All Rule, on page 26
Prerequisites: none.

Task 10: On Cisco VSG, Verifying the Permit-All Rule, on page 26
Prerequisites: none.

Task 11: Enabling Logging, on page 27
Prerequisites: none.

Task 12: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the
VSM, VEM, and VSG, on page 28
Prerequisites. Make sure that you know the following:
• The server VM that runs with an access port profile (for example, web server)
• The Cisco VSG data IP address (for example, 10.10.10.200) and VLAN ID (for example, 100)
• The security profile name (for example, sp-web)
• The organization (Org) name (for example, root/Tenant-A)
• The port profile that you would like to edit to enable firewall protection
• That one active port in the port-profile with Cisco vPath configuration has been set up

Task 13: Installing Microsoft Service Provider Foundation, on page 31
Prerequisites: none.

Task 14: Sending Traffic Flow and on Cisco VSG Verifying Statistics and Logs, on page 33
Prerequisites: none.
Host Requirements
• Microsoft SCVMM SP1 or SCVMM R2
• Microsoft Windows Server 2012 or Windows Server 2012 R2
• 6 GB RAM
Obtaining Cisco Prime NSC and Cisco VSG Software
Cisco VSG software is available for download at the following URL:
http://software.cisco.com/download/navigator.html
Cisco Prime NSC software is available for download at the following URL:
http://software.cisco.com/download/navigator.html
Task 1: Installing the Cisco Prime NSC from an ISO Image
Before You Begin
Ensure that you have:
• Verified that the Hyper-V host on which to deploy the Cisco Prime NSC VM is available in SCVMM.
• Copied the Cisco Prime NSC 3.2 ISO image to the SCVMM library location on the file system. To make
this image available in SCVMM, choose Library > Library Servers, right-click the library location,
and then refresh.
• NTP server information.
Step 1
Launch the SCVMM.
Figure 1: Create Virtual Machine Wizard - Select Source
Step 2
In the VMs and Services pane, choose the Hyper-V host on which to deploy the Cisco Prime NSC VM.
Step 3
Right-click the Hyper-V host and choose Create Virtual Machine.
Step 4
In the Create Virtual Machine wizard, from the Select Source screen, choose the Create the new virtual machine with
a blank virtual hard disk radio button, and then click Next.
Step 5
In the Specify Virtual Machine Identity screen, specify the name and description for the virtual machine, and then
click Next.
Step 6
In the Configure Hardware screen, do the following:
a) From General, do the following:
• Choose Processor and set the number of processors (4 for Cisco Prime NSC, as listed in the requirements table).
• Choose Memory and choose the required memory value. You will need a minimum of 4 GB of memory.
b) From Bus Configuration > IDE Devices, do the following:
• Choose the hard disk with the virtual machine name you specified and enter the required size of the hard disk.
You will need at least 20 GB.
• Click New > Disk to add a new hard disk, enter the hard disk name in the File Name field, set the hard disk size
to 20 GB, and click Ok.
• Choose Virtual DVD Drive, choose the Existing ISO image file radio button, and browse to select the Cisco
Prime NSC 3.2 ISO image file from the library in the Select ISO dialog box.
c) Choose Network Adapters > Network Adapter 1, select the Connect to a VM Network radio button, and browse
to select a VM Network.
d) Click Next.
Step 7
In the Select Destination screen, do the following:
a) Choose the Place the virtual machine on a host radio button.
b) From the Destination drop-down list, choose All hosts.
c) Click Next.
Step 8
In the Select Host screen, choose the destination, and then click Next.
Step 9
In the Configure Settings screen, click Browse and navigate to the storage location of the virtual machine file, and then
click Next.
Step 10
In the Add properties screen, choose the Red Hat Enterprise Linux 5 (64 bit) operating system, and then click Next.
Step 11
In the Summary screen, do the following:
a) Verify the settings.
b) Check the Start the virtual machine after deploying it check box.
c) Click Create.
Figure 2: Create Virtual Machine Wizard - Summary
The job Create VM starts. You can see the status of this job in the Recent Jobs window. Ensure that the job completes
without any errors.
Step 12
After the VM is successfully created, right-click the new Virtual Machine and choose Connect or View > Connect Via
Console.
Step 13
Launch the console and install Cisco Prime NSC.
Note
Before the final Cisco Prime NSC installation step (the reboot), launch SCVMM again, right-click the
virtual machine, and choose Properties > Hardware Configuration > Bus Configuration > Virtual DVD
Drive > No media, so that Cisco Prime NSC does not boot from the ISO image again.
Step 14
After Cisco Prime NSC is successfully deployed, click Close and power on the Cisco Prime NSC VM.
Task 2: On the VSM, Configuring Cisco Prime NSC Policy Agent
Once Cisco Prime NSC is installed, you must register the VSM with Cisco Prime NSC.
Before You Begin
Ensure that you have:
• Cisco Prime NSC policy-agent image on the VSM (for example, vsmhv-pa.3.2.1c.bin)
Note
The string vsmhv-pa must appear in the image name.
• The IP address of Cisco Prime NSC
• The shared secret password you defined during Cisco Prime NSC installation
• IP connectivity between the VSM and Cisco Prime NSC is working
Note
If you upgrade your VSM, you must also copy the latest Cisco VSM policy agent image.
This image is available in the Cisco Prime NSC image bundle to boot from a flash drive
and to complete registration with Cisco Prime NSC.
Note
The VSM clock should be synchronized with the Cisco Prime NSC clock; use the same NTP server
information you recorded for Cisco Prime NSC.
SUMMARY STEPS
1. On the VSM, enter the following commands:
2. Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC
correctly and it is reachable by entering the show nsc-pa status command. This example shows that Cisco
Prime NSC is reachable and the installation is correct:
DETAILED STEPS
Step 1
On the VSM, enter the following commands:
vsm# configure terminal
vsm(config)# nsc-policy-agent
vsm(config-nsc-policy-agent)# registration-ip 10.193.75.95
vsm(config-nsc-policy-agent)# shared-secret Example_Secret123
vsm(config-nsc-policy-agent)# policy-agent-image vsmhv-pa.3.2.1c.bin
vsm(config-nsc-policy-agent)# exit
vsm(config)# copy running-config startup-config
vsm(config)# exit
Step 2
Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC correctly and
it is reachable by entering the show nsc-pa status command. This example shows that Cisco Prime NSC is reachable
and the installation is correct:
vsm# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 3.2(1)-vsm
vsm#
The VSM is now registered with Cisco Prime NSC.
This example shows that Cisco Prime NSC is unreachable or an incorrect IP is configured:
vsm# show nsc-pa status
nsc Policy-Agent status is - Installation Failure
Cisco Prime NSC not reachable.
vsm#
This example shows that the NSC policy-agent is not configured or installed:
vsm# show nsc-pa status
NSC Policy-Agent status is - Not Installed
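The three outcomes above are what an operator reads by eye after each registration. The following Python script,
added here as an example and not part of the Cisco guide or product, pre-checks the nsc-policy-agent values before
they are typed (the vsmhv-pa or vsghv-pa image-name rule, a valid registration-ip, a usable shared secret) and
classifies the show nsc-pa status output, so the same check runs against the VSM in this task and the VSG in Task 6.
The sample outputs are constructed from the transcripts on this page; the rule that the shared secret is one
whitespace-free token is the author's assumption, not something the guide states.

```python
"""Added example (not Cisco code): pre-check nsc-policy-agent values and
classify 'show nsc-pa status' output for both the VSM (Task 2) and the
VSG (Task 6). Only the three status strings this guide shows are
recognised; anything else is reported as "unknown" rather than guessed."""
import ipaddress
import re

# The guide requires this string to appear in the policy-agent image name.
IMAGE_ROLE_TAG = {"vsm": "vsmhv-pa", "vsg": "vsghv-pa"}


def validate_policy_agent(role, registration_ip, shared_secret, image):
    """Return a list of problems (empty means the values are consistent).

    role is "vsm" or "vsg"; the other arguments are what you would type
    after registration-ip, shared-secret and policy-agent-image."""
    problems = []
    tag = IMAGE_ROLE_TAG[role]
    if tag not in image:
        problems.append(f"image {image!r} does not contain the required string {tag!r}")
    try:
        ipaddress.IPv4Address(registration_ip)
    except ValueError:
        problems.append(f"registration-ip {registration_ip!r} is not an IPv4 address")
    # Assumption (not stated by the guide): the secret is one CLI token and must be
    # identical on Cisco Prime NSC, the VSM agent and the VSG agent, so reject
    # empty or whitespace-containing values before they are typed anywhere.
    if not shared_secret or any(ch.isspace() for ch in shared_secret):
        problems.append("shared-secret must be a single non-empty token")
    return problems


STATUS_LINE = re.compile(r"Policy-Agent status is - (?P<text>.+)", re.IGNORECASE)


def parse_nsc_pa_status(output):
    """Classify 'show nsc-pa status' text as (state, detail):
    ("installed", version), ("failed", reason), ("not-installed", None)
    or ("unknown", raw status text or None)."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = STATUS_LINE.search(line)
        if not m:
            continue
        text = m.group("text").strip()
        lowered = text.lower()
        if lowered.startswith("installed successfully"):
            ver = re.search(r"Version\s+(\S+)", text)
            return "installed", ver.group(1) if ver else None
        if lowered.startswith("installation failure"):
            # The reason ("Cisco Prime NSC not reachable.") is on the next
            # line; a trailing CLI prompt such as "vsm#" is not a reason.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            return "failed", None if (not nxt or nxt.endswith("#")) else nxt
        if lowered.startswith("not installed"):
            return "not-installed", None
        return "unknown", text
    return "unknown", None


def registration_ok(output, expected_version=None):
    """True when the agent reports a successful install (and that version, if given)."""
    state, detail = parse_nsc_pa_status(output)
    return state == "installed" and (expected_version is None or detail == expected_version)


# Constructed from the three transcripts shown in Step 2 of this task.
STATUS_OK = """vsm# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 3.2(1)-vsm
vsm#"""
STATUS_UNREACHABLE = """vsm# show nsc-pa status
nsc Policy-Agent status is - Installation Failure
Cisco Prime NSC not reachable.
vsm#"""
STATUS_NOT_INSTALLED = """vsm# show nsc-pa status
NSC Policy-Agent status is - Not Installed"""

if __name__ == "__main__":
    print(validate_policy_agent("vsm", "10.193.75.95", "Example_Secret123", "vsmhv-pa.3.2.1c.bin"))
    for sample in (STATUS_OK, STATUS_UNREACHABLE, STATUS_NOT_INSTALLED):
        print(parse_nsc_pa_status(sample))
```

Run validate_policy_agent with the values from Step 1 before committing them; passing the VSM image name
(vsmhv-pa) for a VSG registration is reported as a problem, which is the mistake the image-name notes in this
task and Task 6 are guarding against. registration_ok is the check to script for Task 7 across VSM and VSG.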
Task 3: On the VSM, Preparing Cisco VSG Port Profiles
To prepare Cisco VSG port profiles, you must create the VLANs and use the VLANs in Cisco VSG data port
profile and the Cisco VSG-ha port profile.
Before You Begin
Ensure that you have:
• Logical Switch name (Network Uplink port-profile name).
• VLAN ID for the Cisco VSG data interface (for example,100).
• VLAN ID for the Cisco VSG-ha interface (for example, 200).
• Management VLAN (management).
Note
None of these VLANs need to be system VLANs. Step 1 below nevertheless places the Cisco VSG data interface
in a system VLAN (a system network segment, a system port-profile, and a system uplink), so plan the data
VLAN accordingly.
SUMMARY STEPS
1. Enter global configuration mode with the configure command. The Cisco VSG data interface should be in a
system VLAN; to place it there, you need a system network segment, a system port-profile, and an uplink
configured as a system uplink, which Steps 2 to 4 create.
2. Create the Network Uplink port-profile and use it in the Logical Switch.
3. Create the network segment and port-profile for the Data VLAN.
4. Create the network segment and port-profile for the HA VLAN.
DETAILED STEPS
Step 1
Enter global configuration mode with the configure command. The Cisco VSG data interface should be in a system
VLAN. To configure the VSG data interface in a system VLAN, you need a system network segment, a system
port-profile, and an uplink configured as a system uplink; Steps 2 to 4 create these for the Cisco VSG data port
profile and the Cisco VSG-ha port profile.
Important
Ensure that all the critical VMs are configured in the system VLANs.
vsm# configure
Step 2
Create Network Uplink port-profile and use it in the Logical Switch.
vsm(config)# nsm logical network vsm_LogicalNet
vsm(config-logical-net)# exit
vsm(config)# nsm network segment pool vsm_NetworkSite
vsm(config-net-seg-pool)# member-of logical network vsm_LogicalNet
vsm(config-net-seg-pool)# exit
vsm(config)# nsm ip pool template VM_IP_Pool
vsm(config-ip-pool-template)# ip address 10.0.0.2 10.0.0.255
vsm(config-ip-pool-template)# network 255.255.255.0 10.0.0.1
vsm(config-ip-pool-template)# exit
vsm(config)# port-profile type ethernet sys_Uplink
vsm(config-port-prof)# channel-group auto
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# system port-profile
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# exit
vsm(config)# nsm network uplink vsm_Uplink
vsm(config-uplink-net)# allow network segment pool vsm_NetworkSite
vsm(config-uplink-net)# import port-profile sys_Uplink
vsm(config-uplink-net)# system network uplink
vsm(config-uplink-net)# publish uplink-network
vsm(config-uplink-net)# exit
Step 3
Create the network segment and port-profile for the Data VLAN.
vsm(config)# nsm network segment VMAccess_502
vsm(config-net-seg)# member-of network segment pool vsm_NetworkSite
vsm(config-net-seg)# system network segment
vsm(config-net-seg)# switchport access vlan 502
vsm(config-net-seg)# ip pool import template VM_IP_Pool
vsm(config-net-seg)# publish network-segment
vsm(config-net-seg)# exit
vsm(config)# port-profile type vethernet VSG_Data
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# system port-profile
vsm(config-port-prof)# publish port-profile
vsm(config-port-prof)# exit
Step 4
Create the network segment and port-profile for the HA VLAN.
vsm(config)# nsm network segment VMAccess_503
vsm(config-net-seg)# member-of network segment pool vsm_NetworkSite
vsm(config-net-seg)# switchport access vlan 503
vsm(config-net-seg)# ip pool import template VM_IP_Pool
vsm(config-net-seg)# publish network-segment
vsm(config-net-seg)# exit
vsm(config)# port-profile type vethernet VSG_HA
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# publish port-profile
vsm(config-port-prof)# exit
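The dependency this task describes (a data segment marked system network segment is only consistent when the
uplink that carries its pool is a system network uplink and imports an ethernet port-profile that exists and is
itself a system port-profile, the data vethernet port-profile is a system port-profile, and the data and HA
segments sit on different VLANs) is easy to break with a typo in one name. As an added example, and not Cisco
code, the following Python script parses a VSM CLI transcript like Steps 2 to 4 and checks those invariants. The
embedded transcript is an abridged copy of Steps 2 to 4 with the uplink port-profile named sys_Uplink in both the
definition and the import; which commands open a sub-mode is the author's assumption drawn from the
transcript, not a Cisco-documented grammar.

```python
"""Added example (not Cisco code): parse a VSM CLI transcript like Steps 2 to 4 and
check the system-VLAN dependency this task states, plus the two-VLAN rule for the
data and HA segments. Which commands open a sub-mode is the author's assumption."""
import re

# host, optional "(mode)", "#", optional space, command
PROMPT = re.compile(r"^(?P<host>\S+?)(?:\((?P<mode>[^)]*)\))?#\s*(?P<cmd>.*)$")

# Global-config commands whose sub-mode we record; 'segment pool' precedes 'segment'.
BLOCK_STARTS = {
    "nsm network segment pool": "pool",
    "nsm network uplink": "uplink",
    "nsm network segment": "segment",
    "port-profile type ethernet": "eth-pp",
    "port-profile type vethernet": "veth-pp",
}


def parse_transcript(text):
    """Return {kind: {name: [sub-mode commands]}} from a VSM CLI transcript."""
    blocks = {kind: {} for kind in BLOCK_STARTS.values()}
    current = None
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        mode, cmd = m.group("mode"), m.group("cmd").strip()
        if mode in (None, "config"):  # top level: possibly opens a new block
            current = None
            for prefix, kind in BLOCK_STARTS.items():
                if cmd.startswith(prefix + " "):
                    name = cmd[len(prefix):].strip()
                    blocks[kind][name] = []
                    current = (kind, name)
                    break
        elif current is not None and cmd != "exit":
            blocks[current[0]][current[1]].append(cmd)
    return blocks


def _arg(cmds, prefix):
    for c in cmds:  # argument of the first command starting with prefix, else None
        if c.startswith(prefix + " "):
            return c[len(prefix):].strip()
    return None


def check_vsg_networking(blocks, data_segment, ha_segment, data_port_profile):
    """Return problems found; an empty list means the Task 3 invariants hold."""
    segs = blocks["segment"]
    if any(s not in segs for s in (data_segment, ha_segment)):
        return [f"segment {s} is not defined" for s in (data_segment, ha_segment) if s not in segs]
    problems = []
    vlans = {s: _arg(segs[s], "switchport access vlan") for s in (data_segment, ha_segment)}
    if vlans[data_segment] == vlans[ha_segment]:
        problems.append(f"data and HA segments share VLAN {vlans[data_segment]}")
    if "system network segment" not in segs[data_segment]:
        problems.append(f"data segment {data_segment} is not a system network segment")
    pp = blocks["veth-pp"].get(data_port_profile)
    if pp is None or "system port-profile" not in pp:
        problems.append(f"vethernet port-profile {data_port_profile} is missing or not a system port-profile")
    # The data segment's pool must ride a system uplink that imports a system ethernet port-profile.
    pool = _arg(segs[data_segment], "member-of network segment pool")
    uplinks = {n: c for n, c in blocks["uplink"].items() if f"allow network segment pool {pool}" in c}
    if not uplinks:
        problems.append(f"no uplink network allows segment pool {pool}")
    for name, cmds in uplinks.items():
        if "system network uplink" not in cmds:
            problems.append(f"uplink {name} is not a system network uplink")
        imported = _arg(cmds, "import port-profile")
        eth = blocks["eth-pp"].get(imported)
        if eth is None:
            problems.append(f"uplink {name} imports undefined port-profile {imported}")
        elif "system port-profile" not in eth:
            problems.append(f"uplink {name} imports {imported}, which is not a system port-profile")
    return problems


# Constructed: Steps 2 to 4 of this task, abridged to the commands the checks read.
TASK3_TRANSCRIPT = """\
vsm(config)# nsm network segment pool vsm_NetworkSite
vsm(config-net-seg-pool)# exit
vsm(config)# port-profile type ethernet sys_Uplink
vsm(config-port-prof)# system port-profile
vsm(config-port-prof)# exit
vsm(config)# nsm network uplink vsm_Uplink
vsm(config-uplink-net)# allow network segment pool vsm_NetworkSite
vsm(config-uplink-net)# import port-profile sys_Uplink
vsm(config-uplink-net)# system network uplink
vsm(config-uplink-net)# exit
vsm(config)# nsm network segment VMAccess_502
vsm(config-net-seg)# member-of network segment pool vsm_NetworkSite
vsm(config-net-seg)# system network segment
vsm(config-net-seg)# switchport access vlan 502
vsm(config-net-seg)# exit
vsm(config)# port-profile type vethernet VSG_Data
vsm(config-port-prof)# system port-profile
vsm(config-port-prof)# exit
vsm(config)# nsm network segment VMAccess_503
vsm(config-net-seg)# member-of network segment pool vsm_NetworkSite
vsm(config-net-seg)# switchport access vlan 503
vsm(config-net-seg)# exit
"""


def check_task3_example():
    return check_vsg_networking(parse_transcript(TASK3_TRANSCRIPT), "VMAccess_502", "VMAccess_503", "VSG_Data")
```

Paste your own session (or a show running-config excerpt with prompts added) into parse_transcript and name
the two segments and the data port-profile; a mismatch such as importing sys-uplink while the ethernet
port-profile is called sys_Uplink is reported as an undefined import instead of surfacing later as a VSG with no
data connectivity.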
Task 4: On the VSM, Configuring Virtual Network Adapters on the Hosts
Now that you have prepared the Cisco VSG port profiles on the VSM, configure the virtual network adapters
on the hosts.
This task includes the following subtasks:
• Create Port-profile for the Virtual Network Adapter, on page 16
• Creating Virtual Network Adapter, on page 17
Before You Begin
Ensure that you have:
• Cisco VSG port-profile configured on VSM.
Create Port-profile for the Virtual Network Adapter
You need to log in to VSM to create port-profile for the virtual network adapter.
SUMMARY STEPS
1. Create port-profile for the virtual network adapter in VSM.
DETAILED STEPS
Create port-profile for the virtual network adapter in VSM.
Example:
vsm# configure terminal
vsm(config)# port-profile type vethernet Virtual-Net-PP
vsm(config-port-prof)# capability l3-vservice
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# publish port-profile
vsm(config-port-prof)# exit
vsm(config)# copy running-config startup-config
Creating Virtual Network Adapter
Before You Begin
Make sure that you know the following:
• Port-profile for virtual network adapter is created.
Step 1
Launch SCVMM.
Step 2
In the VMs and Services tab, click All Hosts.
Step 3
Choose the host on which you want to add the virtual network adapter.
Step 4
Right-click the host and choose Properties from the pop-up menu.
Step 5
In the Properties window, click Virtual Switches.
Step 6
On the Virtual Switches tab, click New Virtual Network Adapter.
Step 7
In the Name field, enter the name of the virtual network adapter.
Step 8
Under Connectivity, in the VM Network field, choose an appropriate VM network.
Step 9
Under Port profile, from the Classification drop-down list, select the L3 service-enabled port-profile that you created.
Step 10
Under IP address configuration, select the Static radio button and do the following:
a) Choose the IP pool for the virtual network adapter from the IPv4 pool drop-down list.
b) In the IPv4 address field, enter the IP address for the virtual network adapter.
Step 11
Click Ok.
Step 12
The VM manager warning message appears; click Ok.
What to Do Next
Add a physical router between VSG and virtual network adapter.
Task 5: Installing Cisco VSG from an ISO Image
Note
Cisco VSG is supported as a VSB on the Nexus Cloud Services Platform only.
Before You Begin
Ensure that you have:
• Installed Microsoft SCVMM SP1 or SCVMM R2.
• Downloaded the Cisco VSG ISO image and uploaded it to the server (C:\ProgramData\Virtual Machine
Manager Library Files\ISO). Refresh the library server under the Library tab.
• Cisco VSG-Data port profile: VSG-Data.
• Cisco VSG-ha port profile: VSG-ha.
• HA ID.
• IP/subnet mask/gateway information for Cisco VSG.
• Administrator password.
• Minimum of 2 GB RAM and 2 GB hard disk space; recommended is 4 GB RAM and 4 GB hard disk.
• Cisco Prime NSC IP address.
• The shared secret password.
• IP connectivity between Cisco VSG and Cisco Prime NSC is working.
• Cisco VSG NSC-PA image name (vsghv-pa.2.1.1e.bin) is available.
Step 1
Launch SCVMM.
Step 2
On the VMs and Services tab, click Create Virtual Machine.
Step 3
In the Create Virtual Machine Wizard, in the Select Source screen, choose the Create the new virtual machine with a
blank virtual hard disk radio button, and click Next.
Step 4
In the Specify Virtual Machine Identity screen, enter the name for the Cisco VSG in the Virtual machine name field
and click Next.
Figure 3: Create Virtual Machine Wizard - Specify Virtual Machine Identity
Step 5
In the Configure Hardware section, do the following:
a) Under General, choose Memory, choose the Static option, and enter 2048 MB in the Virtual machine memory
field.
b) Under Bus Configuration, choose the primary disk and enter 2 in the Size (GB) field.
c) Choose the virtual DVD Drive, select the Existing ISO image file radio button, and browse for the VSG ISO within
the SCVMM Library.
d) Click New > Network Adapter to create a total of three new Network Adapters.
• Under the Network Adapters section, choose Network Adapter 1, choose Connected to a VM network, and browse
for the network that corresponds to the network segment for the VSG's data interface.
• From the Classification drop-down list, choose the port-profile corresponding to the VSG's data interface.
Note
Network Adapter 1 is the Service/Data network; connect it to the Data network.
Note
Network Adapter 2 is the management network; connect it to the management network for the VSG.
Note
Network Adapter 3 is the HA network; connect it to the HA network.
Note
Repeat Step d to create the network adapters for management and HA.
Figure 4: Create Virtual Machine Wizard - Configure Hardware
Step 6
In the Select Destination section, choose Place the virtual machine in a host, choose the host group on which you
want to store the VSG from the drop-down list, and click Next.
Step 7
In the Select Host section, choose the host on which you want to place the VSG and click Next.
Step 8
In the Configure Settings section, review the virtual machine settings to ensure they are correct, and click Next.
Step 9
(Optional) In the Add Properties section, choose Other Linux (64-bit) from the Operating System drop-down list, and
then click Next.
Step 10
In the Summary section, click Create.
Step 11
Once the VSG is successfully installed, choose the VSG on the VMs and Services tab, and click Power On.
Step 12
Connect to the VSG using Connect or View > Connect via Console.
Task 6: On the VSG, Configuring the Cisco Prime NSC Policy Agent
Once Cisco Prime NSC is installed, you must register Cisco VSG with Cisco Prime NSC.
Before You Begin
Ensure that you have:
• The Cisco Prime NSC policy-agent image on Cisco VSG (for example, vsghv-pa.2.1.1e.bin).
Note
The string vsghv-pa must appear in the image name.
• The IP address of the Cisco Prime NSC.
• The shared secret password you defined during the Cisco Prime NSC installation.
• IP connectivity between the VSG and the Cisco Prime NSC.
Note
If you upgrade your VSG, you must also copy the latest Cisco VSG policy agent image. This image is
available in the Cisco Prime NSC image bundle, to boot from a flash drive and to complete registration
with Cisco Prime NSC.
Note
The VSG clock should be synchronized with the Cisco Prime NSC clock.
SUMMARY STEPS
1. On Cisco VSG, configure the NSC policy agent:
2. Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC
correctly and it is reachable by entering the show nsc-pa status command. This example shows that Cisco
Prime NSC is reachable and the installation is correct:
DETAILED STEPS
Step 1
On Cisco VSG, configure the NSC policy agent:
VSG-Firewall# configure
Enter configuration commands, one per line. End with CNTL/Z.
VSG-Firewall(config)# nsc-policy-agent
VSG-Firewall(config-nsc-policy-agent)# registration-ip 10.193.72.242
VSG-Firewall(config-nsc-policy-agent)# shared-secret Sgate123
VSG-Firewall(config-nsc-policy-agent)# policy-agent-image vnmc-vsgpa.2.1.1b.bin
VSG-Firewall(config-nsc-policy-agent)# copy running-config startup-config
[########################################] 100%
Copy complete, now saving to disk (please wait)...
VSG-Firewall(config-nsc-policy-agent)# exit
Step 2
Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC correctly and
it is reachable by entering the show nsc-pa status command. This example shows that Cisco Prime NSC is reachable
and the installation is correct:
VSG-Firewall(config)# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 2.1(1b)-vsg
Cisco VSG is now registered with Cisco Prime NSC.
This example shows that Cisco Prime NSC is unreachable or an incorrect IP is configured:
vsg# show nsc-pa status
NSC Policy-Agent status is - Installation Failure
Cisco Prime NSC not reachable.
vsg#
This example shows that the NSC policy-agent is not configured or installed:
vsg# show nsc-pa status
NSC Policy-Agent status is - Not Installed
Task 7: On Cisco VSG, Cisco VSM, and Cisco Prime NSC, Verifying the NSC Policy-Agent Status
You can use the show nsc-pa status command to verify the NSC policy-agent status on Cisco VSG, Cisco
VSM, and Cisco Prime NSC (which can indicate that you have installed the policy-agent successfully).
SUMMARY STEPS
1. Log in to the Cisco VSG.
2. Check the status of NSC-PA configuration by entering the following command:
3. Log in to the Cisco VSM.
4. Check the status of NSC-PA configuration by entering the following command:
5. Log in to Cisco Prime NSC.
6. Click Resource Management and then click Resources.
7. In the navigation pane, click VSMs and verify the VSM information in the VSMs pane.
8. In the navigation pane, click VSGs and verify the VSG information in the VSGs pane.
DETAILED STEPS
Step 1
Log in to the Cisco VSG.
Step 2
Check the status of NSC-PA configuration by entering the following command:
vsg# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 2.0(1a)-vsg
vsg#
Step 3
Log in to the Cisco VSM.
Step 4
Check the status of NSC-PA configuration by entering the following command:
VSM# show nsc-pa status
NSC Policy-Agent status is - Installed Successfully. Version 2.0(0.22)-vsm
VSM#
Step 5
Log in to Cisco Prime NSC.
Step 6
Click Resource Management and then click Resources.
Step 7
In the navigation pane, click VSMs and verify the VSM information in the VSMs pane.
Step 8
In the navigation pane, click VSGs and verify the VSG information in the VSGs pane.
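The three console outcomes shown in Task 6 and the per-device checks in Task 7 are easy to misread when an installation is scripted. The following is an added example, not Cisco's code: it classifies captured `show nsc-pa status` output from a VSG or VSM into a value a script can act on, extracts the agent version, and reports which device has not registered. The expectation that the version suffix matches the device role (-vsg or -vsm) is an assumption drawn from the outputs shown on this page, and the console captures in the block are constructed from those outputs.

```python
"""Classify `show nsc-pa status` output from Cisco VSG and VSM consoles.

Added example, not Cisco's code. The sample console captures below are
constructed from the outputs documented in Tasks 6 and 7 of this guide.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "NSC Policy-Agent status is - Installed Successfully. Version 2.1(1b)-vsg"
STATUS_RE = re.compile(r"NSC Policy-Agent status is - (?P<text>.+)")
VERSION_RE = re.compile(r"Version\s+(?P<ver>\S+)")
PROMPT_RE = re.compile(r"^\S*#")     # "vsg#", "VSM#", "VSG-Firewall(config)#"


@dataclass(frozen=True)
class PaStatus:
    state: str               # "installed", "failed", "not_installed" or "unknown"
    version: Optional[str]   # e.g. "2.1(1b)-vsg"; None unless installed
    reason: Optional[str]    # detail line printed after a failure, if any


def parse_nsc_pa_status(console_text: str) -> PaStatus:
    """Classify one captured `show nsc-pa status` output."""
    lines = [ln.strip() for ln in console_text.splitlines() if ln.strip()]
    for idx, line in enumerate(lines):
        m = STATUS_RE.search(line)
        if not m:
            continue
        text = m.group("text")
        if text.startswith("Installed Successfully"):
            v = VERSION_RE.search(text)
            return PaStatus("installed", v.group("ver") if v else None, None)
        if text.startswith("Installation Failure"):
            # the reason is the next non-prompt line, e.g. "Cisco Prime NSC not reachable."
            reason = next((ln for ln in lines[idx + 1:] if not PROMPT_RE.match(ln)), None)
            return PaStatus("failed", None, reason)
        if text.startswith("Not Installed"):
            return PaStatus("not_installed", None, None)
        return PaStatus("unknown", None, text)
    raise ValueError("no 'NSC Policy-Agent status' line in console output")


def registration_complete(outputs: Dict[str, str]) -> List[str]:
    """Return the roles ("vsg", "vsm") whose agent is NOT installed successfully.

    `outputs` maps a role to its captured console text. The version suffix is
    expected to match the role (assumption based on the "-vsg"/"-vsm" suffixes
    shown on this page), which catches an agent image built for the other device.
    """
    failing = []
    for role, text in outputs.items():
        st = parse_nsc_pa_status(text)
        if st.state != "installed" or not (st.version or "").endswith("-" + role):
            failing.append(role)
    return failing


# Constructed console captures, modelled on the outputs shown in Tasks 6 and 7
VSG_OK = ("VSG-Firewall(config)# show nsc-pa status\n"
          "NSC Policy-Agent status is - Installed Successfully. Version 2.1(1b)-vsg\n")
VSM_OK = ("VSM# show nsc-pa status\n"
          "NSC Policy-Agent status is - Installed Successfully. Version 2.0(0.22)-vsm\nVSM#\n")
VSG_UNREACHABLE = ("vsg# show nsc-pa status\nNSC Policy-Agent status is - Installation Failure\n"
                   "Cisco Prime NSC not reachable.\nvsg#\n")
VSG_NOT_INSTALLED = "vsg# show nsc-pa status\nNSC Policy-Agent status is - Not Installed\n"

if __name__ == "__main__":
    for name, text in [("ok", VSG_OK), ("unreachable", VSG_UNREACHABLE), ("none", VSG_NOT_INSTALLED)]:
        print(name, parse_nsc_pa_status(text))
    print("not registered:", registration_complete({"vsg": VSG_OK, "vsm": VSM_OK}))
```

A failed registration with the reason "Cisco Prime NSC not reachable." is almost always the IP, shared secret, or clock skew noted under Before You Begin, so the reason string is worth surfacing in the script's output rather than collapsing everything into a boolean.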
Task 8: On Cisco Prime NSC, Configuring a Tenant, Security Profile, Compute Firewall, and Assigning Cisco VSG to the Compute Firewall
Now that you have Cisco Prime NSC and Cisco VSG successfully installed with the basic configurations,
you should configure the basic security profiles and policies.
This task includes the following subtasks:
• Configuring a Tenant on Cisco Prime NSC, on page 24
• Configuring a Security Profile on the Cisco Prime NSC, on page 24
• Configuring a Compute Firewall and Assigning Cisco VSG to Cisco Prime NSC, on page 25
What to Do Next
Go to Configuring a Tenant on Cisco Prime NSC, on page 24
Configuring a Tenant on Cisco Prime NSC
Tenants are entities (businesses, agencies, institutions, and so on) whose data and processes are hosted on
VMs on the virtual data center. To provide firewall security for each tenant, the tenant must first be configured
in Cisco Prime NSC.
SUMMARY STEPS
1. From the Cisco Prime NSC toolbar, click the Tenant Management tab.
2. In the Navigation pane directory tree, right-click root, and from the drop-down list, choose Create Tenant.
3. In the Create Tenant dialog box, do the following:
4. Click OK.
DETAILED STEPS
Step 1
From the Cisco Prime NSC toolbar, click the Tenant Management tab.
Step 2
In the Navigation pane directory tree, right-click root, and from the drop-down list, choose Create Tenant.
Step 3
In the Create Tenant dialog box, do the following:
a) In the Name field, enter the tenant name; for example, Tenant-A.
b) In the Description field, enter a description for that tenant.
Step 4
Click OK.
Notice that the tenant that you have just created is listed in the left-side pane under root.
What to Do Next
See Configuring a Security Profile on the Cisco Prime NSC, on page 24
Configuring a Security Profile on the Cisco Prime NSC
You can configure a security profile on Cisco Prime NSC.
Step 1
In the Cisco Prime NSC toolbar, choose Policy Management > Service Profiles.
Step 2
In the Root navigation window, from the directory path, choose Tenant > Compute Firewall > Compute Security
Profile.
Step 3
Right-click Compute Security Profile and choose Add Compute Security Profile.
The Add Compute Security Profile dialog box opens.
Step 4
In the Add Compute Security Profile dialog box, do the following:
a) In the Name field, enter a name for the security profile; for example, sp-web.
b) In the Description field, enter a brief description of this security profile.
Step 5
Click OK.
What to Do Next
See Configuring a Compute Firewall and Assigning Cisco VSG to Cisco Prime NSC, on page 25
Configuring a Compute Firewall and Assigning Cisco VSG to Cisco Prime NSC
The compute firewall is a logical virtual entity that contains the device profile that you can bind (assign) to
Cisco VSG VM. The device policy in the device profile is then pushed from Cisco Prime NSC to Cisco VSG.
Once this is complete, the compute firewall is in the applied configuration state on Cisco Prime NSC.
Step 1
From Cisco Prime NSC, choose Resource Management > Managed Resources.
Step 2
In the left-pane directory tree, navigate to and choose a tenant.
Step 3
From the Action drop-down list, choose Add Compute Firewall. The Add Compute Firewall dialog box opens.
Step 4
In the Add Compute Firewall dialog box, do the following:
a) In the Name field, enter a name for the compute firewall.
b) In the Description field, enter a brief description of the compute firewall.
c) In the Host Name field, enter the name for your Cisco VSG.
Step 5
Click Next.
The new Compute Firewall pane displays the information that you provided.
Step 6
In the Select Service Devices pane, click the Assign VSG radio button, choose a VSG from the VSG Devices drop-down
list, and then click Next.
Step 7
In the Interface tab, Configure Data Interface pane, enter the data interface (data0) IP address and subnet mask, and
click Next.
Step 8
Verify the configuration in the Summary tab and click Finish.
Step 9
Click Root > Tenant > Network Services and verify the status of the firewall.
Task 9: On the Prime NSC, Configuring a Permit-All Rule
You can configure a permit-all rule in the Cisco Prime NSC.
Step 1
Log in to the Cisco Prime NSC.
Step 2
Choose Policy Management > Service Profiles.
Step 3
Choose Root > Tenant > Compute Firewall > Compute Security Profile, and then select a security profile.
Step 4
In the right pane, click Add ACL Policy Set.
Step 5
In the Add ACL Policy dialog box, do the following:
a) In the Name field, enter the ACL Policy Set name.
b) In the Description field, enter a brief description of the ACL Policy Set.
c) Click Add ACL Policy.
Step 6
In the Add ACL Policy dialog box, enter the policy name and a policy description, and then click Add Rule.
Step 7
In the Add Rule dialog box, do the following:
a) In the Name field, enter the rule name.
b) For the Action radio button, choose the matching condition (for example, Permit-All to permit all the traffic).
c) In the Condition Match Criteria field, choose the required condition.
d) On the Source - Destination - Service tab, click Add to add source/destination conditions or a service.
e) On the Protocol tab, uncheck Any to choose specific protocols. Do not uncheck Any if you wish to match all
protocols.
f) On the Ether-Type tab, click Add to specify an Ether type for the rule.
g) On the Time Range tab, keep the default option to leave the rule enabled.
h) On the Advanced tab, click Add to add checks for source ports.
i) Click OK.
Step 8
In the Add Policy dialog box, click OK.
The newly created policy is displayed in the Assigned field.
Step 9
In the Add Policy Set dialog box, click OK.
Step 10
In the Service Profile window, click Save.
Task 10: On Cisco VSG, Verifying the Permit-All Rule
You can verify that the rule is present on Cisco VSG by using the Cisco VSG CLI show commands.
vsg# show running-config rule
rule POL-DEMO/R-DEMO@root/Tenant/VDC
  cond-match-criteria: match-all
  action permit
rule POL1/R1@root/Tenant/VDC
  cond-match-criteria: match-all
  action permit
rule default/default-rule@root
  cond-match-criteria: match-all
  action drop
vsg#
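The permit-all rule from Task 9 exists to prove the data path works; it should not survive into a tenant's production policy. The following is an added example, not Cisco's code or a VSG feature: it parses `show running-config rule` output of the form shown above and reports unconditional permit rules and any default rule whose action is not drop. The rule block layout (a `rule` line followed by indented `cond-match-criteria:` and `action` lines) is taken from the output on this page; the `cond` line format assumed for explicit match conditions is an assumption, as is the sample text at the bottom, which is constructed from the page's output.

```python
"""Audit `show running-config rule` output from a Cisco VSG.

Added example, not Cisco's code. Finds permit rules with no match
conditions and a default rule that does not drop. The `cond` line format
for explicit conditions is an assumption about the VSG configuration syntax.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RULE_RE = re.compile(r"^rule\s+(?P<name>\S+)\s*$")
CRITERIA_RE = re.compile(r"^cond-match-criteria:\s*(?P<c>\S+)")
ACTION_RE = re.compile(r"^action\s+(?P<a>\S+)")
COND_RE = re.compile(r"^cond\s+(?P<c>.+)$")   # assumed: "cond 10 src.net.ip-address eq ..."


@dataclass
class Rule:
    name: str                       # "POL1/R1@root/Tenant/VDC"
    criteria: Optional[str] = None  # "match-all" / "match-any"
    action: Optional[str] = None    # "permit" / "drop"
    conditions: List[str] = field(default_factory=list)

    @property
    def scope(self) -> str:
        """Org path after '@', e.g. 'root/Tenant/VDC'."""
        return self.name.split("@", 1)[1] if "@" in self.name else ""

    @property
    def is_default(self) -> bool:
        return self.name.startswith("default/default-rule@")

    def permits_everything(self) -> bool:
        return self.action == "permit" and not self.conditions


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("#") or "show running-config" in line:
            continue                               # prompt lines and the command echo
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m.group("name")))
            continue
        if not rules:
            continue                               # attribute line before any rule header
        cur = rules[-1]
        m = CRITERIA_RE.match(line)
        if m:
            cur.criteria = m.group("c")
            continue
        m = ACTION_RE.match(line)
        if m:
            cur.action = m.group("a")
            continue
        m = COND_RE.match(line)
        if m:
            cur.conditions.append(m.group("c"))
    return rules


def audit_rules(rules: List[Rule]) -> List[str]:
    """Findings a reviewer would raise before the tenant carries real traffic."""
    findings = []
    for r in rules:
        if r.is_default and r.action != "drop":
            findings.append(f"default rule {r.name} is '{r.action}', expected drop")
        elif not r.is_default and r.permits_everything():
            findings.append(f"{r.name} permits all traffic in {r.scope} with no conditions")
    if not any(r.is_default for r in rules):
        findings.append("no default/default-rule@root present")
    return findings


# Constructed capture, based on the Task 10 output on this page
VSG_RULES = """\
vsg# show running-config rule
rule POL-DEMO/R-DEMO@root/Tenant/VDC
  cond-match-criteria: match-all
  action permit
rule POL1/R1@root/Tenant/VDC
  cond-match-criteria: match-all
  action permit
rule default/default-rule@root
  cond-match-criteria: match-all
  action drop
vsg#
"""

if __name__ == "__main__":
    for finding in audit_rules(parse_rules(VSG_RULES)):
        print("FINDING:", finding)
```

Run against the page's output, the audit reports both tenant rules as unconditional permits and is silent about the default rule, which is the expected picture for the lab stage and the one to revisit once real policy sets are assigned.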
Task 11: Enabling Logging
To enable logging, follow these procedures:
• Enabling Logging level 6 for Policy-Engine Logging, on page 27
• Enabling Global Policy-Engine Logging, on page 28
Enabling Logging level 6 for Policy-Engine Logging
Logging enables you to see what traffic is going through your monitored virtual machine. This logging is
helpful for verifying that you have a proper configuration and to help in troubleshooting. You can enable
Logging Level 6 for policy-engine logging in a monitor session.
Step 1
Log in to Cisco Prime NSC.
Step 2
Choose Policy Management > Device Configurations.
Step 3
In the Navigation pane, choose root > Policies > Syslog > Default, and then click Edit.
Step 4
In the Edit Syslog dialog box, do the following:
a) Click the Servers tab.
b) In the Server Type column, choose the primary server type from the displayed list.
c) From the pane toolbar, click Edit.
Figure 5: Edit Syslog Dialog Box
Step 5
In the Edit Syslog Client dialog box, do the following:
a) In the Hostname/IP address field, enter the syslog server IP address.
b) From the Severity drop-down list, choose Information(6).
c) For Admin State, click the Enabled radio button.
d) Click OK.
Step 6
Click OK.
What to Do Next
See Enabling Global Policy-Engine Logging, on page 28.
Enabling Global Policy-Engine Logging
Logging enables you to see what traffic is going through your monitored VM. This logging is helpful for
verifying that you have a proper configuration and to help in troubleshooting.
Step 1
Log in to Cisco Prime NSC.
Step 2
In the Cisco Prime NSC window, choose Policy Management > Device Configurations > root > Device Profiles >
default. The default Device Profile window opens.
Step 3
In the default pane, do the following:
a) In the Work pane, click Policies.
b) In the Policy Engine Logging field, click the Enabled radio button.
Step 4
Click Save.
Task 12: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG
This section includes the following topics:
• Enabling Traffic VM Port-Profile for Firewall Protection , on page 29
• Verifying the VSM or VEM for Cisco VSG Reachability, on page 30
• Checking the VM Virtual Ethernet Port for Firewall Protection, on page 31
Before You Begin
Ensure that you have:
• Server VM that runs with an access port profile (for example, web server)
• Cisco VSG data IP address (for example, 10.10.10.200) and VLAN ID (for example, 100)
• Set up the Virtual Network Adapter
• Security profile name (for example, sp-web)
• Organization (Org) name (for example, root/Tenant-A)
• Port profile that you would like to edit to enable firewall protection
Enabling Traffic VM Port-Profile for Firewall Protection
You can enable a traffic VM port profile for traffic protection.
SUMMARY STEPS
1. Create VSG node.
2. Create the network segment and Traffic VM Port-Profile for Firewall Protection.
DETAILED STEPS
Step 1
Create VSG node.
vsm#configure terminal
vsm (config)# vservice node VSG type vsg
vsm (config-vservice-node)# ip address 10.10.10.200
vsm (config-vservice-node)# adjacency l3
vsm (config-vservice-node)# exit
vsm (config)# copy running-config startup-config
Step 2
Create the network segment and Traffic VM Port-Profile for Firewall Protection.
vsm(config)# nsm network segment VMAccess_400
vsm(config-net-seg)# member-of network segment pool vsm_NetworkSite
vsm(config-net-seg)# switchport access vlan 400
vsm(config-net-seg)# ip pool import template VM_IP_Pool
vsm(config-net-seg)# publish network-segment
vsm(config-net-seg)# exit
vsm(config)# port-profile type vethernet pp-webserver
vsm(config-port-prof)# org root/Tenant-A
vsm(config-port-prof)# vservice node VSG profile sp-web
vsm(config-port-prof)# no shutdown
vsm(config-port-prof)# state enabled
vsm(config-port-prof)# publish port-profile
vsm(config-port-prof)# exit
vsm(config)# show port-profile name pp-webserver
What to Do Next
See Verifying the VSM or VEM for Cisco VSG Reachability, on page 30.
Verifying the VSM or VEM for Cisco VSG Reachability
Ensure that you have assigned the traffic VM port profile with firewall protection to the traffic VM.
Figure 6: Virtual Machine Properties Window
This example shows how to verify the communication between the VEM and the VSG:
VSM# show vservice brief
--------------------------------------------------------------------------------
                                Node Information
--------------------------------------------------------------------------------
ID Name                   Type IP-Address      Mode State   Module
1  VSG-1                  vsg  192.161.0.85    l3   Alive   3,4,
--------------------------------------------------------------------------------
                                Path Information
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
                                Port Information
--------------------------------------------------------------------------------
PortProfile:PP-VSERVICE
Org:root/Tenant1
Node:VSG-1(192.161.0.85)
Profile(Id):SP1(6)
Veth Mod VM-Name               vNIC IP-Address
4    4   traffic-vm-win-22          192.163.0.53,
8    3   traffic-vm-win-12          192.163.0.76
10   3   traffic-vm-ubuntu-61       192.163.0.80,
11   3   traffic-vm-ubuntu-52       192.163.0.52,
A display showing the IP-ADDR Listing and Alive state verifies that the VEM can communicate with the
Cisco VSG.
Checking the VM Virtual Ethernet Port for Firewall Protection
This example shows how to verify the VM Virtual Ethernet port for firewall protection:
VSM(config)# show vservice port brief port-profile VSGDemo-WEB-FW
--------------------------------------------------------------------------------
                                Port Information
--------------------------------------------------------------------------------
PortProfile:VSGDemo-WEB-FW
Org:root/Demo
Node:VSG(153.1.1.13)
Profile(Id):Demo-Default-Security-Profile(6)
Veth Mod VM-Name               vNIC IP-Address
1    3   web-server1                152.1.1.11,
Note
Make sure that your VNSP ID value is greater than 1.
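The two displays above are what an operator reads to confirm that the VEM can reach the VSG and that the traffic VM is protected. The following is an added example, not Cisco's code: it parses `show vservice brief` and `show vservice port brief` output laid out as on this page and returns findings for any node that is not Alive or has no IP address listed, and for any protected VM whose VEM module is not among the modules its node serves. The column order and the `Node:name(ip)` header line follow the outputs on this page; the capture embedded at the bottom is constructed from them.

```python
"""Check `show vservice brief` / `show vservice port brief` output from a Cisco VSM.

Added example, not Cisco's code: it verifies what this page says to look for
(each VSG node Alive with an IP address listed, and each protected VM on a VEM
module that its node serves). Column layout follows the outputs on this page;
the sample capture at the bottom is constructed from them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    ip: str
    state: str                # "Alive" is the healthy value
    modules: Tuple[int, ...]  # VEM modules served by this node ("3,4," -> (3, 4))


@dataclass(frozen=True)
class PortEntry:
    veth: int
    module: int
    vm_name: str
    ip: str
    node: str                 # node name from the block's "Node:VSG-1(192.161.0.85)" line
    profile: str              # from "Profile(Id):SP1(6)"


SECTION_RE = re.compile(r"^(Node|Path|Port) Information$")
NODE_REF_RE = re.compile(r"^(?P<name>[^(]+)\(")


def parse_vservice(text: str) -> Tuple[List[Node], List[PortEntry]]:
    nodes, ports, section = [], [], None
    ctx: Dict[str, str] = {}   # key:value header lines of the current port block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue           # blank line or dashed separator
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section == "Node" and line[0].isdigit():
            f = line.split()   # ID Name Type IP-Address Mode State Module
            mods = tuple(int(x) for x in f[6].split(",") if x) if len(f) > 6 else ()
            nodes.append(Node(f[1], f[3], f[5], mods))
        elif section == "Port" and line[0].isdigit():
            f = line.split()   # Veth Mod VM-Name [vNIC] IP-Address; vNIC is blank on this page
            ref = NODE_REF_RE.match(ctx.get("Node", ""))
            ports.append(PortEntry(int(f[0]), int(f[1]), f[2], f[-1].rstrip(","),
                                   ref.group("name") if ref else ctx.get("Node", ""),
                                   ctx.get("Profile(Id)", "")))
        elif section == "Port" and ":" in line:
            key, _, val = line.partition(":")
            ctx[key] = val.strip()
    return nodes, ports


def reachability_findings(nodes: List[Node], ports: List[PortEntry]) -> List[str]:
    """Empty list means the VEM can reach every VSG and every protected VM is covered."""
    out = []
    for n in nodes:
        if n.state != "Alive":
            out.append(f"{n.name}: state {n.state}")
        if not n.ip or n.ip in ("-", "0.0.0.0"):
            out.append(f"{n.name}: no IP address listed")
    by_name = {n.name: n for n in nodes}
    for p in ports:
        n = by_name.get(p.node)
        if n is None:
            out.append(f"{p.vm_name}: node {p.node} not in node table")
        elif p.module not in n.modules:
            out.append(f"{p.vm_name}: module {p.module} not served by {n.name}")
    return out


# Constructed capture, laid out like the `show vservice brief` output on this page
VSERVICE_BRIEF = """\
VSM# show vservice brief
--------------------------------------------------------------------------------
                                Node Information
--------------------------------------------------------------------------------
ID Name                   Type IP-Address      Mode State   Module
1  VSG-1                  vsg  192.161.0.85    l3   Alive   3,4,
--------------------------------------------------------------------------------
                                Port Information
--------------------------------------------------------------------------------
PortProfile:PP-VSERVICE
Org:root/Tenant1
Node:VSG-1(192.161.0.85)
Profile(Id):SP1(6)
Veth Mod VM-Name               vNIC IP-Address
4    4   traffic-vm-win-22          192.163.0.53,
8    3   traffic-vm-win-12          192.163.0.76
10   3   traffic-vm-ubuntu-61       192.163.0.80,
11   3   traffic-vm-ubuntu-52       192.163.0.52,
"""
```

Calling `reachability_findings(*parse_vservice(VSERVICE_BRIEF))` on the page's output returns an empty list; a VM on a module missing from the node's Module column, which happens when a new host joins the VEM before the VSG path is established, shows up as a finding naming the VM and the module.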
Task 13: Installing Microsoft Service Provider Foundation
After installing Cisco Prime NSC, you need to enable communication between the Prime NSC and Microsoft
SCVMM. This is required for virtual machine attribute based policies to work on VSG. Microsoft Service
Provider Foundation (SPF) is a plugin that enables communication between Microsoft SCVMM and Cisco
Prime NSC. The following table lists the SPF versions compatible with Cisco Prime NSC 3.2:
Table 1: SPF versions compatible with Cisco Prime NSC 3.2
SCVMM Version                        SPF Version
System Center 2012 Service Pack 1    7.1.3117.0
System Center 2012 R2                7.2.379.0
This task includes the following subtasks:
• Installing Service Provider Foundation, on page 31
• Configuring Service Provider Foundation, on page 32
• Verifying Service Provider Foundation Installation, on page 32
• Creating VM Manager on Cisco Prime NSC, on page 32
What to Do Next
See Installing Service Provider Foundation, on page 31
Installing Service Provider Foundation
For detailed information about installing Service Provider Foundation, see How to Install Service Provider
Foundation for System Center 2012 R2 available at: http://technet.microsoft.com/en-us/library/dn266007.aspx
Before You Begin
Ensure that you have:
• Downloaded and installed System Center 2012 R2 Orchestrator.
• Verified the system requirements for Service Provider Foundation (SPF). For information on system
requirements, refer to System Requirements for Service Provider Foundation for System Center 2012
SP1, available at: http://technet.microsoft.com/en-us/library/jj642899.aspx.
• NTP server information.
Configuring Service Provider Foundation
After the Service Provider Foundation (SPF) is successfully installed, you need to create a stamp ID (stampId)
and associate it with the Microsoft SCVMM server. For more information about configuring SPF, see
http://technet.microsoft.com/en-us/library/jj613915.aspx.
What to Do Next
See Verifying Service Provider Foundation Installation, on page 32
Verifying Service Provider Foundation Installation
To check if the SPF installation is successful and functional, launch the following VMM REST interface web
link:
https://<spf_host>:8090/SC2012R2/VMM/Microsoft.Management.Odata.Svc
where <spf_host> is the IP address for the Microsoft SCVMM VM.
Use the following link to launch the Virtual Machines REST URL:
https://<spf_host>:8090/SC2012R2/VMM/Microsoft.Management.Odata.Svc/VirtualMachines
where <spf_host> is the IP address for the SCVMM VM.
Creating VM Manager on Cisco Prime NSC
You need to create a VM manager to enable Prime NSC to retrieve VM information from Microsoft SCVMM.
Step 1
Launch Cisco Prime NSC.
Step 2
Choose Resource Management > VM Manager > Add VM Manager.
Step 3
In the Add VM Manager dialog box, enter the following:
a) Name for the VM manager.
b) Description for the VM manager.
c) Hostname/IP address of SCVMM.
d) Domain-Name/User-name.
e) Password for the SCVMM host.
f) Keep the default Port Number.
g) Click OK.
Task 14: Sending Traffic Flow and on Cisco VSG Verifying Statistics and Logs
This section includes the following topics:
• Sending Traffic Flow, on page 34
• Verifying Policy-Engine Statistics and Logs on Cisco VSG, on page 35
Sending Traffic Flow
You can send traffic flow through the Cisco VSG to ensure that it is functioning properly.
Step 1
Ensure that you have the VM (Server-VM) that is using the port profile (pp-webserver) configured for firewall protection.
Figure 7: Virtual Machine Properties Window
Step 2
Log in to any of your client virtual machines (Client-VM).
Step 3
Send traffic (for example, HTTP) to your Server-VM.
[root@]# wget http://172.31.2.92/
--2010-11-28 13:38:40-- http://172.31.2.92/
Connecting to 172.31.2.92:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 258 [text/html]
Saving to: `index.html'
100%[=======================================================================>] 258 --.-K/s in 0s
2010-11-28 13:38:40 (16.4 MB/s) - `index.html' saved [258/258]
[root]#
Step 4
Log in to Cisco VSG and check the policy-engine statistics and logs.
What to Do Next
See Verifying Policy-Engine Statistics and Logs on Cisco VSG, on page 35.
Verifying Policy-Engine Statistics and Logs on Cisco VSG
Log in to Cisco VSG and check the policy-engine statistics and logs.
This example shows how to check the policy-engine statistics and logs:
vsg# show policy-engine stats
Policy Match Stats:
default@root                        :            0
  default/default-rule@root         :            0 (Drop)
  NOT_APPLICABLE                    :            0 (Drop)
PS_web@root/Tenant-A                :            1
  pol_web/permit-all@root/Tenant-A  :            1 (Log, Permit)
  NOT_APPLICABLE                    :            0 (Drop)
vsg# terminal monitor
vsg# 2010 Nov 28 05:41:27 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT:
policy=PS_web@root/Tenant-A rule=pol_web/permit-all@root/Tenant-A action=Permit
direction=egress src.net.ip-address=172.31.2.91 src.net.port=48278
dst.net.ip-address=172.31.2.92 dst.net.port=80 net.protocol=6 net.ethertype=800
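With the severity-6 syslog export and global policy-engine logging from Task 11 in place, every lookup produces one %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT line like the one above, and the same lines reach the syslog server configured in Task 11. The following is an added example, not Cisco's code: it parses those lines into flow records, counts verdicts per policy and action (the same figures `show policy-engine stats` reports), and lists dropped flows with the rule that matched. The Permit line in the block is the event shown on this page; the Drop line and the unrelated syslog line are constructed, and the `action=Drop` wording for a dropped flow is an assumption taken from the "(Drop)" labels in the statistics output.

```python
"""Parse Cisco VSG policy-engine syslog events and summarise the verdicts.

Added example, not Cisco's code. The first sample line is the event shown on
this page; the other two are constructed, and "action=Drop" is assumed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%POLICY_ENGINE-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<body>.*)$")
KV_RE = re.compile(r"(\S+?)=(\S+)")
PROMPT_RE = re.compile(r"^\S*#\s*")   # "vsg# " that `terminal monitor` leaves in front of a line


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event's fields, or None when the line is not a policy-engine event."""
    m = EVENT_RE.match(PROMPT_RE.sub("", line.strip(), count=1))
    if not m:
        return None
    ev = {"ts": m.group("ts"), "host": m.group("host"),
          "severity": m.group("sev"), "mnemonic": m.group("mnemonic")}
    ev.update(KV_RE.findall(m.group("body")))   # policy=, rule=, action=, src.net.ip-address=, ...
    return ev


def flow_tuple(ev: Dict[str, str]) -> str:
    """Compact flow key: '<proto> <src>:<sport> -> <dst>:<dport>'."""
    g = ev.get
    return (f"{g('net.protocol', '?')} {g('src.net.ip-address', '?')}:{g('src.net.port', '?')}"
            f" -> {g('dst.net.ip-address', '?')}:{g('dst.net.port', '?')}")


def verdict_counts(lines: Iterable[str]) -> Counter:
    """Count lookups per (policy, action), mirroring `show policy-engine stats`."""
    counts: Counter = Counter()
    for ln in lines:
        ev = parse_event(ln)
        if ev and ev["mnemonic"] == "POLICY_LOOKUP_EVENT":
            counts[(ev.get("policy", "?"), ev.get("action", "?"))] += 1
    return counts


def dropped_flows(lines: Iterable[str]) -> List[str]:
    """Flows the VSG dropped, with the rule that matched, for troubleshooting."""
    out = []
    for ln in lines:
        ev = parse_event(ln)
        if ev and ev.get("action", "").lower() == "drop":
            out.append(f"{ev.get('rule', '?')}: {flow_tuple(ev)}")
    return out


# Constructed sample: the first line is the event shown on this page (prompt included,
# as `terminal monitor` prints it); the other two are made up for illustration.
SAMPLE_LOG = [
    "vsg# 2010 Nov 28 05:41:27 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT: "
    "policy=PS_web@root/Tenant-A rule=pol_web/permit-all@root/Tenant-A action=Permit "
    "direction=egress src.net.ip-address=172.31.2.91 src.net.port=48278 "
    "dst.net.ip-address=172.31.2.92 dst.net.port=80 net.protocol=6 net.ethertype=800",
    "2010 Nov 28 05:42:03 firewall %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT: "
    "policy=PS_web@root/Tenant-A rule=default/default-rule@root action=Drop "
    "direction=ingress src.net.ip-address=172.31.2.95 src.net.port=51234 "
    "dst.net.ip-address=172.31.2.92 dst.net.port=22 net.protocol=6 net.ethertype=800",
    "2010 Nov 28 05:42:04 firewall %SYSLOG-6-OTHER: unrelated message",
]

if __name__ == "__main__":
    for (policy, action), n in sorted(verdict_counts(SAMPLE_LOG).items()):
        print(f"{policy:40} {action:8} {n}")
    for entry in dropped_flows(SAMPLE_LOG):
        print("DROP", entry)
```

Pointing the same parser at the syslog server's file rather than the console gives the per-rule counts without logging in to each VSG, and a rule whose Permit count stays at zero after the wget in Step 3 is the quickest sign that the traffic VM is not on the port profile configured for firewall protection.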