Cisco VSG for Microsoft Hyper-V, Release 5.2(1)VSG2(1.1b) and Cisco Prime NSC, Release 3.2 Installation and Upgrade Guide

(1)

Cisco VSG for Microsoft Hyper-V, Release 5.2(1)VSG2(1.1b) and Cisco Prime NSC, Release 3.2 Installation and Upgrade Guide

First Published: May 08, 2014

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive San Jose, CA 95134-1706 USA

http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Text Part Number: OL-28943-02

(2)

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright^©1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.

CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:http://

www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

(3)

C O N T E N T S

P r e f a c e Preface vii

Audience vii

Document Conventions vii

Related Documentation for Cisco Virtual Security Gateway for Microsoft Hyper-V viii Documentation Feedback ix

Obtaining Documentation and Submitting a Service Request ix

C H A P T E R 1 Overview 1

Information About Installing Cisco Prime NSC and Cisco VSG 1 Information About Cisco VSG 1

Cisco Prime NSC and VSG Architecture 2 Trusted Multitenant Access 4

Dynamic Virtualization-Aware Operation 5 Setting Up Cisco VSG and VLAN 6 Information About Cisco Prime NSC 7

Cisco Prime NSC Key Benefits 7 Cisco Prime NSC Components 8

Cisco Prime NSC Architecture 8 Cisco Prime NSC Security 9 Cisco Prime NSC API 9 Cisco Prime NSC and VSG 9 System Requirements 9

C H A P T E R 2 Installing the Cisco Prime NSC and Cisco VSG-Quick Start 11 Information About Installing Cisco Prime NSC and Cisco VSG 11

Cisco VSG and Cisco Prime NSC Installation Planning Checklists 12

(4)

License Requirements 13

VLAN Configuration Requirements for VSG 14

Required Cisco Prime NSC and Cisco VSG Information 14 Tasks and Prerequisites Checklist 16

Host Requirements 19

Obtaining Cisco Prime NSC and Cisco VSG Software 19 Task 1: Installing the Cisco Prime NSC from an ISO Image 19 Task 2: On the VSM, Configuring Cisco Prime NSC Policy Agent 23 Task 3: On the VSM, Preparing Cisco VSG Port Profiles 25

Task 4: On the VSM, Configuring Virtual Network Adapters on the Hosts 27 Create Port-profile for the Virtual Network Adapter 27

Creating Virtual Network Adapter 28

Task 5: Installing Cisco VSG from an ISO Image 28

Task 6: On the VSG, Configuring the Cisco Prime NSC Policy Agent 32

Task 7: On Cisco VSG, Cisco VSM, and Cisco Prime NSC, Verifying the NSC Policy-Agent Status 33

Task 8: On Cisco Prime NSC, Configuring a Tenant, Security Profile, Compute Firewall, and Assigning Cisco VSG to the Compute Firewall 34

Configuring a Tenant on Cisco Prime NSC 35

Configuring a Security Profile on the Cisco Prime NSC 35

Configuring a Compute Firewall and Assigning Cisco VSG to Cisco Prime NSC 36 Task 9: On the Prime NSC, Configuring a Permit-All Rule 37

Task 10: On Cisco VSG, Verifying the Permit-All Rule 37 Task 11: Enabling Logging 38

Enabling Logging level 6 for Policy-Engine Logging 38 Enabling Global Policy-Engine Logging 39

Task 12: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG 39

Enabling Traffic VM Port-Profile for Firewall Protection 40 Verifying the VSM or VEM for Cisco VSG Reachability 41 Contents

(5)

Creating VM Manager on Cisco Prime NSC 43

Task 14: Sending Traffic Flow and on Cisco VSG Verifying Statistics and Logs 44 Sending Traffic Flow 45

Verifying Policy-Engine Statistics and Logs on Cisco VSG 46

C H A P T E R 3 Installing the Cisco Prime Network Services Controller 47

Information About the Cisco Prime NSC 47 Installation Requirements 47

Cisco Prime NSC System Requirements 47 Web-Based GUI Client Requirements 48 Firewall Ports Requiring Access 49

Cisco Nexus 1000V Series Switch Requirements 49 Information Required for Installation and Configuration 50 Shared Secret Password Criteria 51

Microsoft Hyper-V Server Requirement 52 Installing Cisco Prime NSC 52

C H A P T E R 4 Installing the Cisco VSG 55

Information About the Cisco VSG 55 Host and VM Requirements 55

Cisco VSG and Supported Cisco Nexus 1000V Series Device Terminology 56 Prerequisites for Installing the Cisco VSG Software 57

Obtaining the Cisco VSG Software 57 Installing the Cisco VSG Software 57

Installing the Cisco VSG Software from an ISO File 57 Configuring Initial Settings 60

On the VSG, Configuring the Cisco Prime NSC Policy Agent 61 Configuring Initial Settings on a Secondary Cisco VSG 63 Verifying the Cisco VSG Configuration 63

Where to Go Next 63

C H A P T E R 5 Registering Devices with the Cisco Prime NSC 65

Registering a Cisco VSG 65

Registering Cisco Nexus 1000V VSM 66 Contents

(6)

C H A P T E R 6 Installing the Cisco VSG on a Cisco Cloud Service Platform Virtual Services Appliance 69

Information About Installing the Cisco VSG on the Cisco Cloud Service Platform 69 Prerequisites for Installing Cisco VSG on the Cisco Cloud Service Platform 70 Guidelines and Limitations 70

Installing Cisco VSG on a Cisco Cloud Service Platform 71

C H A P T E R 7 Upgrading the Cisco VSG and the Cisco Prime NSC 77

Complete Upgrade Procedure 77

Information About Cisco Prime NSC Upgrades 78 Information About Cisco VSG Upgrades 78 Upgrade Guidelines and Limitations 78

Upgrade Procedure for Cisco VSG Release 5.2(1)VSG1(4.1) to Release 5.2(1)VSG2(1.1b), Cisco VNMC Release 2.1 to Cisco Prime NSC Release 3.2 and Cisco Nexus 1000V Release 5.2(1)SM1(5.1) to Release 5.2(1)SM1(5.2b) 79

Cisco VSG Release 5.2(1)VSG1(4.1) to 5.2(1)VSG2(1.1b) and Cisco VNMC 2.1 to Cisco Prime NSC 3.0.2 to Cisco Prime NSC 3.2 Staged Upgrade 79

Upgrading VNMC Release 2.1 to Cisco Prime NSC 3.0.2 82 Upgrading Cisco Prime NSC 3.0.2 to Cisco Prime NSC 3.2 84

Upgrading Cisco VSG from Release 5.2(1)VSG1(4.1) to 5.2(1)VSG2(1.1b) 86 Cisco VSG Software Upgrade Guidelines 86

Upgrade a VSG Pair in HA Mode 86 Upgrading a Device for Standalone VSG 90

Re-registering the Policy Agent with the Upgraded VSG 92 Upgrading the Cisco Nexus 1000V for Microsoft Hyper-V 93

Upgrading the Cisco Nexus 1000V for Microsoft Hyper-V 93

Upgrade Procedure for Cisco VSG Release 5.2(1)VSG2(1.1a) to Release 5.2(1)VSG2(1.1b) and Cisco Nexus 1000V Release 5.2(1)SM1(5.2) or 5.2(1)SM1(5.2a) to Release 5.2(1)SM1(5.2b) 94

Cisco VSG Release 5.2(1)VSG2(1.1a) to 5.2(1)VSG2(1.1b) Staged Upgrade 94 Contents

(7)

Preface

This preface contains the following sections:

• Audience, page vii

• Document Conventions, page vii

• Related Documentation for Cisco Virtual Security Gateway for Microsoft Hyper-V, page viii

• Documentation Feedback , page ix

• Obtaining Documentation and Submitting a Service Request, page ix

Audience

This publication is for network administrators and server administrators who understand virtualization.

Document Conventions

Command descriptions use the following conventions:

Description Convention

Bold text indicates the commands and keywords that you enter literally as shown.

bold

Italic text indicates arguments for which the user supplies the values.

Italic

Square brackets enclose an optional element (keyword or argument).

[x]

Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice.

[x | y]

Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice.

{x | y}

(8)

Nested set of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.

[x {y | z}]

Indicates a variable for which you supply values, in context where italics cannot be used.

variable

A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

string

Examples use the following conventions:

Terminal sessions and information the switch displays are in screen font.

screen font

Information you must enter is in boldface screen font.

boldface screen font

Arguments for which you supply values are in italic screen font.

italic screen font

Nonprinting characters, such as passwords, are in angle brackets.

< >

Default responses to system prompts are in square brackets.

[ ]

An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

!, #

This document uses the following conventions:

Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Note

Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Caution

Documentation Feedback

To provide technical feedback on this document, or to report an error or omission, please send your comments to vsg-docfeedback@cisco.com. We appreciate your feedback.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation, at: http://

www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.

Preface

Documentation Feedback

(10)

Preface Obtaining Documentation and Submitting a Service Request

(11)

C H A P T E R

1

Overview

This chapter contains the following sections:

• Information About Installing Cisco Prime NSC and Cisco VSG, page 1

• Information About Cisco Prime NSC, page 7

Information About Installing Cisco Prime NSC and Cisco VSG

You must install Cisco Prime NSC and Cisco VSG in a particular sequence on the Cisco Nexus 1000V switch to have a functioning virtual system. For the critical sequence information that you need for a successful installation on the Cisco Nexus 1000V switch, see Chapter 2, Installing Cisco VSG and Cisco Prime NSC-Quick Start. For installing Cisco VSG on the Cisco Cloud Service Platform Virtual Services Appliance, see Chapter 6, Installing Cisco VSG on Cisco Cloud Service Platform Virtual Services Appliance.

Information About Cisco VSG

Cisco VSG is a virtual firewall appliance that provides trusted access to virtual data center and cloud environments with dynamic policy-driven operation, mobility-transparent enforcement, and scale-out deployment for dense multi-tenancy. By associating one or more Virtual Machines (VMs) into distinct trust zones, Cisco VSG ensures that access to trust zones is controlled and monitored through established security

(12)

policies. The following figure shows the trusted zone-based access control that is used in per-tenant enforcement with Cisco VSG.

Figure 1: Trusted Zone-Based Access Control Using Per-Tenant Enforcement with Cisco VSG

Cisco Prime NSC and VSG Architecture

Cisco VSG operates with Cisco Nexus 1000V Series switch in Microsoft Hyper-V or Cisco Cloud Service Platform Virtual Services Appliance, and Cisco VSG leverages the virtual network service data path (Cisco vPath). Cisco vPath steers traffic, whether external-to-VM or VM-to-VM, to Cisco VSG of a tenant. Initial

Overview Information About Cisco VSG

(13)

packet processing occurs in Cisco VSG for policy evaluation and enforcement. After the policy decision is made, Cisco VSG offloads policy enforcement of the remaining packets to Cisco vPath.

Figure 2: Cisco Virtual Security Gateway Deployment Topology

Cisco vPath supports the following features:

• Tenant-aware flow classification and subsequent redirection to a designated Cisco VSG tenant

• Per-tenant policy enforcement of flows offloaded by the Cisco VSG to Cisco vPath Cisco VSG and the VEM provide the following benefits:

• Each Cisco VSG can provide protection across multiple physical servers, which eliminates the need for you to deploy a virtual appliance per physical server.

• By offloading the fast-path to one or more Cisco vPath Virtual Ethernet Modules (VEMs), Cisco VSG enhances security performance through distributed Cisco vPath-based enforcement.

• You can use Cisco VSG without creating multiple switches or temporarily migrating VMs to different switches or servers. Zone scaling, which is based on security profiles, simplifies physical server upgrades without compromising security or incurring application outages.

• For each tenant, you can deploy Cisco VSG in an active-standby mode to ensure that Cisco vPath redirects packets to the standby Cisco VSG when the primary Cisco VSG is unavailable.

Overview

Information About Cisco VSG

(14)

• You can place Cisco VSG on a dedicated server so that you can allocate the maximum compute capacity to application workloads. This feature enables capacity planning to occur independently and allows for operational segregation across security, network, and server groups.

Trusted Multitenant Access

You can transparently insert a Cisco VSG into the Microsoft Hyper-V environment where Cisco Nexus 1000V is deployed. One or more instances of Cisco VSG is deployed on a per-tenant basis, which allows a highly scale-out deployment across many tenants. Tenants are isolated from each other, so no traffic can cross tenant boundaries. You can deploy Cisco VSG at the tenant level in Hyper-V and manage each tenant instance using Microsoft System Center Virtual Machine Manager (SCVMM).

As you instantiate VMs for a given tenant, their association to security profiles (or zone membership) occurs immediately through binding with the Cisco Nexus 1000V port profile. Each VM is placed upon instantiation into a logical trust zone. Security profiles contain context-aware rule sets that specify access policies for traffic that enters and exits each zone. You can apply controls to zone-to-zone traffic and to external-to-zone (and zone-to-external) traffic. Zone-based enforcement occurs within a VLAN because a VLAN often identifies a tenant boundary. The Cisco VSG evaluates access control rules and then offloads enforcement to the Cisco Nexus 1000V VEM vPath module. Upon enforcement, Cisco VSG can permit or deny access and can generate optional access logs. Cisco VSG also provides policy-based traffic monitoring capability with access logs.

(15)

Dynamic Virtualization-Aware Operation

A virtualization environment is dynamic, where frequent additions, deletions, and changes occur across tenants and across VMs. The following figure shows how the structured environment can change over time due to dynamic VMs.

Figure 3: Cisco VSG Security in a Dynamic VM Environment, Including VM Live Migration Overview

Information About Cisco VSG

(16)

Cisco VSG operating with Cisco Nexus 1000V (and Cisco vPath) supports a dynamic VM environment. When you create a tenant with Cisco VSG (standalone or active-standby pair) on Cisco Prime NSC, associated security profiles are defined that include trust zone definitions and access control rules. Each security profile is bound to a Cisco Nexus 1000V port profile (authored on the Cisco Nexus 1000V Virtual Supervisor Module (VSM) and published to Microsoft SCVMM.

When a new VM is instantiated, the server administrator assigns appropriate port profiles to the virtual Ethernet port of the VM. Because the port profile uniquely refers to a security profile and VM zone membership, Cisco VSG immediately applies the security controls. You can repurpose a VM by assigning it to a different port profile or security profile.

As VM migration events are triggered, VMs move across physical servers. Because Cisco Nexus 1000V ensures that port profile policies follow the VMs, associated security profiles also follow these moving VMs, and security enforcement and monitoring remain transparent to the migration events.

Setting Up Cisco VSG and VLAN

You can set up Cisco VSG in an overlay fashion so that VMs can reach Cisco VSG irrespective of its location.

The Cisco vPath component in Cisco Nexus 1000V VEM intercepts the packets from the VM and sends them to Cisco VSG for further processing.

In the following figure, Cisco VSG connects to three different VLANs (service VLAN, management VLAN, and HA VLAN). Cisco VSG is configured with three vNICS—data vNIC (1), management vNIC (2), and HA vNIC (3)—with each of the vNICs connected to one of the VLANs through a port profile.

Figure 4: Cisco Virtual Security Gateway VLAN Usages

(17)

• The service VLAN provides communications between Cisco Nexus 1000V VEM and Cisco VSG through a physical router. Cisco VSG data interface and VEM interface are configured on different subnets. All the Cisco VSG data interfaces are part of the service VLAN and the VEM interacts with Cisco VSG using the router.

• The management VLAN connects the management platforms such as Microsoft SCVMM, Cisco Prime NSC, Cisco Nexus 1000V VSM, and managed Cisco VSGs. The Cisco VSG management vNIC is part of the management VLAN.

• The HA VLAN provides the heartbeat mechanism and identifies the active and standby relationship between the Cisco VSGs. The Cisco VSG vNICs are part of the HA VLAN.

You can allocate one or more VM data VLANs for VM-to-VM communications. In a typical multi-tenant environment, the management VLAN is shared among all the tenants and the service VLAN, HA VLAN, and the VM data. VLANs are allocated on a per-tenant basis. However, when VLAN resources become scarce, you might decide to use a single VLAN for service and HA functions.

Information About Cisco Prime NSC

Cisco Prime NSC virtual appliance is based on Red Hat Enterprise Linux (RHEL), which provides centralized device and security policy management of Cisco VSG for Cisco Nexus 1000V Series switch. Designed for multi-tenant operation, Cisco Prime NSC provides seamless, scalable, and automation-centric management for virtual data center and cloud environments. With a web-based GUI, CLI, and XML APIs, Cisco Prime NSC enables you to manage Cisco VSGs that are deployed throughout the data center from a centralized location.

Multi-tenancy is when a single instance of the software runs on a Software-as-a-Service (SaaS) server, serving multiple client organizations or tenants. In contrast, multi-instance architecture has separate software instances set up for different client organizations. With a multi-tenant architecture, a software application can virtually partition data and configurations so that each tenant works with a customized virtual application instance.

Note

Cisco Prime NSC is built on an information model-driven architecture, where each managed device is represented by its subcomponents.

Cisco Prime NSC Key Benefits

Cisco Prime NSC provides the following key benefits:

• Rapid and scalable deployment with dynamic, template-driven policy management based on security profiles.

• Seamless operational management through XML APIs that enable integration with third-party management tools.

• Greater collaboration across security and server administrators, while maintaining administrative separation and reducing administrative errors.

Overview

Information About Cisco Prime NSC

(18)

Cisco Prime NSC Components

Cisco Prime NSC architecture includes the following components:

• A centralized repository for managing security policies (security templates) and object configurations that allow managed devices to be stateless.

• A centralized resource management function that manages pools of devices that are commissioned and pools of devices that are available for commissioning. This function simplifies large scale deployments as follows:

◦Devices can be pre-instantiated and then configured on demand

◦Devices can be allocated and deallocated dynamically across commissioned and noncommissioned pools

• A distributed management-plane function that uses an embedded management agent on each device that allows for a scalable management framework.

Cisco Prime NSC Architecture

The Cisco Prime NSC architecture includes the components in the following figure:

Figure 5: Cisco Prime NSC Components

Overview Cisco Prime NSC Components

(19)

Cisco Prime NSC Security

Cisco Prime NSC uses security profiles for tenant-centric template-based configuration of security policies.

A security profile is a collection of security policies that are predefined and applied on an on-demand basis at the time of Virtual Machine (VM) instantiation. These profiles simplify authoring, deployment, and management of security policies in a dense multi-tenant environment, reduce administrative errors, and simplify audits.

Cisco Prime NSC API

The Cisco Prime NSC API allows you to coordinate with third-party provisioning tools for programmatic provisioning and management of Cisco VSGs. This feature allows you to simplify data center operational processes and reduce the cost of infrastructure management.

Cisco Prime NSC and VSG

Cisco Prime NSC operates with the Cisco Nexus 1000V Series VSM to achieve the following scenarios:

• Security administrators who author and manage security profiles as well as manage Cisco VSG instances.

Security profiles are referenced in Cisco Nexus 1000V Series port profiles through Cisco Prime NSC interface.

• Network administrators who author and manage port profiles as well as manage Cisco Nexus 1000V Series switches. Port profiles are referenced in Microsoft SCVMM through the Cisco Nexus 1000V Series VSM interface.

• Server administrators who select the appropriate port profiles in Microsoft SCVMM when instantiating a virtual machine.

System Requirements

System requirements for Cisco Prime NSC are as follows:

• Microsoft Windows Server with SCVMM 2012 SP1 or SCVMM 2012 R2.

• Intel VT that is enabled in the BIOS.

• 4 GB RAM for Prime NSC ISO installation.

• 40 GB on shared NFS or SAN, and configured on two hard disks as follows:

◦Disk 1: 20 GB

◦Disk 2: 20 GB

• Adobe Flash Player plugin 11.2 or higher.

• Any of the following browsers:

◦Internet Explorer 9.0 or higher

Overview

System Requirements

(20)

◦Mozilla Firefox 23.0 or higher

◦Google Chrome 29.0 or higher

Access to Cisco Prime NSC application using a Web browser and the following ports (if the deployment uses a firewall, make sure to permit the following ports):

◦443 (HTTPs)

◦80 (HTTP/TCP)

◦843 (Adobe Flash)

If you are running Firefox or IE and do not have Flash, or you have a version of Flash that is older than 11.2, a message displays asking you to install Flash and provides a link to the Adobe website.

Note

Overview System Requirements

(21)

C H A P T E R

2

Installing the Cisco Prime NSC and Cisco VSG-Quick Start

This chapter contains the following sections:

• Information About Installing Cisco Prime NSC and Cisco VSG, page 11

• Task 1: Installing the Cisco Prime NSC from an ISO Image, page 19

• Task 2: On the VSM, Configuring Cisco Prime NSC Policy Agent, page 23

• Task 3: On the VSM, Preparing Cisco VSG Port Profiles, page 25

• Task 4: On the VSM, Configuring Virtual Network Adapters on the Hosts, page 27

• Task 5: Installing Cisco VSG from an ISO Image, page 28

• Task 6: On the VSG, Configuring the Cisco Prime NSC Policy Agent, page 32

• Task 7: On Cisco VSG, Cisco VSM, and Cisco Prime NSC, Verifying the NSC Policy-Agent Status, page 33

• Task 8: On Cisco Prime NSC, Configuring a Tenant, Security Profile, Compute Firewall, and Assigning Cisco VSG to the Compute Firewall, page 34

• Task 9: On the Prime NSC, Configuring a Permit-All Rule, page 37

• Task 10: On Cisco VSG, Verifying the Permit-All Rule, page 37

• Task 11: Enabling Logging, page 38

• Task 12: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG, page 39

• Task 13: Installing Microsoft Service Provider Foundation, page 42

• Task 14: Sending Traffic Flow and on Cisco VSG Verifying Statistics and Logs, page 44

Information About Installing Cisco Prime NSC and Cisco VSG

This chapter describes how to install and set up a basic working configuration of Cisco Prime Network Services Controller (Cisco Prime NSC) and Cisco Virtual Security Gateway (Cisco VSG). The example in this chapter

(22)

uses the ISO files of the software for installation. The steps assume that Cisco Nexus 1000V Series switch is operational, and endpoint VMs are already installed.

Cisco VSG and Cisco Prime NSC Installation Planning Checklists

Planning the arrangement and architecture of your network and equipment is essential for a successful operation of Cisco Prime NSC and Cisco VSG.

Basic Hardware and Software Requirements

The following table lists the basic hardware and software requirements for Cisco VSG and Cisco Prime NSC installation.

Description Requirement

• Cisco VSG: 1 (1.5 GHz)

• Cisco Prime NSC: 4 (1.8 GHz each) Virtual CPUs

• Cisco VSG: 2GB RAM

• Cisco Prime NSC: 4GB RAM Memory

Cisco VSG: 3 GB

Cisco Prime NSC: Without InterCloud functionality, 40 GB on shared NFS or SAN, and configured on two disks as follows:

• Disk 1: 20 GB

• Disk 2: 20 GB Disk Space

x86 Intel or AMD server with a 64-bit processor.

Processor

• Cisco VSG: 3

• Cisco Prime NSC: 1 Network Interfaces

SCVMM 2012 SP1 or SCVMM 2012 R2 Microsoft SCVMM

Installing the Cisco Prime NSC and Cisco VSG-Quick Start Cisco VSG and Cisco Prime NSC Installation Planning Checklists

(23)

Description Requirement

Any of the following browsers:

• Internet Explorer 9.0 or higher

• Mozilla Firefox 23.0 or higher

• Google Chrome 29.0 or higher

If you are running Firefox or IE and do not have Flash, or you have a version of Flash that is older than 11.2, a message displays asking you to install Flash and provides a link to the Adobe website.

Note

Before using Google Chrome with Cisco Prime NSC, you must disable the Adobe Flash Players that are installed by default with Chrome. For more information, see Configuring Chrome for Use with Cisco Prime NSC.

Note Browser

Access to the Cisco Prime NSC application using a web browser and the following ports (if the deployment uses a firewall, make sure to permit the following ports):

• 443 (HTTPS)

• 80 (HTTP/TCP)

• 843 (Adobe Flash) Ports

Adobe Flash Player plugin 11.2 or higher Flash Player

The Cisco VSG software is available for download athttp://www.cisco.com/en/US/products/ps13095/

index.htmland the Cisco Prime NSC software is available for download athttp://www.cisco.com/en/US/

products/ps13213/index.html.

Note

License Requirements

Cisco VSG license is integrated with the Nexus1000V Multi-Hypervisor License. You need to install the Nexus1000V Multi-Hypervisor License for Cisco VSG for Microsoft Hyper-V. The Cisco N1kv VSM is available in two modes: essential and advanced. VSG functionality is available only in the advanced mode.

You need to install the Nexus1000V Multi-Hypervisor License and change the VSM mode to advanced mode.

When the Nexus1000V Multi-Hypervisor License is installed, the license for Cisco VSG is automatically included.

Installing the Cisco Prime NSC and Cisco VSG-Quick Start

Cisco VSG and Cisco Prime NSC Installation Planning Checklists

(24)

If you try to access VSG services with VSM in essential mode, an error message is generated on VSM console indicating that the Nexus1000V Multi-Hypervisor License is required for VSG.

Note

The Nexus1000V Multi-Hypervisor License in the Release 5.2(1)SM1(5.2) is available in three different types:

• Default: The Nexus 1000v switch may be configured in Essential or Advanced mode.

◦Essential Mode: Not Supported.

◦Advanced Mode: After upgrade to Software Release 5.2(1)SM(5.2) - Nexus1000V Multi-Hypervisor License is available with 1024 Socket Count and expires in 60 days.

You must install either the evaluation or the permanent (MSFT PKG) license prior to upgrading to the Software Release 5.2(1)SM(5.2).

Note

• Evaluation: The Nexus 1000V switch should be in Advanced mode. After upgrading to Software Release 5.2(1)SM (5.2) - Nexus1000V Multi-Hypervisor License is available with1024 Socket Count and expires in 60 days.

• Permanent: The Nexus 1000V switch should be in Advanced mode. After upgrading to Software Release 5.2(1)SM(5.2) - Nexus1000V Multi-Hypervisor License is available with 1024 Socket Count and expires in 60 days.

You have to request for an evaluation or permanent Nexus1000V Multi-Hypervisor License.

Note

For more information about the Cisco Nexus 1000V for Microsoft Hyper-V licenses, see the Cisco Nexus 1000V for Microsoft Hyper-V License Configuration Guide.

VLAN Configuration Requirements for VSG

You must have two port-profiles configured on two different VLANs in the VSM:

• Service interface VLAN

• HA interface VLAN

Required Cisco Prime NSC and Cisco VSG Information

The following information can be used during the Cisco Prime NSC and Cisco VSG installation.

(25)

Your Information Type

Hostname—Where the Cisco VSG will be installed in the inventory folder

ISOs—Managed within SCVMM library, if stored at C:\ProgramData\Virtual Machine Manager Library Files\ISO to manage. Refresh the SCVMM library after saving the ISO file to the specified location.

Cisco VSG management IP address VSM management IP address Cisco Prime NSC instance IP address

• Standalone

• HA primary

• HA secondary Mode for installing the Cisco VSG

Cisco VSG VLAN number

• Service (1)

• Management (2)

• High availability (HA) (3)

Cisco VSG port profile name

• Data (1)

• Management (2)

• High availability (HA) (3)

The numbers indicate the Cisco VSG port profile that must be associated with the Cisco VSG VLAN number.

Note

HA pair ID (HA domain ID) Cisco VSG admin password Cisco Prime NSC admin password Cisco VSM admin password

Shared secret password (Cisco Prime NSC, Cisco VSG policy agent, Cisco VSM policy agent)

(26)

Your Information Type

NSC DNS IP address NSC NTP IP address

Tasks and Prerequisites Checklist

Prerequisites Tasks

Make sure that you know the following:

• Verified that the Hyper-V host on which to deploy Cisco Prime NSC VM is available in SCVMM.

• Copied the Cisco Prime NSC 3.2 ISO image to the SCVMM library location on the file system. To make this image available in SCVMM, choose Library > Library Servers, right-click the library location, and then refresh.

• NTP server information.

Task 1: Installing the Cisco Prime NSC from an ISO Image, on page 19

• Cisco Prime NSC policy-agent image on the VSM (for example, vsmhv-pa.3.2.1c.bin)

The string vsmhv-pa must appear in the image name as highlighted.

Note

• The IP address of Cisco Prime NSC

• The shared secret password you defined during Cisco Prime NSC installation

• IP connectivity between the VSM and Cisco Prime NSC is working

If you upgrade your VSM, you must also copy the latest Cisco VSM policy agent image. This image is available in Cisco Prime NSC image bundle to boot from a flash drive and to complete registration with Cisco Prime NSC.

Note Task 2: On the VSM, Configuring Cisco

Prime NSC Policy Agent, on page 23

(27)

• Logical Switch name (Network Uplink port-profile name).

• VLAN ID for the Cisco VSG data interface (for example,100).

• VLAN ID for the Cisco VSG-ha interface (for example, 200).

• Management VLAN (management).

None of these VLANs need to be system VLANs.

Note Task 3: On the VSM, Preparing Cisco VSG

Port Profiles, on page 25

• Cisco VSG port-profile configured on VSM.

Task 4: On the VSM, Configuring Virtual Network Adapters on the Hosts, on page 27

• Installed Microsoft SCVMM SP1 or SCVMM R2.

• Downloaded the Cisco VSG ISO image and uploaded it to the server (C:\ProgramData\Virtual Machine Manager Library Files\ISO). Refresh the library server under the Library tab.

• Cisco VSG-Data port profile: VSG-Data.

• Cisco VSG-ha port profile: VSG-ha.

• HA ID.

• IP/subnet mask/gateway information for Cisco VSG

• Administrator password

• Minimum of 2 GB RAM and 2 GB hard disk space, recommended space is 4 GB RAM and 4 GB hard disk.

• Cisco Prime NSC IP address.

• The shared secret password.

• IP connectivity between Cisco VSG and Cisco Prime NSC is okay.

• Cisco VSG NSC-PA image name (vsghv-pa.2.1.1e.bin) is available.

Task 5: Installing Cisco VSG from an ISO Image, on page 28

(28)

• The Cisco Prime NSC policy-agent image on Cisco VSG (for example, vsghv-pa.2.1.1e.bin).

The string vsghv-pa must appear in the image name as highlighted.

Note

• IP address of the Cisco Prime NSC.

• Shared secret password you defined during the Cisco Prime NSC installation.

• IP connectivity between the VSG and the Cisco Prime NSC.

If you upgrade your VSG, you must also copy the latest Cisco VSG policy agent image. This image is available in Cisco Prime NSC image bundle to boot from a flash drive and to complete registration with Cisco Prime NSC.

Note Task 6: On the VSG, Configuring the Cisco

Prime NSC Policy Agent, on page 32

— Task 7: On Cisco VSG, Cisco VSM, and Cisco Prime NSC, Verifying the NSC Policy-Agent Status, on page 33

• Adobe Flash Player (version 11.2 or later) has been installed

• The IP address of the Cisco Prime NSC

• The admin user password Task 8: On Cisco Prime NSC, Configuring

a Tenant, Security Profile, Compute Firewall, and Assigning Cisco VSG to the Compute Firewall, on page 34

— Task 13: Installing Microsoft Service

Provider Foundation, on page 42

— Task 9: On Cisco Prime NSC, Assigning Cisco VSG to the Compute Firewall

— Task 9: On the Prime NSC, Configuring a Permit-All Rule, on page 37

— Task 10: On Cisco VSG, Verifying the Permit-All Rule, on page 37

— Task 11: Enabling Logging, on page 38

(29)

• The server VM that runs with an access port profile (for example, web server)

• The Cisco VSG data IP address (for example, 10.10.10.200) and VLAN ID (for example, 100)

• The security profile name (for example, sp-web)

• The organization (Org) name (for example, root/Tenant-A)

• The port profile that you would like to edit to enable firewall protection

• That one active port in the port-profile with Cisco vPath configuration has been set up

Task 12: Enabling the Traffic VM Port-Profile for Firewall Protection and Verifying the Communication Between the VSM, VEM, and VSG, on page 39

— Task 14: Sending Traffic Flow and on

Cisco VSG Verifying Statistics and Logs, on page 44

Host Requirements

• Microsoft SCVMM SP1 or SCVMM R2

• Microsoft Windows Server 2012 or Windows Server 2012 R2

• 6 GB RAM

Obtaining Cisco Prime NSC and Cisco VSG Software

Cisco VSG software is available for download at the following URL:

http://software.cisco.com/download/navigator.html

Cisco Prime NSC software is available for download at the following URL:

http://software.cisco.com/download/navigator.html

Task 1: Installing the Cisco Prime NSC from an ISO Image

Before You Begin Ensure that you have:

• Verified that the Hyper-V host on which to deploy Cisco Prime NSC VM is available in SCVMM.

• Copied the Cisco Prime NSC 3.2 ISO image to the SCVMM library location on the file system. To make this image available in SCVMM, choose Library > Library Servers, right-click the library location, and then refresh.

Task 1: Installing the Cisco Prime NSC from an ISO Image

(30)

• NTP server information.

SUMMARY STEPS

1. Launch the SCVMM.

2. In the VMs and Services pane, choose the Hyper-V host on which to deploy the Cisco Prime NSC VM.

3. Right-click the Hyper-V host and choose Create Virtual Machine.

4. In the Create Virtual Machine wizard, from the Select Source screen, choose the Create the new virtual machine with a blank virtual hard disk radio button, and then click Next.

5. In the Specify Virtual Machine Identity screen, Specify the name and description for the virtual machine, and then click Next.

6. In the Configure Hardware screen, do the following:

7. In the Select Destination screen, do the following:

8. In the Select Host screen, choose the destination, and then click Next.

9. In the Configure Settings screen, click Browse and navigate to the storage location of virtual machine file, and then click Next.

10. In the Add properties screen, choose the Red Hat Enterprise Linux 5 (64 bit) operating system, and then click Next.

11. In the Summary screen, do the following:

12. After the VM is successfully created, right-click the new Virtual Machine and choose Connect or View

> Connect Via Console.

13. Launch the console and install Cisco Prime NSC.

14. After Cisco Prime NSC is successfully deployed, click Close and power on the Cisco Prime NSC VM.

Installing the Cisco Prime NSC and Cisco VSG-Quick Start Task 1: Installing the Cisco Prime NSC from an ISO Image

(31)

DETAILED STEPS

Step 1 Launch the SCVMM.

Figure 6: Create Virtual Machine Wizard - Select Source

Step 2 In the VMs and Services pane, choose the Hyper-V host on which to deploy the Cisco Prime NSC VM.

Step 3 Right-click the Hyper-V host and choose Create Virtual Machine.

Step 4 In the Create Virtual Machine wizard, from the Select Source screen, choose the Create the new virtual machine with a blank virtual hard disk radio button, and then click Next.

Step 5 In the Specify Virtual Machine Identity screen, Specify the name and description for the virtual machine, and then click Next.

Step 6 In the Configure Hardware screen, do the following:

a) From General, do the following:

• Choose Processor and set the number of processors.

• Choose Memory and choose the required memory value. You will need a minimum 4 GB of memory.

b) From Bus Configuration > IDE Devices, do the following:

Task 1: Installing the Cisco Prime NSC from an ISO Image

(32)

• Choose the hard disk with the virtual machine name you specified and enter the required size of the hard disk.

You will need at least 20 GB.

• Click New > Disk to add a new hard disk, enter hard disk name in the File Name field, set the hard disk size to 20 GB and click Ok.

• Choose Virtual DVD Drive, choose the Existing ISO image file radio button, and browse to select the Cisco Prime NSC 3.2 ISO image file from the library in the Select ISO dialog box.

c) Choose Network Adapters > Network Adapter 1, select the Connect to a VM Network radio button, and browse to select a VM Network.

d) Click Next.

Step 7 In the Select Destination screen, do the following:

a) Choose the Place the virtual machine on a host radio button.

b) Ffrom the Destination drop-down list, choose All hosts.

c) Click Next.

Step 8 In the Select Host screen, choose the destination, and then click Next.

Step 9 In the Configure Settings screen, click Browse and navigate to the storage location of virtual machine file, and then click Next.

Step 10 In the Add properties screen, choose the Red Hat Enterprise Linux 5 (64 bit) operating system, and then click Next.

Step 11 In the Summary screen, do the following:

a) Verify the settings.

b) Check the Start the virtual machine after deploying it check box.

Installing the Cisco Prime NSC and Cisco VSG-Quick Start Task 1: Installing the Cisco Prime NSC from an ISO Image

(33)

c) Click Create.

Figure 7: Create Virtual Machine Wizard - Summary

The job Create VM starts. You can see the status of this job in the Recent Jobs window. Ensure that the job completes without any errors.

Step 12 After the VM is successfully created, right-click the new Virtual Machine and choose Connect or View > Connect Via Console.

Step 13 Launch the console and install Cisco Prime NSC.

Before the final Cisco Prime NSC installation step, before you reboot, launch SCVMM again, and right-click the Virtual machine and choose Properties > Hardware Configuration > Bus Configuration > Virtual DVD Drive > no media, so that Cisco Prime NSC does not use the ISO image at boot time.

Note

Step 14 After Cisco Prime NSC is successfully deployed, click Close and power on the Cisco Prime NSC VM.

Task 2: On the VSM, Configuring Cisco Prime NSC Policy Agent

Once Cisco Prime NSC is installed, you must register the VSM with Cisco Prime NSC.

Task 2: On the VSM, Configuring Cisco Prime NSC Policy Agent

(34)

• Cisco Prime NSC policy-agent image on the VSM (for example, vsmhv-pa.3.2.1c.bin)

The string vsmhv-pa must appear in the image name as highlighted.

Note

• The IP address of Cisco Prime NSC

• The shared secret password you defined during Cisco Prime NSC installation

• IP connectivity between the VSM and Cisco Prime NSC is working

If you upgrade your VSM, you must also copy the latest Cisco VSM policy agent image.

This image is available in Cisco Prime NSC image bundle to boot from a flash drive and to complete registration with Cisco Prime NSC.

Note

VSM clock should be synchronized with Cisco Prime NSC clock.

Note

SUMMARY STEPS

1. On the VSM, enter the following commands:

2. Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC correctly and it is reachable by entering the show nsc-pa status command. This example shows that Cisco Prime NSC is reachable and the installation is correct:

DETAILED STEPS

Step 1 On the VSM, enter the following commands:

vsm# configure terminal vsm(config)# nsc-policy-agent

vsm(config-nsc-policy-agent)# registration-ip 10.193.75.95 vsm(config-nsc-policy-agent)# shared-secret Example_Secret123

vsm(config-nsc-policy-agent)# policy-agent-image vsmhv-pa.3.2.1c.bin vsm(config-nsc-policy-agent)# exit

vsm(config)# copy running-config startup-config vsm(config)# exit

Step 2

Installing the Cisco Prime NSC and Cisco VSG-Quick Start Task 2: On the VSM, Configuring Cisco Prime NSC Policy Agent

(35)

The VSM is now registered with Cisco Prime NSC.

This example shows that Cisco Prime NSC is unreachable or an incorrect IP is configured:

vsm# show nsc-pa status

nsc Policy-Agent status is - Installation Failure Cisco Prime NSC not reachable.

vsm#

This example shows that the NSC policy-agent is not configured or installed:

vsm# show nsc-pa status

NSC Policy-Agent status is - Not Installed

Task 3: On the VSM, Preparing Cisco VSG Port Profiles

To prepare Cisco VSG port profiles, you must create the VLANs and use the VLANs in Cisco VSG data port profile and the Cisco VSG-ha port profile.

• Logical Switch name (Network Uplink port-profile name).

• VLAN ID for the Cisco VSG data interface (for example,100).

• VLAN ID for the Cisco VSG-ha interface (for example, 200).

• Management VLAN (management).

None of these VLANs need to be system VLANs.

Note

SUMMARY STEPS

1. Create a Cisco VSG data port profile and a Cisco VSG-ha port profile by first enabling the Cisco VSG data port-profile configuration mode. Cisco VSG data interface should be in the system VLAN. To configure VSG data interface in the system VLAN, you need a system network segment, a system port-profile, and an uplink configured as a system uplink. Use the configure command to enter global configuration mode.

2. Create Network Uplink port-profile and use it in the Logical Switch.

3. Create the network segment and port-profile for the Data VLAN.

4. Create the network segment and port-profile for the HA VLAN.

DETAILED STEPS

Step 1 Create a Cisco VSG data port profile and a Cisco VSG-ha port profile by first enabling the Cisco VSG data port-profile configuration mode. Cisco VSG data interface should be in the system VLAN. To configure VSG data interface in the system VLAN, you need a system network segment, a system port-profile, and an uplink configured as a system uplink.

Use the configure command to enter global configuration mode.

Task 3: On the VSM, Preparing Cisco VSG Port Profiles

(36)

Ensure that all the critical VMs are configured in the system VLANs.

Important vsm# configure

Step 2 Create Network Uplink port-profile and use it in the Logical Switch.

vsm(config)# nsm logical network vsm_LogicalNet vsm(config-logical-net)# exit

vsm(config)# nsm network segment pool vsm_NetworkSite

vsm(config-net-seg-pool)# member-of logical network vsm_LogicalNet vsm(config-net-seg-pool)# exit

vsm(config)# nsm ip pool template VM_IP_Pool

vsm(config-ip-pool-template)# ip address 10.0.0.2 10.0.0.255 vsm(config-ip-pool-template)# network 255.255.255.0 10.0.0.1 vsm(config-ip-pool-template)# exit

vsm(config)#port-profile type ethernet sys-uplink vsm(config-port-prof)#channel-group auto

vsm(config-port-prof)#no shutdown

vsm(config-port-prof)#system port-profile vsm(config-port-prof)#state enabled vsm(config-port-prof)#exit

vsm(config)# nsm network uplink vsm_Uplink

vsm(config-uplink-net)# allow network segment pool vsm_NetworkSite vsm(config-uplink-net)# import port-profile sys_Uplink

vsm(config-uplink-net)# system network uplink vsm(config-uplink-net)# publish uplink-network vsm(config-uplink-net)# exit

Step 3 Create the network segment and port-profile for the Data VLAN.

vsm(config)# nsm network segment VMAccess_502

vsm(config-net-seg)# member-of network segment pool vsm_NetworkSite vsm(config-net-seg)# system network segment

vsm(config-net-seg)# switchport access vlan 502

vsm(config-net-seg)# ip pool import template VM_IP_Pool vsm(config-net-seg)# publish network-segment

vsm(config-net-seg)# exit

vsm(config)# port-profile type vethernet VSG_Data vsm(config-port-prof)# no shutdown

vsm(config-port-prof)# state enabled vsm(config-port-prof)# system port-profile vsm(config-port-prof)# publish port-profile vsm(config-port-prof)# exit

Step 4 Create the network segment and port-profile for the HA VLAN.

vsm(config)# nsm network segment VMAccess_503

vsm(config-net-seg)# member-of network segment pool vsm_NetworkSite

Installing the Cisco Prime NSC and Cisco VSG-Quick Start Task 3: On the VSM, Preparing Cisco VSG Port Profiles

(37)

vsm(config-port-prof)# state enabled vsm(config-port-prof)# publish port-profile vsm(config-port-prof)# exit

Task 4: On the VSM, Configuring Virtual Network Adapters on the Hosts

Now that you have prepared Cisco VSG port profiles on VSM, you should configure virtual network adapters on the hosts.

This task includes the following subtasks:

•Create Port-profile for the Virtual Network Adapter, on page 27

•Creating Virtual Network Adapter, on page 28 Before You Begin

Ensure that you have:

• Cisco VSG port-profile configured on VSM.

Create Port-profile for the Virtual Network Adapter

You need to log in to VSM to create port-profile for the virtual network adapter.

SUMMARY STEPS

1. Create port-profile for the virtual network adapter in VSM.

DETAILED STEPS

Create port-profile for the virtual network adapter in VSM.

Example:

vsm#configure terminal

vsm(config)#port-profile type vethernet Virtual-Net-PP vsm(config-port-prof)#capability l3-vservice

vsm(config-port-prof)#no shutdown vsm(config-port-prof)#state enabled vsm(config-port-prof)#publish port-profile vsm(config-port-prof)#exit

vsm#copy running-config startup-config Installing the Cisco Prime NSC and Cisco VSG-Quick Start

Task 4: On the VSM, Configuring Virtual Network Adapters on the Hosts

(38)

Creating Virtual Network Adapter

Before You Begin

• Port-profile for virtual network adapter is created.

Step 1 Launch SCVMM.

Step 2 In the VMs and Services tab, click All Hosts.

Step 3 Choose the host on which you want to add the virtual network adapter.

Step 4 Right-click the host and choose Properties from the pop-up menu.

Step 5 In the Properties window, click Virtual Switches.

Step 6 On the Virtual Switches tab, click New Virtual Network Adapter.

Step 7 In the Name field, enter name of virtual network adapter.

Step 8 Under the Connectivity, in the VM Network field, choose an appropriate VM network.

Step 9 Under Port profile, select L3 service enabled port-profile that you created from the Classification drop-down list.

Step 10 Under IP address configuration, check Static radio-button and do the following:

a) Choose IP-pool for virtual network adapter from the IPv4 pool drop-down list.

b) In the IPv4 address field, enter IP address for virtual network adapter.

Step 11 Click Ok.

Step 12 The VM manager warning message appears, click Ok.

What to Do Next

Add a physical router between VSG and virtual network adapter.

Task 5: Installing Cisco VSG from an ISO Image

Cisco VSG is supported as VSB on Nexus Cloud Services platform only.

Note

Installing the Cisco Prime NSC and Cisco VSG-Quick Start Creating Virtual Network Adapter

(39)

• Cisco VSG-ha port profile: VSG-ha.

• HA ID.

• IP/subnet mask/gateway information for Cisco VSG

• Administrator password

• Minimum of 2 GB RAM and 2 GB hard disk space, recommended space is 4 GB RAM and 4 GB hard disk.

• Cisco Prime NSC IP address.

• The shared secret password.

• IP connectivity between Cisco VSG and Cisco Prime NSC is okay.

Task 5: Installing Cisco VSG from an ISO Image

(40)

• Cisco VSG NSC-PA image name (vsghv-pa.2.1.1e.bin) is available.

Step 1 Launch SCVMM.

Step 2 On the VMs and Services tab, click Create Virtual Machine.

Step 3 In the Create Virtual Machine Wizard, in the Select Source screen, check the Create the new virtual machine with a blank virtual hard disk radio button, and click Next.

Step 4 In the Specify Virtual Machine Identity screen, enter the name for the Cisco VSG in the Virtual machine name field and click Next.

Figure 8: Create Virtual Machine Wizard - Specify Virtual Machine Identity

Step 5 In the Configure Hardware section, do the following:

a) Under General, choose Memory, choose the Static option, and enter 2048 MB in the Virtual machine memory field.

Installing the Cisco Prime NSC and Cisco VSG-Quick Start Task 5: Installing Cisco VSG from an ISO Image

(41)

• Under the Network Adapters section, choose Network Adapter 1, and then choose Connected to a VM network and browse for the appropriate network that corresponds to the network segment for the VSG's data interface.

Network Adapter 1 is Service/Data network, use it to connect to the Data network.

Note

Network Adapter 2 is the management network, connect it to the management network for the VSG.

Note

Network Adapter 3 is the HA network, connect it to the HA network.

Note

Figure 9: Create Virtual Machine Wizard - Configure Hardware

• From the Classification drop-down list, choose the port-profile corresponding to the VSG's data interface.

Repeat Step d to create network adapters for management and HA.

Note

Task 5: Installing Cisco VSG from an ISO Image

(42)

Step 6 In the Select Destination section, choose Place the virtual machine in a host, choose the host group on which you want to store the VSG from the drop-down list, and click Next.

Step 7 In the Select Host section, choose the host that you want to place the VSG on and click Next.

Step 8 In the Configure Settings section, review the virtual machine settings to ensure they are correct, and click Next.

Step 9 (Optional) In the Add Properties section, choose the Other Linux (64-bit) from the Operating System from the drop-down list, and then click Next.

Step 10 In the Summary section, click Create.

Step 11 Once the VSG is successfully installed, choose the VSG on the VMs and Services tab, and click Power On.

Step 12 Connect to the VSG using Connect or View > Connect via Console.

Task 6: On the VSG, Configuring the Cisco Prime NSC Policy Agent

Once Cisco Prime NSC is installed, you must register Cisco VSG with Cisco Prime NSC.

• The Cisco Prime NSC policy-agent image on Cisco VSG (for example, vsghv-pa.2.1.1e.bin).

The string vsghv-pa must appear in the image name as highlighted.

Note

• IP address of the Cisco Prime NSC.

• Shared secret password you defined during the Cisco Prime NSC installation.

• IP connectivity between the VSG and the Cisco Prime NSC.

If you upgrade your VSG, you must also copy the latest Cisco VSG policy agent image.

This image is available in Cisco Prime NSC image bundle to boot from a flash drive and to complete registration with Cisco Prime NSC.

Note

VSG clock should be synchronized with Cisco Prime NSC clock.

Note

Installing the Cisco Prime NSC and Cisco VSG-Quick Start Task 6: On the VSG, Configuring the Cisco Prime NSC Policy Agent

(43)

SUMMARY STEPS

1. On Cisco VSG, configure the NSC policy agent:

2. Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC correctly and it is reachable by entering the show nsc-pa status command. This example shows that Cisco Prime NSC is reachable and the installation is correct:

DETAILED STEPS

Step 1 On Cisco VSG, configure the NSC policy agent:

VSG-Firewall# configure

Enter configuration commands, one per line. End with CNTL/Z.

VSG-Firewall(config)# nsc-policy-agent

VSG-Firewall(config-nsc-policy-agent)# registration-ip 10.193.72.242 VSG-Firewall(config-nsc-policy-agent)# shared-secret Sgate123

VSG-Firewall(config-nsc-policy-agent)# policy-agent-image vnmc-vsgpa.2.1.1b.bin VSG-Firewall(config-nsc-policy-agent)# copy running-config startup-config [########################################] 100%

Copy complete, now saving to disk (please wait)...

VSG-Firewall(config-nsc-policy-agent)# exit

Step 2 Check the status of the NSC policy agent configuration to verify that you have installed Cisco Prime NSC correctly and it is reachable by entering the show nsc-pa status command. This example shows that Cisco Prime NSC is reachable and the installation is correct:

VSG-Firewall(config)# show nsc-pa status

NSC Policy-Agent status is - Installed Successfully. Version 2.1(1b)-vsg

Cisco VSG is now registered with Cisco Prime NSC.

This example shows that Cisco Prime NSC is unreachable or an incorrect IP is configured:

vsg# show nsc-pa status

NSC Policy-Agent status is - Installation Failure Cisco Prime NSC not reachable.

vsg#

This example shows that the NSC policy-agent is not configured or installed:

vsg# show nsc-pa status

NSC Policy-Agent status is - Not Installed

Task 7: On Cisco VSG, Cisco VSM, and Cisco Prime NSC, Verifying the NSC Policy-Agent Status

You can use the show nsc-pa status command to verify the nsc policy-agent status on Cisco VSG, Cisco VSM, and Cisco Prime NSC (which can indicate that you have installed the policy-agent successfully).

Task 7: On Cisco VSG, Cisco VSM, and Cisco Prime NSC, Verifying the NSC Policy-Agent Status