Cisco Virtual Security Gateway for Nexus 1000V Series Switch Data Sheet

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
Page 3 of 9 
Cisco vPath technology steers traffic, whether inbound or traveling from virtual machine to virtual machine, to the designated Cisco VSGs. A split-processing model is applied in which initial packet processing occurs in the Cisco VSG for policy evaluation and enforcement. Subsequent policy enforcement for packets is offloaded directly to Cisco vPath. Cisco vPath provides:
● Intelligent traffic steering: Flow classification and redirection to associated Cisco VSGs
● Fast path offload: Policy enforcement of flows offloaded by Cisco VSG to Cisco vPath
● Service chaining: Insertion of Cisco VSG along with other network services in the traffic path

Cisco vPath is designed for multitenancy, providing traffic steering and fast path offload on a per-tenant basis.
Together, the Cisco VSG and Cisco Nexus 1000V VEM provide the following deployment benefits:
● Efficient deployment: Each Cisco VSG can provide protection across multiple physical servers, eliminating the need to deploy one virtual appliance per physical server.
● High performance: By offloading enforcement to Cisco Nexus 1000V VEM vPath modules, the Cisco VSG architecture boosts performance.
● Operational simplicity: Cisco VSG can be transparently inserted in one-arm mode without the need to create multiple switches or to temporarily migrate virtual machines to different switches or servers. Zone scaling is based on security profiles, not on virtual network interface cards (vNICs), which are limited for virtual appliances. These features simplify physical server upgrades without compromising security or incurring application outages.
● High availability: Cisco VSG can be deployed in active-standby mode to help ensure a highly available operating environment, with Cisco vPath redirecting packets to the standby Cisco VSG if the active Cisco VSG becomes unavailable.
● Independent capacity planning: Cisco VSG can be placed on a dedicated server controlled by the security operations team so that appropriate computing capacity can be allocated to application workloads; capacity planning can occur independently across server and security teams; and operation segregation can be maintained across security, network, and server teams.

Trusted Access

Cisco VSG allows IT departments to segment their data center and cloud environments with strong security boundaries. Multiple instances of Cisco VSG can secure entire data centers or divide lines of business or tenants, allowing large-scale deployments. Security segments are isolated, and traffic cannot cross segment boundaries. Cisco VSG can be deployed at the line-of-business or tenant level, at the virtual data center (vDC) level, or at the virtual application (vApp) level.

As virtual machines are instantiated for trust zones, their security profiles and zone memberships are assigned immediately through binding with Cisco Nexus 1000V port profiles, as shown in Figure 2. A security profile contains context-aware rule sets that specify access policies for traffic entering and exiting each zone. In addition to defining virtual machine and network contexts, custom attributes provide a flexible and extensible way to define trust zones. Controls are applied to zone-to-zone traffic as well as to external area-to-zone (and zone-to-external area) traffic. Zone-based enforcement also can occur within a VLAN, because a VLAN often identifies a segment or tenant boundary. Cisco VSG evaluates access control rules and subsequently offloads enforcement to the Cisco Nexus 1000V VEM vPath for performance acceleration. Enforcement can trigger permit or deny actions and optional access logs. Cisco VSG also provides policy-based traffic monitoring capabilities with access logs.
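The following is an added illustrative model, not Cisco code and not the VSG/vPath wire format, of the two mechanisms this data sheet describes: the split-processing model (first packet of a flow evaluated by the VSG, later packets enforced from a vPath flow table, with redirection to the standby VSG when the active one is unavailable) and zone-based rules with permit/deny actions and optional access logging. The class and function names (`PolicyEngine`, `FastPath`, `demo`), the sample zones and addresses, and the fail-closed and default-deny behaviours are constructed assumptions for the example.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip dst_ip dst_port proto")   # key for the fast-path flow table

class PolicyEngine:           # stands in for a Cisco VSG: evaluates rules on a flow's first packet
    def __init__(self, zone_of, rules):
        self.zone_of = zone_of    # VM IP -> zone, as bound through the port profile
        self.rules = rules        # (src_zone, dst_zone, dst_port or None, action, log)
        self.available = True     # set False to simulate the active VSG failing
        self.evaluated = 0        # how often the slow path was actually hit

    def evaluate(self, flow):
        self.evaluated += 1
        src = self.zone_of.get(flow.src_ip, "external")   # unknown IP = external area
        dst = self.zone_of.get(flow.dst_ip, "external")
        for s, d, port, action, log in self.rules:
            if (s, d) == (src, dst) and port in (None, flow.dst_port):
                return action, log
        return "deny", True       # assumption: unmatched traffic is denied and logged

class FastPath:               # stands in for vPath on the VEM: steering plus per-flow verdict cache
    def __init__(self, active, standby):
        self.vsgs = [active, standby]
        self.flow_table = {}      # Flow -> (action, log) once offloaded by the VSG
        self.access_log = []

    def handle(self, flow):
        verdict = self.flow_table.get(flow)
        if verdict is None:       # first packet: steer to the first reachable VSG
            vsg = next((v for v in self.vsgs if v.available), None)
            if vsg is None:
                return "deny"     # assumption: fail closed when no VSG is reachable
            verdict = vsg.evaluate(flow)
            self.flow_table[flow] = verdict   # offload: later packets stay in vPath
        action, log = verdict
        if log:
            self.access_log.append(f"{action} {flow.src_ip}->{flow.dst_ip}:{flow.dst_port}/{flow.proto}")
        return action

def demo():                   # constructed sample tenant with a web zone and a db zone
    zones = {"10.0.1.10": "web", "10.0.2.20": "db"}
    rules = [("web", "db", 3306, "permit", False), ("external", "web", 443, "permit", True)]
    active, standby = PolicyEngine(zones, rules), PolicyEngine(zones, rules)
    vpath = FastPath(active, standby)
    web_db = Flow("10.0.1.10", "10.0.2.20", 3306, "tcp")
    actions = [vpath.handle(web_db) for _ in range(3)]       # 3 packets, 1 evaluation
    active.available = False                                 # active VSG goes down
    denied = vpath.handle(Flow("203.0.113.5", "10.0.2.20", 3306, "tcp"))
    return actions, active.evaluated, standby.evaluated, denied, vpath.access_log
```

Running `demo()` shows three permitted packets that cost exactly one policy evaluation on the active VSG, and a new flow evaluated by the standby once the active VSG is marked unavailable, with the denied external-to-db attempt recorded in the access log.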