Cisco Virtual Security Gateway for Nexus 1000V Series Switch White Paper
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 12 of 33
The following commands define the Cisco VSG firewall feature on the VSM:
Nexus1000V(config)# vservice node VSG_Node-Name type vsg
Nexus1000V(config-vservice-node)# ip address VSG_DATA_IP
Nexus1000V(config-vservice-node)# adjacency {l2/l3} vlan VSG_Service_VLAN
Nexus1000V(config-vservice-node)# fail-mode {open/close}
The first command defines a virtual service instance of node type Cisco VSG. The second and third commands provide the information that vPath needs to communicate with the Cisco VSG: the adjacency mode, the Cisco VSG data interface IP address, and the Cisco VSG service VLAN.
The following commands turn on the firewall feature under the port profile on the VSM:
Nexus1000V(config-port-prof)# org root/ATenant
Nexus1000V(config-port-prof)# vservice node VSG_Node-Name profile VSG_TenantA_Security_Profile
The first command specifies the tenant in which the firewall is enabled. The second command binds a specific Cisco VSG and security profile to the port profile. It enables vPath to redirect the traffic to the Cisco VSG in the service VLAN.
The following example shows the port-profile configuration with Cisco VSG firewall protection enabled:
port-profile type vethernet Secure-ATenant-VM
  vmware port-group
  switchport access vlan 10
  switchport mode access
  vservice node vsg profile Secure-ATenant
  no shutdown
  state enabled
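As an added example that is not part of the white paper, the following Python audit parses a VSM running-config in the layout shown above and flags vethernet port-profiles that have no vservice binding, that are bound to a VSG node that is never defined, or whose node uses fail-mode open (which passes traffic when the VSG is unreachable). The configuration fragment is constructed; node names, addresses and VLANs are placeholders.

```python
import re

# Constructed VSM running-config fragment in the layout of the port-profile
# example above; node names, IP addresses and VLANs are placeholders.
SAMPLE_CONFIG = """
vservice node VSG_Node-A type vsg
  ip address 10.10.10.5
  fail-mode open
vservice node VSG_Node-B type vsg
  ip address 10.10.10.6
  fail-mode close
port-profile type vethernet Secure-ATenant-VM
  org root/ATenant
  vservice node VSG_Node-A profile Secure-ATenant
port-profile type vethernet Secure-BTenant-VM
  org root/BTenant
  vservice node VSG_Node-B profile Secure-BTenant
port-profile type vethernet Unprotected-VM
  switchport access vlan 30
port-profile type vethernet Dangling-VM
  vservice node VSG_Node-Z profile Secure-ATenant
"""

def parse_config(text):
    # Returns ({vsg node: fail-mode}, {vethernet port-profile: bound node or None}).
    nodes, profiles, block = {}, {}, None  # block: (kind, name) of the open section
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented command opens a new block
            m = re.match(r"(vservice node|port-profile type vethernet) (\S+)", line)
            block = (m.group(1), m.group(2)) if m else None
            if block and block[0] == "vservice node":
                nodes[block[1]] = None  # fail-mode not seen yet
            elif block:
                profiles[block[1]] = None  # no VSG binding seen yet
        elif block and block[0] == "vservice node" and line.startswith("fail-mode "):
            nodes[block[1]] = line.split()[1]
        elif block and block[0] != "vservice node":
            m = re.match(r"vservice node (\S+) profile \S+$", line)
            if m:
                profiles[block[1]] = m.group(1)
    return nodes, profiles

def audit(text):
    # Lists port-profiles whose VMs are not protected by a defined, fail-close VSG.
    nodes, profiles = parse_config(text)
    findings = []
    for name, node in profiles.items():
        if node is None:
            findings.append(f"{name}: no vservice binding, traffic bypasses the VSG")
        elif node not in nodes:
            findings.append(f"{name}: bound to undefined node {node}")
        elif nodes[node] != "close":
            findings.append(f"{name}: node {node} fail-mode is {nodes[node]}, not close")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the fail-open node behind Secure-ATenant-VM, the unbound Unprotected-VM and the dangling reference in Dangling-VM, while Secure-BTenant-VM passes.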
License Requirements
Starting with Cisco Nexus 1000V Release 2.1, the Cisco VSG and Cisco Prime Network Services Controller licenses are bundled with the Cisco Nexus 1000V Advanced Edition license.
A Cisco Nexus 1000V advanced edition license is required for each CPU socket, and VSG licensing follows the
same model as licensing for the Cisco Nexus 1000V Series. Each CPU requires one license, and there is no limit
on the number of cores per CPU. The main point to note is that the licenses need to be installed on the VSM.
Because the licenses are based on physical host sockets, you can instantiate Cisco VSGs in a scale-out model
without worrying about licenses.
You must purchase enough licensing capacity to cover all installed CPUs. Licenses are not applied to a VEM unless the existing license has the capacity to cover all its CPUs. Please refer to the licensing guide for the steps you need to take to install the licenses.
The Cisco Nexus 1000V Series Release 2.1 software comes with a 60-day evaluation license of Advanced Edition.
Network Segmentation
Cisco VSG is a transparent firewall inserted at Layer 2 and acts like a “bump in the wire”; it is not seen as a Layer
3 hop to connected devices. Insertion of a Cisco VSG into the network does not require any reengineering of the
existing network.