Cisco Virtual Security Gateway for Nexus 1000V Series Switch White Paper
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 5 of 33
Independent capacity planning: Cisco VSG can be placed on a dedicated server controlled by the security
operations team so that appropriate computing capacity can be allocated to application workloads, capacity
planning can occur independently across server and security teams, and operational segregation can be
maintained across security, network, and server teams.
vPath Intelligence: Cisco VSG leverages Cisco Nexus 1000V vPath intelligence for traffic redirection, for fast path offload
(policy enforcement for established flows is offloaded to vPath), and for insertion of Cisco VSG along with other virtual network
services in the traffic path. vPath is designed for multi-tenancy, providing traffic steering and fast path offload on a
per-tenant basis.
Solution Architecture
Figure 3 shows the overall architecture of the Cisco VSG solution and the integration of the required components
in the solution. This section discusses the communication across these components.
Figure 3. Cisco VSG Solution Architecture
Solution Components
The following components are required to set up the Cisco VSG environment:
● Cisco Prime Network Services Controller: Cisco Prime Network Services Controller is a virtual appliance
that provides centralized device and security policy management for Cisco VSG.
● Cisco Virtual Security Gateway: Cisco VSG operates with the Cisco Nexus 1000V Series distributed virtual
switches in the VMware vSphere hypervisor, and it uses the vPath technology embedded in the Cisco
Nexus 1000V VEM.
● Cisco Nexus 1000V Series Switches: Cisco Nexus 1000V Series Switches are virtual machine access
switches that are an intelligent software switch implementation for VMware vSphere environments running
Cisco NX-OS Software. To support the Cisco VSG solution, the Cisco Nexus 1000V Series must be
running Cisco NX-OS Release 1.4 or later.
● VMware vCenter: The VMware vCenter server manages the VMware vSphere environment and provides
unified management of all the hosts and virtual machines in the data center from a single console.
Communication Between Cisco Prime Network Services Controller and VMware vCenter
Cisco Prime Network Services Controller registers with VMware vCenter for visibility into the VMware environment.
This registration allows the security administrator to define policies based on the VMware virtual machine
attributes. Cisco Prime Network Services Controller integrates through an XML plug-in. The integration process is
similar to that of the Cisco Nexus 1000V VSM with VMware vCenter. Cisco Prime Network Services Controller and
VMware vCenter communicate over an SSL connection on port 443 (Figure 4).