Cisco Virtual Security Gateway for Nexus 1000V Series Switch White Paper
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 8 of 33
vmware port-group
switchport mode access
switchport access vlan 171
no shutdown
system vlan 171
state enabled
Cisco VSG evaluates policies on the first packet of each flow that is redirected by vPath. Cisco VSG then
transmits the policy evaluation results to vPath. vPath maintains the result in the flow table, and subsequent
packets of the flow are permitted or denied based on the result cached in the flow table (Figure 7).
Figure 7. Communication Between Cisco VSG and the VEM
vPath maintains the state of the TCP flows. When a reset (RST) or finish (FIN) flag is seen in a TCP
flow, vPath purges that flow's entry from the table. Inactivity in any flow also causes its entry to be cleared
from the flow table.
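The flow-table behaviour described above (policy evaluated once on the first packet, verdict cached and applied to later packets, entry purged on FIN/RST or inactivity) can be modelled in a few dozen lines. The following is an added illustrative example, not Cisco's vPath or VSG code; the class and function names, the 5-tuple key layout, the 30-second idle timeout and the sample policy are all assumptions made for the illustration.

```python
"""Illustrative model of the vPath flow table described in the text.

Added example, not Cisco's implementation: FlowTable, Packet, Verdict, the
idle timeout value and sample_policy are all assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Tuple


class Verdict(Enum):
    PERMIT = "permit"
    DENY = "deny"


# Constructed flow key: (protocol, src_ip, src_port, dst_ip, dst_port)
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float                                  # arrival time in seconds
    tcp_flags: FrozenSet[str] = frozenset()    # e.g. {"SYN"}, {"FIN"}, {"RST"}

    def key(self) -> FlowKey:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


@dataclass
class FlowEntry:
    verdict: Verdict
    last_seen: float


class FlowTable:
    """Redirect the first packet of a flow to the policy engine (the VSG role),
    cache the verdict, apply it locally to later packets, and purge the entry
    on TCP FIN/RST or after an idle period."""

    def __init__(self, evaluate: Callable[[Packet], Verdict], idle_timeout: float = 30.0):
        self.evaluate = evaluate            # stands in for the VSG policy decision
        self.idle_timeout = idle_timeout    # assumed value, not a Cisco default
        self.table: Dict[FlowKey, FlowEntry] = {}
        self.redirects = 0                  # packets sent to the policy engine

    def expire_idle(self, now: float) -> int:
        """Remove entries that have seen no packet within idle_timeout."""
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def process(self, pkt: Packet) -> Verdict:
        self.expire_idle(pkt.ts)
        key = pkt.key()
        entry = self.table.get(key)
        if entry is None:
            # First packet of the flow: policy evaluation, result cached.
            verdict = self.evaluate(pkt)
            self.redirects += 1
            self.table[key] = FlowEntry(verdict, pkt.ts)
        else:
            # Subsequent packet: verdict comes from the cache, no re-evaluation.
            verdict = entry.verdict
            entry.last_seen = pkt.ts
        # TCP teardown or reset: the cached state for this flow is dropped.
        if pkt.proto == "tcp" and pkt.tcp_flags & {"FIN", "RST"}:
            self.table.pop(key, None)
        return verdict


def sample_policy(pkt: Packet) -> Verdict:
    """Constructed stand-in for a VSG policy: permit HTTP from the 10.0.0.0/8
    tenant network, deny everything else."""
    inside = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network("10.0.0.0/8")
    if inside and pkt.proto == "tcp" and pkt.dst_port == 80:
        return Verdict.PERMIT
    return Verdict.DENY


def run_demo() -> Dict[str, int]:
    """Constructed traffic: one HTTP flow through SYN, data, FIN, then a new
    connection on the same 5-tuple; returns how often the policy engine was hit."""
    ft = FlowTable(sample_policy)
    flow = lambda ts, flags=(): Packet("tcp", "10.1.1.5", 40000, "192.0.2.10", 80, ts, frozenset(flags))
    ft.process(flow(0.0, ("SYN",)))   # redirected, PERMIT cached
    ft.process(flow(1.0))             # served from the flow table
    ft.process(flow(2.0, ("FIN",)))   # still PERMIT, then entry purged
    ft.process(flow(3.0, ("SYN",)))   # new flow, redirected again
    return {"redirects": ft.redirects, "entries": len(ft.table)}


if __name__ == "__main__":
    print(run_demo())
```

Run as a script to see that the four packets produce two redirects (the FIN removed the entry, so the new SYN is evaluated afresh) while the mid-flow packet never reaches the policy function; set a shorter `idle_timeout` to watch inactivity purge entries the same way.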
Cisco VSG supports stateful protocols, such as FTP, Trivial File Transfer Protocol (TFTP), and Remote Shell
(RSH) Protocol.
Communication Between the VSM and the VEM
There are two ways of connecting the VSM and the VEM (Figure 8):
● Over Layer 2: If the VSM and VEM are in the same Layer 2 domain, they can connect using Layer 2 mode. However, Layer 3 mode for VSM-VEM communication is the recommended best practice.
● Over Layer 3: If the VSM and VEM are in different Layer 2 domains, the Layer 3 connectivity mode should be used. Layer 3 mode encapsulates the Layer 2 mode packet using Generic Routing Encapsulation (GRE). All communication between the VSM and the VEM is encrypted using a 128-bit algorithm. The Cisco VSG implementation is independent of VSM-to-VEM communication (whether in Layer 2 or Layer 3 mode).