Virtual Network Management Center 2.0
Cisco Virtual Network Management Center (VNMC): Device and Policy Management of Cisco Virtual Services
Technical Information
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
Virtual Network Service Framework
VNMC Overview
VNMC Solution Deployment
VSG (Compute Firewall) Use Case
ASA1000V (Edge Firewall) Use Case
Virtual Network Service Framework
Virtual Network Management Center
[Diagram: the VNMC virtual appliance manages the VSM and the VEM-1 / VEM-2 vPath instances across hypervisors, together with the VSG and ASA 1000V service nodes]
Single integrated access to manage Cisco virtual services in the cloud
Part of Cisco Cloud management eco-system
Integral part of the N1K architecture
Model-driven policy management
Common model to enable federated development
Easy operational management through XML APIs
Cisco Nexus 1000V: Accelerate virtualization and multi-tenant cloud deployments
Integrated into the VMware vSphere hypervisor
Provides advanced virtual machine switching using 802.1Q switching technology
vPath and VXLAN technologies
Built on Cisco NX-OS
Provides: policy based VM connection, mobile virtual machine security and network policy, and a non-disruptive operational model
[Diagram: on each vSphere server, VMs attach to the Nexus 1000V VEM; the 1000V VSM manages the VEMs; the servers connect to physical switches]
Nexus 1000V Architecture
[Diagram: a modular switch (Supervisor-1, Supervisor-2 and Linecard-1 … Linecard-N on a backplane) compared with the Nexus 1000V: VSM1 and VSM2 run as a virtual appliance, VEM-1 … VEM-N run in the hypervisors, and the VSM reaches the VEMs in L2 mode or L3 mode]
Supervisors – Virtual Supervisor Modules (VSMs)
Line cards – Virtual Ethernet Modules (VEMs)
Embedding Intelligence for Virtual Services: vPath – Virtual Service Datapath
[Diagram: the VSM virtual appliance with VEM-1 and VEM-2, each running vPath, connected in L2 mode or L3 mode across hypervisors; vPath steers traffic to the VSG, ASA 1000V and vWAAS service nodes]
vPath – Virtual Service Datapath
VSG – Virtual Security Gateway
ASA 1000V – Virtual Edge Firewall
vWAAS – Virtual Wide Area Application Services
vPath provides: traffic steering, flexible deployments, network service acceleration
Virtual Network Service Framework: A framework to build network services for virtualized infrastructure
[Diagram: vCenter (VM management, VM attributes) and the VSM (port profiles) feed the Virtual Network Management Center (VNMC); VNMC pushes policies, profiles and VM attributes to the Virtual Service Nodes (VSNs); vPath in the ESX VEM redirects packets to the VSNs; a VN-Service Agent delivers VM notifications]
Virtual Service Node (VSN): centralized run-time state; service processing, e.g. policy engine, stateful firewall; VSNs – VSG, ASA 1000V; multi-instance
vPath: traffic interception / redirection / chaining; fast-path in the hypervisor; vPath API – re-usable for multiple services; multi-tenant
Virtual Network Management Center (VNMC): policy management; multi-device management; vCenter integration – VM attributes; north-bound XML API; multi-tenant
VNMC Overview
Virtual Network Management Center: Simple yet powerful network virtual services management
XML API – 3rd party integration ready
Multi-tenant – different customers, different needs
Role Based Access Controls – different users, different privileges
Dynamic provisioning – one-stop configuration of network & security
Security Profiles – simple, policy-based security config
Scalable, stateless, expandable, partitionable, integrated, automated
Nexus 1000V & vCenter – port profiles refer to security profiles
[Screenshot: VNMC GUI]
VNMC 2.0 Solution Scope
Proven Cisco Security… Virtualized: physical – virtual consistency
Collaborative Security Model: VSG for intra-tenant secure zones; ASA 1000V for tenant edge controls
Seamless Integration with Nexus 1000V & vPath
Scales with Cloud Demand: multi-instance deployment for horizontal scale-out
[Diagram: the Virtual Network Management Center (VNMC) and vCenter above Tenant A and Tenant B, each with VDCs and vApps; an ASA 1000V at each tenant edge and multiple VSG instances inside, running on a hypervisor with Nexus 1000V and vPath]
Non-Disruptive Administration
[Diagram: Server Admin works in vCenter (port group), Network Admin in Nexus 1KV (port profile), Security Admin in VNMC (security profile)]
Mitigate operational errors between teams
Security team defines security policies
Networking team binds port-profile to security policies
Server team assigns VMs to Nexus 1000V port-profiles
Multitenant Org Structure
[Diagram: org hierarchy Root > Tenant level (Tenant A, Tenant B) > vDC level (DC 1, DC 2, DC 3) > vApp level (App 1, App 2) > Tier level (Tier 1, Tier 2, Tier 3)]
A single tenant can have up to 3 sub-levels of orgs
Each sub-Level can have multiple orgs
Overlapping Network Addresses across Tenants are supported
Administrative Roles
1. VNMC Admin Roles
2. Tenant Level Access – tenant-level RBAC access for the Security Admin
System Requirements – Controller
VMware ESXi 4.1 or 5.0
RAM: 3 GB
Hard Disk: 25 GB
Processors (vCPU): 1
Browsers supported: Mozilla Firefox 11.0, Internet Explorer 9.0, Chrome 18.0
Flash Player plug-in: version 11.2
Firewall ports requiring access: 80 (HTTP/TCP), 443 (HTTPS), 843 (TCP)
VNMC Solution Deployment
Solution Deployment Steps
1) Install VNMC
2) Connect VNMC to vCenter
3) Connect VSM to VNMC
4) Connect VSG to VNMC
5) Connect ASA1000V to VNMC
[Diagram: VMware vCenter, the VSM, the VSG and the ASA1000V connected to the Virtual Network Management Center (VNMC), numbered by deployment step]
Deployment Step 1: VNMC Installation
Install VNMC as a virtual appliance in vCenter using the OVA or ISO image
Power on the VNMC virtual appliance after the OVA is deployed
Access the VNMC web UI using: “https://<fully qualified VNMC hostname or IP address>”
Username – “admin”
Password – whatever was set during installation
Deployment Step 2: Connect VNMC to vCenter
Export the vCenter extension file
The connection to vCenter is certificate based (no password)
Click on “Export vCenter Extension” and save the extension to a file
Using the vCenter “Plug-ins > Manage Plug-ins” wizard, create a new plug-in using the extension file
Click on “Add VM Manager” to add a vCenter server to VNMC
Deployment Step 3: Connect VSM to VNMC
Set up the policy agent in the VSM
Log in to the Nexus 1000V Virtual Supervisor Module (VSM)
Configure vnm-policy-agent using the VNMC IP address, shared secret and policy agent image
Deployment Step 3: Connect VSM to VNMC (contd.)
Verify the VSM is connected and reachable from VNMC
Deployment Step 4: Connect VSG to VNMC
As part of the VSG OVA deployment, specify the VNMC IP address, shared secret and policy agent information
Deployment Step 4: Connect VSG to VNMC (contd.)
Once the VSG is powered on, it registers with VNMC
Deployment Step 5: Connect ASA 1000V to VNMC
Login to ASA1000V
Configure VNMC IP address and shared-secret
Deployment Step 5: Connect ASA 1000V to VNMC (contd.)
Verify ASA1000V registered with VNMC
VSG (Compute Firewall) Use Case
Compute Firewall Creation
The Compute Firewall controls inter-VM (East-West) traffic
VLAN-agnostic, policy-based operation
Assign VSG to Compute Firewall
Compute Firewall Policy: Rule Construct
Rule = Source Condition + Destination Condition + Action
Condition attribute types: Network, VM, User Defined, vZone
VM Attributes: VM Name, Guest OS full name, Zone Name, Parent App Name, Port Profile Name, Cluster Name, Hypervisor Name, VM DNS Name
Network Attributes: IP Address, Network Port
Operators: eq, neq, gt, lt, range, not-in-range, prefix
Operators: member, not-member, contains
Compute Firewall – Use Case 1a: Access Policy based on Network Attributes
[Diagram: VSG between Server A (192.168.1.1) and Server B (192.168.1.2); access policy on network attributes – allow ping]
[Screenshot: rule showing Source Condition, Destination Condition and Action]
Compute Firewall – Use Case 1b: Access Policy based on VM Attributes
[Diagram: VSG between Server A (Web Server) and Server B (Database Server); access policy on VM attributes – allow ping]
[Screenshot: rule showing Source Condition, Destination Condition and Action]
Compute Firewall – Use Case 1c: Access Policy based on Zones
Zones are defined by a condition leveraging the attributes, e.g. Network, VM or User Defined attributes
Compute Firewall – Use Case 1c: Access Policy based on Zones (contd.)
[Diagram: VSG between Server A in the Web Server Zone and Server B in the Database Server Zone; zone-based access policy – allow ping]
[Screenshot: rule showing Source Condition, Destination Condition and Action]
Use Case 2: Content Hosting Policy
[Diagram: a Web Client outside; a Web Server in the Web-zone, an App Server in the Application-zone and a DB server in the Database-zone]
Policy – Content Hosting:
Permit only port 80 (HTTP) of web servers
Permit only port 22 (SSH) to application servers
Only permit web servers access to application servers
Only permit application servers access to database servers
Block all external access to database servers
Use Case 2: Policy Rules with Zones
Leveraging zones in rule conditions
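An added example, not from the Cisco deck, that models the rule construct above and evaluates the Content Hosting policy with it: vZones are named conditions over VM attributes, a rule pairs a source condition, a destination condition and an action, the first matching rule wins, and anything unmatched hits the implicit deny. The zone-membership conditions, the attribute names (vm_name, port for the slide's Network Port) and the sample VM names are assumptions for illustration.

```python
import ipaddress

# Operators from the "Rule Construct" slide, as predicates over (attribute, value).
OPS = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "lt": lambda a, b: a < b,
    "range": lambda a, b: b[0] <= a <= b[1],
    "not-in-range": lambda a, b: not b[0] <= a <= b[1],
    "prefix": lambda a, b: ipaddress.ip_address(a) in ipaddress.ip_network(b),
    "member": lambda a, b: a in b,
    "not-member": lambda a, b: a not in b,
    "contains": lambda a, b: b in a,
}

def match(cond, attrs):
    """A condition is a list of (attribute, operator, value) triples, AND-ed.
    An empty condition is the rule's 'any'; a missing attribute never matches."""
    return all(k in attrs and OPS[op](attrs[k], v) for k, op, v in cond)

# vZones: named conditions over VM attributes (constructed, hypothetical names).
ZONES = {
    "Web-zone": [("vm_name", "contains", "WebServer")],
    "Application-zone": [("vm_name", "contains", "AppServer")],
    "Database-zone": [("vm_name", "contains", "DBserver")],
}

def with_zones(attrs):
    """Derive a 'zone' attribute (set of zone names) so rules can test membership."""
    return {**attrs, "zone": {z for z, c in ZONES.items() if match(c, attrs)}}

# Content Hosting policy as (source condition, destination condition, action).
# First match wins; a flow that matches no rule hits the implicit deny.
RULES = [
    ([], [("zone", "contains", "Web-zone"), ("port", "eq", 80)], "permit"),
    ([("zone", "contains", "Web-zone")],
     [("zone", "contains", "Application-zone"), ("port", "eq", 22)], "permit"),
    ([("zone", "contains", "Application-zone")],
     [("zone", "contains", "Database-zone")], "permit"),
    ([], [("zone", "contains", "Database-zone")], "drop"),  # explicit, so it logs
]

def evaluate(src, dst):
    """Return the action for a flow from src to dst (attribute dicts; dst has 'port')."""
    src, dst = with_zones(src), with_zones(dst)
    for s_cond, d_cond, action in RULES:
        if match(s_cond, src) and match(d_cond, dst):
            return action
    return "drop"  # implicit deny
```

An external client that is in no zone only reaches web servers on port 80; everything it sends toward the application or database zones falls through to the deny.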
Bind Compute Security Profile to a Port-Profile
Define the service node using the Nexus 1000V VSM
Define the service chain using the Nexus 1000V VSM
Enable the service chain on the port-profile using the Nexus 1000V VSM
ASA 1000V (Edge Firewall) Use Case
Edge Firewall – ASA 1000V
The Cisco ASA 1000V Edge Firewall complements Cisco VSG to provide multitenant edge security and default gateway functionality, and protects against network-based attacks.
Edge Firewall – Static NAT Use Case
[Diagram: an outside client (192.168.200.10) reaches Tenant A through the ASA 1000V (outside 192.168.200.15, inside 192.168.100.15), which applies static NAT to 192.168.200.11; inside the tenant, the VSG fronts an inside client, a web server and a DB server with the addresses 192.168.100.10, 192.168.100.11, 192.168.100.12 and 192.168.100.20]
Edge Security Profile – Static NAT
Edge Security Profile – Static NAT (2)
Edge Security Profile – Static NAT (3)
Edge Security Profile – Static NAT (4)
Edge Security Profile – Static NAT (5)
Bind Edge Security Profile to Port-Profile
Define the service node in Nexus 1000V for the ASA1000V
Define the service chain (order is inside to outside)
Enable the service chain on the port-profile
Policy Enforcement Verification
Syslog messages
Verify NAT on the ASA 1000V
Thank you.
Compute Firewall Profiles
[Diagram: the Compute Firewall uses a Compute Security Profile and a Device Profile]
Compute Security Profile: applied to specific VMs using port profile binding
Device Profile: applied to devices of any type, like ASA 1000V and VSG
Device Profile
Includes policies that are global to the entire virtual appliance, regardless of the type of appliance.
Multiple VSG instances can use the same device profile.
The same device profile can be shared between Cisco VSG and the ASA 1000V.
This profile type contains policies like NTP, syslog messages, etc.
A device profile is created for a tenant by using “Policy Management > Device Configurations > root > <tenant> > Device Profiles”.
Device profiles created at root level (Policy Management > Device Configurations > root > Device Profiles) can be shared across multiple tenants.
Device Profile (contd.)
Compute Security Profile
Includes policies that can be applied to port profiles or VMs.
Firewall policies defined in this type include ACL policies.
A Compute Security Profile is created for a tenant by using “Policy Management > Service Profiles > root > <tenant> > Compute Firewall > Compute Security Profiles”.
Compute Security Profiles created at root level (Policy Management > Service Profiles > root > Compute Firewall > Compute Security Profiles) can be shared across multiple tenants.
Compute Security Profile (contd.)
Edge Firewall Profiles
[Diagram: the Edge Firewall uses an Edge Security Profile, an Edge Device Profile and a Device Profile]
Edge Security Profile: applied to the edge firewall outside interface or to VMs using port profile binding
Edge Device Profile: applied to the specific device type, ASA 1000V
Device Profile: applied to devices of any type, like ASA 1000V and VSG
Edge Device Profile
Global to the ASA1000V only.
Multiple ASA1000V instances can use the same edge device profile.
This profile type contains policies that are unique to the ASA 1000V, for example the DHCP server and routing policies, which are not applicable to Cisco VSG or other devices.
An Edge Device Profile is created for a tenant by using “Policy Management > Service Profiles > root > <tenant> > Edge Firewall > Edge Device Profiles”.
Edge Device Profiles created at root level (Policy Management > Service Profiles > root > Edge Firewall > Edge Device Profiles) can be shared across multiple tenants.
Edge Device Profile (contd.)
Edge Security Profile
Includes policies that can be applied to port profiles or VMs.
Firewall policies defined in this type include ACLs, NAT, etc.
An Edge Security Profile can also be applied to the outside interface of the ASA 1000V, e.g. to define the permit ACLs.
An Edge Security Profile is created for a tenant by using “Policy Management > Service Profiles > root > <tenant> > Edge Firewall > Edge Security Profiles”.
Edge Security Profiles created at root level (Policy Management > Service Profiles > root > Edge Firewall > Edge Security Profiles) can be shared across multiple tenants.
Edge Security Profile (contd.)