Virtual Network Management Center 2.0
Transcript

  • 1. Cisco Virtual Network Management Center (VNMC): Device and Policy Management of Cisco Virtual Services. Technical Information. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  • 2. Agenda
    • Virtual Network Service Framework
    • VNMC Overview
    • VNMC Solution Deployment
    • VSG (Compute Firewall) Use Case
    • ASA1000V (Edge Firewall) Use Case
  • 3. Virtual Network Service Framework (section title)
  • 4. Virtual Network Management Center
    • Single integrated virtual appliance to manage Cisco virtual services in the cloud
    • Part of the Cisco cloud management eco-system
    • Integral part of the N1K architecture
    • Model-driven policy management
    • Common model to enable federated development
    • Easy operational management through XML APIs
    • (Diagram: VNMC managing the VSM, ASA 1000V and VSG; VEM-1 and VEM-2 with vPath on their hypervisors)
  • 5. Cisco Nexus 1000V
    • Accelerates virtualization and multi-tenant cloud deployments
    • Integrated into the VMware vSphere hypervisor
    • Provides advanced virtual machine switching using .1Q switching technology
    • vPath and VXLAN technologies
    • Built on Cisco NX-OS
    • Provides: policy based VM connection, mobile virtual machine security and network policy, and a non-disruptive operational model
    • (Diagram: VMs on a vSphere server with the 1000V VEM, the 1000V VSM, and the physical switches)
  • 6. Nexus 1000V Architecture
    • Supervisors – Virtual Supervisor Modules (VSMs), deployed as a virtual appliance (VSM1, VSM2) in L2 mode or L3 mode
    • Line cards – Virtual Ethernet Modules (VEMs), one per hypervisor (VEM-1, VEM-2 … VEM-N)
    • (Diagram: a modular switch with Supervisor-1, Supervisor-2, back plane and Linecard-1 … Linecard-N, mapped onto the VSMs and VEMs)
  • 7. Embedding Intelligence for Virtual Services – vPath, the Virtual Service Datapath
    • VSG – Virtual Security Gateway
    • ASA 1000V – Virtual Edge Firewall
    • vWAAS – Virtual Wide Area Application Services
    • vPath – Virtual Service Datapath: traffic steering, flexible deployments, network service acceleration
    • (Diagram: ASA 1000V, vWAAS, VSG and VSM virtual appliances in L2 mode or L3 mode; VEM-1 and VEM-2 with vPath on their hypervisors)
  • 8. Virtual Network Service Framework – a framework to build network services for virtualized infrastructure
    • Virtual Network Management Center (VNMC): policy management, multi-device management, VM attributes, vCenter integration – VM attributes, north-bound XML API, multi-tenant
    • Virtual Service Node (VSN): centralized run-time state, service processing (e.g. policy engine, stateful firewall), VSNs – VSG, ASA1000V, multi-instance
    • vPath: traffic interception / redirection / chaining, fast-path in the hypervisor, vPath API – re-usable for multiple services
    • (Diagram: vCenter VM management sends VM notifications and VM attributes to VNMC; VNMC pushes multi-tenant policies and profiles to the VSM policy agent (PA, VN-Service Agent) and the VSN agent; port profiles live on the VSM; packets flow through vPath in the ESX VEM to the VSN)
  • 9. VNMC Overview (section title)
  • 10. Virtual Network Management Center – simple yet powerful network virtual services management (scalable, expandable, partitionable, integrated, automated)
    • Multi Tenant – different customers, different needs
    • Stateless Security Profiles – simple, policy based security config
    • XML API – 3rd party integration ready
    • Role Based Access Controls – different users, different privileges
    • Nexus 1000V & vCenter – port profiles refer to security profiles
    • Dynamic provisioning – one stop configuration of network & security
    • (Screenshot: VNMC GUI)
  • 11. VNMC 2.0 Solution Scope
    • Proven Cisco Security… Virtualized – physical/virtual consistency
    • Collaborative Security Model – VSG for intra-tenant secure zones, ASA 1000V for tenant edge controls
    • Seamless Integration with Nexus 1000V & vPath
    • Scales with Cloud Demand – multi-instance deployment for horizontal scale-out deployment
    • (Diagram: vCenter and VNMC managing Tenant A and Tenant B, each with VDCs and vApps protected by VSGs and an ASA 1000V, over vPath on the Nexus 1000V and hypervisor)
  • 12. Non-Disruptive Administration – mitigate operational errors between teams
    • Security team defines security policies
    • Networking team binds port-profiles to security policies
    • Server team assigns VMs to Nexus 1000V port-profiles
    • (Diagram: vCenter Port Group (Server Admin) → Nexus 1KV Port Profile (Network Admin) → VNMC Security Profile (Security Admin))
  • 13. Multitenant Org Structure
    • A single tenant can have up to 3 sub-levels of orgs
    • Each sub-level can have multiple orgs
    • Overlapping network addresses across tenants are supported
  • 14. Administrative Roles – tenant level RBAC access for the Security Admin
    • 1. VNMC Admin Roles
    • 2. Tenant Level Access
  • 15. System Requirements
    • VMware ESXi 4.1 or 5.0
    • RAM: 3 GB
    • Hard Disk: 25 GB
    • Processors (vCPU): 1
    • Browsers supported: Mozilla Firefox 11.0, Internet Explorer 9.0, Chrome 18.0
    • Flash Player plug-in: version 11.2 Controller
    • Firewall ports requiring access: 80 (HTTP/TCP), 443 (HTTPS), 843 (TCP)
  • 16. VNMC Solution Deployment (section title)
  • 17. Solution Deployment Steps
    • 1) Install VNMC
    • 2) Connect VNMC to vCenter
    • 3) Connect VSM to VNMC
    • 4) Connect VSG to VNMC
    • 5) Connect ASA1000V to VNMC
    • (Diagram: steps 1 to 5 between VMware vCenter, the Virtual Network Management Center (VNMC), VSM, VSG and ASA1000V)
  • 18. Deployment Step 1: VNMC Installation
    • Install VNMC as a virtual appliance in vCenter using the OVA or ISO image
    • Power on the VNMC virtual appliance after the OVA is deployed
    • Access the VNMC WebUI using “https://<Fully qualified VNMC hostname or IP Address>”; username “admin”, password as set during installation
  • 19. Deployment Step 2: Connect VNMC to vCenter – export the vCenter extension file
    • The connection to vCenter is certificate based (no password)
    • Click “Export vCenter Extension” and save the extension to a file
    • Using the vCenter “Plug-ins → Manage Plug-ins” wizard, create a new plug-in using the extension file
    • Click “Add VM Manager” to add a vCenter server to VNMC
  • 20. Deployment Step 3: Connect VSM to VNMC – set up the policy agent in the VSM
    • Log in to the Nexus 1000V Virtual Supervisor Module (VSM)
    • Configure vnm-policy-agent using the VNMC IP address, shared secret and policy agent image
  • 21. Deployment Step 3: Connect VSM to VNMC (contd.) – verify the VSM is connected and reachable from VNMC
  • 22. Deployment Step 4: Connect VSG to VNMC
    • As part of the VSG OVA deployment, specify the VNMC IP address, shared secret and policy agent information
  • 23. Deployment Step 4: Connect VSG to VNMC (contd.) – once the VSG is powered on, it registers with VNMC
  • 24. Deployment Step 5: Connect ASA 1000V to VNMC
    • Log in to the ASA1000V
    • Configure the VNMC IP address and shared secret
  • 25. Deployment Step 5: Connect ASA 1000V to VNMC (contd.) – verify the ASA1000V registered with VNMC
  • 26. VSG (Compute Firewall) Use Case (section title)
  • 27. Compute Firewall Creation
    • The compute firewall controls inter-VM (East-West) traffic
    • VLAN-agnostic, policy based operation
  • 28. Assign VSG to Compute Firewall (screenshot)
  • 29. Compute Firewall Policy: Rule Construct
    • Rule = Source Condition + Destination Condition + Action
    • Condition = Attribute Type (Network, VM, User Defined, vZone) + Attribute + Operator
    • VM attributes: VM Name, Guest OS full name, Zone Name, Parent App Name, Port Profile Name, Cluster Name, Hypervisor Name, VM DNS Name
    • Network attributes: IP Address, Network Port
    • Operators: member, not-member, eq, neq, contains, gt, lt, range, not-in-range, prefix
  • 30. Compute Firewall – Use Case 1a: Access Policy based on Network Attributes
    • Access policy on network attributes – allow ping from Server A (192.168.1.1) to Server B (192.168.1.2) through the VSG
    • (Screenshot: rule with Source Condition, Destination Condition and Action)
  • 31. Compute Firewall – Use Case 1b: Access Policy based on VM Attributes
    • Access policy on VM attributes – allow ping from Server A (Web Server) to Server B (Database Server) through the VSG
    • (Screenshot: rule with Source Condition, Destination Condition and Action)
  • 32. Compute Firewall – Use Case 1c: Access Policy based on Zones
    • Zones are defined by a condition leveraging the attributes, e.g. Network, VM or User Defined attributes
  • 33. Compute Firewall – Use Case 1c: Access Policy based on Zones (contd.)
    • Zone based policy – allow ping from the Server A zone (Web Server) to the Server B zone (Database Server) through the VSG
    • (Screenshot: rule with Source Condition, Destination Condition and Action)
  • 34. Use Case 2: Content Hosting Policy
    • Three zones: Web-zone (Web servers), Application-zone (App servers), Database-zone (DB servers), with a Web client outside
    • Permit only port 80 (HTTP) of Web servers to the Web client
    • Permit only port 22 (SSH) to Application servers
    • Block all external access to Database servers
    • Only permit Web servers access to Application servers
    • Only permit Application servers access to Database servers
  • 35. Use Case 2: Policy Rules with Zones
    • Leveraging zones in rule conditions (screenshot)
  • 36. Bind Compute Security Profile to a Port-Profile
    • Define the service node using the Nexus 1000V VSM
    • Define the service chain using the Nexus 1000V VSM
    • Enable the service chain on the port-profile using the Nexus 1000V VSM
  • 37. ASA 1000V (Edge Firewall) Use Case (section title)
  • 38. Edge Firewall – ASA 1000V
    • The Cisco ASA 1000V edge firewall complements Cisco VSG to provide multitenant edge security and default gateway functionality, and protects against network-based attacks.
  • 39. Edge Firewall – Static NAT Use Case
    • Outside clients: 192.168.200.10 and 192.168.200.11
    • ASA 1000V for Tenant A – outside interface 192.168.200.15, inside interface 192.168.100.15, static NAT between them
    • (Diagram: inside client, Web server, Db server and VSG at 192.168.100.20, 192.168.100.10, 192.168.100.11 and 192.168.100.12, in that order)
  • 40. Edge Security Profile – Static NAT (screenshot)
  • 41. Edge Security Profile – Static NAT (2) (screenshot)
  • 42. Edge Security Profile – Static NAT (3) (screenshot)
  • 43. Edge Security Profile – Static NAT (4) (screenshot)
  • 44. Edge Security Profile – Static NAT (5) (screenshot)
  • 45. Bind Edge Security Profile to Port-Profile
    • Define the service node in Nexus 1000V for the ASA1000V
    • Define the service chain (order is inside to outside)
    • Enable the service chain on the port-profile
  • 46. Policy Enforcement Verification
    • Syslog messages verify NAT on the ASA 1000V
  • 47. Thank you.
  • 48. Compute Firewall Profiles
    • Device Profile – applies to devices of any type, like ASA 1000V and VSG
    • Compute Security Profile – applies to specific VMs using port profile binding
  • 49. Device Profile
    • Includes policies that are global to the entire virtual appliance, regardless of the type of appliance.
    • Multiple VSG instances can use the same device profile.
    • The same device profile can be shared between Cisco VSG and the ASA 1000V.
    • This profile type contains policies like NTP, syslog messages, etc.
    • A device profile is created for a tenant by using “Policy Management → Device Configurations → root → <tenant> → Device Profiles”.
    • Device profiles created at root level (Policy Management → Device Configurations → root → Device Profiles) can be shared across multiple tenants.
  • 50. Device Profile (contd.) (screenshot)
  • 51. Compute Security Profile
    • Includes policies that can be applied to port profiles or VMs.
    • Firewall policies defined in this type include ACL policies.
    • A Compute Security Profile is created for a tenant by using “Policy Management → Service Profiles → root → <tenant> → Compute Firewall → Compute Security Profiles”.
    • Compute Security Profiles created at root level (Policy Management → Service Profiles → root → Compute Firewall → Compute Security Profiles) can be shared across multiple tenants.
  • 52. Compute Security Profile (contd.) (screenshot)
  • 53. Edge Firewall Profiles
    • Device Profile – applies to devices of any type, like ASA 1000V and VSG
    • Edge Device Profile – applies to the edge device specific device type: ASA 1000V
    • Edge Security Profile – applies to the edge firewall outside interface or to VMs using port profile binding
  • 54. Edge Device Profile
    • Global to the ASA1000V only.
    • Multiple ASA1000V instances can use the same edge device profile.
    • This profile type contains policies that are unique to the ASA 1000V only; for example, the DHCP server, or routing policies that are not applicable to Cisco VSG or other devices.
    • An Edge Device Profile is created for a tenant by using “Policy Management → Service Profiles → root → <tenant> → Edge Firewall → Edge Device Profiles”.
    • Edge Device Profiles created at root level (Policy Management → Service Profiles → root → Edge Firewall → Edge Device Profiles) can be shared across multiple tenants.
  • 55. Edge Device Profile (contd.) (screenshot)
  • 56. Edge Security Profile
    • Includes policies that can be applied to port profiles or VMs.
    • Firewall policies defined in this type include ACLs, NAT, etc.
    • An Edge Security Profile can also be applied to the outside interface of the ASA 1000V, e.g. to define the permit ACLs.
    • An Edge Security Profile is created for a tenant by using “Policy Management → Service Profiles → root → <tenant> → Edge Firewall → Edge Security Profiles”.
    • Edge Security Profiles created at root level (Policy Management → Service Profiles → root → Edge Firewall → Edge Security Profiles) can be shared across multiple tenants.
  • 57. Edge Security Profile (contd.) (screenshot)