Virtual Network Management Center 2.0
Page 1: Virtual Network Management Center 2.0

Cisco Confidential 1© 2012 Cisco and/or its affiliates. All rights reserved.

Cisco Virtual Network Management Center (VNMC): Device and Policy Management of Cisco Virtual Services

Technical Information

Page 2: Virtual Network Management Center 2.0

Agenda

• Virtual Network Service Framework
• VNMC Overview
• VNMC Solution Deployment
• VSG (Compute Firewall) Use Case
• ASA 1000V (Edge Firewall) Use Case

Page 3: Virtual Network Management Center 2.0


Virtual Network Service Framework

Page 4: Virtual Network Management Center 2.0

Virtual Network Management Center

[Diagram: the VNMC virtual appliance manages the VSG and ASA 1000V service nodes; the Nexus 1000V VSM controls VEM-1 and VEM-2 (each with vPath) on two hypervisors]

• Single integrated access to manage Cisco virtual services in the cloud
• Part of the Cisco cloud management ecosystem
• Integral part of the Nexus 1000V (N1K) architecture
• Model-driven policy management
• Common model to enable federated development
• Easy operational management through XML APIs

Page 5: Virtual Network Management Center 2.0

Cisco Nexus 1000V

• Accelerates virtualization and multi-tenant cloud deployments
• Integrated into the VMware vSphere hypervisor
• Provides advanced virtual machine switching using 802.1Q switching technology, together with vPath and VXLAN
• Built on Cisco NX-OS
• Provides policy-based VM connectivity, mobile virtual machine security and network policy, and a non-disruptive operational model

[Diagram: a vSphere server hosting VMs on a Nexus 1000V VEM, managed by the Nexus 1000V VSM and uplinked to the physical switches]

Page 6: Virtual Network Management Center 2.0

Nexus 1000V Architecture

The Nexus 1000V is modelled on a modular switch: the supervisors are the Virtual Supervisor Modules (VSMs) and the line cards are the Virtual Ethernet Modules (VEMs).

[Diagram: a modular chassis (Supervisor-1, Supervisor-2, Linecard-1, Linecard-2 … Linecard-N over a backplane) beside its virtual equivalent: VSM1 and VSM2 as a virtual appliance, VEM-1, VEM-2 … VEM-N on hypervisors, with the VSM-to-VEM control channel in L2 mode or L3 mode]

• Supervisors – Virtual Supervisor Modules (VSMs)
• Line cards – Virtual Ethernet Modules (VEMs)

Page 7: Virtual Network Management Center 2.0

Embedding Intelligence for Virtual Services: vPath – Virtual Service Datapath

[Diagram: VSM virtual appliance; VEM-1 and VEM-2 with vPath on two hypervisors (L2 or L3 mode to the VSM), steering traffic to the VSG, ASA 1000V and vWAAS service nodes]

• vPath – Virtual Service Datapath: traffic steering, flexible deployments, network service acceleration
• VSG – Virtual Security Gateway
• ASA 1000V – Virtual Edge Firewall
• vWAAS – Virtual Wide Area Application Services

Page 8: Virtual Network Management Center 2.0

Virtual Network Service Framework: a framework to build network services for virtualized infrastructure

Virtual Network Management Center (VNMC)
• Policy management
• Multi-device management
• vCenter integration – VM attributes
• North-bound XML API
• Multi-tenant

Virtual Service Node (VSN)
• Centralized run-time state
• Service processing, e.g. policy engine, stateful firewall
• VSNs – VSG, ASA 1000V
• Multi-instance

vPath
• Traffic interception / redirection / chaining
• Fast path in the hypervisor
• vPath API – re-usable for multiple services
• Multi-tenant

[Diagram: vCenter (VC) sends VM notifications to VNMC; VNMC pushes policies, profiles and VM attributes to the VSNs through their policy agents (PA) and VN-Service Agent; the VSM programs port profiles on the ESX VEM, whose vPath steers packets to the VSNs]

Page 9: Virtual Network Management Center 2.0


VNMC Overview

Page 10: Virtual Network Management Center 2.0

Virtual Network Management Center: simple yet powerful network virtual services management

• XML API – 3rd-party integration ready
• Multi-tenant – different customers, different needs
• Role-based access control – different users, different privileges
• Dynamic provisioning – one-stop configuration of network and security
• Security profiles – simple, policy-based security configuration
• Nexus 1000V and vCenter – port profiles refer to security profiles

Scalable, stateless, expandable, partitionable, integrated, automated

[Screenshot: VNMC GUI]

Page 11: Virtual Network Management Center 2.0

VNMC 2.0 Solution Scope

Proven Cisco security, virtualized
• Physical-to-virtual consistency

Collaborative security model
• VSG for intra-tenant secure zones
• ASA 1000V for tenant edge controls

Seamless integration
• With Nexus 1000V and vPath

Scales with cloud demand
• Multi-instance deployment for horizontal scale-out

[Diagram: VNMC and vCenter manage Tenant A and Tenant B, each a VDC of vApps on the hypervisor; Nexus 1000V vPath steers traffic to per-tenant VSG instances and ASA 1000V edge firewalls]

Page 12: Virtual Network Management Center 2.0

Non-Disruptive Administration

Mitigates operational errors between teams by separating responsibilities:
• Security team (Security Admin, in VNMC) defines security policies
• Networking team (Network Admin, in Nexus 1000V) binds port profiles to security policies
• Server team (Server Admin, in vCenter) assigns VMs to Nexus 1000V port profiles

Port Group (vCenter) → Port Profile (Nexus 1000V) → Security Profile (VNMC)

Page 13: Virtual Network Management Center 2.0

Multitenant Org Structure

[Diagram: Root → Tenant A, Tenant B (tenant level) → DC 1, DC 2, DC 3 (vDC level) → App 1, App 2 (vApp level) → Tier 1, Tier 2, Tier 3 (tier level)]

• A single tenant can have up to 3 sub-levels of orgs (vDC, vApp, tier)
• Each sub-level can have multiple orgs
• Overlapping network addresses across tenants are supported

Page 14: Virtual Network Management Center 2.0

Administrative Roles

1. VNMC admin roles
2. Tenant-level access: tenant-level RBAC access for a Security Admin

Page 15: Virtual Network Management Center 2.0

System Requirements

Controller (VNMC virtual appliance)
• VMware ESXi 4.1 or 5.0
• RAM: 3 GB
• Hard disk: 25 GB
• Processors (vCPU): 1

Browsers supported
• Mozilla Firefox 11.0
• Internet Explorer 9.0
• Chrome 18.0
• Flash Player plug-in: version 11.2

Firewall ports requiring access
• 80 (HTTP/TCP)
• 443 (HTTPS/TCP)
• 843 (TCP; the Flash socket-policy port used by the Flash-based web UI)

Page 16: Virtual Network Management Center 2.0


VNMC Solution Deployment

Page 17: Virtual Network Management Center 2.0

Solution Deployment Steps

1) Install VNMC
2) Connect VNMC to vCenter
3) Connect VSM to VNMC
4) Connect VSG to VNMC
5) Connect ASA 1000V to VNMC

[Diagram: VNMC at the centre with numbered links to VMware vCenter (2), the VSM (3), the VSG (4) and the ASA 1000V (5)]

Page 18: Virtual Network Management Center 2.0

Deployment Step 1: VNMC Installation

• Install VNMC as a virtual appliance in vCenter using the OVA or ISO image
• Power on the VNMC virtual appliance after the OVA is deployed
• Access the VNMC web UI at https://<fully qualified VNMC hostname or IP address>
• Username: admin
• Password: the one set during installation

Page 19: Virtual Network Management Center 2.0

Deployment Step 2: Connect VNMC to vCenter

Export the vCenter extension file:
• The connection to vCenter is certificate based (no password)
• Click "Export vCenter Extension" and save the extension to a file
• In vCenter, use the "Plug-ins > Manage Plug-ins" wizard to create a new plug-in from the extension file
• Click "Add VM Manager" to add the vCenter server to VNMC

Page 20: Virtual Network Management Center 2.0

Deployment Step 3: Connect VSM to VNMC

Set up the policy agent in the VSM:
• Log in to the Nexus 1000V Virtual Supervisor Module (VSM)
• Configure vnm-policy-agent with the VNMC IP address, the shared secret and the policy agent image

Page 21: Virtual Network Management Center 2.0

Deployment Step 3: Connect VSM to VNMC (contd.)

Verify that the VSM is connected to and reachable from VNMC

Page 22: Virtual Network Management Center 2.0

Deployment Step 4: Connect VSG to VNMC

As part of the VSG OVA deployment, specify the VNMC IP address, the shared secret and the policy agent information

Page 23: Virtual Network Management Center 2.0

Deployment Step 4: Connect VSG to VNMC (contd.)

Once the VSG is powered on, it registers with VNMC

Page 24: Virtual Network Management Center 2.0

Deployment Step 5: Connect ASA 1000V to VNMC

• Log in to the ASA 1000V
• Configure the VNMC IP address and the shared secret

Page 25: Virtual Network Management Center 2.0

Deployment Step 5: Connect ASA 1000V to VNMC (contd.)

Verify that the ASA 1000V has registered with VNMC

Page 26: Virtual Network Management Center 2.0


VSG (Compute Firewall) Use Case

Page 27: Virtual Network Management Center 2.0

Compute Firewall Creation

The compute firewall controls:
• Inter-VM (east-west) traffic
• VLAN-agnostic, policy-based operation

Page 28: Virtual Network Management Center 2.0


Assign VSG to Compute Firewall

Page 29: Virtual Network Management Center 2.0

Compute Firewall Policy: Rule Construct

A rule consists of a source condition, a destination condition and an action. Each condition combines an attribute, an operator and a value.

Attribute types
• Network attributes: IP address, network port
• VM attributes: VM name, guest OS full name, zone name, parent app name, port profile name, cluster name, hypervisor name, VM DNS name
• User defined
• vZone

Operators
• Network attributes: eq, neq, gt, lt, range, not-in-range, prefix
• VM and user-defined attributes: member, not-member, contains

Page 30: Virtual Network Management Center 2.0

Compute Firewall – Use Case 1a: Access Policy Based on Network Attributes

[Diagram: Server A (192.168.1.1) and Server B (192.168.1.2) with a VSG between them; access policy on network attributes – allow ping]

[Screenshot: the rule's source condition and destination condition (the two IP addresses) and its action]

Page 31: Virtual Network Management Center 2.0

Compute Firewall – Use Case 1b: Access Policy Based on VM Attributes

[Diagram: Server A (Web Server) and Server B (Database Server) with a VSG between them; access policy on VM attributes – allow ping]

[Screenshot: the rule's source condition and destination condition (VM attributes rather than addresses) and its action]

Page 32: Virtual Network Management Center 2.0

Compute Firewall – Use Case 1c: Access Policy Based on Zones

Zones are defined by a condition leveraging the attributes, e.g. network, VM or user-defined attributes

Page 33: Virtual Network Management Center 2.0

Compute Firewall – Use Case 1c: Access Policy Based on Zones (contd.)

[Diagram: Server A in the Web Server Zone and Server B in the Database Server Zone with a VSG between them; zone-based policy – allow ping]

[Screenshot: the rule's source condition and destination condition (zones) and its action]

Page 34: Virtual Network Management Center 2.0

Use Case 2: Content Hosting Policy

[Diagram: Web client → Web-zone (Web Server) → Application-zone (App Server) → Database-zone (DB server)]

Policy – Content Hosting
• Permit only port 80 (HTTP) to web servers
• Only permit web servers access to application servers
• Permit only port 22 (SSH) to application servers
• Only permit application servers access to database servers
• Block all external access to database servers

Page 35: Virtual Network Management Center 2.0

Use Case 2: Policy Rules with Zones – leveraging zones in rule conditions

[Screenshot: the content-hosting rules with zone conditions]
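The rule construct, the three Use Case 1 variants and the content-hosting policy above describe one evaluation model: a condition is an attribute, an operator and a value; a zone is a named condition; a rule is a source condition, a destination condition and an action. The following Python is an added example (not VSG or VNMC code) that implements that model end to end so the policy can be checked offline. The VM inventory, zone definitions and the choice of TCP 3306 for the database tier are constructed for the example, and the assumption that the first matching rule wins with unmatched traffic dropped is mine, not something the deck states.

```python
"""Attribute-based compute-firewall rule evaluation, modelled on the VSG
rule construct (source condition, destination condition, action) and on
zones defined as conditions over VM, network or user-defined attributes.
Added example for this page, not VSG or VNMC code. Assumptions: first
matching rule wins and unmatched traffic is dropped; the VM inventory,
zone definitions and the MySQL port 3306 for the DB tier are constructed."""
import ipaddress

# Operators for network attributes (IP address, network port).
NET_OPS = {
    "eq": lambda a, v: a == v,
    "neq": lambda a, v: a != v,
    "gt": lambda a, v: a > v,
    "lt": lambda a, v: a < v,
    "range": lambda a, v: v[0] <= a <= v[1],
    "not-in-range": lambda a, v: not (v[0] <= a <= v[1]),
    "prefix": lambda a, v: ipaddress.ip_address(a) in ipaddress.ip_network(v, strict=False),
}
# Operators for string-valued (VM and user-defined) attributes.
STR_OPS = {
    "member": lambda a, v: a in v,          # attribute is one of the listed values
    "not-member": lambda a, v: a not in v,
    "contains": lambda a, v: v in a,        # attribute contains the substring
}
OPS = {**NET_OPS, **STR_OPS}


def match_condition(attrs, cond, zones):
    """cond = (attribute, operator, value). A 'vzone' condition is resolved
    by evaluating that zone's own conditions against the endpoint."""
    attr, op, value = cond
    if attr == "vzone":
        in_zone = match_all(attrs, zones[value], zones)
        return in_zone if op == "eq" else not in_zone
    if attr not in attrs:
        return False                         # an attribute the endpoint lacks never matches
    return OPS[op](attrs[attr], value)


def match_all(attrs, conds, zones):
    return all(match_condition(attrs, c, zones) for c in conds)


def evaluate(src, dst, policy, zones):
    """Action of the first rule whose source and destination conditions
    both match; default deny when no rule matches."""
    for src_conds, dst_conds, action in policy:
        if match_all(src, src_conds, zones) and match_all(dst, dst_conds, zones):
            return action
    return "drop"


# Constructed inventory: attributes as vCenter would report them to VNMC.
VMS = {
    "web-01": {"vm_name": "web-01", "ip": "192.168.1.11", "port_profile": "web-pp"},
    "app-01": {"vm_name": "app-01", "ip": "192.168.1.21", "port_profile": "app-pp"},
    "db-01":  {"vm_name": "db-01",  "ip": "192.168.1.31", "port_profile": "db-pp"},
    # Clone on another subnet and port profile: still a DB server by name.
    "db-02":  {"vm_name": "db-02",  "ip": "192.168.7.31", "port_profile": "misc-pp"},
}
EXTERNAL = {"ip": "192.168.200.10"}          # outside client, no VM attributes

# Zones are conditions, not address lists, so membership survives re-addressing.
ZONES = {
    "web": [("port_profile", "eq", "web-pp")],
    "app": [("vm_name", "contains", "app")],
    "db":  [("vm_name", "member", ["db-01", "db-02"])],
}

# Use Case 2 content-hosting policy: (source conditions, destination conditions, action).
CONTENT_HOSTING = [
    ([], [("vzone", "eq", "web"), ("proto", "eq", "tcp"), ("port", "eq", 80)], "permit"),
    ([("vzone", "eq", "web")], [("vzone", "eq", "app"), ("proto", "eq", "tcp"), ("port", "eq", 22)], "permit"),
    ([("vzone", "eq", "app")], [("vzone", "eq", "db"), ("proto", "eq", "tcp"), ("port", "eq", 3306)], "permit"),
    ([], [("vzone", "eq", "db")], "drop"),   # block all other access to database servers
]


def flow(src_name, dst_name, proto, port, policy=CONTENT_HOSTING, zones=ZONES):
    """Evaluate one flow; endpoints are VM names or 'external'."""
    src = VMS.get(src_name, EXTERNAL)
    dst = dict(VMS.get(dst_name, EXTERNAL), proto=proto, port=port)
    return evaluate(src, dst, policy, zones)


if __name__ == "__main__":
    for s, d, p in [("external", "web-01", 80), ("external", "web-01", 22),
                    ("web-01", "app-01", 22), ("app-01", "db-02", 3306),
                    ("web-01", "db-01", 3306)]:
        print(f"{s} -> {d}:{p}  {flow(s, d, 'tcp', p)}")
```

The db-02 entry is the point of the zone model: it sits on a different subnet and a different port profile, yet the app tier can still reach it and the web tier still cannot, because the zone is defined by a VM attribute rather than by an address or VLAN.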

Page 36: Virtual Network Management Center 2.0

Bind Compute Security Profile to a Port-Profile

• Define the service node using the Nexus 1000V VSM
• Define the service chain using the Nexus 1000V VSM
• Enable the service chain on the port profile using the Nexus 1000V VSM

Page 37: Virtual Network Management Center 2.0


ASA 1000V (Edge Firewall) Use Case

Page 38: Virtual Network Management Center 2.0

Edge Firewall – ASA 1000V

The Cisco ASA 1000V edge firewall complements the Cisco VSG: it provides multitenant edge security and default gateway functionality, and protects against network-based attacks.

Page 39: Virtual Network Management Center 2.0

Edge Firewall – Static NAT Use Case

[Diagram: an outside client (192.168.200.10) reaches the ASA 1000V (outside 192.168.200.15, inside 192.168.100.15) in front of Tenant A's inside network: inside client 192.168.100.10, web server 192.168.100.11, DB server 192.168.100.12 and VSG 192.168.100.20; the ASA 1000V static NAT presents 192.168.200.11 on the outside for the web server]
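The static NAT use case above is easy to misread as "only the published host is exposed": a static translation is a fixed, bidirectional mapping, so once 192.168.200.11 exists the outside-interface ACL in the edge security profile is what limits which protocols and ports reach the real host. The Python below is an added example (not ASA or VNMC code) that models exactly that pairing of translation and ACL for Tenant A. It assumes the web server is the host behind 192.168.200.11 (read off the diagram), constructs the outside ACL, and matches the ACL against the real, untranslated address as ASA 8.3 and later do.

```python
"""Static NAT at the tenant edge, modelled on the ASA 1000V use case above
(outside client 192.168.200.10, firewall outside 192.168.200.15 / inside
192.168.100.15, web server 192.168.100.11 published as 192.168.200.11).
Added example, not ASA or VNMC code. Assumptions: the web server is the
host behind 192.168.200.11 (read off the diagram), the outside ACL is
constructed, and ACLs are matched on the real (untranslated) address as
in ASA 8.3 and later."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


class EdgeFirewall:
    def __init__(self, static_nat, outside_acl):
        # Static NAT is a one-to-one, bidirectional mapping: the published
        # address answers for the inside host whether or not the inside host
        # started the conversation, so the outside ACL is the only thing
        # limiting what reaches it.
        self.in_to_out = dict(static_nat)
        self.out_to_in = {o: i for i, o in static_nat.items()}
        self.outside_acl = set(outside_acl)    # permitted (proto, real_dst, dport)
        self.syslog = []                        # what "verify NAT" would show

    def from_outside(self, pkt):
        """Ingress on the outside interface: untranslate, then apply the ACL."""
        real = self.out_to_in.get(pkt.dst)
        if real is None:
            return self._drop(pkt, "no translation for destination")
        if (pkt.proto, real, pkt.dport) not in self.outside_acl:
            return self._drop(pkt, f"outside ACL denies {pkt.proto}/{pkt.dport} to {real}")
        self.syslog.append(f"permit {pkt.src} -> {pkt.dst}:{pkt.dport} untranslated to {real}")
        return replace(pkt, dst=real)

    def from_inside(self, pkt):
        """Egress: rewrite the source of a published host. Hosts without a
        static entry get no translation here (no dynamic PAT is configured)."""
        mapped = self.in_to_out.get(pkt.src)
        if mapped is None:
            return self._drop(pkt, "no translation for source")
        self.syslog.append(f"permit {pkt.src} -> {pkt.dst} translated to {mapped}")
        return replace(pkt, src=mapped)

    def _drop(self, pkt, why):
        self.syslog.append(f"drop {pkt.src} -> {pkt.dst}:{pkt.dport} ({why})")
        return None


def tenant_a_edge():
    """Edge for Tenant A: publish only the web server, and only HTTP to it."""
    return EdgeFirewall(
        static_nat={"192.168.100.11": "192.168.200.11"},
        outside_acl={("tcp", "192.168.100.11", 80)},
    )


if __name__ == "__main__":
    fw = tenant_a_edge()
    fw.from_outside(Packet("192.168.200.10", "192.168.200.11", "tcp", 80))
    fw.from_outside(Packet("192.168.200.10", "192.168.200.11", "tcp", 22))
    fw.from_outside(Packet("192.168.200.10", "192.168.200.12", "tcp", 3306))
    for line in fw.syslog:
        print(line)
```

The DB server (192.168.100.12) has no static entry, so it is unreachable from outside regardless of the ACL; the web server is reachable only on TCP 80 because the ACL, not the translation, says so. Anything the ACL lets through still has to pass the VSG compute policy inside the tenant, since the service chain is ordered inside to outside.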

Pages 40–44: Virtual Network Management Center 2.0

Edge Security Profile – Static NAT (screenshots 1–5 of the static NAT configuration in the edge security profile)

Page 45: Virtual Network Management Center 2.0

Bind Edge Security Profile to a Port-Profile

• Define the service node in the Nexus 1000V for the ASA 1000V
• Define the service chain (the order is inside to outside)
• Enable the service chain on the port profile

Page 46: Virtual Network Management Center 2.0

Policy Enforcement Verification

• Syslog messages
• Verify NAT on the ASA 1000V

Page 47: Virtual Network Management Center 2.0

Thank you.

Page 48: Virtual Network Management Center 2.0

Compute Firewall Profiles

[Diagram: Compute Firewall → Compute Security Profile and Device Profile]

• Compute Security Profile: applies to specific VMs using port-profile binding
• Device Profile: applies to devices of any type, e.g. ASA 1000V and VSG

Page 49: Virtual Network Management Center 2.0

Device Profile

• Includes policies that are global to the entire virtual appliance, regardless of the type of appliance
• Multiple VSG instances can use the same device profile
• The same device profile can be shared between the Cisco VSG and the ASA 1000V
• This profile type contains policies such as NTP, syslog messages, etc.
• A device profile is created for a tenant under "Policy Management > Device Configurations > root > <tenant> > Device Profiles"
• Device profiles created at root level ("Policy Management > Device Configurations > root > Device Profiles") can be shared across multiple tenants

Page 50: Virtual Network Management Center 2.0


Device Profile (contd.)

Page 51: Virtual Network Management Center 2.0

Compute Security Profile

• Includes policies that can be applied to port profiles or VMs
• Firewall policies defined in this type include ACL policies
• A compute security profile is created for a tenant under "Policy Management > Service Profiles > root > <tenant> > Compute Firewall > Compute Security Profiles"
• Compute security profiles created at root level ("Policy Management > Service Profiles > root > Compute Firewall > Compute Security Profiles") can be shared across multiple tenants

Page 52: Virtual Network Management Center 2.0


Compute Security Profile (contd.)

Page 53: Virtual Network Management Center 2.0

Edge Firewall Profiles

[Diagram: Edge Firewall → Edge Security Profile, Edge Device Profile and Device Profile]

• Edge Security Profile: applies to the edge firewall's outside interface, or to VMs using port-profile binding
• Edge Device Profile: applies to one specific device type, the ASA 1000V
• Device Profile: applies to devices of any type, e.g. ASA 1000V and VSG

Page 54: Virtual Network Management Center 2.0

Edge Device Profile

• Global to the ASA 1000V only
• Multiple ASA 1000V instances can use the same edge device profile
• This profile type contains policies that are unique to the ASA 1000V, for example the DHCP server and routing policies that do not apply to the Cisco VSG or other devices
• An edge device profile is created for a tenant under "Policy Management > Service Profiles > root > <tenant> > Edge Firewall > Edge Device Profiles"
• Edge device profiles created at root level ("Policy Management > Service Profiles > root > Edge Firewall > Edge Device Profiles") can be shared across multiple tenants

Page 55: Virtual Network Management Center 2.0


Edge Device Profile (contd.)

Page 56: Virtual Network Management Center 2.0

Edge Security Profile

• Includes policies that can be applied to port profiles or VMs
• Firewall policies defined in this type include ACLs, NAT, etc.
• An edge security profile can also be applied to the outside interface of the ASA 1000V, e.g. to define the permit ACLs
• An edge security profile is created for a tenant under "Policy Management > Service Profiles > root > <tenant> > Edge Firewall > Edge Security Profiles"
• Edge security profiles created at root level ("Policy Management > Service Profiles > root > Edge Firewall > Edge Security Profiles") can be shared across multiple tenants

Page 57: Virtual Network Management Center 2.0


Edge Security Profile (contd.)
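The org-structure and administrative-roles slides earlier in the deck and the four profile slides above share one scoping rule: a profile created at root is usable by every tenant, a profile created under a tenant stays inside that tenant's subtree, and a tenant-level Security Admin only sees that subtree. The Python below is an added example (not VNMC code) that puts the two together: an org tree limited to three sub-levels under a tenant, a profile store, name resolution that walks up toward root, and a tenant-scope check. The nearest-definition-wins resolution rule, the sample orgs and the profile names are assumptions made for the example; the deck states only that root-level profiles are shared across tenants.

```python
"""Org-scoped profile resolution and tenant-level RBAC, modelled on the
VNMC org tree (root -> tenant -> vDC -> vApp -> tier; at most 3 sub-levels
under a tenant) and on the profile slides: profiles created at root are
shared by every tenant, profiles created under a tenant stay inside that
tenant's subtree. Added example, not VNMC code. Assumptions: a profile
reference resolves to the nearest definition walking up toward root, and
the sample orgs and profile names are constructed."""

ROOT = "root"
MAX_SUBLEVELS = 3          # vDC, vApp, tier


def validate_org(dn):
    """Org DNs look like root/TenantA/DC1/App1/Tier1."""
    parts = dn.split("/")
    if parts[0] != ROOT or "" in parts:
        raise ValueError(f"org must start at {ROOT}: {dn}")
    if len(parts) - 2 > MAX_SUBLEVELS:
        raise ValueError(f"more than {MAX_SUBLEVELS} sub-levels under the tenant: {dn}")
    return parts


def parent(dn):
    return dn.rsplit("/", 1)[0] if "/" in dn else None


class PolicyStore:
    def __init__(self):
        self.profiles = {}   # (org_dn, kind, name) -> body

    def create(self, org, kind, name, body):
        validate_org(org)
        self.profiles[(org, kind, name)] = body

    def resolve(self, org, kind, name):
        """Return (org where found, body) for the nearest profile of that kind
        and name at or above org; None when nothing up to root defines it.
        A tenant's own definition therefore shadows a root-level one of the
        same name, and another tenant's definitions are never reachable."""
        validate_org(org)
        dn = org
        while dn is not None:
            if (dn, kind, name) in self.profiles:
                return dn, self.profiles[(dn, kind, name)]
            dn = parent(dn)
        return None


def in_scope(admin_org, target_org):
    """Tenant-level RBAC: an admin scoped at admin_org may act only on orgs
    in that subtree. The trailing '/' stops root/TenantA matching root/TenantAB."""
    return target_org == admin_org or target_org.startswith(admin_org + "/")


def demo_store():
    """Constructed sample: a shared root device profile, Tenant A's override,
    and a compute security profile scoped to one of Tenant A's vDCs."""
    s = PolicyStore()
    s.create("root", "device-profile", "default", {"ntp": "10.0.0.1", "syslog": "10.0.0.2"})
    s.create("root/TenantA", "device-profile", "default", {"ntp": "192.168.1.1", "syslog": "192.168.1.2"})
    s.create("root/TenantA/DC1", "compute-security-profile", "web", {"rules": ["permit tcp/80 to web zone"]})
    return s


if __name__ == "__main__":
    s = demo_store()
    print(s.resolve("root/TenantA/DC1/App1/Tier1", "device-profile", "default"))
    print(s.resolve("root/TenantB/DC2", "device-profile", "default"))
    print(s.resolve("root/TenantB/DC2", "compute-security-profile", "web"))
    print(in_scope("root/TenantA", "root/TenantB/DC1"))
```

Two things are worth checking in a real deployment with this model in mind: a root-level profile edited by a VNMC admin silently changes every tenant that has not overridden it, and a tenant admin whose scope is root/TenantA can bind only profiles defined at root or inside root/TenantA, so overlapping addresses between tenants never collide in policy.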