Using Cisco VNMC to assign a VSG to a tenant

OK, it is time to continue building our virtual infrastructure. This series of posts targets networking and security; there are lots of virtualization topics we won’t touch, because the universe would collapse before anyone could finish a story about virtualization.

To recap, we talked about networking stuff:

and security stuff:

At this point we have a virtual infrastructure (VI) that comprises four ESXi 5.x hosts belonging to one cluster within a datacenter. We also have a Nexus 1000V as the virtual switch that connects all VMs and appliances to the real world. This Nexus has two VSMs in an HA pair and four VEMs (one per ESXi host). We have one VNMC that now controls two VSGs, one for each of the two tenants we will host in this lab. And there are four VMs, two per tenant. There are, of course, a vCenter appliance and an Update Manager as well. The vCenter view looks like this:

image

Now we will create two tenants within VNMC, assign a VSG to each tenant, and create some security policies. All of these policies will permit/deny traffic within a tenant: Cisco VSG is used for INTRA-tenant traffic, not INTER-tenant traffic. For inter-tenant traffic we will use the “Cisco ASA 1000V Cloud Firewall” in a later blog post.

Let’s recall that vCenter, the VSM and both VSGs have to be registered within VNMC before any of this works. From the previous posts we know where to find these screens:

vCenter

image

VSM

image

VSG-NOVABANKA

image

VSG-STARABANKA

image

First, let’s create the two tenants. Under “Tenant Management” we right-click the “root” node and select “Create Tenant”. We only need to provide a tenant name:

image

After creating both tenants, we have the following situation:

image

Now we need to assign a VSG to each tenant. In VNMC a VSG is called a “Compute Firewall”. But before we do that, let’s talk about the “Data Interface” and the “Data IP Address”. When we installed a VSG, we dealt with three network adapters: Data, Management and HA. Something like this:

image

At this point we have two fresh VSG installations; let’s look at a partial running configuration of one of them:

! Lines omitted

interface mgmt0
  ip address 10.x.y.141/24

interface data0
line vty
  exec-timeout 5
line console
  exec-timeout 5


We can see that mgmt0 has an IP address; this is the address we manage the VSG through, and we assigned it during the VSG installation/setup. The data0 interface, however, has no IP address. Yet! This interface gets its IP address once we assign the VSG to a tenant: the data IP address is one of the things we specify in that step. Because our current setup is L2 based, the VSG and the VEMs have to be on the same L2 segment. The reason is that the VEM forwards the first packet of each flow to the VSG for a policy decision (this is Cisco’s vPath), so it needs the VSG’s MAC address, and it obtains that MAC address by sending an ARP request for the data IP address of the specific VSG. If the VSG data interface and the VEM vmkernel interfaces are on different segments, that ARP is never answered and the VEM cannot reach the VSG at all.

So, let’s assign a VSG to our first tenant. Under “Resource Management->Managed Resources->root->TENANT-NOVABANKA” we right-click “Compute Firewalls” and click “Add Compute Firewall”.

image

We then fill in a simple dialog form. Please note the IP address of the data interface. Our VEMs have IP addresses from the 10.x.y.0/24 range, so the VEM IP addresses (these are actually the vmkernel IP addresses of our ESXi hosts) are in the same segment as the VSG data interface and L2 communication is possible. Also notice the management host name: this is the host name our VSG is going to get. One caveat for anything beyond a lab: here the data interface shares the management segment for simplicity, but in production the vPath/data VLAN is normally kept separate from the management VLAN, so that tenant traffic redirected from the VEMs never rides the management network.

image 

So far we have only created a compute firewall object inside VNMC; now we have to associate a real VSG with it. At this moment the configuration state of the compute firewall is “not-applied”. We select the name we just created and click “Assign VSG”. In the VSG installation post we installed two VSGs, one for each of our tenants. Now we select the first VSG for the first tenant and click OK.

image

After a while the prompt in the VSG console changes to the new host name, and our data interface now has an IP address:

NOVABANKA-VSG#
NOVABANKA-VSG# show run int m0

!Command: show running-config interface mgmt0
!Time: Mon Feb 11 03:58:38 2013

version 4.2(1)VSG1(4.1)

interface mgmt0
  ip address 10.x.y.141/24

NOVABANKA-VSG#
NOVABANKA-VSG# show run int d0

!Command: show running-config interface data0
!Time: Mon Feb 11 03:58:43 2013

version 4.2(1)VSG1(4.1)

interface data0
  ip address 10.x.y.142/24

NOVABANKA-VSG#

From the VNMC, under the “Resource Management->Managed Resources->root->TENANT-NOVABANKA->Compute Firewalls->NOVABANKA-VSG” we have the following status screen:

image

Most important for now are “Config State: applied” and “Association State: associated”. On the VSG side, show vnm-pa status confirms that the VSG’s policy agent is registered with VNMC; if the association does not come up, that is the first thing to look at.

We may now proceed and assign the second VSG to our second tenant, and hopefully get the same result:

STARABANKA-VSG#
STARABANKA-VSG# show run int m0

!Command: show running-config interface mgmt0
!Time: Mon Feb 11 04:11:03 2013

version 4.2(1)VSG1(4.1)

interface mgmt0
  ip address 10.x.y.143/24

STARABANKA-VSG#
STARABANKA-VSG# show run int d0

!Command: show running-config interface data0
!Time: Mon Feb 11 04:11:07 2013

version 4.2(1)VSG1(4.1)

interface data0
  ip address 10.x.y.144/24

STARABANKA-VSG#
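To make the two checks in this post repeatable, here is an added example (my own script, not part of the original post and not Cisco tooling) that parses the “show running-config interface” output shown above and verifies, first, that data0 actually received an address after the VSG was assigned to the tenant and, second, that this address sits on the same L2 segment as the VEM vmkernel addresses, which is the precondition for the VEM’s ARP for the VSG data IP to be answered. The 10.1.1.x addresses and the vmkernel list are constructed stand-ins for the redacted 10.x.y.z values in the post.

```python
"""Verify VSG addressing after assignment in VNMC.

Added example, not from the original blog post. It parses NX-OS style
`show running-config interface` output for mgmt0/data0 and checks:
  1. data0 has an address (before the VSG is assigned to a tenant the
     stanza has no `ip address` line, i.e. config state not-applied),
  2. the data address is on the same L2 segment as every VEM vmkernel
     address, so a VEM can ARP for the VSG's MAC address.
All addresses below are constructed; the post redacts the real ones.
"""
import ipaddress
import re

# Constructed sample: running config of a VSG before assignment
# (mirrors the post: data0 has no ip address line).
VSG_BEFORE = """\
interface mgmt0
  ip address 10.1.1.141/24

interface data0
line vty
  exec-timeout 5
"""

# Constructed sample: the two `show run int` outputs after assignment.
VSG_AFTER = """\
!Command: show running-config interface mgmt0
version 4.2(1)VSG1(4.1)

interface mgmt0
  ip address 10.1.1.141/24

!Command: show running-config interface data0
version 4.2(1)VSG1(4.1)

interface data0
  ip address 10.1.1.142/24
"""

# Constructed: vmkernel addresses of the four VEMs (ESXi hosts) in the lab.
VEM_VMK_ADDRESSES = ["10.1.1.11", "10.1.1.12", "10.1.1.13", "10.1.1.14"]

_IFACE_RE = re.compile(r"^interface (\S+)\s*$")
_IP_RE = re.compile(r"^\s+ip address (\S+)\s*$")


def parse_interfaces(running_config: str) -> dict:
    """Return {interface_name: IPv4Interface or None}.

    An interface stanza ends at the next non-indented line (for example
    `line vty`), so an interface without an `ip address` line maps to None.
    """
    result = {}
    current = None
    for line in running_config.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        if current is None:
            continue
        if line and not line[0].isspace():
            current = None  # left the interface stanza
            continue
        m = _IP_RE.match(line)
        if m:
            result[current] = ipaddress.ip_interface(m.group(1))
    return result


def check_vsg_data_path(running_config: str, vem_addresses) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    ifaces = parse_interfaces(running_config)
    mgmt = ifaces.get("mgmt0")
    data = ifaces.get("data0")
    if data is None:
        findings.append("data0 has no IP address: VSG not yet assigned to a tenant (config state not-applied)")
        return findings
    if mgmt is not None and mgmt.ip == data.ip:
        findings.append("data0 and mgmt0 share the same address")
    for addr in vem_addresses:
        # Same /24 as data0 means the VEM's ARP for the VSG data IP can be answered.
        if ipaddress.ip_address(addr) not in data.network:
            findings.append(f"VEM {addr} is not in {data.network}: VEM cannot ARP for the VSG data address")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before assignment", VSG_BEFORE), ("after assignment", VSG_AFTER)):
        print(label, "->", check_vsg_data_path(cfg, VEM_VMK_ADDRESSES) or "OK")
```

Feed it the real `show run int m0` / `show run int d0` output and the vmkernel addresses of your ESXi hosts; anything it reports for a VSG whose VNMC status already says “applied / associated” points at a VLAN or subnet mismatch on the data interface rather than at VNMC itself.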

image

We are now ready to create and apply some policies. But, guess what? This post is long enough. Let’s do policies some other time.


Thanks for reading!

This entry was posted in Cisco, Cloud, Security, Virtualization, VMWare.
