Information About Network Segmentation Manager
Network Segmentation Manager has the following prerequisites:
Network Segmentation feature has the following configuration guidelines and limitations:
Parameters | Default
---|---
VLAN policy (port-profile template) | default_vlan_template
segmentation policy (port-profile template) | default_segmentation_template
The default port-profiles default_vlan_template and default_segmentation_template are created automatically.
Note: If a network creation request comes with a tenant ID and backing type that does not match a network segmentation policy, the default_vlan_template or default_segmentation_template is used during network creation from vCloud Director. For more information, see the Cisco Nexus 1000V VXLAN Configuration Guide. See the Cisco Nexus 1000V and VMware Compatibility Information for information on the supported network pool in vCloud Director with Cisco Nexus 1000V.
The following section guides you through the NSM configuration process shown in the following figure. After completing each procedure, return to this section to make sure that you have completed all required procedures in the correct sequence.
Step 1 | Enable the NSM feature. See Enabling the NSM Feature.
Step 2 | Create a port profile for network segmentation policies. See Creating a Port Profile for Network Segmentation Policies. When you enable the NSM feature, the default port profiles are created automatically. This step is not required if you use the default port profiles (default_vlan_template and default_segmentation_template).
Step 3 | Create network segmentation policies. See Creating Network Segmentation Policies. When you enable the NSM feature, the default network segmentation policies are created automatically. This step is required only if the port profiles created in the previous step need to be inherited by the network segmentation policies for specific tenant IDs.
Step 4 | Register NSM with vShield Manager. See Registering vShield Manager with Network Segmentation Manager.
You must be logged in to the CLI in EXEC mode.
This example shows how to enable the NSM feature and show the output:
switch# configure terminal
switch(config)# feature network-segmentation-manager
switch# show feature
Feature Name          Instance  State
--------------------  --------  --------
cts                   1         disabled
dhcp-snooping         1         disabled
http-server           1         enabled
lacp                  1         disabled
netflow               1         disabled
network-segmentation  1         enabled
port-profile-roles    1         disabled
private-vlan          1         disabled
segmentation          1         disabled
sshServer             1         enabled
tacacs                1         disabled
telnetServer          1         disabled
vtracker              1         disabled
switch(config)#
You can create a port profile to use features of Cisco Nexus 1000V for network segmentation policies.
This example shows how to create a segmentation type port profile and display the output:
switch# configure terminal
switch(config)# port-profile type vethernet ABC_profile_segmentation
switch(config-port-prof)# no shutdown
switch(config-port-prof)# state enabled
switch(config-port-prof)# show running-config port-profile ABC_profile_segmentation
!Command: show running-config port-profile ABC_profile_segmentation
!Time: Thu Dec 1 19:58:44 2011
version 4.2(1)SV1(5.1)
port-profile type vethernet ABC_profile_segmentation
  no shutdown
  state enabled
switch(config-port-prof)#
Network segmentation policies are a set of policies that inherit customized port profiles. The policy type can be either VLAN or Segmentation. This policy type corresponds to the network pool type in vCloud Director. VLAN network segmentation policies are used for networks created from VLAN-backed network pools. Segmentation network segmentation policies are used for networks created from network isolation-backed network pools in vCloud Director 1.5 and from VXLAN-backed network pools in vCloud Director 5.1.
Each network segmentation policy also contains a tenant ID and a reference to a port profile, which may in turn carry other policies for Cisco Nexus 1000V features. Each tenant ID is unique and can be associated with only one Segmentation and one VLAN network segmentation policy. The tenant ID corresponds to the Organization Universally Unique Identifier (UUID) in vCloud Director. For more information on retrieving the organization UUID from VMware vCloud Director, see 2012943.
Note: If a network segmentation policy with a tenant ID is not created, the default_vlan_template or default_segmentation_template is used during network creation from vCloud Director. For more information, see the Cisco Nexus 1000V VXLAN Configuration Guide. See the Cisco Nexus 1000V and VMware Compatibility Information for information on the supported network pool in vCloud Director with Cisco Nexus 1000V.
This example shows how to create an NSM policy for ABC Inc. for VXLAN networks:
switch# configure terminal
switch(config)# network-segment policy abc-policy-vxlan
switch(config-network-segment-policy)# description network segmentation policy for ABC for VXLAN networks
switch(config-network-segment-policy)# type segmentation
switch(config-network-segment-policy)# id f5dcf127-cdb0-4bdd-8df5-9515d6dc8170
switch(config-network-segment-policy)# import port-profile ABC_profile_segmentation
switch(config-network-segment-policy)# show running-config network-segment policy abc-policy-vxlan
!Command: show running-config network-segment policy abc-policy-vxlan
!Time: Fri Aug 26 18:34:50 2011
version 4.2(1)SV1(5.1)
feature network-segmentation-manager
network-segment policy abc-policy-vxlan
description network segmentation policy for ABC for VXLAN networks
id f5dcf127-cdb0-4bdd-8df5-9515d6dc8170
type segmentation
import port-profile port-profile ABC_profile_segmentation
switch(config-network-segment-policy)#
This example shows how to create an NSM policy for ABC Inc. for VLAN networks:
switch# configure terminal
switch(config)# network-segment policy abc-policy-vlan
switch(config-network-segment-policy)# description network segmentation policy for ABC for VLAN networks
switch(config-network-segment-policy)# type vlan
switch(config-network-segment-policy)# id f5dcf127-cdb0-4bdd-8df5-9515d6dc8170
switch(config-network-segment-policy)# import port-profile ABC_profile_vlan
switch(config-network-segment-policy)#
Note: As a best practice, if a tenant-specific policy is defined through network segmentation policies, you should define it for both segmentation and VLAN types.
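The two rules above (a tenant ID owns at most one policy per type, and a request whose tenant ID and backing type match no policy falls back to default_vlan_template or default_segmentation_template), together with the best-practice check that a tenant has both a VLAN and a segmentation policy, can be modelled in a few lines. This is an added example, not code from the Cisco guide; the class and function names (NsmPolicyTable, select_policy, tenants_missing_a_type) are invented here, and the example assumes the default policies carry the same names as the default port profiles, as the guide's show output suggests.

```python
"""Added example (not from the Cisco guide): a model of how NSM picks the
policy and port profile for a network-creation request from vCloud Director.
Names such as NsmPolicyTable and select_policy are invented for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

POLICY_TYPES = ("vlan", "segmentation")

# Assumption: the automatically created default policies share the names of the
# default port profiles (the guide's 'show network-segment policy usage' lists
# them under those names).
DEFAULT_TEMPLATES = {
    "vlan": "default_vlan_template",
    "segmentation": "default_segmentation_template",
}


@dataclass(frozen=True)
class SegmentPolicy:
    name: str
    policy_type: str   # "vlan" or "segmentation"
    tenant_id: str     # vCloud Director organization UUID
    port_profile: str  # port profile imported by the policy


@dataclass(frozen=True)
class Selection:
    policy_name: str
    port_profile: str
    is_default: bool   # True when the request fell back to a default template


class NsmPolicyTable:
    """Tenant-specific policies keyed by (tenant ID, policy type)."""

    def __init__(self) -> None:
        self._policies: Dict[Tuple[str, str], SegmentPolicy] = {}

    def add(self, policy: SegmentPolicy) -> None:
        if policy.policy_type not in POLICY_TYPES:
            raise ValueError(f"unknown policy type {policy.policy_type!r}")
        key = (policy.tenant_id, policy.policy_type)
        # A tenant ID may own only one segmentation and one VLAN policy.
        if key in self._policies:
            raise ValueError(
                f"tenant {policy.tenant_id} already has a {policy.policy_type} policy")
        self._policies[key] = policy

    def select_policy(self, tenant_id: str, backing_type: str) -> Selection:
        """Exact match on (tenant ID, backing type); otherwise the default template."""
        if backing_type not in POLICY_TYPES:
            raise ValueError(f"unknown backing type {backing_type!r}")
        policy = self._policies.get((tenant_id, backing_type))
        if policy is None:
            template = DEFAULT_TEMPLATES[backing_type]
            return Selection(template, template, True)
        return Selection(policy.name, policy.port_profile, False)

    def tenants_missing_a_type(self) -> Dict[str, List[str]]:
        """Best-practice check: tenants that have a policy for one type only.

        Returns {tenant_id: [missing types]} for every incomplete tenant."""
        have: Dict[str, set] = {}
        for tenant, ptype in self._policies:
            have.setdefault(tenant, set()).add(ptype)
        return {
            tenant: sorted(set(POLICY_TYPES) - types)
            for tenant, types in have.items()
            if types != set(POLICY_TYPES)
        }


if __name__ == "__main__":
    # Constructed sample, using the tenant ID and names from the guide's examples.
    tenant = "f5dcf127-cdb0-4bdd-8df5-9515d6dc8170"
    table = NsmPolicyTable()
    table.add(SegmentPolicy("abc-policy-vxlan", "segmentation", tenant,
                            "ABC_profile_segmentation"))
    print(table.select_policy(tenant, "segmentation"))  # tenant-specific policy
    print(table.select_policy(tenant, "vlan"))          # falls back to the default
    print(table.tenants_missing_a_type())               # {tenant: ['vlan']}
```

A practitioner can run `tenants_missing_a_type` over the policies pulled from `show running-config` to find tenants whose VLAN-backed or VXLAN-backed networks would silently land on a default template.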
Use the following commands to verify the Network Segmentation Manager configuration:
Command | Purpose
---|---
show network-segment manager switch | Displays the Cisco Nexus 1000V configured with NSM.
show running-config port-profile | Displays the port profile configuration.
show vlan private-vlan [ type ] | Displays the NSM policy configuration.
During a network creation in the vCloud Director, network segmentation policies are created on the NSM and these network segmentation policies are inherited on a port profile. In order to associate a different port profile with the deployed network, you can change the port profile associated with the network segmentation policy.
To change the port profile associated with the network segmentation policy, perform the following steps:
Step 1 | Identify all the networks associated with the network segmentation policy. See Identifying the Networks Associated with the Network Segmentation Policy.
Step 2 | Manually remove the inheritance for the existing port profile. See the section "Removing Inherited Policies from a Port Profile" in the Cisco Nexus 1000V Port Profile Configuration Guide for more information.
Step 3 | Manually inherit the new port profile that will be associated with the network segmentation policy. See the section "Inheriting a Configuration from a Port Profile" in the Cisco Nexus 1000V Port Profile Configuration Guide for more information.
Step 4 | Update the network segmentation policy. For more information, see Updating the Network Segmentation Policy.
You can identify the networks associated with the network segmentation policy.
This example shows how to identify the networks that are associated with a network segmentation policy.
switch(config)# show network-segment policy usage
network-segment policy default_segmentation_template
  dvs.VCDVSint-org-cn2-e46e9686-2327-49df-ad5c-a3f89c00cfb8
network-segment policy default_vlan_template
network-segment policy abc-policy-vxlan
  dvs.VCDVSint-org-nexus-6141babd-bdc8-4e86-8f16-1ac786fb377f
network-segment policy abc-policy-vlan
switch(config)#
You can update a network segmentation policy.
This example shows how to update the network segmentation policy:
switch# configure terminal
switch(config)# show running-config network-segment policy abc-policy-vxlan
network-segment policy abc-policy-vxlan
  description network segmentation policy for ABC for VXLAN networks
  type segmentation
  id f5dcf127-cdb0-4bdd-8df5-9515d6dc8170
  import port-profile ABC_profile_segmentation
switch(config)# network-segment policy abc-policy-vxlan
switch(config-network-segment-policy)# import port-profile ABC_profile_segmentation_new force
switch(config)# show running-config network-segment policy abc-policy-vxlan
network-segment policy abc-policy-vxlan
  description network segmentation policy for ABC for VXLAN networks
  type segmentation
  id f5dcf127-cdb0-4bdd-8df5-9515d6dc8170
  import port-profile ABC_profile_segmentation_new
switch#
During network creation in vCloud Director, network segmentation policies are created on the NSM. To use other, non-default policies for any new or existing networks associated with an Organization vDC in vCloud Director, you must change the network segmentation policy associated with the network.
To change the network segmentation policy associated with a network, perform the following steps:
Step 1 | Identify all the networks that need to be migrated. See Identifying the Networks.
Step 2 | Manually remove the inheritance of the port profile associated with the network segmentation policy from the network. See the section "Removing Inherited Policies from a Port Profile" in the Cisco Nexus 1000V Port Profile Configuration Guide for more information.
Step 3 | Manually inherit the new port profile that will be associated with the network segmentation policy on the network. See the section "Inheriting a Configuration from a Port Profile" in the Cisco Nexus 1000V Port Profile Configuration Guide for more information.
Step 4 | Migrate the networks from the default network segmentation policy to the non-default network segmentation policy. See Migrating Networks to Non Default Network Segmentation Policy.
Step | Command or Action | Purpose
---|---|---
Step 1 | switch# configure terminal | Enters global configuration mode.
Step 2 | switch(config)# show network-segment network | Displays the networks associated with a network segmentation policy.
This example shows you how to display the networks associated with a network segmentation policy:
switch(config)# show network-segment network
network dvs.VCDVSint-org-cn2-e46e9686-2327-49df-ad5c-a3f89c00cfb8
  tenant id: 2b4ca1b2-ba8e-456c-b772-a4730af16e2e
  network-segment policy: default_segmentation_template
  segment id: 4107
  multicast ip: 225.0.0.1
network dvs.VCDVSint-org-nexus-6141babd-bdc8-4e86-8f16-1ac786fb377f
  tenant id: 91e87e80-e18b-460f-a761-b978c0d28aea
  network-segment policy: seg-template-nexus-org
  segment id: 4108
  multicast ip: 225.0.0.2
switch(config)#
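On a switch with many Organization vDCs, picking the networks that still sit on a default template out of `show network-segment network` by eye is error-prone. The following added example (not code from the Cisco guide) parses that output, lists the networks on default_vlan_template or default_segmentation_template, and builds the corresponding `network-segment policy migrate` command per tenant. The sample output is constructed from the two networks shown above; the one-field-per-line layout, the function names, and the assumption that the policy type must be supplied separately (the show output does not print it) are all this example's own.

```python
"""Added example, not from the Cisco guide: parse 'show network-segment
network' output and report networks still attached to a default template.
The sample output below is constructed from the two networks in the guide;
the 'key: value' line layout and the function names are assumptions here.
"""
import re
from typing import Dict, List

DEFAULT_TEMPLATES = {"default_vlan_template", "default_segmentation_template"}
POLICY_TYPES = ("vlan", "segmentation")

# Constructed sample: the two networks from the guide's example output.
SAMPLE_OUTPUT = """\
switch(config)# show network-segment network
network dvs.VCDVSint-org-cn2-e46e9686-2327-49df-ad5c-a3f89c00cfb8
  tenant id: 2b4ca1b2-ba8e-456c-b772-a4730af16e2e
  network-segment policy: default_segmentation_template
  segment id: 4107
  multicast ip: 225.0.0.1
network dvs.VCDVSint-org-nexus-6141babd-bdc8-4e86-8f16-1ac786fb377f
  tenant id: 91e87e80-e18b-460f-a761-b978c0d28aea
  network-segment policy: seg-template-nexus-org
  segment id: 4108
  multicast ip: 225.0.0.2
switch(config)#
"""

_NETWORK_RE = re.compile(r"^network\s+(\S+)\s*$")          # 'network <dvs name>'
_FIELD_RE = re.compile(r"^\s*([a-z][a-z\- ]*?):\s*(\S+)\s*$")  # '  key: value'


def parse_network_segments(text: str) -> List[Dict[str, str]]:
    """Return one dict per network, keyed by the field names as printed."""
    networks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = _NETWORK_RE.match(line)
        if m:
            current = {"network": m.group(1)}
            networks.append(current)
            continue
        m = _FIELD_RE.match(line)
        if m and current:
            current[m.group(1).strip()] = m.group(2)
    return networks


def networks_on_default_policy(networks: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Networks that fell back to a default template instead of a tenant policy."""
    return [n for n in networks
            if n.get("network-segment policy") in DEFAULT_TEMPLATES]


def migrate_command(tenant_id: str, net_type: str, dest_policy: str) -> str:
    """Build the migrate command in the syntax the guide documents."""
    if net_type not in POLICY_TYPES:
        raise ValueError(f"unknown policy type {net_type!r}")
    return (f"network-segment policy migrate id {tenant_id} "
            f"type {net_type} dest-policy {dest_policy}")


def migration_plan(networks: List[Dict[str, str]],
                   dest_policy_by_tenant: Dict[str, str],
                   net_type: str = "segmentation") -> List[str]:
    """One migrate command per tenant that still has networks on a default template.

    The migrate command operates per tenant ID, so several networks belonging
    to one tenant collapse into a single command. net_type is a parameter
    because the show output does not print the policy type (assumption)."""
    commands: List[str] = []
    seen = set()
    for n in networks_on_default_policy(networks):
        tenant = n.get("tenant id")
        dest = dest_policy_by_tenant.get(tenant or "")
        if not tenant or dest is None or tenant in seen:
            continue
        seen.add(tenant)
        commands.append(migrate_command(tenant, net_type, dest))
    return commands


if __name__ == "__main__":
    nets = parse_network_segments(SAMPLE_OUTPUT)
    for n in networks_on_default_policy(nets):
        print(f"{n['network']} (tenant {n['tenant id']}) is on {n['network-segment policy']}")
    # Constructed mapping: the first tenant gets the org_seg policy from the guide.
    for cmd in migration_plan(nets, {"2b4ca1b2-ba8e-456c-b772-a4730af16e2e": "org_seg"}):
        print(cmd)
```

Run the parser again on the output taken after the migrate step; an empty result from `networks_on_default_policy` for the tenants in question confirms the change, which is the same check the guide performs by hand with a second `show network-segment network`.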
You can migrate the networks from the default network segmentation policy to a non-default network segmentation policy.
Step | Command or Action | Purpose
---|---|---
Step 1 | switch# configure terminal | Enters global configuration mode.
Step 2 | switch(config)# network-segment policy migrate id isolation_id type nw_type dest-policy policy | Migrates the networks from the default network segmentation policy to the non-default destination network segmentation policy.
Step 3 | switch(config)# show network-segment network | (Optional) Displays the networks associated with a network segmentation policy.
This example shows how to migrate networks to a non-default segmentation policy:
switch(config)# show network-segment network
network dvs.VCDVStenantid_vlan-74e36255-e588-4357-8abe-15d2cc7feaec
  tenant id: da5c49a8-dd1b-4326-9da0-3c5e6a2c1b87
  network-segment policy: default_segmentation_template
  segment id: 4107
  multicast ip: 225.0.0.1
switch(config)# network-segment policy migrate id da5c49a8-dd1b-4326-9da0-3c5e6a2c1b87 type segmentation dest-policy org_seg
switch(config)#
Note: If a warning appears, first manually remove the inheritance of the port profile associated with the network segmentation policy from the network. Then manually inherit the new port profile that will be associated with the network segmentation policy on the network. See the Cisco Nexus 1000V Port Profile Configuration Guide for more information.
switch(config)# show network-segment network
network dvs.VCDVStenantid_vlan-74e36255-e588-4357-8abe-15d2cc7feaec
  tenant id: da5c49a8-dd1b-4326-9da0-3c5e6a2c1b87
  network-segment policy: org_seg
  segment id: 4107
  multicast ip: 225.0.0.1
switch(config)#
This table includes only the updates for those releases that have resulted in additions or changes to the feature.
Feature Name | Release | Feature Information
---|---|---
Network Segmentation Manager | 4.2(1)SV1(5.1) | Introduced the Network Segmentation Manager (NSM) feature.