This chapter provides information about the Cisco Virtual Security Gateway (VSG) related commands on the Cisco Nexus 1000V Series switch and the Cisco Nexus 1010 networking appliance.
clear vsn connection

To clear Cisco VSG connections, use the clear vsn connection command.

Syntax: clear vsn connection [module module-number]

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| module | (Optional) Clears a specific module. |
| module-number | Module number. The range is from 3 to 66. |

Defaults: None
Command Modes: EXEC; Global configuration (config)
Supported User Roles: network-admin, network-operator

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to clear Cisco VSG connections:
vsm# clear vsn connection

Related Commands:

| Command | Description |
|---|---|
| show vsn | Displays Cisco VSG information. |
clear vsn statistics

To clear Cisco VSG statistics, use the clear vsn statistics command.

Syntax: clear vsn statistics [module module-number | vlan vlan-number ip ip-address [module module-number]]

Defaults: None
Command Modes: EXEC; Global configuration (config)
Supported User Roles: network-admin, network-operator

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to clear Cisco VSG statistics:
vsm# clear vsn statistics

Related Commands:

| Command | Description |
|---|---|
| show vsn | Displays Cisco VSG information. |
switchport mode

To set the port mode of an interface, use the switchport mode command. To remove the port mode configuration, use the no form of this command.

Syntax:
switchport mode {access | private-vlan {host | promiscuous} | trunk}
no switchport mode {access | private-vlan {host | promiscuous} | trunk}

Defaults: Switchport mode is not set.
Command Modes: Interface configuration (config-if); Port profile configuration (config-port-prof)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to set the port mode of an interface:
vsm# configure
vsm(config)# interface vethernet 1
vsm(config-if)# switchport mode private-vlan host
vsm(config-if)#

This example shows how to remove the mode configuration:
vsm# configure
vsm(config)# interface vethernet 1
vsm(config-if)# no switchport mode private-vlan host
vsm(config-if)#

Related Commands:

| Command | Description |
|---|---|
| show interface | Displays interface information. |
switchport access vlan

To set the access mode of an interface, use the switchport access vlan command. To remove the access mode configuration, use the no form of this command.

Syntax:
switchport access vlan vlan-id
no switchport access vlan vlan-id

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| vlan-id | VLAN identification number. The range of values is from 1 to 3967. |

Defaults: Access mode is not set.
Command Modes: Interface configuration (config-if); Port profile configuration (config-port-prof)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to set the access mode of an interface:
vsm# configure
vsm(config)# interface vethernet 1
vsm(config-if)# switchport access vlan 100
vsm(config-if)#

This example shows how to remove the access mode configuration:
vsm# configure
vsm(config)# interface vethernet 1
vsm(config-if)# no switchport access vlan
vsm(config-if)#

Related Commands:

| Command | Description |
|---|---|
| show interface | Displays interface information. |
state

To enable the operational state of a port profile, use the state command. To disable the operational state of a port profile, use the no form of the command.

Syntax:
state enabled
no state enabled

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| enabled | Enables or disables the port profile. |

Defaults: Disabled
Command Modes: Port profile configuration (config-port-prof)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to enable the operational state of a port profile:
vsm# configure
vsm(config)# port-profile testprofile
vsm(config-port-prof)# state enabled
vsm(config-port-prof)#

Related Commands:

| Command | Description |
|---|---|
| show port-profile | Displays port profile information. |
copy running-config startup-config

To copy the running configuration to the startup configuration, use the copy running-config startup-config command.

Syntax: copy running-config startup-config

Syntax Description: This command has no arguments or keywords.

Defaults: None
Command Modes: Any command mode
Supported User Roles: network-admin, network-operator

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

Use this command to save configuration changes in the running configuration to the startup configuration in persistent memory. When a device reload or switchover occurs, the saved configuration is applied.

Examples:

This example shows how to save the running configuration to the startup configuration:
vsm# copy running-config startup-config
[########################################] 100%
vnm-policy-agent

To enter Cisco Virtual Network Management Center (VNMC) policy agent mode, use the vnm-policy-agent command.

Syntax: vnm-policy-agent

Syntax Description: This command has no arguments or keywords.

Defaults: None
Command Modes: Global configuration (config)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

Use the Cisco VNMC policy agent configuration mode to configure policy agents.

Examples:

This example shows how to enter policy agent mode:
vsm# configure
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)#

Related Commands:

| Command | Description |
|---|---|
| configure | Enters global configuration mode. |
log-level

To set logging severity levels for the Cisco Virtual Network Management Center (VNMC) policy agent, use the log-level command. To reset logging levels, use the no form of this command.

Syntax:
log-level {critical | debug0 | debug1 | debug2 | debug3 | debug4 | info | major | minor | warn}
no {critical | debug0 | debug1 | debug2 | debug3 | debug4 | info | major | minor | warn}

Defaults: None
Command Modes: Cisco VNMC policy agent configuration (config-vnm-policy-agent)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to set the logging level to critical:
vsm# configure
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)# log-level critical

Related Commands:

| Command | Description |
|---|---|
| vnm-policy-agent | Enables the Cisco VNMC policy agent configuration mode. |
ping vsn

To ping the virtual service nodes (VSN) (including the Cisco VSG) from the vPath, use the ping vsn command. There is no no form of this command.

Syntax: ping vsn {ip vsn-ip-addr [vlan vsn-vlan-num] | all} {src-module {module-num | all | vpath-all}} [timeout secs] [count count]

Defaults: None
Command Modes: EXEC
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.2(1)VSG1(2) | This command was introduced. |

Examples:

This example shows how to ping a Cisco VSG:
vsm# ping ?
<CR>
A.B.C.D or Hostname IP address of remote system
WORD Enter Hostname
mpls Ping an MPLS network
multicast Multicast ping
vsn VSNs to be pinged
vsm# ping vsn
Input parameters:
· vsn : VSNs to be pinged.
o all : All VSNs that are currently associated to at least one VM. In other words, all VSNs specified in port-profiles that are bound to at least one VM.
o ip-addr <ip-addr> : All VSNs configured with this IP address.
o vlan <vlan-num> : All VSNs configured on this VLAN.
· src-module : Source modules to orginate ping request from.
o all : All online modules.
o vpath-all : All modules having VMs associated to port-profiles that has vn-service defined.
o <module-num> : A online module number.
· timeout <secs> : Time to wait for response from VSNs, in seconds. Default is 1 sec.
· count : Number of ping packets to be sent.
o <count> : Sepcifies number of ping packets to be sent. Default is 5. Min 1, Max 2147483647.
o unlimited : Send ping packets until command is stopped.
Specify both ip-addr and vlan if the VSN to be ping is not associated to any VMs yet.
In the output, status of ping request for each VSN for each module is shown. On success, round-trip-time of ping request/response for a VSN, is shown in micro-seconds next to module number. On failure, failure message is shown next to module number.
Various forms:
ping vsn all src-module all (Ping all VSNs from all modules)
ping vsn all src-module vpath-all (Ping all VSNs from all modules having
VMs associated to VSNs)
ping vsn all src-module 3 (Ping all VSNs from the specified module)
ping vsn ip 106.1.1.1 src-module all (Ping specified VSN from all modules)
ping vsn ip 106.1.1.1 vlan 54 src-module all (Ping specified VSN from all modules)
ping vsn ip 106.1.1.1 src-module vpath-all (Ping specified VSN from all modules
having VMs associated to VSNs)
ping vsn ip 106.1.1.1 vlan 54 src-module 3 (Ping specified VSN from specified
module)
Options timeout & count are applicable to all of the above commands:
ping vsn all src-vpath all timeout 2 count 10
ping vsn all ip 106.1.1.1 count unlimited
ping vsn ip 106.1.1.1 vlan 54 src-vpath 3 count 10
Errors:
VSN response timeout - VSN is down, not reachable or not responding.
VSN ARP not resolved - VEM couldn't resolve MAC address of VSN.
no response from VEM - VEM is not sending ping response to VSM. Can happen when VEM
is down and VSM not detected it yet.
The following example shows the ping vsn command being used to display all of the source module traffic.
vsm# ping vsn all src-module all
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(usec) : 3(156) 5(160)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(usec) : 3(230) 5(151)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=2 timeout=1-sec
module(usec) : 3(239) 5(131)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=2 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=3 timeout=1-sec
module(usec) : 3(248) 5(153)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=3 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=4 timeout=1-sec
module(usec) : 3(259) 5(126)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=4 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
Related Commands:

| Command | Description |
|---|---|
| ping | Activates a signal to verify connections with other devices on a path. |
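The ping vsn output above lists one result line per VSN and sequence number, and a VSG that vPath cannot reach only shows up as a string such as "VSN ARP not resolved" repeated across many lines. The following Python parser is an added example, not part of this Cisco document and not Cisco code: it groups those result lines by VSN and source module and reports every module that never received a reply, together with the error strings the CLI printed. The sample output is constructed to match the format shown above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "ping vsn all src-module all" output above.
SAMPLE_OUTPUT = """\
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(usec) : 3(156) 5(160)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(usec) : 3(230) 5(151)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
module(failed) : 3(VSN ARP not resolved) 5(VSN response timeout)
"""

# "ping vsn <ip> vlan <vlan> from module <m1 m2 ...>, seq=<n> timeout=<s>-sec"
HEADER_RE = re.compile(
    r"^ping vsn (?P<ip>\S+) vlan (?P<vlan>\d+) from module (?P<mods>[\d ]+), "
    r"seq=(?P<seq>\d+) timeout=(?P<timeout>\d+)-sec$")
# "module(usec) : 3(156) 5(160)"  or  "module(failed) : 3(VSN ARP not resolved) ..."
RESULT_RE = re.compile(r"^module\((?P<kind>usec|failed)\) : (?P<body>.*)$")
ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


def _new_record():
    return {"ok": 0, "failed": 0, "rtt": [], "errors": set()}


def parse_ping_vsn(text):
    """Return {(vsn_ip, vlan): {module: {'ok', 'failed', 'rtt', 'errors'}}}."""
    results = defaultdict(lambda: defaultdict(_new_record))
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = (m.group("ip"), int(m.group("vlan")))
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            for module, value in ENTRY_RE.findall(m.group("body")):
                rec = results[current][int(module)]
                if m.group("kind") == "usec":
                    rec["ok"] += 1
                    rec["rtt"].append(int(value))      # round-trip time in microseconds
                else:
                    rec["failed"] += 1
                    rec["errors"].add(value)           # e.g. "VSN ARP not resolved"
    return results


def unreachable_vsns(results):
    """(vsn_ip, vlan, module, sorted errors) for every module that never got a reply."""
    out = []
    for (ip, vlan), modules in sorted(results.items()):
        for module, rec in sorted(modules.items()):
            if rec["ok"] == 0:
                out.append((ip, vlan, module, sorted(rec["errors"])))
    return out


if __name__ == "__main__":
    for ip, vlan, module, errors in unreachable_vsns(parse_ping_vsn(SAMPLE_OUTPUT)):
        print("VSN %s vlan %d unreachable from module %d: %s" % (ip, vlan, module, ", ".join(errors)))
```

Because the parser keys on the VSN's IP and VLAN, it works equally for the ip/vlan forms of the command, and the per-module split matches the src-module option: a VSN that answers from one module but not another points at the VEM on that module rather than at the VSG itself.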
policy-agent-image

To designate the policy agent image local URL as bootflash, use the policy-agent-image command. To remove the designation, use the no form of the command.

Syntax:
policy-agent-image bootflash:
no policy-agent-image bootflash:

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| bootflash: | Designates the policy agent image local URL as bootflash. |

Defaults: None
Command Modes: VNMC policy agent configuration (config-vnm-policy-agent)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to designate the local URL that contains the policy agent image:
vsm# configure
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)# policy-agent-image bootflash:

Related Commands:

| Command | Description |
|---|---|
| vnm-policy-agent | Enables the VNM policy agent configuration mode. |
pop

To pop a mode off the stack or to restore a mode, use the pop command.

Syntax: pop file-name

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| file-name | File name. |

Defaults: None
Command Modes: EXEC
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to restore from a file called file1:
vsm# pop file1

Related Commands:

| Command | Description |
|---|---|
| push | Pushes the current mode onto the stack. |
push

To push the current mode onto the stack or to save it, use the push command.

Syntax: push file-name

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| file-name | File name. |

Defaults: None
Command Modes: EXEC
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to push file1 onto the stack:
vsm# push file1

Related Commands:

| Command | Description |
|---|---|
| pop | Pops the current mode off the stack. |
registration-ip

To set the service registry IP address, use the registration-ip command. To discard the service registry IP address, use the no form of this command.

Syntax:
registration-ip ip-address
no registration-ip ip-address

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| ip-address | Service registry IP address. The format is A.B.C.D. |

Defaults: None
Command Modes: Cisco VNMC policy agent configuration mode (config-vnm-policy-agent)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to set the service registry IP address:
vsm# configure
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)# registration-ip 209.165.200.233
vsm(config-vnm-policy-agent)#

Related Commands:

| Command | Description |
|---|---|
| vnm-policy-agent | Enters the Cisco VNMC policy agent configuration mode. |
shared-secret

To set the shared secret password for communication between the Cisco Virtual Security Gateway (VSG), the Virtual Supervisor Module (VSM), and the Cisco Virtual Network Management Center (VNMC), use the shared-secret command. To discard the shared secret password, use the no form of this command.

Syntax:
shared-secret shared-secret-password
no shared-secret shared-secret-password

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| shared-secret-password | Shared secret password. The range of valid values is from 1 to 64. You must use at least one uppercase character. |

Defaults: None
Command Modes: Cisco VNMC policy agent configuration mode (config-vnm-policy-agent)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Examples:

This example shows how to set the shared secret password:
vsm# configure
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)# shared-secret Password123
vsm(config-vnm-policy-agent)#

Related Commands:

| Command | Description |
|---|---|
| vnm-policy-agent | Enters VNM policy agent configuration mode. |
show vnm-pa status

To display the installation status of a policy agent, use the show vnm-pa status command.

Syntax: show vnm-pa status

Syntax Description: This command has no arguments or keywords.

Defaults: None
Command Modes: Global configuration (config)
Supported User Roles: network-admin, network-operator

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

You can use the following operators with the show vnm-pa status command:
• > redirects the output to a file.
• >> redirects the output to a file in append mode.
• | pipes the command output to a filter.

Examples:

This example shows how to display the installation status of the policy agent:
vsm# configure
vsm(config)# show vnm-pa status
VNM Policy-Agent status is - Installed Successfully. Version 1.0(0.512)-vsm
vsm(config)#

Related Commands:

| Command | Description |
|---|---|
| vnm-policy-agent | Enters the Cisco VNMC policy agent configuration mode. |
port-profile

To create a port profile and enter port profile configuration mode, use the port-profile command. To remove the port profile configuration, use the no form of this command.

Syntax:
port-profile profile-name
no port-profile profile-name

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| profile-name | Port profile name. The range of valid values is from 1 to 80. |

Defaults: None
Command Modes: Global configuration (config)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

The port profile name must be unique for each port profile.

Examples:

This example shows how to create a port profile called AccessProf:
vsm# configure
vsm(config)# port-profile AccessProf
vsm(config-port-prof)#

This example shows how to remove the port profile called AccessProf:
vsm# configure
vsm(config)# no port-profile AccessProf
vsm(config)#

Related Commands:

| Command | Description |
|---|---|
| show port-profile | Displays information about the port profiles. |
show running-config

To display the running configuration, use the show running-config command.

Syntax: show running-config [aaa | aclmgr | all | am | arp | cdp | diff | exclude | expand-port-profile | icmpv6 | igmp | interface | ip | ipqos | ipv6 | l3vm | license | monitor | ntp | port-profile | port-security | radius | rpm | security | snmp | vdc-all | vlan | vshd]

Defaults: None
Command Modes: EXEC
Supported User Roles: network-admin, network-operator

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

You can use the following operators with the show running-config command:
• > redirects the output to a file.
• >> redirects the output to a file in append mode.
• | pipes the command output to a filter.

Examples:

This example shows how to display the running configuration:
vsm# show running-config
!Command: show running-config
!Time: Tue Jan 4 17:20:05 2011
version 4.2(1)SV1(4)
no feature telnet
username admin password 5 $1$z3M0/3no$j77mpF9f/mqmd7/mEZ6RR1 role network-admin
username adminbackup password 5 $1$Oip/C5Ci$oOdx7oJSlBCFpNRmQK4na. role network-operator
banner motd #Nexus 1000v Switch#
ip domain-lookup
ip domain-lookup
switchname vsm
vem 3
host vmware id 765186a7-eb7c-11de-b059-8843e1389748
vem 4
host vmware id 90a97ac6-31d7-11df-ad65-68efbdf622ca
vem 5
host vmware id 833fe152-3f8b-11df-bd70-68efbdf64970
snmp-server user admin network-admin auth md5 0x5ed3cfea7c44550ac3d18475f28b118b
priv 0x5ed3cfea7c44550ac3d18475f28b118b localizedkey
vrf context management
ip route 0.0.0.0/0 10.193.72.1
vlan 1,61-65
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
port-profile default port-binding static
port-profile type vethernet vm-clear
vmware port-group
switchport mode access
switchport access vlan 63
no shutdown
state enabled
port-profile type vethernet vsn-service
vmware port-group
switchport mode access
switchport access vlan 64
no shutdown
max-ports 1024
state enabled
port-profile type ethernet system-uplink
vmware port-group
switchport trunk allowed vlan 61-70
switchport mode trunk
no shutdown
system vlan 61-62
state enabled
port-profile type vethernet vsg129-2
vmware port-group
switchport mode access
switchport access vlan 63
org root/Canon
vn-service ip-address 10.10.129.2 vlan 64 security-profile sp-vsg2-1
no shutdown
state enabled
port-profile type vethernet vsg134-1
vmware port-group
switchport mode access
switchport access vlan 63
vn-service ip-address 10.10.134.1 vlan 64 mgmt-ip-address 10.10.73.132 security-profile sp1
no shutdown
state enabled
port-profile type vethernet vsg136-1
vmware port-group
switchport mode access
switchport access vlan 63
vn-service ip-address 10.10.136.1 vlan 64 mgmt-ip-address 10.10.73.137 security-profile sp1
no shutdown
state enabled
port-profile type vethernet vsg129_2-svc-vlan65
vmware port-group
switchport mode access
switchport access vlan 65
vn-service ip-address 10.10.129.2 vlan 64 mgmt-ip-address 10.10.73.131 security-profile sp1
no shutdown
state enabled
port-profile type vethernet vm-clear-vlan65
vmware port-group
switchport mode access
switchport access vlan 65
no shutdown
state enabled
port-profile type ethernet Unused_Or_Quarantine_Uplink
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet vm-clear-vlan63
vmware port-group
switchport mode access
switchport access vlan 63
no shutdown
state enabled
vdc vsm id 1
limit-resource vlan minimum 16 maximum 2049
limit-resource monitor-session minimum 0 maximum 2
limit-resource vrf minimum 16 maximum 8192
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 32 maximum 32
limit-resource u6route-mem minimum 16 maximum 16
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
interface mgmt0
ip address 10.10.73.130/21
interface Vethernet1
inherit port-profile vm-clear-vlan63
description UD134-1,Network Adapter 2
vmware dvport 7489 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
vmware vm mac 0050.56BB.0029
interface Vethernet2
inherit port-profile vsg136-1
description UD136-1,Network Adapter 2
vmware dvport 7458 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
vmware vm mac 0050.56BB.0032
interface Vethernet3
inherit port-profile vm-clear-vlan63
description US136-1,Network Adapter 2
vmware dvport 7492 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
vmware vm mac 0050.56BB.0030
interface Vethernet4
inherit port-profile vsg129-2
description US129-1,Network Adapter 2
vmware dvport 6563 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
vmware vm mac 0050.56BB.003E
interface Vethernet5
inherit port-profile vm-clear-vlan63
description US129-2,Network Adapter 2
vmware dvport 7491 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
vmware vm mac 0050.56BB.0040
interface Vethernet6
inherit port-profile vsn-service
description VSG134-1,Network Adapter 1
vmware dvport 3683 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
vmware vm mac 0050.56BB.002C
interface Vethernet7
inherit port-profile vsn-service
description VSG129-2,Network Adapter 1
vmware dvport 3686 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
vmware vm mac 0050.56BB.0037
interface Vethernet8
inherit port-profile vsn-service
description VSG136-1,Network Adapter 1
vmware dvport 3684 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
vmware vm mac 0050.56BB.0034
interface Ethernet3/2
inherit port-profile system-uplink
interface Ethernet4/6
inherit port-profile system-uplink
interface Ethernet5/6
inherit port-profile system-uplink
interface control0
line console
boot kickstart bootflash:/ks.bin sup-1
boot system bootflash:/sys.bin sup-1
boot kickstart bootflash:/ks.bin sup-2
boot system bootflash:/sys.bin sup-2
svs-domain
domain id 61
control vlan 61
packet vlan 62
svs mode L2
svs connection vcenter
protocol vmware-vim
remote ip address 10.10.79.32 port 80
vmware dvs uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c" datacenter-name NAME/S
connect
vnm-policy-agent
registration-ip 10.193.73.144
shared-secret **********
policy-agent-image bootflash:/vnmc-vsmpa.1.0.0.512.bin
log-level
vsm#
Related Commands:

| Command | Description |
|---|---|
| show aaa | Displays AAA information. |
tcp state-checks

To configure the switch to perform TCP state checks, use the tcp state-checks command. To disable TCP state checks, use the no form of this command.

Syntax:
tcp state-checks
no tcp state-checks

Syntax Description: This command has no arguments or keywords.

Defaults: TCP state checks are enabled.
Command Modes: Global configuration (config)
Supported User Roles: network-admin, system-admin

Command History:

| Release | Modification |
|---|---|
| 4.2(1)VSG1(2) | This command was introduced. |

Usage Guidelines:

Because TCP state checks in vPath are enabled by default, use the no form of the tcp state-checks command to disable the state checks.

Examples:

This example shows how to enter the TCP state-checks submode:
vsm# config
vsm(config)# vsn type vsg global
vsm(config-vsn)#

Related Commands:

| Command | Description |
|---|---|
| tcp state-checks | Enables TCP state checks in the vPath. |
vn-service ip-address

To assign a data IP address, a VLAN number, and a profile to a Cisco VSG, use the vn-service ip-address command. To disable the data IP address, use the no form of the command.

Syntax:
vn-service ip-address ip-address vlan vlan-number [fail {close | open} | security-profile profile-name]
no vn-service ip-address ip-address vlan vlan-number [fail {close | open} | security-profile profile-name]

Defaults: Fail close
Command Modes: Port profile configuration (config-port-prof)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

Use the vn-service ip-address command to configure the IP address, VLAN, and security profile for the Cisco VSG, and optionally to allow for a fail-safe configuration.

The fail mode specifies the behavior when the Virtual Ethernet Module (VEM) does not have connectivity to the Cisco VSG. The default fail mode is close, which means that packets are dropped. The open fail mode means that packets are passed.

The security profile name must match one of the security profiles created on the Cisco VSG.

The IP address must match the data interface IP address on the Cisco VSG.

Examples:

This example shows how to assign the IP address and VLAN number and how to specify that packets are to be passed when the Cisco VSG fails:
vsm# configure
Enter configuration commands, one per line. End with CNTL/Z.
vsm(config)# port-profile pP1
vsm(config-port-prof)# vn-service ip-address 209.165.200.236 vlan 2 fail open
vsm(config-port-prof)#

Related Commands:

| Command | Description |
|---|---|
| show virtual-service-domain | Displays virtual service domain information. |
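The fail mode decides whether traffic bound to a port profile is dropped or passed uninspected when the VEM loses the VSG, so it is worth auditing across the running configuration rather than one profile at a time. The following Python script is an added example, not part of this Cisco document and not Cisco code: it walks the port-profile blocks of a show running-config output, parses each vn-service ip-address line (the default fail mode is close, as stated above), and reports profiles that are fail open, that bind no security profile, or that name a security profile not known on the VSG. The sample configuration is constructed in the style of the show running-config output earlier in this chapter; profile names, addresses and the set of known security profiles are invented, and the function names are my own.

```python
# Constructed sample, modelled on the port-profile blocks of show running-config.
# Sub-lines are indented as the CLI prints them; names and addresses are invented.
SAMPLE_CONFIG = """\
port-profile type vethernet vm-clear
  vmware port-group
  switchport mode access
  switchport access vlan 63
  no shutdown
  state enabled
port-profile type vethernet vsg134-1
  vmware port-group
  switchport access vlan 63
  vn-service ip-address 10.10.134.1 vlan 64 mgmt-ip-address 10.10.73.132 security-profile sp1
  no shutdown
  state enabled
port-profile type vethernet web-open
  vmware port-group
  switchport access vlan 63
  vn-service ip-address 10.10.129.2 vlan 64 fail open security-profile sp-web
  state enabled
port-profile type vethernet db-noprofile
  vmware port-group
  vn-service ip-address 10.10.136.1 vlan 64
  state enabled
"""

# Options that may follow "vn-service ip-address <ip> vlan <n>", each taking one value.
VN_SERVICE_OPTIONS = {"fail": "fail", "security-profile": "security_profile",
                      "mgmt-ip-address": "mgmt_ip"}


def parse_vn_service(line):
    """Parse one 'vn-service ip-address ... vlan ...' line into a dict, or None if it is not one."""
    tokens = line.split()
    if tokens[:2] != ["vn-service", "ip-address"] or len(tokens) < 5 or tokens[3] != "vlan":
        return None
    # Default fail mode is close: packets are dropped when the VEM cannot reach the VSG.
    svc = {"ip": tokens[2], "vlan": int(tokens[4]), "fail": "close",
           "security_profile": None, "mgmt_ip": None}
    rest = tokens[5:]
    if len(rest) % 2:
        raise ValueError("dangling option in: " + line)
    for key, value in zip(rest[::2], rest[1::2]):
        if key not in VN_SERVICE_OPTIONS:
            raise ValueError("unknown vn-service option %r in: %s" % (key, line))
        svc[VN_SERVICE_OPTIONS[key]] = value
    return svc


def port_profiles(config_text):
    """Map port-profile name -> list of its indented sub-lines (other blocks are ignored)."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":                      # indented: belongs to the current block
            if current is not None:
                profiles[current].append(raw.strip())
            continue
        tokens = raw.split()
        current = None                           # any top-level line ends the block
        if tokens[:2] == ["port-profile", "type"] and len(tokens) >= 4:
            current = tokens[3]
            profiles[current] = []
    return profiles


def audit_vn_service(config_text, vsg_security_profiles):
    """Findings (profile name, issue) for fail-open, unbound or unknown security profiles."""
    findings = []
    for name, lines in port_profiles(config_text).items():
        for line in lines:
            svc = parse_vn_service(line)
            if svc is None:
                continue
            if svc["fail"] == "open":
                findings.append((name, "fail open: traffic bypasses the VSG when the VEM loses it"))
            if svc["security_profile"] is None:
                findings.append((name, "no security-profile bound"))
            elif svc["security_profile"] not in vsg_security_profiles:
                findings.append((name, "security-profile %s not defined on the VSG"
                                 % svc["security_profile"]))
    return findings


if __name__ == "__main__":
    for profile, issue in audit_vn_service(SAMPLE_CONFIG, {"sp1"}):
        print("%s: %s" % (profile, issue))
```

The set of known security profiles is supplied by the caller because the VSM does not hold it; in practice it comes from the VSG or VNMC side, which this chapter does not describe.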
org

To create a Cisco VNMC organization (domain), use the org command. To delete a Cisco VNMC organization, use the no form of the command.

Syntax:
org organization-name
no org [organization-name]

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| organization-name | Organization name. The range of values is from 1 to 251. |

Defaults: None
Command Modes: Port profile configuration (config-port-prof)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

Cisco VNMC organizations are Cisco VNMC domains.

You can hierarchically manage Cisco VNMC organizations. A user that is assigned at a top level organization has automatic access to all organizations under it. For example, an engineering organization can contain a software engineering organization and a hardware engineering organization. A locale containing only the software engineering organization has access to system resources only within that organization. However, a locale that contains the engineering organization has access to the resources for both the software engineering and hardware engineering organizations.

Examples:

This example shows how to create an organization:
vsm# configure
Enter configuration commands, one per line. End with CNTL/Z.
vsm(config)# port-profile pP1
vsm(config-port-prof)# org orgpP1
vsm(config-port-prof)#

Related Commands:

| Command | Description |
|---|---|
| vn-service | Sets the IP address for a virtual firewall. |
show vsn brief

To display a brief amount of information about the Cisco Virtual Security Gateway (VSG), use the show vsn brief command.

Syntax: show vsn brief

Syntax Description: This command has no arguments or keywords.

Defaults: None
Command Modes: EXEC
Supported User Roles: network-admin, network-operator

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

You can use the following operators with the show vsn brief command:
• > redirects the output to a file.
• >> redirects the output to a file in append mode.
• | pipes the command output to a filter.

Examples:

This example shows how to display information about Cisco VSGs:
vsm# show vsn brief
VLAN IP-ADDR MAC-ADDR FAIL-MODE STATE MODULE
64 192.168.136.1 00:50:56:bb:00:34 Close Up 5
64 192.168.129.2 00:50:56:bb:00:37 Close Up 3
vsm#

Related Commands:

| Command | Description |
|---|---|
| show vsn port vethernet | Displays information about the Cisco VSG. |
show vsn connection

To display Cisco VSG connections, use the show vsn connection command.

Syntax: show vsn connection [vlan vlan-num | ip ip-addr | module module-num]

Defaults: None
Command Modes: EXEC
Supported User Roles: network-admin, network-operator

Command History:

| Release | Modification |
|---|---|
| 4.2(1)VSG1(2) | This command was modified to show more organized and explained output. |
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

You can use the following operators with the show vsn connection command:
• > redirects the output to a file.
• >> redirects the output to a file in append mode.
• | pipes the command output to a filter.

Examples:

This example shows how to display Cisco VSG connections:
vsm# show vsn connection
Flags:
P - policy at src p - policy at dst
O - conn offloaded to vPath at src o - conn offloaded to vPath at dst
S - seen syn from src s - seen syn from dst
A - seen ack for syn/fin from src a - seen ack for syn/fin from dst
F - seen fin from src f - seen fin from dst
R - seen rst from src r - seen rst from dst
E - tcp conn established (SasA done) T - tcp conn torn down (FafA done)
VSG IP 106.1.1.1 VLAN 54
#Module 5
Proto SrcIP[:Port] DstIP[:Port] VLAN Action Flags Bytes
tcp 100.1.1.70:32785 100.1.1.80:80 53 permit PpOoE 452
udp 100.1.1.70:5636 100.1.1.80:4525 53 permit PpOo 4324
icmp 100.1.1.70 100.1.1.80 53 permit PpOo 5432
VWAAS IP 110.1.1.1 VLAN 54
#Module 3
Proto SrcIP[:Port] DstIP[:Port] VLAN Action Flags Bytes
tcp 100.1.1.70:32785 100.1.1.80:80 53 permit PpOoE 543
udp 100.1.1.70:4785 100.1.1.80:4553 53 permit PpOo 2343
vsm#
Related Commands:

| Command | Description |
|---|---|
| show vsn port vethernet | Displays port information. |
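The flag column in the show vsn connection output packs the policy, offload and TCP state of each connection into a short string, and the table is split by VSN and module. The following Python code is an added example, not part of this Cisco document and not Cisco code: it parses that output into one record per connection, expands the flag letters using the legend printed at the top of the output, sums bytes per VSN, and filters connections the way the command's own vlan, ip and module options do. The sample output is the one shown above, embedded as a string; the function names are my own.

```python
import re

# Flag legend exactly as printed by the CLI at the top of "show vsn connection".
FLAG_MEANINGS = {
    "P": "policy at src", "p": "policy at dst",
    "O": "conn offloaded to vPath at src", "o": "conn offloaded to vPath at dst",
    "S": "seen syn from src", "s": "seen syn from dst",
    "A": "seen ack for syn/fin from src", "a": "seen ack for syn/fin from dst",
    "F": "seen fin from src", "f": "seen fin from dst",
    "R": "seen rst from src", "r": "seen rst from dst",
    "E": "tcp conn established", "T": "tcp conn torn down",
}

# Sample taken from the output shown above (the legend lines are skipped by the parser).
SAMPLE_OUTPUT = """\
VSG IP 106.1.1.1 VLAN 54
#Module 5
Proto SrcIP[:Port] DstIP[:Port] VLAN Action Flags Bytes
tcp 100.1.1.70:32785 100.1.1.80:80 53 permit PpOoE 452
udp 100.1.1.70:5636 100.1.1.80:4525 53 permit PpOo 4324
icmp 100.1.1.70 100.1.1.80 53 permit PpOo 5432
VWAAS IP 110.1.1.1 VLAN 54
#Module 3
Proto SrcIP[:Port] DstIP[:Port] VLAN Action Flags Bytes
tcp 100.1.1.70:32785 100.1.1.80:80 53 permit PpOoE 543
udp 100.1.1.70:4785 100.1.1.80:4553 53 permit PpOo 2343
vsm#
"""

VSN_RE = re.compile(r"^(?P<kind>\S+) IP (?P<ip>\S+) VLAN (?P<vlan>\d+)$")
MODULE_RE = re.compile(r"^#Module (?P<module>\d+)$")
CONN_RE = re.compile(r"^(?P<proto>tcp|udp|icmp)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
                     r"(?P<vlan>\d+)\s+(?P<action>\S+)\s+(?P<flags>\S+)\s+(?P<bytes>\d+)$")


def decode_flags(flags):
    """Expand a flag string such as 'PpOoE' into the legend's phrases, in order."""
    try:
        return [FLAG_MEANINGS[c] for c in flags]
    except KeyError as exc:
        raise ValueError("unknown connection flag %s" % exc) from None


def _endpoint(field):
    """'100.1.1.70:32785' -> ('100.1.1.70', 32785); ICMP rows carry no port."""
    ip, _, port = field.partition(":")
    return ip, (int(port) if port else None)


def parse_connections(text):
    """One dict per connection row, tagged with the VSN and module headings above it."""
    conns, vsn, module = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VSN_RE.match(line)
        if m:
            vsn = (m.group("kind"), m.group("ip"), int(m.group("vlan")))
            continue
        m = MODULE_RE.match(line)
        if m:
            module = int(m.group("module"))
            continue
        m = CONN_RE.match(line)
        if m and vsn is not None:
            src_ip, src_port = _endpoint(m.group("src"))
            dst_ip, dst_port = _endpoint(m.group("dst"))
            conns.append({
                "vsn_type": vsn[0], "vsn_ip": vsn[1], "vsn_vlan": vsn[2], "module": module,
                "proto": m.group("proto"), "src_ip": src_ip, "src_port": src_port,
                "dst_ip": dst_ip, "dst_port": dst_port, "vlan": int(m.group("vlan")),
                "action": m.group("action"), "flags": m.group("flags"),
                "bytes": int(m.group("bytes")),
            })
    return conns


def filter_connections(conns, vlan=None, ip=None, module=None):
    """Mirror the command's [vlan | ip | module] options on already parsed rows."""
    return [c for c in conns
            if (vlan is None or c["vsn_vlan"] == vlan)
            and (ip is None or c["vsn_ip"] == ip)
            and (module is None or c["module"] == module)]


def bytes_by_vsn(conns):
    """Total bytes per (vsn_ip, vsn_vlan)."""
    totals = {}
    for c in conns:
        key = (c["vsn_ip"], c["vsn_vlan"])
        totals[key] = totals.get(key, 0) + c["bytes"]
    return totals


if __name__ == "__main__":
    for c in parse_connections(SAMPLE_OUTPUT):
        print("%s %s -> %s module %d: %s" % (c["proto"], c["src_ip"], c["dst_ip"],
                                            c["module"], "; ".join(decode_flags(c["flags"]))))
```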
show vsn detail

To display detailed information about the Cisco Virtual Security Gateway (VSG), use the show vsn detail command.

Syntax: show vsn detail

Syntax Description: This command has no arguments or keywords.

Defaults: None
Command Modes: EXEC
Supported User Roles: network-admin, network-operator

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

You can use the following operators with the show vsn detail command:
• > redirects the output to a file.
• >> redirects the output to a file in append mode.
• | pipes the command output to a filter.

Examples:

This example shows how to display detailed information about Cisco VSGs:
vsm# show vsn detail
#VSN VLAN: 64, IP-ADDR: 192.168.136.1
Module: 5
#VSN VLAN: 64, IP-ADDR: 192.168.129.2
Module: 3
ankaa-vsm-master# show vsn detail
#VSN VLAN: 64, IP-ADDR: 192.168.136.1
MODULE VSN-MAC-ADDR FAIL-MODE VSN-STATE
5 00:50:56:bb:00:34 Close No-License
#VSN VLAN: 64, IP-ADDR: 192.168.129.2
MODULE VSN-MAC-ADDR FAIL-MODE VSN-STATE
3 00:50:56:bb:00:37 Close No-License
#VSN Ports, Port-Profile, Org and Security-Profile Association:
#VSN VLAN: 64, IP-ADDR: 192.168.136.1
Port-Profile: vsg136-1, Security-Profile: default, Org: Not-Available
Module Vethernet
5 2
#VSN VLAN: 64, IP-ADDR: 192.168.129.2
Port-Profile: vsg129-2, Security-Profile: default, Org: Not-Available
Module Vethernet
3 10, 4
vsm#
Related Commands:

| Command | Description |
|---|---|
| show vsn port vethernet | Displays information about the Cisco VSG. |
show vsn port vethernet

To display information about virtual Ethernet (vEth) ports, use the show vsn port vethernet command.

Syntax: show vsn port vethernet port-number

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| port-number | Port number. The range is from 1 to 1048575. |

Defaults: None
Command Modes: EXEC
Supported User Roles: network-admin, network-operator

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

You can use the following operators with the show vsn port vethernet command:
• > redirects the output to a file.
• >> redirects the output to a file in append mode.
• | pipes the command output to a filter.

Examples:

This example shows how to display information about vEth port 2:
vsm# show vsn port vethernet 2
Veth : Veth2
VM Name : UD136-1
VM uuid : 42 3b e1 60 17 e6 92 c4-3b 47 f4 b7 4c a0 be 1b
DV Port : 7458
DVS uuid : 90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c
Flags : 0x148
VSN Data IP : 192.168.136.1
Security Profile : sp1
Org : Not set
VNSP id : 1
IP addresses:
vsm#

Related Commands:

| Command | Description |
|---|---|
| show vsn statistics | Displays Cisco VSG statistics. |
show vsn statistics

To display Cisco VSG statistics, use the show vsn statistics command.

Syntax: show vsn statistics [ip | module | vlan]

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| ip | (Optional) Displays IP statistics. |
| module | (Optional) Displays module statistics. |
| vlan | (Optional) Displays VLAN statistics. |

Defaults: None
Command Modes: EXEC
Supported User Roles: network-admin, network-operator

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

You can use the following operators with the show vsn statistics command:
• > redirects the output to a file.
• >> redirects the output to a file in append mode.
• | pipes the command output to a filter.

Examples:

This example shows how to display statistics for a module:
vsm# show vsn statistics module 3
#VSN VLAN: 64, IP-ADDR: 192.168.129.2
Module: 3
#VPath Packet Statistics Ingress Egress Total
Total Seen 8249 24572 32821
Policy Redirects 7796 23260 31056
No-Policy Passthru 441 1267 1708
Policy-Permits Rcvd 7796 23260 31056
Policy-Denies Rcvd 0 0 0
Permit Hits 10 45 55
Deny Hits 0 0 0
Decapsulated 7796 23260 31056
Fail-Open 0 0 0
Badport Err 0 0 0
VSN Config Err 0 0 0
ARP Resolve Err 2 0 2
Encap Err 0 0 0
All-Drops 2 0 2
Total Rcvd From VSN 31056
Non-Cisco Encap Rcvd 0
VNS-Port Drops 0
Policy-Action Err 0
Decap Err 0
L2-Frag Sent 0
L2-Frag Rcvd 0
L2-Frag Coalesced 0
#VPath Flow Statistics
Active Flows 0 Active Connections 0
Forward Flow Create 7799 Forward Flow Destroy 7799
Reverse Flow Create 7799 Reverse Flow Destroy 7799
Flow ID Alloc 15598 Flow ID Free 15598
Connection ID Alloc 7799 Connection ID Free 7799
L2 Flow Create 0 L2 Flow Destroy 0
L3 Flow Create 4 L3 Flow Destroy 4
L4 TCP Flow Create 0 L4 TCP Flow Destroy 0
L4 UDP Flow Create 15594 L4 UDP Flow Destroy 15594
L4 Oth Flow Create 0 L4 Oth Flow Destroy 0
Embryonic Flow Create 0 Embryonic Flow Bloom 0
L2 Flow Timeout 0 L2 Flow Offload 0
L3 Flow Timeout 5 L3 Flow Offload 2
L4 TCP Flow Timeout 0 L4 TCP Flow Offload 0
L4 UDP Flow Timeout 23393 L4 UDP Flow Offload 31054
L4 Oth Flow Timeout 0 L4 Oth Flow Offload 0
Flow Lookup Hit 23314 Flow Lookup Miss 15598
Flow Dual Lookup 38912 L4 TCP Tuple-reuse 0
Flow Classify Err 0 Flow ID Alloc Err 0
Conn ID Alloc Err 0 Hash Alloc Err 0
Flow Exist 0 Flow Entry Exhaust 0
Flow Removal Err 0 Bad Flow ID Receive 0
Flow Entry Miss 0 Flow Full Match Err 0
Bad Action Receive 0 Invalid Flow Pair 0
Invalid Connection 0
Hash Alloc 0 Hash Free 0
InvalFID Lookup 0 InvalFID Lookup Err 0
Deferred Delete 0
vsm#
Related Commands:

| Command | Description |
|---|---|
| show vsn port vethernet | Displays information about the Cisco VSG. |
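The vPath packet counters above are where a silently failing enforcement path shows up: a non-zero Fail-Open count means packets were passed without the VSG seeing them, and ARP Resolve Err or VSN Config Err mean vPath could not hand packets to the VSG at all. The following Python code is an added example, not part of this Cisco document and not Cisco code: it parses the show vsn statistics output into packet counters (ingress, egress, total) and flow counters, raises an alert for each bypass or error counter with a non-zero total, and cross-checks that every three-column row's total equals ingress plus egress. The meanings attached to the alert counters are my reading of the counter names, not Cisco's definitions; the sample is a shortened copy of the output above, and the function names are my own.

```python
import re

NUMBER = re.compile(r"^\d+$")

# Counters whose non-zero total means vPath did not enforce, or could not deliver
# traffic to, the VSG. The descriptions are my interpretation of the counter names.
ALERT_COUNTERS = {
    "Fail-Open": "packets were passed without inspection (fail-open mode)",
    "VSN Config Err": "packets hit a VSG configuration error",
    "ARP Resolve Err": "the VEM could not resolve the VSG MAC address",
    "Badport Err": "packets hit a bad-port error",
    "Encap Err": "packets could not be encapsulated towards the VSG",
    "All-Drops": "packets were dropped by vPath",
}

# Shortened copy of the "show vsn statistics module 3" output shown above.
SAMPLE_OUTPUT = """\
vsm# show vsn statistics module 3
#VSN VLAN: 64, IP-ADDR: 192.168.129.2
Module: 3
#VPath Packet Statistics Ingress Egress Total
Total Seen 8249 24572 32821
Policy Redirects 7796 23260 31056
No-Policy Passthru 441 1267 1708
Policy-Permits Rcvd 7796 23260 31056
Policy-Denies Rcvd 0 0 0
Permit Hits 10 45 55
Deny Hits 0 0 0
Decapsulated 7796 23260 31056
Fail-Open 0 0 0
Badport Err 0 0 0
VSN Config Err 0 0 0
ARP Resolve Err 2 0 2
Encap Err 0 0 0
All-Drops 2 0 2
Total Rcvd From VSN 31056
Non-Cisco Encap Rcvd 0
L2-Frag Sent 0
#VPath Flow Statistics
Active Flows 0 Active Connections 0
Forward Flow Create 7799 Forward Flow Destroy 7799
L4 UDP Flow Create 15594 L4 UDP Flow Destroy 15594
Flow Lookup Hit 23314 Flow Lookup Miss 15598
Invalid Connection 0
Deferred Delete 0
vsm#
"""


def parse_vsn_statistics(text):
    """Split the output into (packet, flow).

    packet: name -> {'ingress', 'egress', 'total'} for three-column rows, {'total'} for one-column rows
    flow:   name -> value; flow rows carry one or two 'name value' pairs
    """
    packet, flow, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("#"):          # blank lines and the bare CLI prompt
            continue
        if line.startswith("#VPath Packet Statistics"):
            section = "packet"
            continue
        if line.startswith("#VPath Flow Statistics"):
            section = "flow"
            continue
        if line.startswith("#") or section is None:  # '#VSN ...' headers, 'Module: 3', the command
            continue
        tokens = line.split()
        if section == "packet":
            name = " ".join(t for t in tokens if not NUMBER.match(t))
            nums = [int(t) for t in tokens if NUMBER.match(t)]
            if len(nums) == 3:
                packet[name] = {"ingress": nums[0], "egress": nums[1], "total": nums[2]}
            elif len(nums) == 1:
                packet[name] = {"total": nums[0]}
        else:
            words = []
            for t in tokens:                         # "<name words> <value>" repeated
                if NUMBER.match(t):
                    flow[" ".join(words)] = int(t)
                    words = []
                else:
                    words.append(t)
    return packet, flow


def alerts(packet):
    """(counter, total, meaning) for each alert counter whose total is non-zero."""
    return [(name, packet[name]["total"], meaning)
            for name, meaning in ALERT_COUNTERS.items()
            if packet.get(name, {}).get("total", 0)]


def inconsistent_totals(packet):
    """Three-column rows whose printed total is not ingress + egress."""
    return [n for n, v in packet.items()
            if "ingress" in v and v["ingress"] + v["egress"] != v["total"]]


if __name__ == "__main__":
    pkt, _ = parse_vsn_statistics(SAMPLE_OUTPUT)
    for name, total, meaning in alerts(pkt):
        print("%s = %d: %s" % (name, total, meaning))
```

Run against output collected per module (the module form of the command), the alert list is a cheap baseline to diff between collections: counters such as Fail-Open and ARP Resolve Err should stay flat on a healthy VEM-to-VSG path.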
vlan

To create a VLAN and enter the VLAN configuration mode, use the vlan command. To remove a VLAN, use the no form of this command.

Syntax:
vlan {id | dot1Q tag native}
no vlan {id | dot1Q tag native}

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| id | VLAN identification number. The range is from 1 to 4094. |
| dot1Q tag native | Specifies an IEEE 802.1Q virtual LAN. |

Defaults: VLAN 1
Command Modes: Global configuration (config)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

Specify a VLAN range by using a dash. For example, 1-9 or 20-30.

Examples:

This example shows how to create a VLAN and enter the VLAN configuration mode:
vsm# configure
vsm(config)# vlan 100
vsm(config-vlan)#

This example shows how to remove a VLAN:
switch# configure
switch(config)# no vlan 100
switch(config)#

Related Commands:

| Command | Description |
|---|---|
| show vlan | Displays the VTP VLAN status. |
vmware port-group

To create a VMware port group, use the vmware port-group command. To remove the VMware port group, use the no form of this command.

Syntax:
vmware port-group name
no vmware port-group name

Syntax Description:

| Keyword or Argument | Description |
|---|---|
| name | Name of the VMware port group. |

Defaults: None
Command Modes: Port profile configuration (config-port-prof)
Supported User Roles: network-admin

Command History:

| Release | Modification |
|---|---|
| 4.0(4)SV1(1) | This command was introduced. |

Usage Guidelines:

To create the VMware port group, you must be in port profile configuration mode.

Examples:

This example shows how to create a VMware port group:
vsm# configure
vsm(config)# port-profile testprofile
vsm(config-port-prof)# vmware port-group testgroup
vsm(config-port-prof)#

This example shows how to remove the VMware port group:
vsm# configure
vsm(config)# port-profile testprofile
vsm(config-port-prof)# no vmware port-group testgroup
vsm(config-port-prof)#

Related Commands:

| Command | Description |
|---|---|
| show port-profile name | Displays configuration information about a particular port profile. |
vsn type vsg global

To enter the tcp state-checks configuration submode, use the vsn type vsg global command.

Syntax: vsn type vsg global

Syntax Description: This command has no arguments or keywords.

Defaults: TCP state checks are enabled.
Command Modes: Global configuration (config)
Supported User Roles: network-admin, system-admin

Command History:

| Release | Modification |
|---|---|
| 4.2(1)VSG1(2) | This command was introduced. |

Usage Guidelines:

Because TCP state checks in vPath are enabled by default, use the no form of the tcp state-checks command to disable the state checks.

Examples:

This example shows how to enter the VSN configuration submode:
vsm# config
vsm(config)# vsn type vsg global
vsm(config-vsn)#

Related Commands:

| Command | Description |
|---|---|
| tcp state-checks | Enables TCP state checks in the vPath. |