Note: The Cisco Virtual Security Gateway works within the PNSC.
Designed for multi-tenant operation, PNSC provides seamless, scalable, and automation-centric management for virtualized data center and cloud environments. Multi-tenancy refers to the architectural principle that calls for a single instance of the software to run on a Software-as-a-Service (SaaS) server, serving multiple client organizations or tenants. Multi-tenancy is contrasted with a multi-instance architecture, where separate instances are set up for different client organizations. With a multi-tenant architecture, a software application is designed to virtually partition data and configurations, so that each tenant works with a customized virtual application instance.
You can also use Cisco UCS Director to manage your VSGs.
Note: In order to see your PNSC configuration, you should download the vCenter extension file from the PNSC and import that into your vSphere client application. After completing that download, execute a PNSC inventory from within Cisco UCS Director. The VM Manager report (under PNSC) will display the corresponding vCenter information.
Cisco Prime Network Services Controller (Cisco Prime NSC) is a virtual appliance, based on Red Hat Enterprise Linux, that provides centralized device and security policy management of Cisco virtual services. Designed for multi-tenant operation, Cisco Prime NSC provides seamless, scalable, and automation-centric management for virtualized data center and cloud environments. The PNSC essentially provides the security component (firewall) to your VSG and application container and separates the VMs from each other. The Cisco Prime Network Services Controller enables the centralized management of Cisco virtual services to be performed by an administrator through Cisco UCS Director.
Note: PNSCs are not tied to any specific POD.
After creating a PNSC you can view related reports using Cisco UCS Director.
The following reports are available under the menu.
Step 1: On the menu bar, choose . The All Pods screen appears.
Step 2: In the left-hand pane, click the Multi-domain Manager. The PNSC account entry appears.
Step 3: Click the Network Accounts tab. You can view PNSC accounts that were added under either the Default datacenter or the Multi-domain Manager accounts.
Step 4: Click a PNSC entry to view the available reports.
You can use Cisco UCS Director to configure a Prime Network Services Controller (PNSC) in addition to its internal firewall (Cisco Virtual Security Gateway), which is then integrated into an application container.
The integration process consists of several stages:
Create a PNSC firewall policy (used to create a container with a PNSC).
The Cisco Virtual Security Gateway (VSG) is a virtual firewall appliance that provides trusted access to virtual data center and cloud environments. The Cisco VSG enables a broad set of multi-tenant workloads that have varied security profiles, so that they can share a common compute infrastructure in a virtual data center private cloud or in a public cloud. By associating one or more virtual machines (VMs) into distinct trust zones, the Cisco VSG ensures that access to trust zones is controlled and monitored through established security policies.
Note: Group administrators and end users are the only types with privileges to upload OVA files.
Ensure that you have the proper access rights.
Step 1: On the menu bar, choose the Administration tab.
Step 2: Click the Upload Files tab.
Step 3: Click Upload File.
Step 4: In the Upload File dialog box, complete the following fields:
Step 5: Click Submit.
Step 6: When the Once Submit Result - Upload Successfully dialog box appears, click OK. Uploaded files are accessible under the Upload Files tab.
You use a firewall policy to enforce network traffic on a Cisco VSG. The Cisco VSG is the internal firewall used as part of PNSC. A key component of the Cisco VSG is the policy engine. The policy engine uses the policy as a configuration that filters the network traffic that is received on the Cisco VSG.
Note: The PNSC firewall policy supports both standalone and high availability (HA) modes.
Step 1: On the menu bar, choose .
Step 2: Click the tab.
Step 3: Click the PNSC account.
Step 4: Click the PNSC Firewall Policies tab.
Step 5: Click Add.
Step 6: In the Create a firewall policy dialog box, complete the following fields:
Step 7: Click Next.
Step 8: Click Add (+) to create a zone.
Step 9: In the Add Entry to PNSC Zones dialog box, complete the following fields:
Step 10: Click Submit.
Step 11: Click OK.
Step 12: Click Next.
Step 13: Click Add (+) to create a PNSC ACL rule entry.
Step 14: In the Add Entry to PNSC ACL Rules dialog box, complete the following fields:
Step 15: Click Submit.
Step 16: Click Next.
Step 17: In the PNSC-VSG Configuration pane, complete the following fields:
Step 18: Click Submit.
Step 19: Click OK.
Note: Any gateway-related Linux-based VM image parameters can be added to this policy.
Step 1: On the menu bar, choose .
Step 2: Click the Virtual Infrastructure Policies tab.
Step 3: Click (+) Add Policy.
Step 4: In the Create a virtual infrastructure policy screen, complete the following fields:
Step 5: Click Next.
Step 6: In the Modify Virtual Infrastructure policy screen, complete the following fields:
Step 7: Click Next.
Step 8: In the Virtual Infrastructure Policy - Fencing Gateway screen, complete the following fields:
Step 9: Click Submit.
Step 1: On the menu bar, choose .
Step 2: Click the Application Container Templates tab.
Step 3: Click Add Template. The Create an Application Container Template screen appears. Complete the following fields:
Step 4: Click Next. The Application Container Template - Select a Virtual Infrastructure policy screen appears. In this section you choose the cloud on which the application container is deployed. Complete the following field:
Step 5: Click Next. The Application Container: Template - Internal Networks screen appears.
Step 6: Click the (+) Add icon to add a network. The Add Entry to Networks dialog box appears. Complete the following fields:
Step 7: Click Submit. Next, you can add and configure the gateway VM that will be provisioned in the application container.
Step 8: Click OK.
Step 9: Click Next. The VMs screen appears.
Step 10: Click Add (+) to add a VM. Complete the following fields:
Step 11: (Optional) Click Add (+) to add one or more new VM network interfaces. Complete the following fields:
Step 12: Click Next.
Step 13: Click OK. The Application Container: Template - Security Configuration screen appears. You can specify the security configuration components, such as port mapping and outbound access control lists (ACLs).
Step 14: Click the Add (+) icon to add a port mapping. Complete the following fields:
Step 15: Click Submit.
Step 16: Click OK.
Step 17: Click the Add (+) icon to add an Outbound ACL. The Application Container: Template - Security Configuration dialog box appears. Complete the following fields:
Step 18: Click Submit.
Step 19: Click OK.
Step 20: Click Next.
Step 21: In the Application Container Template - Deployment Policies page, complete the following fields:
Step 22: Click Next.
Step 23: In the Application Container Template - Options screen, complete the following fields:
Step 24: Click Next.
Step 25: Choose a workflow to set up the container.
Step 26: In the Select table, choose a workflow (for example, Workflow Id 431 Fenced Container Setup - VSG).
Step 27: Click Select.
Step 28: Click Submit.