Cisco “Virtual Services Gateway” (VSG) Isn’t A Gateway……..It’s A Next Generation Firewall

Virtualisation of physical servers into virtual machines (VMs) presents a number of challenges. Large chassis blade servers from IBM or Cisco, in a virtualised data centre, often run a hypervisor on a per-blade basis.

If you place many VMs on one ESXi instance, for example, that is a lot of VMs to manage. What if those VMs belong to different customers or departments, or need separation inside a virtual application?

The designers of the VSG have provided an impressive amount of flexibility in the product, even within a strict model, but more on that later.

In the diagram you can see there is a “tenant”; this represents a customer, department or other grouping. Tenants may need to be separated from each other, but they may also require further separation inside the “container” already defined (the tenant), a bit like a series of Russian dolls that fit inside each other.

The VSG provides granular separation “inside” the even bigger “Russian doll” of the VMware or Hyper-V hypervisor servers, and all of this sits at the “compute layer”, a long way from any enterprise-type firewall. The question is: would you send traffic from your compute layer northwards to your network access layer, through your Nexus 5Ks (aggregation layer) and up to the first Layer 3 point (the core, in the Cisco data centre model, which is the only location for a Layer 3 firewall providing traditional firewalling), and then back down through the data centre to the VM it wants to communicate with?

Of course not…..and so the VSG was devised.

Applying policies to virtual ports on a Nexus 1000v switch via the VSG is still a relatively quirky product and a new approach to firewalling, and it throws up some challenging questions: VSG commands to master as well as the Nexus 1000v, and which commands to learn, use and have ready.
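To make the “Russian doll” idea concrete, here is a small added illustration of the policy model the post is describing: VMs are classified by attributes (tenant, and a zone inside the tenant), each tenant owns an ordered policy set, and every VM-to-VM flow is decided at the compute layer without ever leaving the hypervisor. This is example code written for this post, not Cisco’s VSG or Nexus 1000v code; the VM names, zones, rule names and ports are all constructed for the illustration, and the rule fields are a simplification of what a real policy language offers.

```python
"""Toy per-virtual-port firewall policy engine (constructed example, not VSG code).

Two levels of separation: tenants never talk to each other, and inside a tenant
an ordered rule list decides zone-to-zone traffic, with an implicit deny at the end.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    """A VM as the policy engine sees it: attributes, not a physical port."""
    name: str
    tenant: str   # outer doll: customer / department
    zone: str     # inner doll: tier inside the tenant, e.g. web, app, db, mgmt


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: Optional[str]     # None matches any source zone
    dst_zone: Optional[str]     # None matches any destination zone
    dst_ports: FrozenSet[int]   # empty set matches any port
    action: str                 # "permit" or "deny"


@dataclass
class PolicySet:
    """One policy set per tenant; rules are evaluated top-down, first match wins."""
    tenant: str
    rules: List[Rule] = field(default_factory=list)


Decision = Tuple[str, str]  # (action, reason)


def evaluate(src: VM, dst: VM, policy_sets: Dict[str, PolicySet], dst_port: int) -> Decision:
    """Decide one flow. Tenant isolation is enforced before any tenant rule is consulted."""
    if src.tenant != dst.tenant:
        return ("deny", "cross-tenant")
    ps = policy_sets.get(dst.tenant)
    if ps is None:
        return ("deny", "no-policy-set")
    for rule in ps.rules:
        if rule.src_zone is not None and rule.src_zone != src.zone:
            continue
        if rule.dst_zone is not None and rule.dst_zone != dst.zone:
            continue
        if rule.dst_ports and dst_port not in rule.dst_ports:
            continue
        return (rule.action, rule.name)
    return ("deny", "implicit-deny")


# Constructed inventory: one tenant with three tiers plus a management zone,
# and a second tenant whose database must never be reachable from the first.
VMS: Dict[str, VM] = {
    "web1": VM("web1", "acme", "web"),
    "app1": VM("app1", "acme", "app"),
    "db1": VM("db1", "acme", "db"),
    "mgmt1": VM("mgmt1", "acme", "mgmt"),
    "db9": VM("db9", "globex", "db"),
}

# Constructed policy: only the expected tier-to-tier paths are opened.
POLICY_SETS: Dict[str, PolicySet] = {
    "acme": PolicySet("acme", [
        Rule("web-to-app", "web", "app", frozenset({8080}), "permit"),
        Rule("app-to-db", "app", "db", frozenset({3306}), "permit"),
        Rule("mgmt-ssh", "mgmt", None, frozenset({22}), "permit"),
    ]),
    "globex": PolicySet("globex", []),
}


def decide_flows(flows: List[Tuple[str, str, int]],
                 vms: Dict[str, VM] = VMS,
                 policy_sets: Dict[str, PolicySet] = POLICY_SETS) -> List[str]:
    """Render one decision line per (src, dst, port) flow, in the style of a firewall log."""
    lines = []
    for src_name, dst_name, port in flows:
        action, reason = evaluate(vms[src_name], vms[dst_name], policy_sets, port)
        lines.append(f"{src_name}->{dst_name}:{port} {action} ({reason})")
    return lines


if __name__ == "__main__":
    sample = [("web1", "app1", 8080), ("web1", "db1", 3306),
              ("app1", "db1", 3306), ("app1", "db9", 3306),
              ("mgmt1", "db1", 22), ("mgmt1", "db1", 3306)]
    for line in decide_flows(sample):
        print(line)
```

The point to notice is the order of checks: the tenant boundary is decided first and cannot be overridden by any rule inside a tenant’s policy set, and anything a tenant’s rules do not explicitly permit falls through to the implicit deny. That is the property you want to verify on a real deployment too, by testing a cross-tenant flow and an unlisted intra-tenant flow rather than only the paths you expect to work.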

Instant Command Recall……..stay tuned for more!

Neil Meadows