Cisco first impressed me with virtual data center technologies with their Nexus 1000V. This is a software replacement for the Distributed Virtual Switch (DVS) of VMware. The idea is to have Cisco engineers feel much more comfortable working with the network switch (although software-based) that the virtual machines are connecting to in software. The Nexus 1000V provides a consistent operating system and set of features that Cisco network engineers are completely comfortable with. In fact, Cisco even created a physical appliance, the Nexus 1010 to host the software powering the 1000V. This product has been replaced with the Nexus 1100. Now engineers feel very comfortable as they are actually connecting to a physical box for management and configuration of the virtual switch.
This was a very intriguing and successful initiative and was quickly followed up with the Cisco ASA 1000V Cloud Firewall. Yes, a software-based virtual firewall for cloud-based environments that features all of the goodies that a Cisco Security Engineer is excited about with the Adaptive Security Appliance appliances, not to mention the consistent interface for the operating system.
As I write this, the current version of the ASA 1000V Cloud Firewall is ASA 1000V Version 8.7(1). It provides edge features and functionality (including site-to-site VPN, NAT, and DHCP), acts as a default gateway, and secures the virtual machines (VMs) within the tenant against any network-based attacks. Certainly adding to the complexity of the installation of this product is the fact that it has so many dependencies. Of course, many of these may already be deployed and configured successfully in your environment.
The requirements for a successful ASA 1000V implementation are:
- Compatible hardware that runs the VMware vSphere Hypervisor software
- The VMware vSphere Hypervisor software itself
- vCenter Server software
- The Cisco Nexus 1000V
- The Cisco Virtual Network Management Center (VNMC) appliance
- The Cisco ASA 1000V itself
Optionally, you can also implement the Cisco Virtual Security Gateway (VSG). The Cisco VSG is a service appliance required to segment inter-VM traffic within a tenant. If implemented, this is also managed using the Cisco Virtual Network Management Center (VNMC) appliance.
Once the required products for the ASA 1000V are configured, Cisco Security Engineers will indeed feel right at home with their virtual ASA configurations. For example, here is a sample configuration in which connection limits and timeouts are configured for all traffic passing through the firewall. You should note that this configuration is precisely consistent with that I would make on a hardware-based ASA appliance:
ASA1000V(config)# class-map CONNS
ASA1000V(config-cmap)# match anyASA1000V(config-cmap)# policy-map CONNSASA1000V(config-pmap)# class CONNSASA1000V(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000ASA1000V(config-pmap-c)# set connection timeout idle 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcdFor more information on the Cisco 1000v Cloud Firewall, visit the homepage for the product here.
You might also be interested in the Getting Started Guide, which is located here.