I was talking about Cisco’s VSG in numerous webinars and presentations, but never managed to write a blog post about this interesting product. Let’s fix that, starting with a short video from the Cloud Computing Networking webinar.
- VSG is a NIC-level firewall. It’s (logically) inserted between a VM NIC and a vSwitch.
- Being a NIC-level firewall, VSG has to be a transparent (layer-2) firewall. It has no routing or NAT functionality.
- VSG is running in a VM (or two of them for redundancy) that can be deployed on vSphere or on Nexus 1010 appliance.
- The VSG VM doesn’t have to be running in the same hypervisor as the VM it’s protecting (VMware’s vShield App or Juniper’s vGW require a per-hypervisor VM).
- VSG depends on Nexus 1000V – Nexus 1000V is the only hypervisor switch (at this moment) that can insert a remote service between a VM NIC and a port group to which the VM NIC is connected.
- The technology used to insert a service offered by a remote VM between a VM NIC and a port group is called vPath.
- vPath 1.0 uses layer-2 transport and thus requires a dedicated VLAN between the hypervisor switches and the service VM. vPath 2.0 supposedly runs over VXLAN as well.
- Initial packets of every session are always redirected to the service VM. After inspecting and approving the session, the service VM can install a 5-tuple shortcut into the hypervisor switch. Subsequent packets of the same session no longer traverse the service VM.
- vPath service insertion is configured on a Nexus 1000V port-profile (equivalent to vSwitch port group) with the vn-service configuration command.
- vPath is Cisco’s proprietary technology. It seemed Cisco started to make the technology available to third parties, but let’s wait to see whether Imperva WAF uses vPath or not.
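The redirect-then-offload behaviour described in the bullets above, modelled as an added example (this is illustrative Python, not Cisco's vPath or VSG code): a hypervisor switch sends every packet of an unknown session to a transparent service VM, and once the service VM permits the session the switch installs a 5-tuple shortcut so later packets of that flow never reach the firewall. Packets, the permit policy, the `revoke` call and all addresses are constructed assumptions for the example; the service VM deliberately has no NAT or routing logic, matching the post's description of VSG as a layer-2 firewall.

```python
"""Toy model of vPath-style service insertion with 5-tuple flow offload.

Added illustration, not Cisco code. It mimics the behaviour described in
the post: the hypervisor switch redirects the first packets of each session
to a remote firewall VM; once the firewall approves the session it installs
a 5-tuple shortcut so later packets of that flow are switched locally and
no longer traverse the firewall. All names, policies and packets are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (src_ip, dst_ip, sport, dport, proto)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    proto: str

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.sport, self.dport, self.proto)


class ServiceVM:
    """Stand-in for the VSG: a transparent (layer-2) policy engine.

    It only answers permit/deny. It never rewrites addresses (no NAT) and
    never makes a routing decision, as the post describes for VSG.
    """

    def __init__(self, allowed_ports: Dict[str, Set[int]]):
        # Hypothetical policy: protocol -> permitted destination ports.
        self.allowed_ports = allowed_ports
        self.inspected = 0  # packets that actually traversed the service VM

    def inspect(self, pkt: Packet) -> bool:
        self.inspected += 1
        return pkt.dport in self.allowed_ports.get(pkt.proto, set())


class HypervisorSwitch:
    """Stand-in for a hypervisor switch port-profile with service insertion."""

    def __init__(self, service: ServiceVM):
        self.service = service
        self.shortcuts: Set[FiveTuple] = set()  # approved sessions (5-tuples)
        self.fast_path = 0  # packets switched without visiting the service VM
        self.delivered: List[Packet] = []

    def forward(self, pkt: Packet) -> str:
        key = pkt.five_tuple()
        if key in self.shortcuts:
            # Approved session: local switching, the firewall VM is not involved.
            self.fast_path += 1
            self.delivered.append(pkt)
            return "fast-path"
        # Unknown session (or no shortcut): redirect to the service VM.
        if self.service.inspect(pkt):
            self.shortcuts.add(key)  # install the 5-tuple shortcut
            self.delivered.append(pkt)
            return "permitted"
        return "dropped"  # denied sessions never get a shortcut

    def revoke(self, key: FiveTuple) -> None:
        # Offloaded packets are invisible to the firewall, so the switch must
        # honour shortcut removal (e.g. session teardown or policy change);
        # the next packet of that flow is inspected again. Assumed behaviour.
        self.shortcuts.discard(key)


def demo() -> Dict[str, int]:
    """Run an allowed web flow and a denied SSH flow; return the counters."""
    fw = ServiceVM({"tcp": {80, 443}})
    sw = HypervisorSwitch(fw)
    web = Packet("10.0.0.10", "10.0.0.20", 40000, 80, "tcp")   # constructed
    ssh = Packet("10.0.0.10", "10.0.0.20", 40001, 22, "tcp")   # constructed
    for _ in range(5):
        sw.forward(web)   # first packet inspected, the next four offloaded
    for _ in range(3):
        sw.forward(ssh)   # every packet hits the firewall and is dropped
    return {"inspected": fw.inspected, "fast_path": sw.fast_path,
            "delivered": len(sw.delivered), "shortcuts": len(sw.shortcuts)}


if __name__ == "__main__":
    print(demo())
```

The counters make the trade-off visible: the firewall sees only the first packet of the permitted session, so anything the switch offloads is never inspected again until the shortcut is removed. That is why shortcut lifetime and revocation matter as much as the initial policy decision.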
Check out my virtualization webinars (all of them are included in the yearly subscription) and VSG blog posts on Cisco’s web site. Also, three Packet Pushers podcasts covered VSG or vPath: Show 49 (Nexus 1000V), Show 74 (Cisco ASA 1000V) and PQ Show 12 (vPath 2.0).