Cisco Nexus 1000V Series Switches

Cisco Virtual Network Management Center Data Sheet

Product Overview

Cisco® Virtual Network Management Center (VNMC) is a virtual appliance that provides centralized device and security policy management for Cisco Virtual Security Gateway (VSG) for Cisco Nexus® 1000V Series Switches. Designed for enterprise and multi-tenant cloud deployments, Cisco VNMC offers transparent, scalable, and automation-centric management for securing virtualized data center and cloud environments (Figure 1). With both a built-in GUI and an XML API, centralized management of Cisco VSG can be performed by an administrator or programmatically. Cisco VNMC is built on an information-model architecture in which each managed device is represented by its subcomponents (or objects), which are parametrically defined. This model-based approach enables a flexible and simple mechanism for securing virtualized infrastructure with Cisco VSG.
Cisco VNMC provides the following main benefits:

• Rapid and scalable deployment through dynamic, template-based policy management based on security profiles

• Transparent operation management through an XML API that enables programmatic integration with third-party management and orchestration tools

• Collaboration across security and server teams while maintaining administrative separation and reducing errors through a consistent and repeatable deployment model

Figure 1. Cisco VNMC Provides Centralized Device and Policy Management of Cisco VSG in Virtual Data Centers and Multi-Tenant Private and Public Clouds

Cisco VNMC uses security profiles for template-based configuration of security policies. A security profile is a collection of security policies that can be predefined and applied on demand at the time of virtual machine instantiation. This profile-based approach significantly simplifies authoring, deployment, and management of security policies, including in a dense multi-tenant environment, while enhancing deployment agility and scaling. Security profiles also help reduce administrative errors and simplify audits.
The XML API for Cisco VNMC facilitates coordination with third-party provisioning tools for programmatic provisioning and management of Cisco VSG. The option of programmatic control of Cisco VSG can greatly simplify operation processes and reduce infrastructure management costs.
By providing visual and programmatic controls, Cisco VNMC enables the security operations team to author and manage security policies for virtualized infrastructure and enhances collaboration with the server and network operations teams (Figure 2). This nondisruptive administration model helps ensure administrative segregation of duties to reduce administrative errors and simplify regulatory compliance and auditing. Cisco VNMC operates in conjunction with the Cisco Nexus 1000V Series Virtual Supervisor Module (VSM) to achieve the following workflow:

• Security administrators can author and manage security profiles as well as manage VSG instances. Security profiles are referenced in Cisco Nexus 1000V Series port profiles.

• Network administrators can author and manage port profiles as well as manage Cisco Nexus 1000V Series distributed virtual switches. Port profiles with referenced security profiles are available in VMware vCenter through the Cisco Nexus 1000V Series VSM's programmatic interface with VMware vCenter.

• Server administrators can select an appropriate port profile in VMware vCenter when instantiating a virtual machine.

Figure 2. GUI Screen Illustrating Security Policy Management and Management of Multiple Data Center Segments, Lines of Business (LoBs), and Tenants

Cisco VNMC implements an information-model architecture in which each managed device, such as Cisco VSG, is represented by the device's object-information model. The model-based architecture helps enable the use of:

• Stateless managed devices: Security policies (security templates) and object configurations are abstracted into a centralized repository.

• Dynamic device allocation: A centralized resource management function manages pools of devices that are commissioned (deployed) in service and a pool of devices that are available for commissioning. This approach simplifies large-scale deployments because managed devices can be preinstantiated and then configured on demand, and devices can be allocated and deallocated dynamically across commissioned and noncommissioned pools.

• Scalable management: A distributed management-plane function is implemented using an embedded agent on each managed device that helps enable greater scalability.

Features and Benefits

Table 1 lists the main features and benefits of Cisco VNMC.

Table 1. Features and Benefits

| Feature | Description | Benefit |
| --- | --- | --- |
| Multiple-device management | Cisco VNMC provides central management of Cisco VSG for Cisco Nexus 1000V Series Switches. | Simplifies provisioning and troubleshooting in a scaled-out data center. |
| Security profiles | A security profile represents Cisco VSG's security policy configuration in a profile (template). | Simplifies provisioning, reduces administrative errors during security policy changes, reduces audit complexities, and enables a highly scaled-out data center environment. |
| Stateless device provisioning | The management agent in Cisco VSG is stateless, receiving information from Cisco VNMC. | • Enhances scalability. • Provides robust endpoint failure recovery without loss of configuration state. |
| Security policy management | Security policies are authored, edited, and provisioned centrally. | • Simplifies operation and management of security policies. • Helps ensure that security intent is accurately represented in the associated security policies. |
| Context-aware security policies | Cisco VNMC obtains virtual machine contexts from VMware vCenter. | Allows security administrators to institute highly specific policy controls across the entire virtual infrastructure. |
| Dynamic security policy and zone provisioning | Cisco VNMC interacts with the Cisco Nexus 1000V Series VSM to bind the security profile to the corresponding Cisco Nexus 1000V Series port profile. When virtual machines are dynamically instantiated by server administrators and appropriate port profiles applied, their association with trust zones is also established. | Helps security profiles stay aligned with rapid changes in the virtual data center. |
| Multi-tenant (scale-out) management | Cisco VNMC is designed to manage Cisco VSG and security policies in a dense multi-tenant environment so that administrators can rapidly add and delete tenants and update tenant-specific configurations and security policies. | Reduces administrative errors, helps ensure segregation of duties in administrative teams, and simplifies audit procedures. |
| Role-based access control (RBAC) | RBAC simplifies operation tasks across different types of administrators, while allowing subject-matter experts to continue with their normal procedures. | • Reduces administrative errors. • Enables detailed control of user privileges. • Simplifies auditing requirements. |
| XML-based API | Cisco VNMC XML API allows external system management and orchestration tools to programmatically provision Cisco VSG. | • Allows use of best-in-class management software. • Offers transparent and scalable operation management. |

Software Packaging and Installation

Table 2 describes how to obtain the software for Cisco VNMC.

Table 2. Software Packaging and Installation

| Package | Description |
| --- | --- |
| Open Virtualization Format (OVF) | • Downloadable OVF virtual appliance in the form of a single file with the .ova extension • Deployed with OVF templates and packages |
| ISO format | • Downloadable ISO file that can be mounted on a virtual machine |

System Requirements

Table 3 lists the system requirements for deploying Cisco VNMC.

Table 3. Cisco VNMC Deployment Requirements

| Component | Specification |
| --- | --- |
| Cisco VNMC virtual appliance | • 1 virtual CPU at 1.5 GHz • RAM: 2 GB • Hard disk (vDisk): 25 GB • Network interfaces: 1 (management) |
| Hypervisor and hypervisor manager | • VMware vSphere 4.0.1, 4.0.2, 4.1.0, and 5.0 with VMware ESX or ESXi • VMware vCenter 4.0.1, 4.0.2, 4.1.0, and 5.0 |
| Web browser (client) | Internet Explorer 8.0 and 9.0; Mozilla Firefox 8.0.1 and 9.0.1 |
| Interfaces and protocols | XML API, HTTP/HTTPS, Lightweight Directory Access Protocol (LDAP), and syslog |

Licensing and Ordering Information

Cisco VNMC is licensed based on the number of physical server CPU sockets protected by Cisco VSG. A Cisco VNMC license is required for each Cisco VSG license.
For an introductory promotional period, Cisco VSG and VNMC can be ordered as bundles with 4, 16, and 32 CPU licenses as shown in Tables 4 and 5.

Table 4. Cisco VNMC and VSG Promotional Ordering Information (eDelivery of Licenses)

| Part Number | Description |
| --- | --- |
| Initial Order of Base Image and Licenses | |
| L-VSG-VNMC-BASE | VSG and VNMC eDelivery plus one CPU License (Base) |
| Incremental Order of Licenses | |
| L-VSG-VNMC-04-P2= | VSG and VNMC eDelivery CPU License Promo2 Qty 4 (Increment) |
| L-VSG-VNMC-16-P2= | VSG and VNMC eDelivery CPU License Promo2 Qty 16 (Increment) |
| L-VSG-VNMC-32-P2= | VSG and VNMC eDelivery CPU License Promo2 Qty 32 (Increment) |
| Cisco VSG and VNMC on CD (No Licenses) | |
| VSG-VNMCP1K9-CD | VSG and VNMC software on a CD |
| Software Application Support plus Upgrades (SASU): 1 Year | |
| CON-SAU-LVSGB | SW APP SUPP + UPGR VNMC VSG Promo2 eDelivery CPU Qty 1 |
| CON-SAU-LVSG4 | SW APP SUPP + UPGR VNMC VSG Promo2 eDelivery CPU Qty 4 |
| CON-SAU-LVSG16 | SW APP SUPP + UPGR VNMC VSG Promo2 eDelivery CPU Qty 16 |
| CON-SAU-LVSG32 | SW APP SUPP + UPGR VNMC VSG Promo2 eDelivery CPU Qty 32 |

Table 5. Cisco VNMC and VSG Promotional Ordering Information (Paper Delivery of Licenses)

| Part Number | Description |
| --- | --- |
| Initial Order of Base Image and Licenses | |
| VSG-VNMC-BASE= | VSG and VNMC Paper plus one CPU License (Base) |
| Incremental Order of Licenses | |
| VSG-VNMC-04-P2= | VSG and VNMC Paper CPU License Promo2 Qty 4 (Increment) |
| VSG-VNMC-16-P2= | VSG and VNMC Paper CPU License Promo2 Qty 16 (Increment) |
| VSG-VNMC-32-P2= | VSG and VNMC Paper CPU License Promo2 Qty 32 (Increment) |
| Cisco VSG and VNMC on CD (No Licenses) | |
| VSG-VNMCP1K9-CD | VSG and VNMC software on a CD |
| Software Application Support plus Upgrades (SASU): 1 Year | |
| CON-SAU-VSGB | SW APP SUPP + UPGR VNMC VSG Promo2 eDelivery CPU Qty 1 |
| CON-SAU-VSG4 | SW APP SUPP + UPGR VNMC VSG Promo2 Paper CPU Qty 4 |
| CON-SAU-VSG16 | SW APP SUPP + UPGR VNMC VSG Promo2 Paper CPU Qty 16 |
| CON-SAU-VSG32 | SW APP SUPP + UPGR VNMC VSG Promo2 Paper CPU Qty 32 |

Warranty

Cisco VNMC has a 90-day limited software warranty. For more warranty information, see http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Service and Support

Cisco Software Application Support plus Upgrades (SASU) is a comprehensive support service that helps you maintain and enhance the availability, security, and performance of your business-critical applications. Cisco SASU includes the following resources:

• Software updates and upgrades: The Cisco SASU service provides timely, uninterrupted access to software updates and upgrades to help you keep existing systems stable and network release levels current. Update releases, including major upgrade releases that may include significant architectural changes and new capabilities for your licensed feature set, are available by software download from Cisco.com or by CD-ROM shipment.

• Cisco Technical Assistance Center (TAC): Cisco TAC engineers provide accurate, rapid diagnosis and resolution of software application problems to help you reduce outages and performance degradation. These specialized software application experts are trained to support Cisco VNMC. Their expertise is available to you 24 hours a day, 365 days a year, by telephone, fax, email, or the Internet.

• Online support: Cisco SASU provides access to a wide range of online tools and communities to help you resolve problems quickly, support business continuity, and improve competitiveness.

For More Information

• For additional information and a free evaluation of Cisco Virtual Network Management Center, visit http://www.cisco.com/go/vnmc.

• For additional information and a free evaluation of the Cisco Virtual Security Gateway, visit http://www.cisco.com/go/vsg.

• For additional information about the Cisco Nexus 1000V Series, visit http://www.cisco.com/go/nexus1000v.

• For a free evaluation of the Cisco Nexus 1000V Series Switches, visit http://www.cisco.com/go/1000veval.

• For additional information about Cisco NX-OS Software, visit http://www.cisco.com/go/nxos.

• For additional information about VMware vSphere, visit http://www.vmware.com/go/vsphere.