02-26-2014 09:14 AM
Hi Guys,
We have been working with PNSC 3.0(2e) and VSG 4.2(1)VSG2(1.1) running on top of 1000v switch 4.2(1)SV2(2.1a).
We are using VMWare 5.5.
Note: These are not Cisco Licenses, they are running in a Licensed VMWare Plus platform and we have downloaded these from Cisco Downloads - we are aware that this could be the problem but can't find any documentation specifically stating this.
This is a simple question, in the documentation it mentions that a limit of 10 conditions or attributes can be placed in a rule (this is given as 10 per rule) in Cisco Virtual Security Gateway for Nexus 1000V Series Switch Configuration Guide, Release 4.2(1)VSG1(1) - Cisco Virtual…
We configured a rule with more than this and it caused the policy not to apply to the VSG. The status in PNSC showed the failure and although everything continued to function it wouldn't work. So we modified our rules and split out the destination conditions into multiple rules and re-applied and it started to work. We found that the limit in the destination (IP address) field was 8 and at the time I think there were 2 in the source (port-groups).
Now however, we are finding that on a rule that only has 2 conditions, where the source is a port-group and the destination is an IP, the 9th host that inherits that port-group (the port-group has max-ports set to 30) has all sorts of issues, doesn't get/keep DHCP, loses the will to live etc!
The config is as follows:
VSM:
port-profile type vethernet ten1-abcd-1
  vmware port-group
  switchport mode access
  switchport access vlan 424
  org root/tenant1/c1
  vservice node tenant1-vsg profile abc-c-abcd-profile
  no shutdown
  state enabled
PortProfile: ten1-abcd-1
Org:         root/tenant1/c1
Node:        tenant1-vsg(192.168.12.200)    Profile(Id): abc-c-abcd-profile(19)

  Veth  Mod  VM-Name        vNIC  IP-Address
  7     6    abc-c-abcd006  1     192.168.10.70
  8     4    abc-c-abcd008  1     192.168.10.72
  23    5    abc-c-abcd004  1     192.168.10.68
  24    3    abc-c-abcd009  1     192.168.10.73
  25    6    abc-c-abcd005  1     192.168.10.69
  30    4    abc-c-abcd011  1     192.168.10.75
  31    3    abc-c-abcd012  1
  35    3    abc-c-abcd010  1     192.168.10.74
  36    6    abc-c-abcd007  1     192.168.10.71
VSG/PNSC:
security-profile abc-c-abcd-profile@root/tenant1/c1
  policy abc-c-abcd@root/tenant1/c1
  custom-attribute vnsporg "root/tenant1/c1"

rule ten1-abcd-inbound/abcd-443@root/tenant1/c1 cond-match-criteria: match-all
  dst-attributes
    condition 10 dst.vm.portprofile-name eq ten1-abcd-2
    condition 12 dst.vm.portprofile-name eq ten1-abcd-1
  src-attributes
    condition 13 src.net.ip-address member-of poc-snat-ten1-t2@root/tenant1/c1
  service/protocol-attribute
    condition 11 net.service member-of ssl_port@root/tenant1/c1
  action permit

rule ten1-abcd-outbound/1025_port@root/tenant1/c1 cond-match-criteria: match-any
  dst-attributes
    condition 12 dst.net.ip-address member-of ababababab.dc.cert@root/tenant1/c1
  src-attributes
    condition 10 src.vm.portprofile-name eq ten1-abcd-2
    condition 13 src.vm.portprofile-name eq ten1-abcd-1
  service/protocol-attribute
    condition 11 net.service member-of 1025_port@root/tenant1/c1
  action permit
  action log

Policy abc-c-abcd@root/tenant1/c1
  rule ten1-abcd-inbound/abcd-443@root/tenant1/c1 order 1804
  rule ten1-abcd-outbound/1025_port@root/tenant1/c1 order 3105
Please note, I have replaced/removed all references to business specific architecture and IP ranges, however the construct remains the same. I have also removed the majority of rules for brevity and the point remains the same, for either inbound or outbound we are faced with the same issues.
I hope someone can give some guidance on these limits - are we actually limited by the attribute/condition barrier when related to port-profiles configured inside source/destination of a rule?
Thanks
Phil
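The question above is about how many conditions a VSG rule may carry before PNSC refuses to apply the policy. The following Python script is an added example, not part of the post and not Cisco code: it parses the rule listing format the post shows (a `rule ... cond-match-criteria:` header followed by `dst-attributes`, `src-attributes` and `service/protocol-attribute` sections of `condition N ...` lines), counts the conditions per rule and per section, and flags any rule whose total exceeds a configurable limit. The default limit of 10 is the per-rule figure the poster quotes from the configuration guide; the two rules in the sample are copied from the post, while the third rule, its name and its 192.0.2.x addresses are constructed to show a rule that lists destination hosts one by one and trips the check.

```python
"""Count conditions per VSG rule and flag rules over a per-rule limit.

Added example (not from the original post or from Cisco). It reads the
rule listing format shown in the post and reports how many conditions each
rule carries so a policy can be checked before it is pushed from PNSC.
"""
import re
from dataclasses import dataclass, field

# Header of a rule as shown in the post, e.g.
#   rule name@org cond-match-criteria: match-all
RULE_RE = re.compile(r"^rule\s+(\S+)\s+cond-match-criteria:\s+(\S+)")
SECTIONS = ("dst-attributes", "src-attributes", "service/protocol-attribute")
# A condition line: condition <id> <attribute> <operator> <value...>
COND_RE = re.compile(r"^condition\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+)$")


@dataclass
class Rule:
    name: str
    match: str  # match-all or match-any, as written in the header
    conditions: dict = field(default_factory=lambda: {s: [] for s in SECTIONS})
    actions: list = field(default_factory=list)

    def total(self):
        """Number of conditions across all three attribute sections."""
        return sum(len(v) for v in self.conditions.values())


def parse_rules(text):
    """Parse rule blocks out of 'show'-style policy text into Rule objects."""
    rules, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            current = Rule(m.group(1), m.group(2))
            rules.append(current)
            section = None
            continue
        if current is None:
            continue  # lines before the first rule (security-profile etc.)
        if line in SECTIONS:
            section = line
            continue
        m = COND_RE.match(line)
        if m and section:
            current.conditions[section].append(
                {"id": int(m.group(1)), "attr": m.group(2),
                 "op": m.group(3), "value": m.group(4)})
            continue
        if line.startswith("action "):
            current.actions.append(line.split(None, 1)[1])
    return rules


def check_limits(rules, per_rule_limit=10):
    """Return (rule name, total conditions, over_limit) for every rule.

    The default of 10 is the per-rule condition limit the poster quotes
    from the VSG configuration guide.
    """
    return [(r.name, r.total(), r.total() > per_rule_limit) for r in rules]


# The two rules quoted from the post (names and object groups as the poster wrote them).
POST_RULES = """\
rule ten1-abcd-inbound/abcd-443@root/tenant1/c1 cond-match-criteria: match-all
  dst-attributes
    condition 10 dst.vm.portprofile-name eq ten1-abcd-2
    condition 12 dst.vm.portprofile-name eq ten1-abcd-1
  src-attributes
    condition 13 src.net.ip-address member-of poc-snat-ten1-t2@root/tenant1/c1
  service/protocol-attribute
    condition 11 net.service member-of ssl_port@root/tenant1/c1
  action permit
rule ten1-abcd-outbound/1025_port@root/tenant1/c1 cond-match-criteria: match-any
  dst-attributes
    condition 12 dst.net.ip-address member-of ababababab.dc.cert@root/tenant1/c1
  src-attributes
    condition 10 src.vm.portprofile-name eq ten1-abcd-2
    condition 13 src.vm.portprofile-name eq ten1-abcd-1
  service/protocol-attribute
    condition 11 net.service member-of 1025_port@root/tenant1/c1
  action permit
  action log
"""

# Constructed rule (hypothetical name, RFC 5737 documentation addresses) that
# lists nine destination hosts individually instead of through an object group.
WIDE_RULE = (
    "rule demo-wide/ip-list@root/tenant1/c1 cond-match-criteria: match-any\n"
    "  dst-attributes\n"
    + "".join(f"    condition {i} dst.net.ip-address eq 192.0.2.{i}\n"
              for i in range(1, 10))
    + "  src-attributes\n"
    "    condition 20 src.vm.portprofile-name eq ten1-abcd-1\n"
    "  service/protocol-attribute\n"
    "    condition 21 net.service member-of ssl_port@root/tenant1/c1\n"
    "  action permit\n"
)

SAMPLE = POST_RULES + WIDE_RULE

if __name__ == "__main__":
    for rule in parse_rules(SAMPLE):
        per_section = {s: len(c) for s, c in rule.conditions.items()}
        flag = "OVER LIMIT" if rule.total() > 10 else "ok"
        print(f"{rule.name} [{rule.match}] total={rule.total()} {per_section} -> {flag}")
```

Running the script lists the two posted rules at four conditions each and marks the constructed nine-address rule (eleven conditions) as over the limit; the per-section breakdown also makes it easy to see when the destination side alone is carrying most of the count, which is the situation the poster describes before splitting the rule.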
06-10-2014 03:38 AM
Hi
I do hope I'm not misunderstanding your question.....a common issue in forums I know. However, if my interpretation is correct, you are asking how many IP addresses a rule can match on. For example, inside policy1, you have a rule called rule, you then have a source condition, destination condition, service/protocol....among other things of course. If your question is how many IP addresses is it possible to have in, let's say, the destination condition? Then I have to say, that's not the way to configure it. To do that you would create an "Object group".....add all those IP addresses to that Object group and then add the object group as a destination condition.
Also, the power of the VSG is built on VM names....if those IP addresses you are adding as a destination, are also VMs then use the VMname attribute, if they aren't use the method I've just described.
I hope that helps and apologies if I have completely misunderstood your question....if I have, reply with a diagram (I'm better with pictures!!!!), and I'll see if I can help.
Regards
Neil Meadows