globalhawk wrote:
But, I thought Cisco VSG takes care of deploying gateways, not VSM?
Below is a clear explanation of the related communication: the gateway still uses vShield Edge whenever a routed network occurs. The Cisco VSG does not do the NAT/IP gateway service for the organization network; it provides port profile binding to the VMs.
• VMware vShield Manager and vCenter communication: This communication occurs when an organization requires a routed network. VMware vShield Manager instantiates a VMware vShield edge appliance dynamically to provide Network Address Translation (NAT) and IP gateway service for the organization network.
• VMware vCloud Director and VMware vShield Manager communication: VMware vCloud Director provides network services to the cloud through VMware vShield Manager. VMware vShield Manager interacts with the Cisco Nexus 1000V Virtual Supervisor Module (VSM) to make the Cisco Nexus 1000V available to VMware vCloud Director to build any type of network when you are building a tenant cloud. Each VMware vCloud Director cell requires access to a VMware vShield Manager host, which provides network services to the cloud. You must have a unique instance of VMware vShield Manager for each VMware vCenter server you add to VMware vCloud Director.
• VMware vCenter and Cisco Nexus 1000V VSM communication: VMware vCenter provides centralized control and visibility to VMware vSphere virtual infrastructure. The Cisco Nexus 1000V is tightly integrated with VMware vCenter. This integration enables the network administrator and the server administrator to collaborate efficiently. The networking policies can be enforced in the virtual access layer just as in the physical network, but the Cisco Nexus 1000V helps maintain separation of duties for the network and server teams. There is no change in this integration for a VXLAN deployment.
• Cisco Virtual Network Management Center (VNMC) and Cisco VSG communication: Cisco VSG registers with Cisco VNMC through the policy agent configuration performed on Cisco VSG. Cisco VNMC then pushes the security and device polices to Cisco VSG. No policy configuration is performed through the Cisco VSG command-line interface (CLI) after Cisco VSG is registered with Cisco VNMC. The CLI is available to the administrator for monitoring and troubleshooting purposes.
• Cisco Nexus 1000V VSM and Cisco VNMC communication: VSM registers with Cisco VNMC through the policy agent configuration performed on the VSM. The steps for registration are similar to those for registering Cisco VSG with Cisco VNMC. After registration, the VSM can send the IP-to-virtual machine binding to Cisco VNMC. IP-to-virtual machine mapping is required by Cisco VSG to evaluate policies that are based on virtual machine attributes. The VSM also resolves the security profile ID using Cisco VNMC. This security profile ID is sent in every vPath packet to Cisco VSG and is used to identify the policy for evaluation.
• Cisco VNMC-to-VMware vCenter communication: Cisco VNMC registers with VMware vCenter for visibility into the VMware environment. This visibility allows the security administrator to define policies based on the VMware virtual machine attributes. Cisco VNMC integrates through an XML plug-in. The process is similar to the process for integration of the Cisco Nexus 1000V VSM with VMware vCenter.
Hope this makes the role of Cisco VSG and Cisco VNMC clearer for you. They do not do what vShield Edge does; there are only protected port profiles from the Nexus 1000V (which are visible to it so it can secure the organization with the policy). You may not need vShield Edge in the deployment when all the networks you create use External Network, without any organization network/internal network required. Then you may secure them via Cisco VSG/VNMC.
Just my one cent over here.