Cisco Blogs


VSG: Vive la difference! A Tutorial for HP

One of the things I admire about Cisco marketing, and I think generates a lot of respect for us from our customers, is how we approach competitive marketing. Most importantly, we hardly ever do it. Sure, we arm our sales teams with specific comparison data, but it’s rare we feel the need to compare ourselves publicly or to bash competitors. When you bash a competitor, it really only serves to give them credibility, and highlights that they must be doing something important to occupy your mindshare, or that of your customers. Occasionally though, we are faced with not only having to take the gloves off a little more, but responding to the inevitable FUD that gets thrown our way.

This brings us to a blog post written by HP about Cisco’s Virtual Security Gateway (VSG), which unfortunately contains a number of inaccuracies and misrepresentations of our product that we have to clear up.

Let’s start with this example:

Cisco has a product called the Virtual Security Gateway (VSG) for the Nexus 1000V Series. It is a virtual firewall that lets you enforce policy and segmentation virtual environments. All associated security profiles are configured to include trust-zone definitions and access control lists (ACLs) or rules. They also support VM mobility when properly configured. If there’s one thing the company is good at, it is those good-old ACLs developed back in the early 90s!

The strength of VSG’s firewall capabilities is its awareness of the virtual machine environment, and specifically the ability to write firewall rules based on the attributes of the virtual machine, attributes such as the NAME of the VM. This gives tremendous power to establish policies in virtual environments, such as logically isolating tenants running on the same machine, or separating VMs based on operating system or application type in virtual desktop environments, a use case I wrote about earlier. To imply VSG is enforcing good-old ACLs from the 90s is disingenuous at best.

UNS Spotlight on VM-ready Security Solutions with VSG

The Unified Network Services (UNS) portfolio of Layer 4-7 services (such as ACE and WAAS) also includes Cisco’s data center security solutions. A critical part of that security portfolio is our virtualization-aware firewall solution, Virtual Security Gateway (VSG). In a series of upcoming blog posts, I’ll be sharing a few use case scenarios that our customers are implementing with VSG.

For those of you new to VSG, I’ll point out that VSG’s role is to act as a virtual firewall between zones of virtual machines. Isolating traffic between VM zones has been very challenging prior to VSG because: 1) security policies have to be enforced between VMs running on the same server or same virtual switch (where there’s no place to put a firewall), 2) VMs move all around the network and the security policies (as enforced in the firewall) must follow the VM, and 3) the need to maintain segregation of duties for compliance purposes between the security and application server teams, where security is potentially enforced inside the virtual server.

Virtual Desktops are Special….

I, just like my colleague Tony Paikeday, am somewhat preoccupied these days with the fast-changing world of the desktop and its impact on data center infrastructures. I wanted to pick up on Tony’s desktop virtualization “just another workload” blog back in November because it is a subject of growing discussion, especially with “cloud” being all the buzz. While desktops are an increasingly popular workload to get started with private cloud initiatives, does that mean that data center architects are mixing desktops with more traditional data center workloads?

The more I talk to our system engineers who are helping plan and design desktop virtualization deployments day in, day out, the more I learn there are very good reasons for treating this workload as special and separate.

The first thing I hear about is sizing of the desktop workload. A “desktop” is not a “desktop”. You can’t just characterize a generic Win 7 desktop for compute, memory, I/O and storage IOPS. You need to be able to customize the infrastructure profile to the specific user type being deployed. Therein lies the danger of mixing these virtual desktops with production workloads, where desktops could end up capturing valuable resources of mission critical services. For example, consolidating a company procurement application on the same compute pool as your desktop workloads could result in a lot of unproductive – or even worse – unhappy employees.

Are You Going to EMC World? Some great VXI content awaits…

My $0.02: Skip the buffet, Celine, Cirque, and the slots, but don’t skip learning about Cisco Virtualization Experience Infrastructure (VXI) with EMC.
