Step 7: Create NSX-V Security Group and Security Policy

An NSX-V security group and security policy must be created to redirect network traffic to the Gigamon Traffic Visibility service. A security group defines which VMs will be monitored. The security policy associates the Gigamon Traffic Visibility service and map profile to the security group. The cloud tenant user should create the security group and security policy.

Create Security Group

A security group should be created that contains the VMs to forward NSX-V network traffic to the Gigamon Traffic Visibility service.

To create the security group, do the following in the vCenter UI:

1. In vCenter, select Networking & Security > Service Composer > Security Groups > + Add.
2. Enter the Name and description.
3. Click Next.
4. Click Select Objects to include.
5. For the Object Type, select an Object Type from the drop-down list.
6. Move the desired Objects from the Available Objects column to the Selected Objects column.
7. Click Finish.

The monitored Objects can also be selected using dynamic membership or any of the available object types.

For additional details on creating security groups, refer to the “Service Composer” chapter of the NSX-V Administration Guide.
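A check worth running once the security group exists, added here as an example that is not part of the Gigamon or VMware documentation: it compares the VMs the group actually resolves to against the VMs you intended to monitor, so a dynamic-membership rule that silently misses a VM (its traffic is never redirected to the Gigamon Traffic Visibility service) or pulls in an extra one is caught. The `translation/virtualmachines` endpoint, the `<vmnodes>` response shape, the NSX Manager hostname and the group's objectId are assumptions; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the assumed NSX-V response for
# GET /api/2.0/services/securitygroup/<objectId>/translation/virtualmachines
# (not captured from a real NSX Manager).
SAMPLE_TRANSLATION_XML = """<vmnodes>
  <vmnode><vmId>vm-101</vmId><vmName>web-01</vmName></vmnode>
  <vmnode><vmId>vm-102</vmId><vmName>web-02</vmName></vmnode>
  <vmnode><vmId>vm-250</vmId><vmName>jumpbox-01</vmName></vmnode>
</vmnodes>"""


def parse_effective_members(xml_text):
    """Return {vmName: vmId} for every VM the security group resolves to."""
    root = ET.fromstring(xml_text)
    members = {}
    for node in root.findall("vmnode"):
        members[node.findtext("vmName")] = node.findtext("vmId")
    return members


def audit_membership(xml_text, expected_vm_names):
    """Compare resolved members against the VMs that should be monitored.

    'missing' VMs will not have their traffic redirected to the Gigamon
    service (a monitoring gap); 'unexpected' VMs are mirrored without intent.
    """
    effective = set(parse_effective_members(xml_text))
    expected = set(expected_vm_names)
    return {
        "missing": sorted(expected - effective),
        "unexpected": sorted(effective - expected),
        "ok": effective == expected,
    }


def fetch_translation_xml(nsx_manager, object_id, auth, verify=True):
    """Fetch the live translation from NSX Manager (assumed endpoint)."""
    import requests  # only needed for the live query, not for the sample
    url = (f"https://{nsx_manager}/api/2.0/services/securitygroup/"
           f"{object_id}/translation/virtualmachines")
    resp = requests.get(url, auth=auth, headers={"Accept": "application/xml"},
                        verify=verify, timeout=30)
    resp.raise_for_status()
    return resp.text


if __name__ == "__main__":
    # Intended monitored set; web-03 is missing and jumpbox-01 is extra.
    print(audit_membership(SAMPLE_TRANSLATION_XML, ["web-01", "web-02", "web-03"]))
```

For a live check, pass the text returned by `fetch_translation_xml(...)` to `audit_membership` in place of the constructed sample.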

Create Security Policy

The steps presented in this section create a security policy whose source virtual machines are defined as the virtual machines in the applied security groups. Additional configurations of the security policy are available. For additional details on creating security policies, refer to the “Service Composer” chapter of the NSX-V Administration Guide.

To create the security policy, do the following in the vCenter UI:

  1. In vCenter, select Networking & Security > Service Composer.
  2. Select the Security Policies tab, and then click + Add. Before you proceed to the next step, make sure that you specify the Guest Introspection and Firewall Rules.
  3. On the new Security Policy page, do the following.
    1. In the Name and Description fields, enter a name and a description for the security policy, respectively.
    2. Click Network Introspection Services to select the Network Introspection Services tab.
    3. Click + Add Network Introspection Service.
    4. In the Name and Description fields, enter a name and description.
    5. For Action, select Redirect to service.
    6. For Service Name, select Gigamon Traffic Visibility.
    7. For Profile, select the profile corresponding to the desired virtual map. A profile is created for each virtual map.
    8. Based on the required traffic type, select the Source and Destination as described in the following table.

      Traffic     Source                     Destination
      Incoming    Any                        Policy's Security Groups
      Outgoing    Policy's Security Groups   Any
    9. For Service, if filtering based on ports is desired, click Change to select the service to filter on. A service defines the TCP/UDP ports to filter.
    10. For State, select Enabled.
    11. For Log, select Do not log.
    12. Click OK.
  4. On the New Security Policy page, click Finish.

Map Security Policy to Security Group

The security policy is mapped to a security group by applying the security policy to one or more security groups. The steps presented in this section configure the Visibility Fabric to allow monitored traffic to flow to the H-Series chassis with GigaSMART. Monitored traffic can be observed using a tool that is connected to a tool port of the H-Series device.

To map the security policy to the security group, do the following in the vCenter UI:

1. In vCenter, select Networking & Security > Service Composer.
2. Select the Security Policies tab.
3. Select a Security Policy and click Apply.
4. Select the security groups to which the security policy should be applied.
5. Click OK.