
This is the second part of the vShield series. This time we spend some time on vShield Zones: installation, configuration, and of course understanding how it works.

Installation of vShield Manager

As mentioned in the last post, the control module of vShield is vShield Manager, and vShield Zones is its backbone: the platform on which all the other vShield applications run.

1. Download and Install

You can download an evaluation version of vShield from VMware in OVA format. It is a 500MB OVA file; use the vSphere Client to deploy it into your VMware environment. You don't need to worry much about where the vShield Manager VM lives, because it can be freely vMotioned to any host in your cluster.

vshield-21

Once you have imported the OVA, power it up and log in with the username "admin" and the password "default" (change this default password as soon as you are in).

vshield-22

Type enable at the command prompt, then run setup.

2. Configure IP and gateway.


vshield-23

You should now be able to ping vShield Manager.

3. Connect to vShield Manager with an Internet browser

vshield-24

vshield-25

4. Restart the vSphere Client and log in

After providing the vCenter details to vShield Manager, you should see a new vShield tab in the vSphere Client.

vshield-26

By now vShield Manager is installed, but vShield Zones and the other real vShield components have not been installed on any host yet. What you have so far is merely the frame.

You can configure the other aspects of vShield Manager now if you want.

vshield-27

Install vShield Zones

The next step is to install vShield Zones. vShield Zones is the basic version of vShield App and works on the same principle as vShield App.

When you deploy vShield Zones from vShield Manager, it asks you which host to install on and for a new set of IP settings for the vShield Zones VM.

Each host is bound to a new Linux VM. That VM is fixed to its host and cannot be vMotioned to another host, because it talks directly to a special module running in that host, in the same way a vSwitch does.

In other words, the new VM takes charge of all filtering for that one host.

Notice: if you are running a cluster, vShield Zones will only protect VMs running on a host that has vShield Zones installed. For example, you have hosts A and B and VMs C and D; VM C runs on host A and VM D runs on host B. If you install vShield Zones on host B, only VM D is affected by the vShield Zones settings. If you vMotion VM C from host A to host B, then VM C is affected too.

vshield-38

However, if you are running a cluster (hosts A and B), installing vShield Zones on host B alone won't protect any VM until you install vShield Zones on all hosts in the cluster.

1. Go to the vShield tab and select a host to install on

vshield-29

2. Provide an IP set for the vShield Zones VM and click Install

vshield-30

3. The system will deploy a new VM on that host

vshield-31

Apart from deploying a new VM, the installation script does a couple of other things:

  • Install a new module in the host
  • Modify the vmx configuration belonging to that host
  • Create a new vSwitch for the firewall

Install a new module in the host

vshield-32

Modify the vmx configuration belonging to that host

vshield-33

Create a new vSwitch for the firewall

vshield-34

vshield-37

Let's look at a diagram to understand how it works at the logical level.

vshield-28

All network traffic can be thought of as taking a special detour before it reaches the VM.

At the host level we can use the VMsafe diagram to understand it, since the two share a similar structure. It is similar to VMsafe-Net, but it uses its own filter (vShield-dvfilter).

vshield-35


Management of vShield Zones

vShield Zones management is very similar to ISA Server: it is divided into multiple levels.

Hierarchy of Zones Firewall Rules

Each vShield Zones instance enforces Zones Firewall rules in top-to-bottom order. A vShield Zones instance checks each traffic session against the top rule in the Zones Firewall table before moving down to the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.

Zones Firewall rules are enforced in the following hierarchy:

1. Data Center High Precedence Rules
2. Cluster Level Rules
3. Data Center Low Precedence Rules (seen as "Rules below this level have lower precedence than cluster level rules" when a datacenter resource is selected)
4. Secure Port Group Rules
5. Default Rules

vshield-36
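To make the first-match ordering concrete, here is a small added Python simulation of the evaluation described above. It is my own illustration, not VMware code and not the vShield rule engine: it sorts a constructed rule set into the five precedence levels and walks the resulting table top to bottom until a rule matches. All rule names, addresses and the default-allow rule are constructed for the example.

```python
# Added illustration of first-match Zones Firewall evaluation across the
# five precedence levels. This is a simulation for understanding the
# ordering, not VMware's rule engine; every rule and address is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hierarchy levels, highest precedence first.
LEVELS = ["datacenter_high", "cluster", "datacenter_low",
          "secure_port_group", "default"]


@dataclass
class Rule:
    level: str               # one of LEVELS
    src: str                 # CIDR, single IP, or "any"
    dst: str
    dst_port: Optional[int]  # None matches any port
    protocol: str            # "tcp", "udp" or "any"
    action: str              # "allow" or "deny"
    name: str


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


def _in_net(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def matches(rule: Rule, s: Session) -> bool:
    return (_in_net(rule.src, s.src_ip) and _in_net(rule.dst, s.dst_ip)
            and rule.dst_port in (None, s.dst_port)
            and rule.protocol in ("any", s.protocol))


def ordered_table(rules: List[Rule]) -> List[Rule]:
    """Arrange rules into the enforced top-to-bottom table: by hierarchy
    level, keeping the administrator's order within a level (sorted is stable)."""
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    return sorted(rules, key=lambda r: rank[r.level])


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, Optional[Rule]]:
    """Walk the table from the top; the first matching rule is enforced."""
    for rule in ordered_table(rules):
        if matches(rule, s):
            return rule.action, rule
    return "deny", None  # assumption: nothing matched at all


def sample_table() -> List[Rule]:
    """Constructed rule set, deliberately listed out of precedence order."""
    return [
        Rule("datacenter_low", "any", "10.2.0.0/16", 80, "tcp", "deny", "dc-low-no-web"),
        Rule("cluster", "10.1.0.0/16", "10.2.0.0/16", 23, "tcp", "allow", "cluster-allow-telnet"),
        Rule("cluster", "10.1.0.0/16", "10.2.0.0/16", 80, "tcp", "allow", "cluster-web"),
        Rule("datacenter_high", "any", "10.0.0.0/8", 23, "tcp", "deny", "dc-high-no-telnet"),
        Rule("secure_port_group", "any", "10.2.0.10", 443, "tcp", "allow", "spg-https"),
        Rule("default", "any", "any", None, "any", "allow", "default-allow"),
    ]


if __name__ == "__main__":
    table = sample_table()
    for s in [Session("10.1.5.5", "10.2.0.10", 23, "tcp"),     # dc-high deny beats cluster allow
              Session("10.1.5.5", "10.2.0.10", 80, "tcp"),     # cluster allow beats dc-low deny
              Session("192.168.1.1", "10.2.0.10", 80, "tcp"),  # no cluster match, dc-low denies
              Session("192.168.1.1", "10.2.0.10", 443, "tcp"), # secure port group allows
              Session("192.168.1.1", "10.2.0.10", 22, "tcp")]: # falls through to default
        action, rule = evaluate(table, s)
        print(f"{s.src_ip} -> {s.dst_ip}:{s.dst_port}/{s.protocol}: {action} by {rule.name}")
```

The important thing the simulation shows is that a cluster-level allow silently overrides a datacenter low-precedence deny, while a datacenter high-precedence deny overrides the cluster allow; when you audit a vShield Zones policy, read the table in this enforced order rather than in the order the rules were entered.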

A few things you need to know:

1. Make sure vShield Manager and the vShield Zones VMs can all ping each other.

2. If you are using a cluster, make sure vShield Zones is installed on all hosts.

3. If you uninstall vShield Zones, a restart of the host is involved!!

4. No restart is involved when you install vShield Zones on a host.

5. The vShield Zones VM can't be vMotioned.

6. How much overhead vShield will consume in production is unknown.

7. How much impact vShield will have on network traffic is unknown.

Reference:

vShield Administration Guide


2 Comments

  1. Just want to ask, with vShield 4.1 for a vDS environment. I know the process is pretty straightforward for a vSS environment, whereby the vShield wizard will do everything for you (create the vSwitch etc.) during installation. But for a vDS environment, do we need to create a second vDS (unprotected) just like in vShield 1.0U1?

    • I haven't done too much field testing. But judging by the tests I have done so far, it looks like you don't need to have a secondary vDS, and there were any issues taking VMs out of the protection group and putting them back. However, it may not be a bad idea from a strategy point of view to have another one.
