This is the second part of the vShield series. We will spend some time on vShield Zones: installation, configuration and, of course, understanding how it works.
Installation of vShield Manager
As I mentioned in the last post, the control module of vShield is vShield Manager, and vShield Zones is its backbone: the platform on which all the other vShield applications run.
1. Download and Install
You can download an evaluation version of vShield from VMware in OVA format. It is a 500MB OVA file; use vClient to deploy it into your VMware environment. You don't need to worry too much about where vManager runs, as it can be freely vMotioned to any host in your cluster.
Once you have imported the OVA, you can fire it up and log in with username "admin" and password "default".
Type enable in the command window and run setup.
2. Configure IP and gateway.
You should now be able to ping vManager.
3. Connect to vManager with an Internet browser
4. Restart vClient and log in
After entering the required information in vManager, you should see a new tab in vClient.
By now vShield Manager has been installed, but vZone and the other real vShield components haven't been installed on any host yet. What you have so far is merely a frame.
You can configure the other aspects now if you want.
Install vShield Zone
The next step is to install vShield Zones. vShield Zones is the basic version of vShield App and works on the same principle as vShield App.
When you deploy vShield Zones from vManager, it will ask you which host you want to install on and for a new set of IP settings for the vShield Zones VM.
Each host is bound to a new Linux VM. That VM is pinned to the host and can't be vMotioned to another host, since it talks directly to a special module running in that host, in the same way a vSwitch does.
In other words, that new VM is in charge of all filtering for that one host.
Notice: if you are running a cluster, vShield Zones will only protect VMs running on hosts which have vZone installed. For example, you have hosts A and B and VMs C and D. VM C runs on host A and VM D runs on host B. If you install vZone on host B, only VM D will be affected by the vZone settings. If you vMotion VM C from host A to host B, then VM C will be affected too.
However, if you are running a cluster (hosts A, B), installing vZone on host B alone won't protect any VM until you install vZone on all hosts in the cluster.
1. Go to the vShield tab and select a host to install on
2. Provide an IP set for the vZone VM and click Install
3. The system will deploy a new VM on that host
Apart from deploying a new VM, the install script does a couple of other things:
- Installs a new module in the host
- Modifies the vmx belonging to that host
- Creates a new vSwitch for the firewall
Let's look at a diagram to understand how it works at the logical level.
All network traffic can be thought of as taking a special detour before it reaches the VM.
At the host level we can use the VMsafe diagram to understand it, since the two share a similar structure. It is similar to VMsafe-Net but uses its own filter (vShield-dvfilter).
Management of vZone
vZone management is very similar to ISA. It is divided into multiple levels.
Hierarchy of Zones Firewall Rules
Each vShield Zones instance enforces Zones Firewall rules in top-to-bottom order. A vShield Zones instance checks each traffic session against the top rule in the Zones Firewall table before moving down to the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.
Zones Firewall rules are enforced in the following hierarchy:
1. Data Center High Precedence Rules
2. Cluster Level Rules
3. Data Center Low Precedence Rules (shown in the UI as "Rules below this level have lower precedence than cluster level rules when a datacenter resource is selected")
4. Secure Port Group Rules
5. Default Rules
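To make the ordering above concrete, here is a small Python model of how a Zones instance walks its table: rules are sorted by level, then checked top to bottom, and the first match decides the session. This is an added illustration, not code from the post or from VMware; the rule set, the VM names (VM_C, VM_D, VM_E) and the default action are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zones Firewall levels, top of the table first (order as listed in the post).
LEVEL_ORDER = ["dc_high", "cluster", "dc_low", "port_group", "default"]
RANK = {name: i for i, name in enumerate(LEVEL_ORDER)}


@dataclass
class Rule:
    level: str            # one of LEVEL_ORDER
    src: str              # VM name or "any"
    dst: str              # VM name or "any"
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in ("any", src)
                and self.dst in ("any", dst)
                and self.port in (None, port))


def build_table(rules: List[Rule]) -> List[Rule]:
    """Order rules the way a Zones instance walks them: by level, then by
    the position in which they were entered within that level (sorted() is stable)."""
    return sorted(rules, key=lambda r: RANK[r.level])


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """Top-to-bottom, first match wins; returns (action, level of the matching rule)."""
    for rule in build_table(rules):
        if rule.matches(src, dst, port):
            return rule.action, rule.level
    return "no-match", "none"   # only reached when no Default rule exists


# Constructed sample rule set, entered in arbitrary order on purpose.
SAMPLE_RULES = [
    Rule("default", "any", "any", None, "allow"),
    Rule("dc_low", "VM_C", "VM_D", None, "deny"),      # never hit: shadowed by the cluster rule
    Rule("port_group", "any", "VM_D", 443, "allow"),
    Rule("cluster", "VM_C", "VM_D", None, "allow"),
    Rule("dc_high", "any", "any", 23, "deny"),          # wins over every lower level
]

if __name__ == "__main__":
    for s, d, p in [("VM_C", "VM_D", 80), ("VM_C", "VM_D", 23),
                    ("VM_E", "VM_D", 443), ("VM_E", "VM_D", 22)]:
        print(f"{s} -> {d}:{p}", evaluate(SAMPLE_RULES, s, d, p))
```

The dc_low deny for VM_C to VM_D is fully shadowed by the cluster allow, which is exactly the case the UI note on level 3 warns about.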
A few things you need to know:
1. Make sure vManager and the vZone VMs can all ping each other.
2. If you are using a cluster, make sure vZone is installed on all hosts.
3. Uninstalling vZone involves a host restart!
4. No restart is involved when you install vZone on a host.
5. The vZone VM can't be vMotioned.
6. How much overhead vShield will consume in production is unknown.
7. How much impact vShield has on network traffic is unknown.
vShield Administration Guide