Sep 30

vShield for Dummies vSphere 4.1

Category: vSphere

Finally, I spent my whole day in the office just to test the latest vShield on vSphere 4.1 and, to be honest, there is not much difference in the setup compared to the previous release. The challenge now is that vShield is installed and configured within a Virtual Network Distributed Switch (vNDS) instead of a vSwitch. Unlike vShield + vSwitch, which can be configured automatically using the wizard, the vShield configuration for a Virtual Network Distributed Switch (vNDS) requires us to do it manually. However, for those who still want to know how to install and configure vShield for vSwitch, please refer to my previous post here.

Since this howto is ONLY for dummies, I’ll try to make all the steps as simple as possible and easy for you to understand. However, for a better and deeper explanation, I advise you to go through the vShield documentation in full.

A. Minimum requirements

These are my minimum requirements, and they work very well with my current setup :-

  • 1x ESXi 4.1
  • 1x vCenter 4.1
  • vShield installer (.iso image or zip)
  • 1x IP for vShield Manager (vSM)
  • 1x IP for vShield Agent (vSA)
  • 1x vNDS + Port Group (protected) with 1x vmnic
  • 1x vNDS + Port Group (unprotected) without vmnic

My Setup will be :-

  • vSM management port group = vsmgmt
  • vNDS1 = dvDMZ
  • Protected Port Group = secDMZ
  • vNDS2 = dvDMZ2
  • Unprotected Port Group = insecDMZ

NOTES : vSHIELD INSTALL/CONFIGURE for vNDS WILL REQUIRE DOWNTIME

B. STEPS

I summarized all the steps as below :-

  • Network Configuration for vShield
  • Deploy & Configure vShield Manager
  • Deploy vShield Agent
  • Setup vShield Agent
  • Add vShield Agent to vShield Manager
  • VMNIC migration

Once everything is ready (ESXi, vCenter), you can proceed with the installation as below :-

B.1 Network Configuration for vShield

The objective is to have the vSM port group, a second vNDS and 2x port groups :-

  • Create “vsmgmt” port group (I’ve created this on legacy vSwitch)
  • Create 1st vNDS (dvDMZ)
  • Create port group (secDMZ) - protected - vmnic1
  • Create 2nd vNDS (dvDMZ2)
  • Create port group (insecDMZ) - unprotected - without vmnic

Notes : vNDS1 (with vmnic) & vNDS2 (no vmnic)


B.2 Deploy & Configure vShield Manager

You can perform these steps exactly as you would for vSwitch :-

  • Double click vShield installer (Extract)
  • Deploy vSM (do from vi-client)
  • Once finished, edit the vSM network & point it to the “vsmgmt” PG
  • Power on
  • login user=admin & password=default
  • run command $setup
  • configure IP

Notes : I put vShield Manager under the legacy vSwitch, but a vNDS PG is also workable


B.3 Deploy vShield Agent

  • Deploy vShield Agent OVF (vi-client)
  • Edit network setting for vSA
  • Power on vSA

Notes : Remember the vSA must be able to ping the vSM, and the virtual network settings for the vSA must be in the correct order :-

  • VSmgmt -> vsmgmt - nic1
  • Protected -> secDMZ - nic2
  • Unprotected -> insecDMZ - nic3


B.4 Setup vShield Agent

These steps will activate the protected (p0) and unprotected (u0) vSA interfaces :-

  • run $setup
  • configure IP
  • run $exit
  • login back
  • try ping gateway
  • run $enable & give password (default)
  • run $configure terminal
  • run $interface p0
  • run $no shutdown -> activate p0 interface
  • run $interface u0
  • run $no shutdown -> activate u0 interface
  • exit session

Notes : Make sure you are able to ping the gateway or the vSM at least.


B.5 Add vShield Agent to vShield Manager

  • login to vSM https://ipaddress
  • enter vCenter info
  • Click “settings & reports” (left pane)
  • Click “manual Install” tab (right pane)
  • give vShield agent information
  • shutdown vSA

Notes : Shutting down the vSA is necessary to avoid network connection issues during the next step.


B.6 VMNIC Migration

The objective is to move the vmnic from the protected to the unprotected vNDS :-

  • Click ESX
  • Click “Configuration” Tab
  • Click “Networking”
  • Go to “dvDMZ”
  • Click “Manage Physical Adapter”
  • Click “remove” vmnic1
  • Go to “dvDMZ2”
  • Click “Manage Physical Adapter”
  • Click “add” vmnic1

Power the vSA back on. From here onward, you can move all the virtual machines you want to protect to the protected port group (secDMZ) and monitor, manage and configure the firewall for all VM traffic from vShield Manager.
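Added example (my own, not code from the original post): a small Python check of the layout described in B.3 and B.6, which catches the case where vmnic1 is left on the protected vNDS so that secDMZ VMs bypass the vSA. It runs on a hand-built inventory dict standing in for data you would pull from vCenter; the names dvDMZ, dvDMZ2, secDMZ, insecDMZ, vsmgmt and vmnic1 come from this post, while the dict shape and the function name check_topology are my assumptions.

```python
# Inventories below are constructed for this example, not real vCenter output.
EXPECTED_VSA_NICS = [("nic1", "vsmgmt"), ("nic2", "secDMZ"), ("nic3", "insecDMZ")]

# Layout at the end of B.5: vmnic1 still on dvDMZ, vSA shut down.
BEFORE_MIGRATION = {
    "dvs": {"dvDMZ": {"uplinks": ["vmnic1"], "portgroups": ["secDMZ"]},
            "dvDMZ2": {"uplinks": [], "portgroups": ["insecDMZ"]}},
    "vsa": {"powered_on": False, "nics": list(EXPECTED_VSA_NICS)},
}

# Layout after B.6: vmnic1 moved to dvDMZ2, vSA powered on again.
AFTER_MIGRATION = {
    "dvs": {"dvDMZ": {"uplinks": [], "portgroups": ["secDMZ"]},
            "dvDMZ2": {"uplinks": ["vmnic1"], "portgroups": ["insecDMZ"]}},
    "vsa": {"powered_on": True, "nics": list(EXPECTED_VSA_NICS)},
}


def check_topology(inv, stage):
    """Return a list of problems for stage 'before' or 'after' vmnic migration."""
    problems = []
    protected, unprotected = inv["dvs"]["dvDMZ"], inv["dvs"]["dvDMZ2"]
    if "secDMZ" not in protected["portgroups"]:
        problems.append("secDMZ port group missing from dvDMZ")
    if "insecDMZ" not in unprotected["portgroups"]:
        problems.append("insecDMZ port group missing from dvDMZ2")
    # B.3: the vSA adapters must map mgmt, protected, unprotected in that order
    if inv["vsa"]["nics"] != EXPECTED_VSA_NICS:
        problems.append("vSA NIC order %r differs from %r"
                        % (inv["vsa"]["nics"], EXPECTED_VSA_NICS))
    if stage == "before":
        if protected["uplinks"] != ["vmnic1"] or unprotected["uplinks"]:
            problems.append("vmnic1 must be on dvDMZ and dvDMZ2 must have no uplink yet")
        if inv["vsa"]["powered_on"]:
            problems.append("shut down the vSA before moving vmnic1 (B.5 note)")
    else:
        # Security invariant: with no uplink on dvDMZ, VMs on secDMZ can only reach
        # the physical network through the vSA. A leftover uplink bypasses it.
        if protected["uplinks"]:
            problems.append("dvDMZ still has uplinks %r: secDMZ VMs can bypass the vSA"
                            % protected["uplinks"])
        if "vmnic1" not in unprotected["uplinks"]:
            problems.append("vmnic1 is not attached to dvDMZ2")
        if not inv["vsa"]["powered_on"]:
            problems.append("power the vSA back on after the migration")
    return problems
```

Run check_topology(BEFORE_MIGRATION, "before") before step B.6 and check_topology(AFTER_MIGRATION, "after") afterwards; an empty list means the layout matches the post.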


athlon_crazy 01/10/10 1:21AM
