Hi,
I am trying to complete the initial configuration of vShield Edge but having problems finding documentation that covers the initial configuration. Seems to be a hole in the documentation provided here. My vSphere version is 5 and ESXi version is 4.1 update 2.
I have vShield Manager deployed, vShield app installed on my host, and vShield edge installed on my network.
NOW WHAT? haha
My end goal is to be able to create port group isolations to be able to segregate groups of VMs from being able to talk to each other.
Also I want to use the firewall, VPN, and load balancer
I am a little lost on what to do next.
Thank you for all your help.
hypercloud wrote:
Hi,
I am trying to complete the initial configuration of vShield Edge but having problems finding documentation that covers the initial configuration. Seems to be a hole in the documentation provided here. My vSphere version is 5 and ESXi version is 4.1 update 2.
I have vShield Manager deployed, vShield app installed on my host, and vShield edge installed on my network.
NOW WHAT? haha
My end goal is to be able to create port group isolations to be able to segregate groups of VMs from being able to talk to each other.
Also I want to use the firewall, VPN, and load balancer
I am a little lost on what to do next.
Thank you for all your help.
Portgroup isolation can be done using vShield Manager.
Firewall: where are you planning to use it?
Load balancer?
Firewall will be used for individual VMs in a security group or for the security group as a whole.
Load balancing will be used between VMs in a security group only.
VPN will be used for the security group as a whole.
I hope that is enough information.
Hi
You are right, you need vShield Edge to do the port-group isolation.
1. Compatibility -- vShield Edge 5.0.1 works with ESXi 4. [Check -- http://www.vmware.com/resources/compatibility/sim/interop_matrix.php]
2. For Edge Installation. [Assuming vShield Manager is configured and registered to VC, and the vShield plug-in is registered]
Just Select the port-group from the vSphere Networking View
- Define Internal/External network Settings + Deployment location for edge appliance
- After edge installation you can configure firewall, VPN & load-balancer.
For details refer to:
# Quick Start Guide for Edge Installation - Page 26 [https://www.vmware.com/pdf/vshield_501_quickstart.pdf]
# Admin Guide for vShield Edge Management - Page 35 [https://www.vmware.com/pdf/vshield_501_admin.pdf]
If you get stuck at any particular point, do share.
HTH
Thank you for reply.
I am redoing my test environment but was wondering, if I need vShield App at all to achieve these things?
I will let you know how edge configuration goes.
Based on my understanding of your requirements vShield App is not required.
In simple words:
vShield App is a vNIC-level firewall & needs to be installed on all hosts.
& vShield Edge is an interface/portgroup-level firewall where traffic direction also needs to be defined (inbound/outbound).
Thanks again for the info.
I don't see any way to set up port group or group isolation with vShield Edge only.
When I try to make a firewall rule I cannot select a port group or group, only IP addresses, subnet or range. I must be missing something here.
Also is this possible to do without using a vDS?
Yes, you can install vShield Edge on a port group, vNetwork Distributed Switch (vDS) port group, or a Cisco® Nexus 1000V.
For details: check these free courses:
VMware vShield Fundamentals [V5.X]
http://mylearn.vmware.com/mgrreg/courses.cfm?ui=www_edu&a=one&id_subject=31783
http://mylearn.vmware.com/mgrreg/courses.cfm?ui=www_edu&a=one&id_subject=31786
I just found those courses this morning. They were helpful but it seems the environment I inherited is not Enterprise so I cannot create vDSs. Sux!
I also cannot do isolation with vlans. Is there another way besides vlans?
Thank you
My issue is that I cannot use VLANs. Any other way to do this?
You need isolation at layer 2, which can be achieved by VLAN only in a vSphere / enterprise environment.
Edge acts as a router between two portgroups; unless the packets reach the Edge interface, no blocking/firewall is possible.
On a side note:
In VCD (vCloud Director) isolation is done via VCDNI but not in vSphere 5.x.
This is the only error in the logs that I can find.