Re: Configuring vShield Edge 5.0.1

hypercloud · ‎06-04-2012

Hi,

I am trying complete the initial configuration of vShield Edge but having problems finding documentation that covers the initial configuration. Seems to be a hole in the documentation provided here. My vSphere version is 5 and ESXi version is 4.1 update 2.

I have vShield Manager deployed, vShield app installed on my host, and vShield edge installed on my network.

NOW WHAT? haha

My end goal is to be able to create port group isolations to be able to segragate groups of VMs from being able to talk to each other.

Also I want to use the firewall, VPN, and load balancer

I am a little lost on what to do next.

Thank you for all your help.

beckham007fifa · ‎06-04-2012

hypercloud wrote:
Hi,
I am trying complete the initial configuration of vShield Edge but having problems finding documentation that covers the initial configuration. Seems to be a hole in the documentation provided here. My vSphere version is 5 and ESXi version is 4.1 update 2.
I have vShield Manager deployed, vShield app installed on my host, and vShield edge installed on my network.
NOW WHAT? haha
My end goal is to be able to create port group isolations to be able to segragate groups of VMs from being able to talk to each other.
Also I want to use the firewall, VPN, and load balancer
I am a little lost on what to do next.
Thank you for all your help.

Portgroup isolation can be done using vshield manager.

Firewall: where are you planing to use.

Load balancer?

Regards, ABFS

hypercloud · ‎06-05-2012

Firewall will be used for individual VMs in a security group or for the security group as a whole.

Load balancing will be used between VMs in a security group only.

VPN will be used for the security group as a whole.

I hope that is enough information.

sorabhk5 · ‎06-05-2012

Hi

You are right, you need vShield Edge to do the port-group isolation.

1. Compatability -- vShield Edge 5.0.1 works with ESXi 4. [ Check -- http://www.vmware.com/resources/compatibility/sim/interop_matrix.php]

2. For Edge Installation. [Assuming Shield Manager is configured and to VC & vShield plug-in is registered]

Just Select the port-group from the vSphere Networking View

- Define Internal/External network Settings + Deployment location for edge appliance

- After edge installation you can configure firewall, VPN & load-balancer.

For details refer to:

# Quick Start Guide for Edge Installation - Page 26 [https://www.vmware.com/pdf/vshield_501_quickstart.pdf]

# Admin Guide for vShield Edge Managment - Page 35 [https://www.vmware.com/pdf/vshield_501_admin.pdf]

If you get stuck at any particular point, do share.

HTH

All opinions expressed here are my personal opinions and not of my employer. Thanks #Sorabh [[ http://sorabhk5.in or @sorabhk5 ]]

hypercloud · ‎06-06-2012

Thank you for reply.

I am redoing my test environment but was wondering, if I need vShield App at all to achieve these things?

I will let you know how edge configuration goes.

sorabhk5 · ‎06-06-2012

Based on my understanding of your requirements vShield App is not required.

In simple words:

vShield APP is vNic level firewall & need to be installed on all hosts.

& VShield Edge is interface/portgroup level firewall where traffic direction also needs to be defined (inbound/outbound).

All opinions expressed here are my personal opinions and not of my employer. Thanks #Sorabh [[ http://sorabhk5.in or @sorabhk5 ]]

hypercloud · ‎06-07-2012

Thanks again for the info.

I dont see anyway to setup port group or group isoloation with vshield Edge only.

When I try to make a firewall rule I cannot select a port group or group, only IP addresses, subnet or range. I must be missing something here.

hypercloud · ‎06-11-2012

Also is this possible to do without using a vDS?

sorabhk5 · ‎06-11-2012

Yes, you can install vShield Edge on a port group, vNetwork Distributed Switch (vDS) port group, or a Cisco® Nexus 1000V.

For details: check these free courses:

VMware vShield Fundamentals [V5.X]

http://mylearn.vmware.com/mgrreg/courses.cfm?ui=www_edu&a=one&id_subject=31783

VMware vShield Edge Fundamentals [V5.X]

http://mylearn.vmware.com/mgrreg/courses.cfm?ui=www_edu&a=one&id_subject=31786

All opinions expressed here are my personal opinions and not of my employer. Thanks #Sorabh [[ http://sorabhk5.in or @sorabhk5 ]]

hypercloud · ‎06-11-2012

I just found those course this morning. They were helpful but seems the environment I inherited is not Enterprise so I cannot create vDSs. Sux!

I also cannot do isolation with vlans. Is there another way besides vlans?

Thank you

hypercloud · ‎06-14-2012

My issue is that i cannot use vlans. Any other way to do this?

sorabhk5 · ‎06-14-2012

You need isolation at layer 2 that can be achieved by VLAN only in vSphere / enterprise environment.

Edge act as a router between two portgroups unless the packets reach edge interface no blocking/firewall is possible.

On a side note:

In VCD (vCloud Director) isolation is done via VCDNI but not in vSphere 5.x.

All opinions expressed here are my personal opinions and not of my employer. Thanks #Sorabh [[ http://sorabhk5.in or @sorabhk5 ]]

hypercloud · ‎06-24-2012

This is the only error in the logs that I can find.

Error 2012-06-25 02:52:43.186 GMT EdgeApplianceManager deployEdgeAppliance 246: error while deploying edge::

EXCEPTION: com.bluelane.vfc.edge.exception.VseGenericErrorException,

MESSAGE: Unable to create vShield Edge Virtual machine. This is a vCenter Server operation and might fail due to intermittent communication failure with vCenter Server or system unresponsiveness. Please check vCenter Server Tasks for details

at com.bluelane.vfc.deploy.EdgeApi.deployNewEdge(EdgeApi.java:754)

at com.bluelane.vfc.deploy.EdgeApi.createEdgeDevice(EdgeApi.java:438)

at com.bluelane.vfc.edge.EdgeApplianceManager.deployEdgeAppliance(EdgeApplianceManager.java:1242)

at com.bluelane.vfc.edge.BulkManager.config(BulkManager.java:304)

at com.bluelane.vfc.edge.EdgeApplianceManagerV2.install(EdgeApplianceManagerV2.java:76)

at com.bluelane.vfc.edge.VseService.installEdge(VseService.java:374)

at com.bluelane.presentation.edge.EdgeAppV2$1.run(EdgeAppV2.java:118)

at java.lang.Thread.run(Unknown Source)