Hi there,
It's been a week since I've been trying to play with vShield with vNDS.
Although I have followed the administration guide word by word, my protected VMs aren't able to communicate with the rest of the network.
What seems strange to me is that in a normal vSwitch environment, u0 is still bound to the original vSwitch, linked to a physical interface.
But if you look at the vNDS procedure, u0 and p0 are connected to the cloned vNDS, with no physical adapter bound ... so maybe I'm missing something, or there is something weird here.
So has someone managed to fully configure vShield with vNDS, and if so, could you help me please :)?
Thanks a lot,
I believe this might be an issue with the documentation not being clear in the summarized procedure listed at the bottom of page 32 of the Administration Guide. Specifically step #2, which makes it sound like both the Protected and Unprotected port groups should be created on the same vDS. Steps 1 through 4 (pages 32 and 34) are only a summary of what needs to be done and only list the steps in a very generalized manner.
The detailed steps begin on page 33:
-Creating the second vDS (the protected side): page 33
-Creating the protected dvPort Group in the second/protected vDS: page 33
-Creating the unprotected dvPort Group in the existing (unprotected) vDS. This is the one with the physical NIC(s): page 34
In the end the insertion is very similar to the legacy vSwitch one: two virtual switches bridged by the vShield, where the outside/unprotected switch has the uplink (physical NIC) and the inside/protected switch does not.
Well,
I have followed the guide step by step; the icons on the VMs placed on their new port group are green, but they are neither "checked" nor does the exclamation mark appear in the vShield Manager view.
And if I select the VM, the summary says it has no connection to any vSwitch.
Here is my final config:
vNDS1 => 1 pnic - old VM pg - unprotected pg
vNDS2=> 0 pnic - protected pg - new VM pg
SC and vmk are on a normal vswitch
vShield:
u0=> unprotected pg (vNDS1)
p0=> protected pg (vNDS2)
mgmt =>old VM pg
Some test VMs are placed on the new VM pg to see if they are marked as protected. The rest of the VMs are in the old VM pg.
In fact, my "protected" VM doesn't have a network link; I cannot ping it from the old VMs pg.
It is as if the vShield instance does not forward the packets ... Is there something special to activate to enable forwarding? (I ask because I needed to do: conf t => int u0 + p0 => no shutdown to activate the interfaces.)
I see two separate issues; one is the connectivity. Other than making sure the u0/p0 NICs are enabled and placed in the correct port groups, there is nothing else that needs to be done for connectivity. The configuration seems correct, just a couple of things that were not mentioned:
Did you set the protected and unprotected port groups to 'Promiscuous Mode = Accept'? And make sure vShield NIC#2 is placed in the Protected port group and NIC#3 is in the Unprotected port group.
Once you've verified these, here are a few other connectivity related things to check:
-If you're using VLANs make sure the port groups are configured to accept VLAN traffic
-Check the vShield VM, edit settings --> NIC --> 'device status': make sure each NIC has 'Connected' and 'Connect at Power On' checked, and that the NIC is in the correct port group.
-Open a console on the vShield and log in, switch to enable mode and issue the command 'show interface'. Check to make sure interfaces u0, p0, mgmt show this status 'interface is up, line protocol is up'
The other issue is related to the protected VMs not showing as protected from the vShield Manager view when using vDS (check missing, and summary page incorrect). This is related to a bug that has been fixed and will be released with the next update. This does not affect protection, the VMs are still protected.
Hello,
Here is the information:
p0: Interface p0 is up, line protocol is up, promiscuous mode ok, NIC#2 on vNDS2.
u0: Interface u0 is up, line protocol is up, promiscuous mode ok, NIC#3 on vNDS1.
There are no VLANs; NICs are set to connected (at power on as well).
What seems weird is that under the p0 and u0 status from the command "sh int", I have Full-duplex, 0Mb/s, but for the mgmt link, it's Auto-duplex (Full), Auto-speed (1000Mb/s).
I give you the result of the GUI in attachment: I have a network link inside the VM (I can reach the DC, which is in a non-protected vSwitch), but the VM is not marked as protected; it's marked as powered off and on at the same time.
Update: I have just tried the same config with a normal vSwitch, and everything is fine ...
Did you add the ESX host to the vDS switches?
From the vSphere client, go to View > Inventory > Networking.
Select the Protected vDS and click on the Hosts tab to see the hosts that have been added to this vDS --> If none are listed, you then have to switch to the Configuration tab and click on Add Host.
Yes, the ESX host has been added to the vSwitch. I tried to create a VMWall rule to log ICMP packets and it's working. So I think the problem is just the VM that is not checked from the manager view. However, is it normal that u0 and p0 cannot be set to any duplex and speed from the vShield CLI (#vs1-> conf t -> int u0 -> duplex full speed 1000 -> error)? And that the speed is set to 0 MB/s (result from the command show int)?
Thank you for your precious help.
Hi,
I have the same problem: the configuration is exactly like in the documentation, but the VMs don't get any network connection.
It seems as if the vShield VM actually doesn't recognize that it is on a switch. Do you have to tell it somewhere which switch it is on?
In a situation where you have vNDS, do you need to configure one vShield VM for every ESX host connected to the vNDS?
I have included the "error" message from the vShield plugin.
Thanks for the help
Harro,
The screenshot is related to the issue that I explained above, this is an existing issue with how it shows up in the GUI which will be fixed in the next update. However, this does not affect functionality, it will not block traffic from reaching your VMs and it does not prevent vShield Zones from firewalling your VMs.
Can you confirm whether the issue you are seeing is only what is reported in the screenshot, or is it also that you cannot reach the protected VMs? If you are not able to reach the VMs at all, I would recommend you check the following connectivity-related configs (best to have the admin guide in hand and review the vDS install steps):
-Is there a protected port group in the protected vDS (this would be the one without a physical NIC attached to it)? Does the port group have Promiscuous Mode set to Accept?
-The VMs to protect should be on a separate port group in the protected vDS. Do NOT place the VMs in the protected port group (the one with promiscuous mode).
-Is there an unprotected port group in the unprotected vDS (this one has a physical NIC)? Does it have Promiscuous Mode set to Accept?
-Are the vShield NICs assigned to the correct port groups: NIC1=Management, NIC2=Protected port group, NIC3=Unprotected pg
-Are the vShield NICs enabled? Check the vShield VM, edit settings --> NIC --> 'device status': make sure each NIC has 'Connected' and 'Connect at Power On' checked.
-Open a console on the vShield and log in, switch to enable mode and issue the command 'show interface'. Check to make sure interfaces u0, p0, mgmt show this status 'interface is up, line protocol is up'
-If you're using VLANs make sure the port groups are configured to accept VLAN traffic
Hope this helps.
Thanks!
Harro,
Hello nik-o
Has your issue been resolved? If not, please take a look at my setup and configuration:
My setup is:
The p0 and u0 of vShield VM connection is:
p0 --> dvportgroup1 on vNDS2
u0 --> dvportgroup2 on vNDS1
Protected VMs --> dvportgroup3 on vNDS2
vNDS uplink NICs connection:
vNDS1 has physical uplink NICs,
vNDS2 has no uplink NICs
VLAN setting:
dvportgroup3 --> vlan 21
dvportgroup1 --> vlan trunking 21
dvportgroup2 --> vlan trunking 21
At first, my protected VMs were not pingable from my unprotected VMs; it's because I didn't configure VLAN trunking on the dvportgroups "dvportgroup1" and "dvportgroup2".
After I set trunking VLAN on these two dvportgroups, my protected VMs are pingable from the unprotected VMs.
Hope this info resolves your issue.
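The checklist in the reply above (two vDS bridged by the vShield, promiscuous bridge port groups, protected VMs in their own port group) and the VLAN trunking fix in this post can be turned into an offline sanity check. The following is an added example, not code from the thread or from VMware: it runs over a constructed model of the layout (the names dvportgroup1/2/3, vNDS1/vNDS2 and VLAN 21 come from the post; the VM name and uplink counts are made up) and makes no vCenter calls.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class PortGroup:
    name: str
    switch: str                   # vDS the dvPortgroup lives on
    promiscuous: bool = False     # Promiscuous Mode = Accept on the port group
    vlan: int | None = None       # access VLAN of the port group (None = untagged)
    trunk: set = field(default_factory=set)  # VLAN IDs carried when trunking

def check_insertion(uplinks, portgroups, vshield_nics, protected_vms):
    """uplinks: {vds name: physical NIC count}; vshield_nics: {"p0": pg, "u0": pg};
    protected_vms: {vm: pg}.  Returns findings; an empty list means it passes."""
    pg = {p.name: p for p in portgroups}
    p_pg, u_pg = pg[vshield_nics["p0"]], pg[vshield_nics["u0"]]
    findings = []
    # 1. Two vDS bridged by the vShield; only the unprotected side has uplinks.
    if p_pg.switch == u_pg.switch:
        findings.append("p0 and u0 are on the same vDS")
    if uplinks[p_pg.switch]:
        findings.append(f"protected vDS {p_pg.switch} has a physical uplink")
    if not uplinks[u_pg.switch]:
        findings.append(f"unprotected vDS {u_pg.switch} has no physical uplink")
    # 2. Both bridge port groups must have Promiscuous Mode = Accept.
    for nic, g in (("p0", p_pg), ("u0", u_pg)):
        if not g.promiscuous:
            findings.append(f"{nic} port group {g.name} is not promiscuous")
    # 3. Protected VMs live in their own port group on the protected vDS,
    #    never in the p0 port group; 4. their VLAN must cross both bridge pgs.
    for vm, name in protected_vms.items():
        g = pg[name]
        if g is p_pg:
            findings.append(f"{vm} is in the p0 port group itself")
        elif g.switch != p_pg.switch:
            findings.append(f"{vm} is not on the protected vDS")
        for nic, b in (("p0", p_pg), ("u0", u_pg)):
            if g.vlan is not None and g.vlan != b.vlan and g.vlan not in b.trunk:
                findings.append(f"{nic} pg {b.name} does not carry VLAN {g.vlan}")
    return findings

def carlos_findings(trunking: bool) -> list:
    """Constructed model of the VLAN 21 layout from the thread, with and
    without the trunk ranges on dvportgroup1/dvportgroup2."""
    carried = {21} if trunking else set()
    pgs = [PortGroup("dvportgroup1", "vNDS2", promiscuous=True, trunk=carried),
           PortGroup("dvportgroup2", "vNDS1", promiscuous=True, trunk=carried),
           PortGroup("dvportgroup3", "vNDS2", vlan=21)]
    nics = {"p0": "dvportgroup1", "u0": "dvportgroup2"}
    return check_insertion({"vNDS1": 2, "vNDS2": 0}, pgs, nics, {"vm-a": "dvportgroup3"})
```

Without the trunk ranges the check reports that neither bridge port group carries VLAN 21, which is exactly the symptom described in the post; with them it returns no findings.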
Hi carlos,
I'm using vSphere 4.1, and I configured my environment as you have described, but the problem still exists. In addition, there are another two interfaces in my vShield Agent, c0 and d0, and the MAC address of vNIC2 is the HWaddress of d0 rather than p0, while the MAC address of vNIC3 is the HWaddress of c0 rather than u0; does it matter? The result of "show interface" is like the screenshot in the attachment.
Thanks a lot.
Hello,
Moved to the vShield forum.
Best regards,
Edward L. Haletky
Communities Moderator, VMware vExpert,
Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition
Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf