VMware Cloud Community
nik-O
Contributor

Distributed vSwitches with vShield Zones

Hi there,

It's been a week since I've tried to play with vShield with vNDS.

Although I have followed the administration guide word by word, my protected VMs aren't able to communicate with the rest of the network.

What seems strange to me is that in a normal vSwitch environment, the u0 is still bound to the original vSwitch, linked to a physical interface.

But if you look at the vNDS procedure, u0 and p0 are connected to the cloned vNDS, with no physical adapter bound... so maybe I'm missing something or there is something weird here :)

So has someone managed to fully configure vShield with vNDS, and if so, could you help me please? :)

Thanks a lot,


Accepted Solutions
carlosVSZ
VMware Employee

I believe this might be an issue with the documentation not being clear in the summarized procedure listed at the bottom of page 32 of the Administration Guide. Specifically step #2, which makes it sound like both the Protected and Unprotected port groups should be created on the same vDS. Steps 1 through 4 (pages 32 and 34) are only a summary of what needs to be done and only list the steps in a very generalized manner.

The detailed steps begin on page 33:

- Creating the second vDS (the protected side): page 33

- Creating the protected dvPort Group in the second/protected vDS: page 33

- Creating the unprotected dvPort Group in the existing (unprotected) vDS. This is the one with the physical NIC(s): page 34

In the end the insertion is very similar to the legacy vSwitch case: two virtual switches bridged by the vShield, where the outside/unprotected switch has the uplink (physical NIC) and the inside/protected switch does not.

nik-O
Contributor

Well,

I have followed the guide step by step; the icons of the VMs placed on their new portgroup are green, but they are neither "checked" nor is the exclamation mark present in the vShield Manager view.

And if I select the VM, the summary says it has no connection to any vSwitch.

Here is my final config:

vNDS1 => 1 pnic - old VM pg - unprotected pg

vNDS2 => 0 pnic - protected pg - new VM pg

SC and vmk are on a normal vSwitch

vShield:

u0=> unprotected pg (vNDS1)

p0=> protected pg (vNDS2)

mgmt => old VM pg

Some test VMs are placed on the new VM pg to see if they are marked as protected. The rest of the VMs are in the old VM pg.

In fact, my "protected" VM doesn't have a network link; I cannot ping it from the old VM pg.

It's as if the vShield instance does not forward the packets... Is there something special to activate to enable forwarding? (I ask because I needed to do conf t => int u0 + p0 => no shutdown to activate the interfaces.)

carlosVSZ
VMware Employee

I see two separate issues, one is the connectivity. Other than making sure the u0/p0 NICs are enabled and placed in the correct port groups there is nothing else that needs to be done for connectivity. The configuration seems correct, just a couple of things that were not mentioned:

Did you set the protected and unprotected port groups to 'Promiscuous Mode = Accept'? And make sure vShield NIC#2 is placed in the Protected port group and NIC#3 is in the Unprotected port group.

Once you've verified these, here are a few other connectivity related things to check:

- If you're using VLANs, make sure the port groups are configured to accept VLAN traffic.

- Check the vShield VM, Edit Settings --> NIC --> 'Device status': make sure each NIC has 'Connected' and 'Connect at Power On' checked, and that the NIC is in the correct port group.

- Open a console on the vShield and log in, switch to enable mode and issue the command 'show interface'. Check to make sure interfaces u0, p0 and mgmt show the status 'interface is up, line protocol is up'.

The other issue is related to the protected VMs not showing as protected from the vShield Manager view when using vDS (check missing, and summary page incorrect). This is related to a bug that has been fixed and will be released with the next update. This does not affect protection, the VMs are still protected.

nik-O
Contributor

Hello,

Here is the information:

p0: Interface p0 is up, line protocol is up, promiscuous mode OK, NIC#2 on vNDS2.

u0: Interface u0 is up, line protocol is up, promiscuous mode OK, NIC#3 on vNDS1.

There are no VLANs; NICs are set to connected (at power on as well).

What seems weird is that under the p0 and u0 status from the command "sh int", I have Full-duplex, 0Mb/s, but for the mgmt link it's Auto-duplex (Full), Auto-speed (1000Mb/s).

I give you the result of the GUI in attachment: I have a network link inside the VM (I can reach the DC, which is on a non-protected vSwitch), but the VM is not marked as protected; it's marked as powered off and on at the same time :(

Update: I have just tried the same config with a normal vSwitch; everything is fine...

carlosVSZ
VMware Employee

Did you add the ESX host to the vDS switches?

From the vSphere client, go to View > Inventory > Networking.

Select the Protected vDS and click on the Hosts tab to see the hosts that have been added to this vDS --> If none are listed, you then have to switch to the Configuration tab and click on Add Host.

nik-O
Contributor

Yes, the ESX has been added to the vSwitch. I tried to create a VMWall rule to log ICMP packets and it's working. So I think the problem is just the VM that is not checked from the manager view. However, is it normal that u0 and p0 cannot be set to any duplex and speed from the vShield CLI (#vs1 -> conf t -> int u0 -> duplex full speed 1000 -> error)? And that the speed is set to 0 MB/s (result from the command show int)?

Thank you for your precious help.

hnehlsen
Enthusiast

Hi,

I have the same problem: the configuration is exactly like in the documentation, but the VMs don't get any network connection.

It seems as if the vShield VM actually doesn't recognize that it is on a switch. Do you have to tell it somewhere which switch it is on?

In a situation where you have vNDS, do you need to configure one vShield VM for every ESX host connected to the vNDS?

I have included the "error" message from the vShield plugin.

Thanks for the help

Harro :)

carlosVSZ
VMware Employee

The screenshot is related to the issue that I explained above. This is an existing issue with how it shows up in the GUI, which will be fixed in the next update. However, this does not affect functionality: it will not block traffic from reaching your VMs and it does not prevent vShield Zones from firewalling your VMs.

Can you confirm whether the issue you are seeing is only what is reported in the screenshot, or is it also that you cannot reach the protected VMs? If you are not able to reach the VMs at all, I would recommend you check the following connectivity-related configs (best to have the admin guide in hand and review the vDS install steps):

- Is there a protected port group in the protected vDS (this would be the one without a physical NIC attached to it)? Does the port group have Promiscuous Mode set to Accept?

- The VMs to protect should be on a separate port group in the protected vDS. Do NOT place the VMs in the protected port group (the one with promiscuous mode).

- Is there an unprotected port group in the unprotected vDS (this one has a physical NIC)? Does it have Promiscuous Mode set to Accept?

- Are the vShield NICs assigned to the correct port groups: NIC1 = Management, NIC2 = Protected port group, NIC3 = Unprotected pg?

- Are the vShield NICs enabled? Check the vShield VM, Edit Settings --> NIC --> 'Device status': make sure each NIC has 'Connected' and 'Connect at Power On' checked.

- Open a console on the vShield and log in, switch to enable mode and issue the command 'show interface'. Check to make sure interfaces u0, p0 and mgmt show the status 'interface is up, line protocol is up'.

- If you're using VLANs, make sure the port groups are configured to accept VLAN traffic.

Hope this helps.

hnehlsen
Enthusiast

Thanks!

Harro :)
admin
Immortal

Hello nik-O,

Has your issue been resolved? If not, please take a look at my setup and configuration:

My setup is:

The p0 and u0 of vShield VM connection is:

p0 --> dvportgroup1 on vNDS2

u0 --> dvportgroup2 on vNDS1

Protected VMs --> dvportgroup3 on vNDS2

vNDS uplink NICs connection:

vNDS1 has physical uplink NICs,

vNDS2 has no uplink NICs

VLAN setting:

dvportgroup3 --> vlan 21

dvportgroup1 --> vlan trunking 21

dvportgroup2 --> vlan trunking 21

At first, my protected VMs were not pingable from my unprotected VMs; it's because I didn't configure VLAN trunking on the dvportgroups "dvportgroup1" and "dvportgroup2".

After I set trunking VLAN on these two dvportgroups, my protected VMs are pingable from the unprotected VMs.

Hope this info resolves your issue.

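As an added example (not code from this thread or from VMware), the PowerCLI script below audits the vDS layout that carlosVSZ's checklist and admin's VLAN post describe: the unprotected vDS owns the physical uplink and the protected vDS has none, hosts are added to the protected vDS, the two bridging port groups accept promiscuous mode, the vShield NICs sit in the right port groups and are connected, workloads are not placed on the bridging port group, and any VLAN tag on the workload port group is trunked by both bridging port groups. It assumes PowerCLI 5.1 or later (the VDS cmdlets postdate this thread) and an open Connect-VIServer session; every switch, port group and VM name is a placeholder taken from the descriptions above.

```powershell
# Added example, not code from the thread or from VMware: PowerCLI audit of the
# vShield Zones vDS layout. Assumes PowerCLI 5.1+ (VDS cmdlets) and an existing
# Connect-VIServer session. All names below are placeholders.
param(
    [string]$UnprotectedVds = 'vNDS1',           # the vDS that owns the physical uplink(s)
    [string]$ProtectedVds   = 'vNDS2',           # the cloned vDS, must have no uplink
    [string]$UnprotectedPg  = 'unprotected pg',  # vShield u0 / NIC#3 lives here
    [string]$ProtectedPg    = 'protected pg',    # vShield p0 / NIC#2 lives here
    [string]$ProtectedVmPg  = 'new VM pg',       # where the protected workloads sit
    [string]$VShieldVm      = 'vshield-zones-01' # placeholder vShield VM name
)

$findings = New-Object System.Collections.Generic.List[string]

function Get-UplinkNicCount {
    param([string]$VdsName)
    # Count uplink ports that actually have a physical NIC bound to them.
    $vds = Get-VDSwitch -Name $VdsName
    return @(Get-VDPort -VDSwitch $vds -Uplink | Where-Object { $_.ConnectedEntity }).Count
}

function Get-VlanSpec {
    param($Portgroup)
    # Read the VLAN policy through the vSphere API object so that single-VLAN
    # and trunk port groups are handled the same way.
    $vlan = $Portgroup.ExtensionData.Config.DefaultPortConfig.Vlan
    if (-not $vlan) { return @{ Type = 'Other' } }
    switch ($vlan.GetType().Name) {
        'VmwareDistributedVirtualSwitchVlanIdSpec'    { return @{ Type = 'Vlan';  Id = $vlan.VlanId } }
        'VmwareDistributedVirtualSwitchTrunkVlanSpec' { return @{ Type = 'Trunk'; Ranges = $vlan.VlanId } }
        default                                        { return @{ Type = 'Other' } }
    }
}

function Test-TrunkCarriesVlan {
    param($Spec, [int]$VlanId)
    # True when the trunk's numeric ranges include the given VLAN id.
    if ($Spec.Type -ne 'Trunk') { return $false }
    return [bool]($Spec.Ranges | Where-Object { $_.Start -le $VlanId -and $_.End -ge $VlanId })
}

# 1. Uplinks: the unprotected vDS needs a pNIC, the protected vDS must have none.
if ((Get-UplinkNicCount $UnprotectedVds) -eq 0) { $findings.Add("$UnprotectedVds has no physical uplink") }
if ((Get-UplinkNicCount $ProtectedVds) -gt 0)  { $findings.Add("$ProtectedVds has a physical uplink; it must not") }

# 2. The ESX host(s) must be members of the protected vDS.
$protectedSwitch = Get-VDSwitch -Name $ProtectedVds
if (-not (Get-VMHost -DistributedSwitch $protectedSwitch)) { $findings.Add("no host is added to $ProtectedVds") }

# 3. Both bridging port groups need Promiscuous Mode = Accept.
$bridgePgs = @{
    $ProtectedPg   = Get-VDSwitch -Name $ProtectedVds   | Get-VDPortgroup -Name $ProtectedPg
    $UnprotectedPg = Get-VDSwitch -Name $UnprotectedVds | Get-VDPortgroup -Name $UnprotectedPg
}
foreach ($name in $bridgePgs.Keys) {
    $policy = $bridgePgs[$name] | Get-VDSecurityPolicy
    if (-not $policy.AllowPromiscuous) { $findings.Add("$name does not accept promiscuous mode") }
}

# 4. vShield NICs: 1 = management, 2 = protected pg, 3 = unprotected pg, all connected.
$nics = @(Get-VM -Name $VShieldVm | Get-NetworkAdapter | Sort-Object Name)
if ($nics.Count -lt 3) {
    $findings.Add("$VShieldVm has $($nics.Count) NICs, expected 3")
} else {
    if ($nics[1].NetworkName -ne $ProtectedPg)   { $findings.Add("NIC#2 is on '$($nics[1].NetworkName)', expected $ProtectedPg") }
    if ($nics[2].NetworkName -ne $UnprotectedPg) { $findings.Add("NIC#3 is on '$($nics[2].NetworkName)', expected $UnprotectedPg") }
    foreach ($nic in $nics) {
        if (-not ($nic.ConnectionState.Connected -and $nic.ConnectionState.StartConnected)) {
            $findings.Add("$($nic.Name) is not Connected / Connect at Power On")
        }
    }
}

# 5. Workloads belong on their own port group, never on the promiscuous bridging one.
$strays = Get-VM | Get-NetworkAdapter |
    Where-Object { $_.NetworkName -eq $ProtectedPg -and $_.Parent.Name -ne $VShieldVm }
foreach ($s in $strays) { $findings.Add("VM $($s.Parent.Name) sits on $ProtectedPg; move it to its own port group") }

# 6. VLAN: a tagged workload port group needs both bridging port groups to trunk that tag.
$vmPgSpec = Get-VlanSpec (Get-VDSwitch -Name $ProtectedVds | Get-VDPortgroup -Name $ProtectedVmPg)
if ($vmPgSpec.Type -eq 'Vlan' -and $vmPgSpec.Id -ne 0) {
    foreach ($name in $bridgePgs.Keys) {
        if (-not (Test-TrunkCarriesVlan (Get-VlanSpec $bridgePgs[$name]) $vmPgSpec.Id)) {
            $findings.Add("$name does not trunk VLAN $($vmPgSpec.Id) used by $ProtectedVmPg")
        }
    }
}

if ($findings.Count -eq 0) { 'vShield Zones vDS layout looks consistent' } else { $findings }
```

Run it from a PowerCLI session after Connect-VIServer, passing your own switch and port group names as parameters. Each reported finding maps to one line of the checklist above; the VLAN check reproduces admin's case, where the workload port group is tagged (vlan 21) and connectivity only appears once both bridging port groups trunk that tag. The script reads configuration only and changes nothing.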
Gonzalez2011
Contributor

Hi carlos,

I'm using vSphere 4.1, and I configured my environment as you have mentioned, but the problem still exists. In addition, there are 2 other interfaces in my vShield Agent, c0 and d0, and the MAC address of vNIC2 is the HWaddress of d0, not p0, and the MAC address of vNIC3 is the HWaddress of c0, not u0. Does it matter? The result of "show interface" is like the screenshot in attachment.

Thanks a lot.

Texiwill
Leadership

Hello,

Moved to the vShield forum.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill