VMware Cloud Community
pcorrea117
Contributor

Initial setup of vShield Manager 4.1 (and how to protect a VM?)

I have 2 ESXi hosts that are currently set up in vCenter 4.1. Before vShield Manager installation, there were 3 vSwitches present on each server; one regular, and two distributed.

  • vSwitch0 - connected to vmnic0 - has management and production network 1 10.168.90.x

  • VLAN 10.1 - vNDS connected to vmnic1 on each host - connects to private physical network 10.1.x.x

  • VLAN 10.2 - vNDS connected to vmnic2 on each host - connects to private physical network 10.2.x.x

After installing vShield Manager in a new VM, and then deploying vShield Zones to each individual ESXi host, a new vSwitch is created

vmservice-vswitch - has new Virtual Machine Port Group vmservice-vshield-pg - not connected to any physical adapters

The Individual vShield-FW VMs created for each host have the Network Adapters connected as below

  • Network Adapter 1 - VM Network (hooked to vSwitch 0) - normal production network

  • Network Adapter 2 - VM Network (hooked to vSwitch 0) - normal production network

  • Network Adapter 3 - vmservice-vshield-pg

I tried connecting my VMs to the vmservice-vshield-pg network in order to protect them and place them behind the firewall. However, that did not seem to work, and my VM just lost network connectivity.

How do I protect a VM that needs to connect to the normal production network (on vSwitch0)? Are there any configuration steps I'm missing?

What if I want to connect a VM or one of its NICs to one of the 10.1.x.x or 10.2.x.x networks instead of the normal 10.168.90.x network? What additional steps do I have to perform? The new 4.1 documentation is no help at all, and it seems that the old vShield Zones 1.0 docs don't apply at all.


Accepted Solutions
none95
Enthusiast

There is no need to change the network the VM is connected to.

Just enable/install vShield zones on your hosts and add rules to either the vSwitch or the Datacenter.

The VM will become protected if no errors are shown.

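The accepted answer says the guest VMs stay on their production port group and only the per-host vShield-FW appliance uses vmservice-vshield-pg. The PowerCLI audit below is an added example (not from this thread or from VMware); it assumes an existing Connect-VIServer session, the port group and vSwitch names as posted above, and that the appliance VMs are named vShield-FW* (an assumption), and flags guests that were moved onto the service port group, appliances whose adapters are not wired as described, and a service vSwitch that has picked up a physical uplink.

```powershell
# Added example, not the thread's or VMware's code. Assumes Connect-VIServer
# has already been run and that the appliance VMs are named vShield-FW*.
$ServicePortGroup  = 'vmservice-vshield-pg'   # name from the question
$ServiceSwitch     = 'vmservice-vswitch'      # name from the question
$FirewallVmPattern = 'vShield-FW*'            # assumed appliance naming

# 1. Guest VMs (not the appliances) attached to the service port group.
#    These are the VMs that lose connectivity, as described in the question.
$misplaced = Get-VM |
    Where-Object { $_.Name -notlike $FirewallVmPattern } |
    Get-NetworkAdapter |
    Where-Object { $_.NetworkName -eq $ServicePortGroup }
foreach ($nic in $misplaced) {
    Write-Warning ("{0}: {1} is on {2}; move it back to its production port group" -f
        $nic.Parent.Name, $nic.Name, $nic.NetworkName)
}

# 2. Each appliance should have exactly one adapter on the service port group;
#    the remaining adapters sit on the production port group(s) it bridges.
foreach ($fw in Get-VM -Name $FirewallVmPattern -ErrorAction SilentlyContinue) {
    $nics      = $fw | Get-NetworkAdapter
    $onService = @($nics | Where-Object { $_.NetworkName -eq $ServicePortGroup })
    if ($onService.Count -ne 1) {
        Write-Warning ("{0}: expected 1 adapter on {1}, found {2}" -f
            $fw.Name, $ServicePortGroup, $onService.Count)
    }
    $nics | Select-Object @{ n = 'VM'; e = { $fw.Name } }, Name, NetworkName, ConnectionState
}

# 3. The service vSwitch is internal only: it must have no physical uplinks.
foreach ($vmhost in Get-VMHost) {
    $sw = Get-VirtualSwitch -VMHost $vmhost -Name $ServiceSwitch -ErrorAction SilentlyContinue
    if (-not $sw) {
        Write-Warning "$($vmhost.Name): $ServiceSwitch is missing (vShield Zones not deployed?)"
        continue
    }
    if ($sw.Nic.Count -gt 0) {
        Write-Warning "$($vmhost.Name): $ServiceSwitch has uplinks $($sw.Nic -join ', ')"
    }
}
```

Run it after a deployment or reinstall; a clean result is no warnings plus one adapter per appliance listed on vmservice-vshield-pg.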
3 Replies
pcorrea117
Contributor

By the way, inside the vShield Manager interface, all of my VMs show up as either UNPROTECTED (if they're on) or DISCONNECTED (if they're off) with no clear way of how to protect them.

pcorrea117
Contributor

There is no need to change the network the VM is connected to.

Just enable/install vShield zones on your hosts and add rules to either the vSwitch or the Datacenter.

The VM will become protected if no errors are shown.

I figured out what had happened. Because stuff was getting vmotion'ed and an ESXi host actually shut itself down during installation as part of DRS power management, it really did a number on the installation.

Doing a full uninstall and reinstall of all the service virtual machines seemed to fix the problem.
