VMware Cloud Community
athlon_crazy
Virtuoso

vCenter VM + SRM VM + vNDS + vShield

Hi Guys,

Just want some comments or input from the experts here. FYI, my team is going to implement the above solution later, and my design of choice will be:

    * vCenter + SRM will run on virtual machines
    * vShield Zones (vSM & vSA) will protect 3x port groups (SZ1, SZ2 & DMZ) and no separate management network.
    * Virtual Network Distributed Switch (vNDS) will be used

In my current vSphere 4.1 office setup (vCenter VM + vShield + vNDS), I've noticed that this setup can sometimes produce some hiccups. VM connections will be terminated if the vShield agent sitting inside the same ESX goes down. vShield now becomes another dependency of my virtual network.

So, my questions now:

  • Will this setup work nicely and is there any area that I need to focus more?
  • When vCenter VM goes down (vNDS), network connection will still resume as normal right?
  • Is this the correct sequence when I'm going to bring up my virtual infrastructure [ ESX -> vCenter VM -> SRM VM -> vSM -> vSA -> Other VM ]
  • For vShield 4.1.0 u1, do we still need to install vShield and create the vNDS port group manually instead of using the wizard? I can't find this in the current document.
http://www.no-x.org
6 Replies
athlon_crazy
Virtuoso

Huh, still no answer. Is it because no one has done this before?

http://www.no-x.org
admin
Immortal

To be honest I'm not 100% sure I understand your setup as explained.

When vCenter VM goes down (vNDS), network connection will still resume as normal right?

Yes, that is correct.  You won't be able to make any changes to the vDS, but you will still have connectivity.

One key thing to note is that you do not want to have your vCenter VM on a host that has a vShield App firewall on it.  It is not currently supported to protect your vCenter server with vShield App today.  This is due to the fact that you can very easily cut off your vShield Manager from the vCenter server, which can cause you to lock yourself out of the system.   The best practice today is to have a management cluster for VMs such as vCenter, SRM, vShield Manager, etc.

As far as your startup order is concerned, I would do the following: ESX --> vSA --> vCenter --> vSM --> SRM --> Other VMs.  Note that it is important to have the vSA VM startup as soon as possible as the VMs on that host will not have connectivity until the vSA is started up.

I'm not sure what you mean by:

For vShield 4.1.0 u1, do we still need to install vShield and create vNDS port group manually instead using wizard? I can't find this in the current document.

I hope this helps.
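
The reply above gives two operational rules: keep the vCenter VM off any host that carries a vShield firewall appliance (otherwise vShield Manager can cut itself off from vCenter), and bring the vSA up before vCenter, vSM and SRM. The PowerCLI script below is an added example, not code from the thread or from VMware, that checks the first rule and encodes the second as host auto-start policy. The VM names and the `vShield-*` name pattern are assumptions; adjust them to your inventory. It expects an existing `Connect-VIServer` session.

```powershell
# Added example (not from the thread): verify vCenter placement relative to vShield
# appliances and set the startup order ESX -> vSA -> vCenter -> vSM -> SRM -> others.
# Assumed names/patterns below; change them to match your environment.
param(
    [string]$VCenterVmName = 'vcenter01',        # assumed name of the vCenter VM
    [string]$SrmVmName     = 'srm01',            # assumed name of the SRM VM
    [string]$VsmVmName     = 'vShield Manager',  # assumed name of the vShield Manager VM
    [string]$VsaPattern    = 'vShield-*'         # assumed name pattern of the per-host vSA / vShield-FW appliances
)

# 1. Hosts that run a vShield appliance protect every vNIC on that host,
#    so the vCenter VM must not live on one of them.
$vsaVms = @(Get-VM -Name $VsaPattern -ErrorAction SilentlyContinue)
$protectedHosts = $vsaVms | ForEach-Object { $_.VMHost.Name } | Sort-Object -Unique

$vcVm = Get-VM -Name $VCenterVmName
if ($protectedHosts -contains $vcVm.VMHost.Name) {
    Write-Warning ("vCenter VM '{0}' runs on {1}, which hosts a vShield appliance. " +
                   "Move it to a management-cluster host without vShield-FW so vShield Manager " +
                   "cannot cut itself off from vCenter.") -f $vcVm.Name, $vcVm.VMHost.Name
} else {
    Write-Host ("vCenter VM '{0}' is on {1}; no vShield appliance on that host." -f $vcVm.Name, $vcVm.VMHost.Name)
}

# 2. Startup order from the reply. StartOrder is relative within each host, so every
#    vSA gets order 1 on its own host; VMs on a vSA host have no connectivity until it is up.
$startup = @(
    @{ Vms = $vsaVms;                     Order = 1; Delay = 60  }   # vSA first
    @{ Vms = @($vcVm);                    Order = 2; Delay = 120 }   # vCenter
    @{ Vms = @(Get-VM -Name $VsmVmName);  Order = 3; Delay = 60  }   # vShield Manager
    @{ Vms = @(Get-VM -Name $SrmVmName);  Order = 4; Delay = 60  }   # SRM
)

foreach ($entry in $startup) {
    foreach ($vm in $entry.Vms) {
        # Per-VM start policies are ignored unless auto-start is enabled on the host.
        Get-VMHostStartPolicy -VMHost $vm.VMHost |
            Set-VMHostStartPolicy -Enabled $true -Confirm:$false | Out-Null

        Get-VMStartPolicy -VM $vm |
            Set-VMStartPolicy -StartAction PowerOn -StartOrder $entry.Order `
                              -StartDelay $entry.Delay -Confirm:$false | Out-Null

        Write-Host ("{0,-25} host={1,-20} startOrder={2} delay={3}s" -f
                    $vm.Name, $vm.VMHost.Name, $entry.Order, $entry.Delay)
    }
}
# "Other VMs" are left with no explicit order, so the host starts them after the ones above.
```

Run it read-only first by commenting out the two `Set-*StartPolicy` lines; the placement warning alone tells you whether the management-cluster rule from the reply is already satisfied. Note that host auto-start only applies when the host itself powers on, not when vCenter HA restarts a VM elsewhere, so placement still matters more than the order.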

athlon_crazy
Virtuoso

It's you again rramdell. Thanks for your effort.

1. Okay, your answer on vDS is pretty similar to what I have in mind. Only no changes to the vDS, but the connection will still resume.

2. Yes, I found out about this from the current vShield document before (no vSA on the host where the vCenter VM is running). However, what if I install vSA on the host where vCenter is currently sitting and I never protect this vCenter VM? FYI, I will use hybrid mode for my vSwitch design as follows:

vSS0 - vmnic1 & vmnic3 -> Management Port Group

vDS1 - vmnic2 & vmnic4 -> SZ_PG and DMZ_PG

vDS2 - vmnic5 -> Fault Tolerance

vShield Zones is going to protect my vDS1 switch ONLY (SZ_PG & DMZ_PG), while my vCenter VM will connect to "Management Port Group" instead. I've tested this in my current LAB environment and so far it's working fine, perhaps because I'm using vShield Zones Release 1.0-216288. Will this setup work under vShield 4.1?

3. Thanks for the VM startup order. I've no further question.

4. If you refer to vShield Zones Release 1.0-216288, the installation for a vDS environment requires us to create the Protected and Unprotected vDS port groups manually. Only then can you start with the vShield installation. I just want a confirmation whether this requirement still applies for vShield 4.1?

http://www.no-x.org
admin
Immortal

OK...now I understand what you meant.  vShield Zones 4.1 is a very different architecture and takes advantage of the VMsafe Net APIs.  Therefore, to put it at a high level, every vNIC has the vShield Zones firewall attached to it, regardless of the vSwitch setup.  So if vCenter is on the host, it is automatically going to be under the protection of vShield.  Hence why it is important to have it on a host where the vShield-FW virtual appliance is not installed.

This link may help you understand the architecture a bit better: http://www.vmware.com/products/vshield

But the key thing again is that your vSwitch architecture doesn't matter.  And to answer your last question, you are in fact NOT required to have two virtual switches that are bridged by the vShield-FW appliance setup.  As a matter of fact, the vShield-FW appliance will not bridge like it did in the 1.0 version of the product.

athlon_crazy
Virtuoso

Oops, I forgot to update this. Actually, I found out about the difference between vShield 1.0 & vShield 4.1 yesterday. But since my vCenter will run on a VM and it's impossible for us to bind vCenter to a host that doesn't have vShield-FW installed, what other option do we have? Go for vShield 1.0 instead? I found in the KB that VMware still supports this type of vShield.

http://www.no-x.org
admin
Immortal
Accepted solution

At this point if this is your only choice, I would suggest sticking with vShield Zones 1.0.
