VMware Cloud Community
Mohammad1982
Hot Shot

vShield Zones and DV switch

Hi All.

I want to install vShield in my environment. I have 7 ESX 4.0 servers and a VC Standard. I have configured a DV switch on it.

Now if I want to install vShield in my environment, do I need to install it on all of the ESX servers separately?

In the vShield documentation it is mentioned that we need to install it manually, by creating a second vNDS. If I have more than one ESX server, do I need to install vShield on all the ESX hosts, or only on one ESX host and add the VMs from the other ESX hosts to the protected port group?

Any help is highly appreciated.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!! Regards, Mohammad Wasim
4 Replies
Dave_Mishchenko
Immortal

You'll have just a single vShield Manager appliance, but each host that you protect will require a running vShield Agent appliance to be configured.
Dave

VMware Communities User Moderator

Mohammad1982
Hot Shot

Hi Dave,

Thank you for replying so fast.

Alright, so I need to configure the vShield agent on each of the ESX hosts. How do I go about this with a DV switch? Do I need to add all the vShields that are installed on my ESX hosts?

My scenario is: I have 7 ESX hosts and a VC with a vNDS. If I have to create vShield zones in my environment, how do I go about it?

Do I have to install the vShield agent on all the ESX hosts? If yes, do I also have to create more DV switches? Please help.

Texiwill
Leadership

Hello,

"Do I have to install the vShield agent on all the ESX hosts? If yes, do I also have to create more DV switches?"

You need several dvSwitches: one for the network that is unprotected and one for the network that is protected. So in effect it looks like this:

unprotected <-> vShield 1.0 Agent(s) <-> protected

Even though you have a dVS in use, you need to install the agent 'Appliance' on each host and configure it to sit between each dVS for each host. Remember, while a dVS is global, it is also related to each host.

You manage vShield Zones Appliances outside of dVS and you need one per host.

I believe last year's VMworld (2009) lab was about just this. I did this lab, so you may be able to find it on the VMworld 2009 forum somewhere, but alas I do not know.

But yes, 1 agent appliance per host. Each agent is on a host and links the unprotected/protected dVS to each other at the HOST level.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available: 'VMware ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
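The model Edward describes has one invariant worth checking on every host before you trust the zone: exactly one agent appliance per host, connected to both the unprotected and the protected dvSwitch port group. The following audit is an added example, not code from the original thread or from VMware; it runs over a constructed inventory (hypothetical host, VM and port group names) in place of a real vCenter query and reports the hosts where the 1.x bridge model is broken. It applies to the vShield Zones 1.x bridge design discussed in this post, not to the later hypervisor-level vShield App.

```python
"""Coverage audit for the vShield Zones 1.x bridge model: every protected
host needs exactly one agent appliance sitting between the unprotected
dvSwitch port group and the protected one.  All inventory data below is
constructed for this example; the names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hypothetical port group names on the two dvSwitches.
UNPROTECTED_PG = "dvPG-Unprotected"
PROTECTED_PG = "dvPG-Protected"


@dataclass
class VM:
    name: str
    host: str
    portgroups: List[str]
    is_agent: bool = False  # True for the vShield agent appliance itself


# Constructed inventory: seven hosts, two of which (esx06, esx07) carry no VMs.
SAMPLE_HOSTS = [f"esx0{i}" for i in range(1, 8)]
SAMPLE_INVENTORY = [
    VM("vShield-esx01", "esx01", [UNPROTECTED_PG, PROTECTED_PG], is_agent=True),
    VM("web01", "esx01", [PROTECTED_PG]),
    VM("vShield-esx02", "esx02", [UNPROTECTED_PG, PROTECTED_PG], is_agent=True),
    VM("db01", "esx02", [PROTECTED_PG]),
    VM("app01", "esx03", [PROTECTED_PG]),                        # esx03: no agent at all
    VM("vShield-esx04", "esx04", [PROTECTED_PG], is_agent=True),  # esx04: agent not bridged
    VM("vShield-esx05a", "esx05", [UNPROTECTED_PG, PROTECTED_PG], is_agent=True),
    VM("vShield-esx05b", "esx05", [UNPROTECTED_PG, PROTECTED_PG], is_agent=True),  # two agents
]


def audit(vms: Iterable[VM], hosts: Optional[Iterable[str]] = None) -> Dict[str, List[str]]:
    """Return {host: [issue, ...]}; an empty list means the host is correctly covered.

    Passing the full host list matters: a host with no VMs still has no agent,
    and any VM migrated onto it later would land on an unbridged protected side."""
    vms = list(vms)
    all_hosts = set(hosts or []) | {vm.host for vm in vms}
    findings: Dict[str, List[str]] = {}
    for host in sorted(all_hosts):
        on_host = [vm for vm in vms if vm.host == host]
        agents = [vm for vm in on_host if vm.is_agent]
        protected = [vm.name for vm in on_host
                     if not vm.is_agent and PROTECTED_PG in vm.portgroups]
        issues: List[str] = []
        if not agents:
            issues.append("no vShield agent on host")
            if protected:
                issues.append("protected VMs with no agent bridging them: " + ", ".join(protected))
        elif len(agents) > 1:
            # The bridge model expects one appliance per host linking the two dvSwitches.
            issues.append("more than one agent on host: " + ", ".join(a.name for a in agents))
        else:
            agent = agents[0]
            for pg in (UNPROTECTED_PG, PROTECTED_PG):
                if pg not in agent.portgroups:
                    issues.append(f"agent {agent.name} is not connected to {pg}")
        findings[host] = issues
    return findings


def uncovered_hosts(findings: Dict[str, List[str]]) -> List[str]:
    """Hosts that fail the one-agent-bridging-both-sides check."""
    return sorted(host for host, issues in findings.items() if issues)


if __name__ == "__main__":
    for host, issues in audit(SAMPLE_INVENTORY, SAMPLE_HOSTS).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

In a real environment the `SAMPLE_INVENTORY` list would be built from the vCenter inventory (host, network backing per vNIC, and which VMs are the agent appliances); the check itself does not change. Running it on the constructed data flags esx03 (no agent, with a protected VM stranded), esx04 (agent missing its unprotected side), esx05 (two agents) and the two empty hosts.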
carlosVSZ
VMware Employee

For the latest version of vShield Zones/vShield App, this bridge-based concept of protected and unprotected is no longer true. The latest version gets installed at the hypervisor level, so the protection is now on a per-ESX basis (vs. per vSwitch). You still need one vShield (Zones/App) per ESX host, but once installed you provide protection to all VMs on the host; there is no need to specify a vSwitch. It's a vNIC-level firewall, so it's like having a firewall on each NIC of every VM.