8 Responses

  1. Joshua

    Great article, thanks very much!

  2. Enterprise Firewall Replacement with vShield Edge and vShield App « Long White Virtual Clouds

    […] Creating a small management cluster of hosts to host the vShield Manager, vCenter and vCenter DB and other supporting infrastructure. This is important to allow the managed infrastructure to be independent of the infrastructure that is being managed. If vShield Manager is deployed within the infrastructure it is protecting you will suffer circular dependencies that will prevent the solution, including vCenter from functioning, as all the traffic will be blocked during the implementation process. In larger environments this can be solved by using the design I described in vShield App Design for the Enterprise. […]

  3. Grant

    This article is a must read for anyone using vShield firewalls. Thanks.

  4. Jaime

    In order to satisfy the separate management cluster requirement, couldn't you simply set up DRS host groups within a cluster – one for vShield hosts and one for non-vShield hosts? Then you can set affinity rules so that the mgmt VMs MUST run on the non-vShield hosts and the protected VMs MUST run on the vShield hosts. We want to implement a limited vShield implementation and would prefer not to break our cluster into two just for a few mgmt VMs. It seems to me that this would work, especially since HA respects the 'Must' rules.

    Granted if you're trying to protect many VMs this may not be the way to go, but we're looking at a few for now (rules at the port group level) and maybe 25 max in the future. This is out of nearly 500 running in our cluster now. I'd rather the rest of the VMs have access to all resources while limiting only the mgmt and protected VMs.

    1. @vcdxnz001

      You could try that. But it wouldn't be a supported configuration, so it would be at your risk. Although the DRS rules would keep the mgmt VMs on the designated hosts and the protected VMs on the protected hosts, what about all the other VMs in the environment? Every time a new VM is provisioned or maintenance needs to be done, you would potentially have to change all the DRS rules. So from a pure management-overhead point of view it might not be a good idea. Also, within vShield Manager the VMs wouldn't show up as protected, as not every host in the cluster has vShield App installed. So at best it's a short-term solution until there is a management cluster. The management cluster only has to be big enough to run the management workloads, though, so it doesn't have to be too big. Breaking out a couple of hosts from a cluster to run management workloads shouldn't be that onerous. I recently did an implementation at a customer that only had 3 hosts and a physical vCenter Server. As part of the project we virtualized the vCenter server to act as the management server to host the vCenter, vCenter DB and vShield Manager. This worked great for them.
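    For readers who want to see what the DRS host-group approach Jaime describes actually looks like, the following PowerCLI snippet is an added example (not code from the original post or its author). It creates two host groups, two VM groups and two "must run on" rules so that management VMs are pinned to hosts without vShield App and protected VMs to hosts with it. The vCenter address, cluster, host and VM names are placeholders. As the reply above points out, this is not a supported vShield App configuration; the snippet only illustrates the DRS mechanics.

```powershell
# Added example: DRS VM/host groups plus "MustRunOn" affinity rules in PowerCLI.
# All names below are assumptions for illustration, not values from the original post.
Connect-VIServer -Server 'vcenter.example.local'   # assumed vCenter FQDN

$cluster = Get-Cluster -Name 'Prod-Cluster'        # assumed single production cluster

# Hosts WITHOUT vShield App installed: these will carry the management VMs
$mgmtHosts    = Get-VMHost -Name 'esx01.example.local', 'esx02.example.local'
# Hosts WITH vShield App installed: these will carry the protected VMs
$vshieldHosts = Get-VMHost -Name 'esx03.example.local', 'esx04.example.local'

# Management workloads that must never sit behind the vShield App firewall
$mgmtVMs      = Get-VM -Name 'vcenter', 'vcenter-db', 'vshield-manager'
# Workloads that must only ever run on hosts where vShield App is present
$protectedVMs = Get-VM -Name 'app-web01', 'app-web02'

# DRS cluster groups: one host group and one VM group per side
$mgmtHostGroup    = New-DrsClusterGroup -Name 'NonVShield-Hosts' -Cluster $cluster -VMHost $mgmtHosts
$vshieldHostGroup = New-DrsClusterGroup -Name 'VShield-Hosts'    -Cluster $cluster -VMHost $vshieldHosts
$mgmtVMGroup      = New-DrsClusterGroup -Name 'Mgmt-VMs'         -Cluster $cluster -VM $mgmtVMs
$protectedVMGroup = New-DrsClusterGroup -Name 'Protected-VMs'    -Cluster $cluster -VM $protectedVMs

# "Must run on" rules: unlike "should" rules, HA will not violate these when it
# restarts VMs after a host failure, which is the property Jaime relies on
New-DrsVMHostRule -Name 'Mgmt-MustRun-NonVShield' -Cluster $cluster `
    -VMGroup $mgmtVMGroup -VMHostGroup $mgmtHostGroup -Type MustRunOn
New-DrsVMHostRule -Name 'Protected-MustRun-VShield' -Cluster $cluster `
    -VMGroup $protectedVMGroup -VMHostGroup $vshieldHostGroup -Type MustRunOn

# Check: list the rules and confirm both are present and enabled
Get-DrsVMHostRule -Cluster $cluster | Format-Table Name, Type, Enabled

Disconnect-VIServer -Server '*' -Confirm:$false
```

    Note that any VM not added to one of the two VM groups is left unconstrained and can land on either set of hosts. That is the point the reply makes: every newly provisioned VM has to be reviewed and, if it needs protection, added to the group, otherwise it may run on a host without vShield App and be silently unprotected.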

  5. fox

    Could you do a blog on how to configure vshield edge portion only? Not very many options but everyone seems to be missing steps in their documentation.

    Thank you much!

  6. Jay

    Looking at the logical diagram, it looks like all traffic is being inspected by the kernel, which should yield high performance and traffic throughput, but if the vShield App FW VM is in user space, that would negate the performance benefits of being inspected by the kernel. In your diagram, shouldn't there be a link shown from the FW VM back to the distributed virtual switch if all traffic is passing through it?

    Can you clarify this?

  7. @vcdxnz001

    Hi Jay, the traffic passes through the kernel to the vShield App Firewall VM on an isolated standard vSwitch via a special vmkernel port. So there is no link back to the vDS. The performance will be hardware dependent, but I've seen over 6Gb/s throughput possible on vShield 4.1, and it's probably improved a lot on the latest versions.
