Monday, 7 January 2013

vShield Edge 5.1.1

vShield Edge (vSE) is used to provide security services at network edge. Its similar to Cisco ASA Firewall in physical networks. 

It consists of security zones as well as the code which is responsible for implementing security policies between zones. This code is running inside vSE VA which is deployed by vShield Manager once vSE is configured.

The security zones are represented by vSS Port Group, vDS Port Group, or N1KV Port Profile in vCenter environment. This means that vSE VA is securing the communication between different port groups (not within same port group).

In addition to security policies, vSE can provide L2L & SSL VPN, Load Balancing, DHCP & NAT Services, HA, Routing. 

A typical use of vSE can be seen in multi-tenant cloud environments to isolate between Organizations.
 vSE Implementation

The first configuration step is deploying vSE. When you deploy vSE, a VA will be created which is having the code to act as a firewall. Each vSE VA is having 10 vNICs to connect to 10 port-groups.

Navigate to Home > Inventory > Networking > Select the Cluster > Network Virtualization.
Start Adding New vSE
Once vSE VA is deployed, you can see its properties from summary tab (Home > Inventory > Hosts and Clusters > vSE-VA) including vCPUs, Memory, Port-Groups, etc.
To manage vSE VA, Select Actions > Manage. Other actions are available as well from same drop-down menu such as convert to large/x-large, download tech-support, disable/enable auto-rules, etc.
Below snapshots describe the functions of different tabs. Basic ones are only covered (firewall, nat, zones).
Important note about NAT implementation:

The translated IPs should be configured in vSE vNIC configuration. This is required for vSE to generate ARP of the translated addresses. Without this configuration, uplink devices won't forward traffic to the translated addresses due to missing ARP.
In case vShield Manager is down, existing running vSEs will still operate with the following restrictions:

1. No GUI management of existing running vSEs (CLI will be available) 
2. No deployment of new vSEs

Note: Communication between vShield Manager and vShield Edge is happening at VMkernal level and not using IP communication

Here are some useful CLI commands for troubleshooting on vSE:
vSE-VMs-0> show system
  cpu            Show system cpu information.
  memory         Show system memory information.
  network-stats  Show system network stats.
  storage        Show system storage information.
  uptime         Show system uptime information.

vSE-VMs-0> debug packet display
vSE-VMs-0> show log
vSE-VMs-0> traceroute
vSE-VMs-0> ping

No comments:

Post a Comment