VMware vShield 1.0 Quick start guide

Brand: VMware

Model: vShield 1.0

Category: Networking

Type: Quick start guide

VMware vShield vShield 1.0 is a network virtualization solution that provides security, isolation, and micro-segmentation for virtualized environments. It enables administrators to create and manage multiple isolated virtual networks within a single physical network infrastructure, providing greater flexibility and control over network resources. vShield vShield 1.0 includes features such as firewalling, intrusion detection, and traffic shaping, allowing administrators to enforce security policies and optimize network performance.

Quick Start Guide

vShield Zones 1.0 Update 1

EN-000166-00

VMware, Inc.

3401 Hillview Ave.

Palo Alto, CA 94304

www.vmware.com

2 VMware, Inc.

Quick Start Guide

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.

VMware, the VMware “boxes” logo and design, Virtual SMP, and VMotion are registered trademarks or trademarks of

VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks

of their respective companies.

VMware, Inc. 3

Contents

AboutThisBook 5

InstallingvShieldZones 7

Requirements 7

vShieldZonesComponents 8

EvaluatingESXNetworkConfigurationBeforeInstallingvShieldZones 8

InstallingvShieldZones 8

ObtainvShieldZonesVirtualAppliances 8

InstallthevShieldManagerasaVirtualMachineUsingthevSphereClient 9

InstallthevShieldAgentandConvertitintoaTemplate 10

LogIntothevShieldManagerUserInterfacetoConfiguretheSystem 10

Add

avShieldAgent 11

EnableContinuousDiscoverytoIdentifyYourGuestVirtualMachineTraffic 12

AdditionalvCenterConfigurationforvShieldAgents 12

PoweringoffvShieldZonesVirtualMachines 13

vShieldAgentAutomatedInstallationAt‐a‐Glance 14

UnderstandingthePortGroupsCreatedfromvShieldAgentInstallation 14

Quick Start Guide

4 VMware, Inc.

VMware, Inc. 5

TheQuickStartGuideprovidesinformationaboutinstallingvShieldZonesintoyourVMware

Virtual

Infrastructureenvironment.

Intended Audience

ThisbookisintendedforanyonewhowantstoinstallorusevShieldZones.Theinformationinthisbookis

writtenforexperiencedWindowsorLinuxsystemadministratorswhoarefamiliarwithvirtualmachine

technologyanddatacenteroperations.ThisbookalsoassumesfamiliaritywithVMwareVirtual

Infrastructure,includingvCenterServer4.0,

VMwareESX4.0,andthevSphereClient.

Document Feedback

VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhavecomments,sendyour

feedbacktodocfeedback@vmware.com.

VMware Infrastructure Documentation

ThefollowingdocumentscomprisethevShieldZonesdocumentationset:

 vShieldZonesAdministrationGuide

 vShieldZonesQuickStartGuide

 IntroductiontovShieldZones

YoushouldalsohaveaccesstothecombinedvCenterServerandESXdocumentationset.

Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.Toaccessthecurrentversion

ofthisbookandotherbooks,gotohttp://www.vmware.com/support/pubs.

Online and Telephone Support

Touseonlinesupporttosubmittechnicalsupportrequests,viewyourproductandcontractinformation,and

Customerswithappropriatesupportcontractsshouldusetelephonesupportforthefastestresponseon

priority1issues.Gotohttp://www.vmware.com/support/phone_support.

Support Offerings

TofindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds,goto

http://www.vmware.com/support/services.

About This Book

Quick Start Guide

6 VMware, Inc.

VMware Professional Services

VMwareEducationServicescoursesofferextensivehands‐onlabs,casestudyexamples,andcoursematerials

designedtobeusedason‐the‐jobreferencetools.Coursesareavailableonsite,intheclassroom,andlive

online.Foronsitepilotprograms andimplementationbestpractices,VMwareConsultingServicesprovides

offeringsto helpyouassess,plan,

build,andmanageyourvirtualenvironment.Toaccessinformationabout

educationclasses,certificationprograms,andconsultingservices,gotohttp://www.vmware.com/services.

VMware, Inc. 7

vShieldZonesprovidesfirewallprotectionandtrafficanalysistoprotectyourVMwarevCenterServervirtual

infrastructure.vShieldZonesvirtualapplianceinstallationhasbeenautomatedformostvirtualdatacenters.

Thischapterincludesthefollowingtopics:

 “Requirements”onpage 7

 “vShieldZonesComponents”onpage 8

 “EvaluatingESXNetworkConfigurationBeforeInstallingvShieldZones”onpage 8

 “InstallingvShieldZones”onpage 8

 “A d d i t i o n a lvCenterConfigurationforvShieldAgents”onpage 12

 “PoweringoffvShieldZonesVirtualMachines”onpage 13

 “vShieldAgentAutomatedInstallationAt‐a‐Glance”onpage 14

 “UnderstandingthePortGroupsCreatedfromvShieldAgentInstallation”onpage 14

Requirements

BeforeinstallingvShieldZones,youmusthave:

 AsystemrunningvCenterServer4.0orlater

 AtleastonerunningESX4.0installation

 APCwiththevSphereClient

 Permissionstoaddandpoweronvirtualmachines

 Accesstothedatastorewhereyoustorevirtualmachinefiles,andtheaccountpermissionstocopyfilesto

thatdatastore

 vShieldManagerandvShieldagentOVFfiles

 AstaticIPaddressforthemanagementinterfaceofeachvShieldagentyouinstall

 AsinglestaticIPaddressforthevShieldManagermanagementinterface

 EnablecookiesonyourWebbrowsertoaccessthevShieldManageruserinterface

Installing vShield Zones

Quick Start Guide

8 VMware, Inc.

vShield Zones Components

ThefollowingcomponentscomprisethevShieldZonessolution:

 vShieldManager:ThevShieldZonesmanagementcenterthatmanagesallofthedistributedvShield

agents.Providesformonitoring,configuration,andsoftwareupdatingofyourvShieldagents.

 vShieldagent:TheactivesecuritycomponentofvShieldZonesthatinspectstrafficflowandprovides

firewallprotection.YouinstallavShieldagentoneachESXhostyouwanttoprotect.AvShieldagent

installswithinthetrafficpathtomonitoralltrafficintoandoutofanESXhost,as

wellasbetweenvirtual

machinesonthehost.

Evaluating ESX Network Configuration Before Installing vShield Zones

PriortoinstallingvShieldZonesinyourvCenterServerenvironment,considerthenetworkconfigurationof

yourESXhosts.Ataminimum,eachhosthasatleastoneassociatedphysicalNICandonevSwitch,which

hoststheVMKernel,serviceconsole,andvirtualmachines.Inmorerobustenvironments,anESXhostmight

have

multiplededicatedphysicalNICsandmultiplevSwitchestoseparatetheVMKernelandserviceconsole

fromthevirtualmachines.

ThevShieldZonesappliancesinstallasvirtualmachinesonanESXhost.However,installationofavShield

agentrequiressomeplanning.YoucaninstallavShieldagentonanyvSwitchwithadedicated

NIC.vShield

agentinstallationmovesvirtualmachinesfromtheiroriginalvSwitchtoaclonedvSwitch.ThevShieldagent

theninstallsbetweentheoriginalvSwitchandtheclonedvSwitchtocapturealltraffictoandfromthevirtual

machines.TheoriginalvSwitchkeepstheNIC,whilethenewvSwitchdoesnot

associatewithaNIC.Thus,if

youhaveanESXhostwithmultiplevSwitcheshostingavarietyofvirtualmachines,youneedonevShield

agentpervSwitch.AnyvirtualmachinesconnectedtoavSwitchwhereavShieldagentisnotinstalledisnot

protectedbyvShieldZones.

Theinstallationofmultiple

vShieldagentsissimplifiedbyinstallingthevShieldagentOVFandthen

deployingtheoriginalvShieldagentvirtualmachineasatemplate.ThistemplateisreferencedbythevShield

Manager,allowingyoutoinstallmultiplevShieldagentsintoyourvCenterServerenvironmentfromthe

vShieldManageruserinterface.Formoreinformation

onthevShieldagentinstallationprocess,see“vShield

AgentAutomatedInstallationAt‐a‐Glance”onpage 14.

Installing vShield Zones

vShieldZonesinstallationisamulti‐stepprocess.PerformthefollowingtasksinsequencetocompletevShield

Zonesinstallationsuccessfully.

Obtain vShield Zones Virtual Appliances

vShieldZonesvirtualappliancesarepackagedusingtheOpenVirtualizationFormat(OVF).Thispackaging

simplifiestheinstallationbyallowingyoutousethevSphereClienttoimportthevirtualapplianceintothe

datastoreandvirtualmachineinventory.

ContactyourVMwareaccountteamtoobtainavShieldZonessoftwarepackage,whichconsists

ofonevShield

ManagerandonevShieldagent.OnevShieldagentvirtualappliancecanbeusedformultiplevShieldagent

installations.

Onceyouhaveobtainedthepackage,downloadittoaPCwherethevSphereClientisinstalled.

OTEThevShieldZonessystemwasbuilttoprotectvirtualmachines,andnottheVMKernelorservice

console.

VMware, Inc. 9

Installing vShield Zones

Install the vShield Manager as a Virtual Machine Using the vSphere Client

vShieldManagervirtualmachineinstallationrequirescreatingaportgroupforthevShieldManager.

To add the vShield Manager to your vCenter Server inventory as a virtual machine

1LogintothevSphereClient.

2 SelectanESXhostfromtheinventorypanel.

3GotoFile>DeployOVFTemplate.

TheDeployOVFTemplatewizardopens.

4ClickDeployfromfileandclickBrowsetolocatethefolder

onyourPCcontainingthevShieldManager

OVFfile.

5Completethewizard.

ThevShieldManagerisinstalledintoyourinventory.

6 CreateaportgroupnamedvsmgmtforthevShieldManagerontheESXhostwherethevShieldManager

installed.

EachinstalledvShieldagentrecognizesthisportgroupname,whichpreventsthevShieldagent

from

movingthevShieldManagervirtualmachineduringvShieldagentinstallation.

7EditthesettingsofthevShieldManagervirtualmachinetoconnectatpoweronandsetthenetworklabel

tothevsmgmtportgroup.

aRight‐clickthevShieldManagervirtualmachineandclickEditSettings.

ThevShieldManager‐VirtualMachine

Propertiesdialogboxopens.

bUndertheHardwaretab,clickNetworkAdapter1.

c SelectConnectatpoweronunderDeviceStatus.

dIntheNetworklabeldrop‐downlistandselectvsmgmt.

eClickOKtoclosethewindow.

8PoweronthevShieldManagervirtualmachine.

9ClicktheConsoletabfromtheright‐handpanetoopenthevShieldManagerCLI.

Thebootingprocessmighttakeacoupleofminutes.

10 Afterthemanager loginpromptappears,logintotheCLIbyusingtheusernameadmin andthe

passworddefault.

11 RunthesetupcommandtolaunchtheCLIsetupwizard.

TheCLIsetupwizardguidesyouthrough

IPaddressassignmentforthevShieldManager’smanagement

interfaceandidentificationofthedefaultnetworkgateway.TheIPaddressofthemanagementinterface

mustbereachablebyallinstalledvShieldagents,aswellasbyaWebbrowserforsystemmanagement.

manager> setup

Use ctrl-d to abort configuration dialog at any prompt.

Default settings are in square brackets '[]'.

Hostname [manager]:

IP Address [10.115.216.66/255.255.255.0]:

Default gateway [10.115.219.253]:

Old configuration will be lost, and system needs to be rebooted

Do you want to save new configuration (y/[n]): y

Please log out and log back in again.

Youdonotneedtologoutatthistime.vShieldManagerinstallationiscomplete.

Quick Start Guide

10 VMware, Inc.

12 Pingthedefaultgatewaytoverifynetworkconnectivity.

manager> ping 10.115.219.253

13 FromyourPC,pingthevShieldManagerIPaddresstovalidatethattheIPaddressisreachable.

14 InstallVMwareToolsonthevShieldManagervirtualmachine.

Install the vShield Agent and Convert it into a Template

InstallthevShieldagentasavirtualmachineandconvertitintoatemplate.AfterthevShieldagentvirtual

machineisconvertedtotemplateformat,thetemplatecanbereferencedbythevShieldManagerforvShield

agentinstallationonmultipleESXinstances.

To add the vShield agent to vCenter Server and convert it to a template

1LogintothevSphereClient.

2 SelectanESX

hostfromtheinventorypanel.

3GotoFile>DeployOVFTemplate.

TheDeployOVFTemplatewizardopens.

4ClickDeployfromfileandclickBrowsetolocatethefolderonyourclientmachinecontainingthevShield

agentOVFfile.

5Completethewizard.

ThevShieldagentisinstalledintoyourinventory.

6Afterthe

wizardcompletesinstallation,convertthevShieldagentintoavirtualmachinetemplate.

ThetemplateenablesautomatedinstallationofmultiplevShieldagentsfromthevShieldManageruser

interface.

AfterthevShieldManagervirtualappliancehasbeeninstalledandthevShieldagenthasbeenconvertedtoa

template,logintothevShieldManageruserinterfaceandconfigurethevShieldManagertoauthenticatewith

thevCenterServer.ThisauthenticationallowsthevShieldManagertodisplayyourvCenterServerinventory,

install

vShieldagents,andconfigurethefirewalltoprotectyourresources.

To log in to the vShield Manager user interface

1OpenaWebbrowserwindowandtypetheIPaddressassignedtothevShieldManager.

YoumustprependtheIPaddresswithhttps.

2Acceptthesecuritycertificate.

ThevShieldManagerloginscreenappears.

3LogintothevShieldManageruserinterfaceby

usingtheusernameadminandthepassworddefault.

ThevShieldManageruserinterfaceopenstotheConfiguration>vCentertabcontentintheright‐side

frame.Uponinitiallogin,noinformationisdisplayedinthevShieldManagerasyouhavenotyet

synchronizedcommunicationwiththevCenterServer.

CAUTIONDonotpoweronoreditthevShieldagentvirtualmachineatthistime.Poweringonorediting

thevirtualmachineatthispointcancausenetworkissues,suchasanendlessloop.

VMware, Inc. 11

Installing vShield Zones

4CompletethevCentertabformasfollows:

5ClickCommit.

ThevShieldManagerconnectstothevCenterServer,logsin,andaccessestheVMwareVirtual

InfrastructureSDK.TheinventorytreeontheleftsideofthevShieldManagerscreenshouldmatchyour

vSphereClientHosts&Clustersinventorytreeview.

Add a vShield Agent

YoucanaddvShieldagentstothevCenterServerandvShieldZonesinventoriesbycreatingclonesfromthe

vShieldagenttemplate.

YoushouldinstallonevShieldagentpervSwitchwithanattachedNIC.Anyvirtualmachinesconnectedtoa

vSwitchwhereavShieldagentisnotinstalledarenotprotectedby

vShieldZones.

To add a vShield agent

1LogintothevShieldManager.

2Fromtheinventorytree,clicktheESXhostthatyouwanttoprotect.

3ClicktheInstallvShieldtabthatappearsabovetherightframe.

4ClickConfigureinstallparameters.

5Completetheformasfollows:

Field Action

IPaddress/Name TypetheIPaddressofyourvCenterServer.

UserName TypeyourvSphereClientusername.

Password TypethepasswordassociatedwithyourvSphereClientusername.

NOTEThevShieldManagerdoesnotappearinthevShieldZonesinventorypanel.TheSettings&

ReportsobjectrepresentsthevShieldManagerintheinventorypanel.

NOTEToinstallavShieldagentonavNetworkDistributedSwitch(vNDS),refertothevShieldZones

AdministrationGuide.

Field Action

SelectfromavailablevShields Leavethisfieldblank.UsethisfieldonlywhenyouareaddingavShield

agentwithoutanestablishedtemplate.

Selecttemplatetoclone Clickthisdrop‐downmenuandselectthevShieldagenttemplate.

Selectadatastoretoplaceclone Clickthisdrop‐downmenuandselectthedatastore

onwhichtostorethe

vShieldagentclone.

Enteranamefortheclone TypeauniquenameforthevShieldagentclone.Thisnameappearsinyour

vSphereClientandvShieldManagerinventories.

SpecifyIPAddressofvShieldVM TypetheIPaddresstobeassignedtothevShieldagent’smanagement

port.

SpecifyIPMaskforvShield TypetheIPsubnetmaskassociatedwiththeassignedIPaddress.

SpecifyIPAddressofDefault

GatewayforvShield

TypetheIPaddressofthedefaultnetworkgateway

SpecifySecureKeyforvShield

(leaveblankfordefault)

(Optional)TypeakeytobeusedbetweenthevShieldagent

andthevShield

Managerforsecurecommunication.Bydefault,thisentryinthisfieldis

masked.Thisdefaultseedisusedforencryptedcommunicationbetweenthe

vShieldagentandthevShieldManager.Keysarenotsharedacrossthe

network.

SelectavSwitchtoshield Clickthisdrop‐downmenuandselect

thevSwitchtoprotect.ThevSwitches

eligibleforprotectionarehighlightedingreenintheaccompanyingtable.

Quick Start Guide

12 VMware, Inc.

6ClickContinue.

Theinstallationsummaryscreenappears.Thisscreendisplaysbeforeandafterexampleillustrationsof

installingavShieldagentontheESX.

7ClickInstall.

YoucanfollowthevShieldagentinstallationstepsfromtheRecentTasksstatuspanelocatedatthebottom

ofthevSphereClientwindow.Formoredetails

ontheinstallationprocess,see“vShieldAgentAutomated

InstallationAt‐a‐Glance”onpage 14.

vShieldagentinstallationiscomplete.

8Afterinstallationhascompleted,openyourvSphereClient.

9 LocatethevShieldagentinyourinventory.

Notethatitispoweredon.

10 InstallVMwareToolsonthevShieldManagervirtualmachine.

Enable Continuous Discovery to Identify Your Guest Virtual Machine Traffic

AfteryourvShieldManagerandvShieldagentareinstalled,andyourvShieldagentcommunicateswithyour

vShieldManager,youmustenablethecontinuousdiscoveryoperationforthevShieldagenttoprotectyour

virtualmachines.

To enable continuous discovery of virtual machine traffic

1LogintothevShieldManager.

2ClickthevShieldagentfromtheinventorytree.

3ClicktheVMDiscovery

tab.

4ClicktheAutomatedsubhead.

5IntheScheduledDiscoveryStatusdrop‐downmenu,selectContinuous.

Donotcompleteanyotherfieldsintheform.

6ClickOK.

Thediscoveryoperationbegins.Discoveryrunscontinuously,identifyingtrafficflowsbyapplicationand

protocolspecifications.

7GotoVMDiscovery>Resultstoviewthediscoveryoutput.

DiscoveredtrafficisseparatedbyvirtualmachineIPaddress.Eachdiscoveredvirtualmachineissaved

undertheVMInventorytab,whichisavailableatthedatacenterandclustercontainerlevels,aswellas

atthevirtualmachinelevelwithinthevShieldManager.

Additional vCenter Configuration for vShield Agents

IfyouhaveenabledtheVMwareHAorVMwareDRSfeatures,youmustdisablemovementofvShieldagent

virtualmachines.ThismustbeperformedafterinstallationofeachvShieldagentvirtualmachine.

YoucanmigratethevShieldManagervirtualappliancebyusingVMotionwithoutconsequence.

To disable VMware HA or VMware DRS from moving the vShield agent virtual machines

1LogintothevSphereClient.

2Right‐clicktheclustercontainingyourvShieldagentvirtualmachinesandclickEditProperties.

OTETheexampleillustrationsarestaticanddonotdirectlyreflectyourvirtualnetwork.Thenumbered

installationscriptontheright‐handsideofthescreendetailstheactualinstallationsteps.

VMware, Inc. 13

Installing vShield Zones

TheAdminSettingsdialogboxopens.

3UnderVMwareHA,clickVirtualMachineOptions.

LocatethevShieldagentsinthelist.

4ForeachvShieldagentvirtualmachine,selectthefollowingvalues:

 VMRestartPriority:Disabled

 HostIsolationResponse:LeaveVMpoweredon

5IfyouhaveenabledDRS,clickVirtualMachineOptionsunderVMwareDRS.

LocatethevShieldagentsinthelist.

6ForeachvShieldagentvirtualmachine,selectDisabledforAutomationLevel.

7ClickOKafterallvShieldagentvirtualmachineshavebeenconfigured.

Indefaultoperation,a

vShieldagentraisesanerrorduringattemptedvirtualmachinemigrationbythe

operatororVMotion.Theerrorstatesthattheserverisconnectedtoavirtualintranet.Thisvirtualintranetis

thevSwitchthatavirtualmachineconnectstoontheprotectedsideofthevShieldagent.ThisvSwitchdoes

not

homeaphysicalNIC.ThevShieldagentbridgestraffictotheunprotectedsideofthenetworkthatis

connectedtoaphysicalNIC.

To enable VMotion to disable the virtual intranet check

1 Locatethevpxd.cfgfileonthemachinerunningvCenterServer.Bydefault,thisfileisinstalledat

C:\Documents and Settings\All Users\Application Data\VMware\VMware vCenter Server.

2Editthevpxd.cfgfileinatexteditor.

Addthe

followinglinesasasub‐leveltotheconfigsection,andatthesamelevelasthevpxdsection.

<test>

<VMOnVirtualIntranet>false</VMOnVirtualIntranet>

</CompatibleNetworks>

</test>

</migrate>

3 Savethevpxd.cfgfile.

4RestarttheVMwarevCenterServerservice.YoucanaccesstheservicemenubygoingtoControlPanel

>AdministrativeTools>Services.

TofurtherconfigurevShieldZones,refertothevShieldZonesAdministrationGuide.

Powering off vShield Zones Virtual Machines

YoucanpoweroffvShieldZonesvirtualmachinesatanytime.WhenyoupoweroffavShieldZonesvirtual

machine,thelastsavedconfigurationisusedwhenthevirtualmachineispoweredon.

To power off vShield Zones virtual machines

1InthevSphereClient,selectthevShieldZonesvirtualmachinesfromtheinventorypanel.

2ClicktheConsoletab

toopenthevShieldZonesCLI.

3LogintotheCLI.

4Afterloggingin,typeenabletoenterPrivilegedmode.

5Typeshutdown.

6AfterCLIshutdowniscompleted,right‐clickthevirtualmachinefromtheinventorypanelandselect

Power>PowerOff.

Quick Start Guide

14 VMware, Inc.

vShield Agent Automated Installation At-a-Glance

Wheninstalledfromareferencedtemplate,thevShieldagentinstallationprocessperformsthefollowing

steps:

1CreatesacloneofthevSwitchhost.

ThisvSwitchclonedoesnotincludeaNIC.ThenameofthevSwitchcloneincludesthenameofthe

vSwitchhostwith_VSappended:vSwitch1_VS.

2Createsaprotectedzoneport

group,VSprot_vShieldagent‐name,andattachesthisportgrouptothevSwitch

host.

3Createsamanagementportgroup,VSmgmt_vShieldagent‐name,onthevSwitchhostforthevShield

agent’smanagementinterface.

4Createsanunprotectedzoneportgroup,VSunprot_vShieldagent‐name,andattachesthisportgrouptothe

vSwitchclone.

5 Connectsandpowers

onthevShieldagent.

6 AttachesthevirtualinterfacesonthevShieldagenttotheprotectedandunprotectedportgroups.

7MovesthevirtualmachinesfromthevSwitchhosttothevSwitchclone.

IfthevShieldManagervirtualmachineresidesonthesamevSwitch,itisnotmoved.DuringvShield

Managerinstallation,youcreated

aportgroupcalledvsmgmtinwhichtoplacethevShieldManager.

vShieldagentinstallationrecognizesthisportgroupnameandignoresanyvirtualmachinesinthisport

group.

Figure 1. Installation of a vShield agent on a vSwitch

Understanding the Port Groups Created from vShield Agent Installation

vShieldagentinstallationrequiresthecreationoftwoportgroups.Theseportgroupsdelineatezonesoftrust:

unprotectedandprotected.Theunprotectedzonemonitorsincomingtraffic,whiletheprotectedzone

monitorsoutgoingtraffic.EachportgrouphomesavShieldagentinterface:U0fortheunprotectedzoneand

P0fortheprotected

zone.ConnectingtheseinterfacestothecreatedportgroupsenablesthevShieldagentto

monitorallincomingandoutgoingtraffic.

MPORTANTDonotaddvirtualmachinestotheprotectedorunprotectedportgroups.Theseportgroups

areconfiguredwithpromiscuousmodeturnedon,whichallowsthevShieldagenttoseeallpassing

traffic.

ESX

VMkernel

service

console

virtual

machine

vShield

vSwitch0

vSwitch1

vSwitch1_VS

virtual

machine

VMware, Inc. 15

Installing vShield Zones

Theunprotectedandprotectedportgroupsareconfiguredwithpromiscuousmodeenabled.Inpromiscuous

mode,aguestadaptercanlistentoallpassingpackets.Innon‐promiscuousmode,aguestadapterlistensto

trafficonlyonitsownMACaddress.Bydefault,guestadaptersaresettonon‐promiscuousmode.For



protectionpurposes,thevShieldagentmustbeabletoseeallpassingtraffic.Donotaddanyothervirtual

machinestotheseportgroups.

Quick Start Guide

16 VMware, Inc.

VMware vShield 1.0 Quick start guide

Brand: VMware

Model: vShield 1.0

Category: Networking

Type: Quick start guide

Download PDF

report

VMware vShield 1.0 Quick start guide

VMware vShield 1.0 Quick start guide

Related papers

Other documents