Port Isolation in vShield Edge 5

jibbajabba Member Posts: 4,317 ■■■■■■■■□□
Anyone know how? Even VMware Support seems clueless

** Please do not change the subject line of this email if you wish to respond. **

Hello xxx,

Thank you for your Support Request.

<snip>

I am not sure how this is installed or configured in vShield 5 and there is, as you say, no documentation on it.

<snip>

Kind regards

Shocking, considering how much $$ you pay for the products ...

Anyway, not a rant over an SR - just need that sorted so any help / pointers are appreciated ..
My own knowledge base made public: http://open902.com :p

Comments

  • jmritenour Member Posts: 565
    I haven't labbed this in 5 yet, but in 4.1, all I had to do was right click on the port group and the option was there. The license for Edge needs to be installed first, however. You can get a trial license key for Edge from the download trial link here. Just add the key to the license section in vCenter - nothing to actually install, it just enables the functionality.
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
  • jibbajabba Member Posts: 4,317 ■■■■■■■■□□
    jmritenour wrote: »
    I haven't labbed this in 5 yet, but in 4.1, all I had to do was right click on the port group and the option was there. The license for Edge needs to be installed first, however. You can get a trial license key for Edge from the download trial link here. Just add the key to the license section in vCenter - nothing to actually install, it just enables the functionality.

    Oh I worked with it on 4.1 - option just isn't there on 5

    Here is a comparison between the versions

    There is a vShield Zones install for vSphere 5 - but that is an installer from 2009 which is a bit odd and shouldn't be needed anyway ... Not that happy to say the least ..

    Oh and yes, it is all licensed

  • jmritenour Member Posts: 565
    Interesting, I'll try to take a look at it on my lab at work later today when I get in.
  • jmritenour Member Posts: 565
  • jibbajabba Member Posts: 4,317 ■■■■■■■■□□
    jmritenour wrote: »

    Thanks for finding this - now that just sucks ... The whole point in using Portgroup Isolation is to stop having to use VLANs ...

    ARG ...
  • azjag Member Posts: 579 ■■■■■■■□□□
    jibbajabba wrote: »
    Thanks for finding this - now that just sucks ... The whole point in using Portgroup Isolation is to stop having to use VLANs ...

    ARG ...
    If you don't need internet access why don't you just create a vSwitch with no up-links?
    Currently Studying:
    VMware Certified Advanced Professional 5 – Data Center Administration (VCAP5-DCA) (Passed)
    VMware Certified Advanced Professional 5 – Data Center Design (VCAP5-DCD)
  • jibbajabba Member Posts: 4,317 ■■■■■■■■□□
    azjag wrote: »
    If you don't need internet access why don't you just create a vSwitch with no up-links?

    Wouldn't work in this scenario ... That would be too complicated to explain here to be honest, this environment is massive and certainly not straightforward with very specific requirements :)
  • jibbajabba Member Posts: 4,317 ■■■■■■■■□□
    That's that then

    The communities page is correct: PGI has stopped and has been replaced by vxlan. Unfortunately vxlan was not ready in time for the release of vShield 5 or, more appropriately, vSphere 5. Vxlan is estimated to be available in the next release of vSphere 5.

    Cloud director still uses PGI because the dvfilter module is installed with the cloud agent and cloud alters the vmx file accordingly.

    I have attached a white paper which describes how to do a PGI equivalent using an edge device:
    http://www.vmware.com/files/pdf/techpaper/vShield-Edge-Design-Guide-WP.pdf

    The only other workaround would be to downgrade your environment to vShield version 4.1.

    I appreciate this is probably not what you were hoping for. Please let me know if you have any further questions.

    Kind regards
