VCP-IaaS Study Notes: Section 4.4

This is Section 4.4 in the VCP-IaaS blueprint Guide 1.2. The rest of the (completed) sections can be found here.

Identify available vShield Edge network services

  • DHCP
  • Firewall
  • NAT
  • VPN

Configure DHCP/NAT/VPN services

  • DHCP
    • You can configure certain organization networks to provide DHCP services to virtual machines in the organization.
    • When you enable DHCP for an organization network, connect a NIC on virtual machine in the organization to that network, and select DHCP as the IP mode for that NIC, vCloud Director assigns a DHCP IP address to the virtual machine when you power it on.
    • Both system administrators and organization administrators can configure DHCP.
      • Click the Manage & Monitor tab and click Organization Networks in the left pane.
      • Right-click the organization network name and select Configure Services.
      • Click the DHCP tab and select Enable DHCP.
      • Type a range of IP addresses or use the default range.
        • vCloud Director uses these addresses to satisfy DHCP requests. The range of DHCP IP addresses cannot overlap with the static IP pool for the organization network.
      • Set the default lease time and maximum lease time or use the default values.
      • Click OK.
  • NAT: first add an external IP address, then a NAT mapping (port forwarding or IP translation)
    • Add External IP Addresses to an Organization Network
      • Before you can configure NAT mapping for an organization network, you must add one or more external IP addresses.
      • Only a system administrator can add external IP addresses to an organization network.
      • Prerequisites
        • An external NAT-routed organization network.
      • Procedure
        • Click the Manage & Monitor tab and click Organization Networks in the left pane.
        • Right-click the organization network name and select Configure Services.
        • Click the NAT – External IPs tab.
        • Type an IP address and click Add.
          • The IP address must be routable on the external network and unique across internal networks.
        • Click OK.
      • Configure Port Forwarding for an Organization Network
        • You can configure certain organization networks to provide port forwarding. Port forwarding provides external access to services running on virtual machines on the organization network.
        • When you configure port forwarding, vCloud Director maps an external IP address and a port to a service running on a port on a virtual machine for inbound traffic.
        • When you add a new port forwarding rule to an organization network, it appears at the bottom of the NAT mapping rule list.
          • Click the Manage & Monitor tab and click Organization Networks in the left pane.
          • Right-click the organization network name and select Configure Services.
          • Click the NAT Mapping tab and click Add.
          • Select Port Forwarding and configure the port forwarding rule.
            • Select an external IP address.
            • Select an external port.
            • Type the IP address of the destination virtual machine.
            • If the virtual machine is fenced, type its external IP address.
            • If the virtual machine is not fenced, type its internal IP address.
            • Select an internal port.
            • Select a protocol for the type of traffic to forward.
            • Click OK.
          • Click OK.
      • Configure IP Translation for an Organization Network
        • You can configure certain organization networks to provide IP translation.
        • When you add a new IP translation rule to an organization network, it appears at the bottom of the NAT mapping rule list.
        • Procedure
          • Click the Manage & Monitor tab and click Organization Networks in the left pane.
          • Right-click the organization network name and select Configure Services.
          • Click the NAT Mapping tab and click Add.
          • Select IP Translation and configure the rule.
            • Select an external IP address.
            • Type the IP address of the destination virtual machine.
              • If the virtual machine is fenced, type its external IP address.
              • If the virtual machine is not fenced, type its internal IP address.
            • Click OK.
          • Click OK.
      • Enable IP Masquerading for an Organization Network
        • You can configure certain organization networks to provide IP masquerade services. You can use IP masquerading on an organization network to hide the internal IP addresses of virtual machines from the external network.
        • When you enable IP masquerade, vCloud Director translates a virtual machine’s private, internal IP address to a public IP address for outbound traffic.
        • Both system administrators and organization administrators can enable IP masquerade.
        • Prerequisites
          • Verify that you have an external NAT-routed organization network.
        • Procedure
          • Click the Manage & Monitor tab and click Organization Networks in the left pane.
          • Right-click the organization network name and select Configure Services.
          • Click the NAT Mapping tab and select Enable IP Masquerade.
          • Click OK.
  • VPN:
    • Enable Site-to-Site VPN for an Organization Network
      • You can enable site-to-site VPN for an organization network and then create a secure tunnel to another network.
      • vCloud Director supports site-to-site VPN between organization networks in the same organization, organization networks in different organizations (including organization networks in different instances of vCloud Director), and remote networks.
      • Both system administrators and organization administrators can enable site-to-site VPN.
      • Prerequisites
        • An external NAT-routed organization network.
        • vShield Manager 5.0.
      • Procedure
        • Click the Manage & Monitor tab and click Organization Networks in the left pane.
        • Right-click the organization network name and select Configure Services.
        • Click the Site-to-Site VPN tab and select Enable site-to-site VPN.
        • (Optional) Type a public IP address.
          • If the external network to which the organization network is routed is behind a NAT device, you must provide a publicly accessible IP address that faces the Internet.
        • Click OK.
      • Create a VPN Tunnel Within an Organization
        • You can create a VPN tunnel between two organization networks in the same organization.
        • Both system administrators and organization administrators can create VPN tunnels.
        • If there is a firewall between the tunnel endpoints, you must configure it to allow the following IP protocols and UDP ports:
          • IP Protocol ID 50 (ESP)
          • IP Protocol ID 51 (AH)
          • UDP Port 500 (IKE)
          • UDP Port 4500
        • Prerequisites
          • At least two external NAT-routed organization networks with non-overlapping IP subnets and site-to-site VPN enabled on both networks.
          • vShield Manager 5.0.
        • Procedure
          • Click the Manage & Monitor tab and click Organization Networks in the left pane.
          • Right-click the organization network name and select Configure Services.
          • Click the Site-to-Site VPN tab and click Add.
          • Type a name and optional description.
          • Select a network in this organization from the drop-down menu and select a peer network.
          • Review the tunnel settings and click OK.
      • Create a VPN Tunnel Between Organizations
        • You can create a VPN tunnel between two organization networks in different organizations. The organizations can be part of the same vCloud Director installation or of different installations.
        • Both system administrators and organization administrators can create VPN tunnels.
        • If there is a firewall between the tunnel endpoints, you must configure it to allow the following IP protocols and UDP ports:
          • IP Protocol ID 50 (ESP)
          • IP Protocol ID 51 (AH)
          • UDP Port 500 (IKE)
          • UDP Port 4500
        • Prerequisites
          • An external NAT-routed organization network in each of the organizations. The organization networks must have non-overlapping IP subnets and site-to-site VPN enabled.
          • vShield Manager 5.0.
        • Procedure
          • Click the Manage & Monitor tab and click Organization Networks in the left pane.
          • Right-click the organization network name and select Configure Services.
          • Click the Site-to-Site VPN tab and click Add.
          • Type a name and optional description.
          • Select a network in another organization from the drop-down menu.
          • Click Connect to another organization, type the login information for the peer organization, and click Continue.
          • Select a peer network.
          • Review the tunnel settings and click Connect.
      • Create a VPN Tunnel to a Remote Network
        • You can create a VPN tunnel between an organization network and a remote network.
        • Both system administrators and organization administrators can create VPN tunnels.
        • If there is a firewall between the tunnel endpoints, you must configure it to allow the following IP protocols and UDP ports:
          • IP Protocol ID 50 (ESP)
          • IP Protocol ID 51 (AH)
          • UDP Port 500 (IKE)
          • UDP Port 4500
        • Prerequisites
          • An external NAT-routed organization network and a routed remote network that uses IPSec.
          • vShield Manager 5.0.
        • Procedure
          • Click the Manage & Monitor tab and click Organization Networks in the left pane.
          • Right-click the organization network name and select Configure Services.
          • Click the Site-to-Site VPN tab and click Add.
          • Type a name and optional description.
          • Select a remote network from the drop-down menu.
          • Type the peer settings.
          • Review the tunnel settings and click OK.
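The three tunnel procedures above all carry the same requirement for any firewall sitting between the endpoints: ESP (IP protocol 50), AH (IP protocol 51), UDP 500 and UDP 4500 must pass in both directions. The script below is an added example, not code from the study notes or from VMware: it models a first-match firewall policy as a plain list of rules (a simplified model, not any vendor's rule format), generates the minimal rule set for a pair of endpoint addresses, and reports which required flows an existing policy would still drop. The endpoint addresses, the `Rule` class and the sample policy are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Flows the notes list as required between site-to-site VPN endpoints:
# (IP protocol number, UDP destination port or None, label). UDP 4500 carries
# IPsec NAT traversal; the notes give only the port number.
IPSEC_FLOWS = [
    (50, None, "ESP (IP protocol 50)"),
    (51, None, "AH (IP protocol 51)"),
    (17, 500, "IKE (UDP 500)"),
    (17, 4500, "IPsec NAT traversal (UDP 4500)"),
]


@dataclass
class Rule:
    """One line of a constructed first-match policy (a simplified model, not a vendor format)."""
    action: str                   # "allow" or "deny"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    proto: Optional[int] = None   # IP protocol number; None matches any protocol
    dport: Optional[int] = None   # destination port for UDP/TCP; None matches any port

    def matches(self, src_ip: str, dst_ip: str, proto: int, dport: Optional[int]) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def decide(rules: List[Rule], src_ip: str, dst_ip: str, proto: int, dport: Optional[int] = None) -> str:
    """First matching rule wins; an implicit deny applies when nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


def missing_ipsec_flows(rules: List[Rule], endpoint_a: str, endpoint_b: str) -> List[str]:
    """Required IPsec flows, checked in both directions, that the policy would drop."""
    missing = []
    for proto, port, label in IPSEC_FLOWS:
        for src, dst in ((endpoint_a, endpoint_b), (endpoint_b, endpoint_a)):
            if decide(rules, src, dst, proto, port) != "allow":
                missing.append(f"{label} from {src} to {dst}")
    return missing


def ipsec_rules(endpoint_a: str, endpoint_b: str) -> List[Rule]:
    """The minimal allow rules for a tunnel between two endpoint addresses, both directions."""
    rules = []
    for proto, port, _ in IPSEC_FLOWS:
        for src, dst in ((endpoint_a, endpoint_b), (endpoint_b, endpoint_a)):
            rules.append(Rule("allow", f"{src}/32", f"{dst}/32", proto, port))
    return rules


# Constructed policy for two documentation-range endpoints: every required flow was added
# except the return-direction UDP 4500 rule, which the check reports.
LOCAL, PEER = "203.0.113.10", "198.51.100.20"
SAMPLE_POLICY = [r for r in ipsec_rules(LOCAL, PEER)
                 if not (r.dport == 4500 and r.src == f"{PEER}/32")]
SAMPLE_POLICY.append(Rule("deny", "0.0.0.0/0", "0.0.0.0/0"))

if __name__ == "__main__":
    for gap in missing_ipsec_flows(SAMPLE_POLICY, LOCAL, PEER):
        print("blocked:", gap)
```

Checking both directions matters because a policy that lets IKE out but not back in produces a tunnel that never negotiates, and the symptom (no tunnel) looks identical to a mismatched peer setting.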

Add a SNAT/DNAT rule

  • When you create an IP translation rule for a network, vCloud Director adds a DNAT and SNAT rule to the vShield Edge associated with the network’s port group. The DNAT rule translates an external IP address to an internal IP address for inbound traffic. The SNAT rule translates an internal IP address to an external IP address for outbound traffic. If the network is also using IP masquerade, the SNAT rule takes precedence.
  • The vShield Admin Guide describes how to configure SNAT and DNAT rules (pages 40 and 41) in the vSphere Client, but this happens automatically when you configure IP translation in the vCloud Director GUI.
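To make the NAT mapping behaviour described above concrete, here is an added example (not code from the study notes, vCloud Director or vShield) that models the three mapping types on one edge: a port forwarding rule (inbound only), a 1:1 IP translation (which the notes say installs both a DNAT and a SNAT rule), and IP masquerade for outbound traffic. Rules are evaluated first-match in list order; treating the list order the notes mention as precedence is an assumption of this model, as are the class names and the documentation-range addresses.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PortForward:
    """Inbound only: external IP:port for one protocol -> VM IP:port."""
    external_ip: str
    external_port: int
    protocol: str          # "TCP" or "UDP"
    internal_ip: str
    internal_port: int


@dataclass
class IpTranslation:
    """1:1 mapping; vCloud Director installs a DNAT (inbound) and a SNAT (outbound) for it."""
    external_ip: str
    internal_ip: str


@dataclass
class EdgeNat:
    rules: List[object] = field(default_factory=list)   # PortForward / IpTranslation, in list order
    masquerade_ip: Optional[str] = None                 # public IP used when IP masquerade is enabled

    def inbound(self, dst_ip: str, dst_port: int, protocol: str) -> Optional[Tuple[str, int]]:
        """Destination the edge rewrites an inbound packet to, or None when no rule matches.

        Masquerade never admits inbound traffic: it only hides internal addresses on the way out.
        """
        for rule in self.rules:
            if isinstance(rule, PortForward):
                if (rule.external_ip, rule.external_port, rule.protocol) == (dst_ip, dst_port, protocol):
                    return rule.internal_ip, rule.internal_port
            elif isinstance(rule, IpTranslation) and rule.external_ip == dst_ip:
                return rule.internal_ip, dst_port       # DNAT rewrites the address and keeps the port
        return None

    def outbound(self, src_ip: str) -> Optional[str]:
        """Source address an outbound packet leaves with, or None when nothing translates it."""
        for rule in self.rules:
            # The 1:1 SNAT rule takes precedence over IP masquerade, as the notes state.
            if isinstance(rule, IpTranslation) and rule.internal_ip == src_ip:
                return rule.external_ip
        return self.masquerade_ip


# Constructed example: one VM published on TCP 443 only, one VM with a 1:1 translation,
# masquerade enabled for everything else. Addresses are documentation ranges, not real hosts.
EDGE = EdgeNat(
    rules=[
        PortForward("203.0.113.10", 443, "TCP", "192.168.100.10", 8443),
        IpTranslation("203.0.113.11", "192.168.100.20"),
    ],
    masquerade_ip="203.0.113.1",
)

if __name__ == "__main__":
    print(EDGE.inbound("203.0.113.10", 443, "TCP"))   # the published service
    print(EDGE.inbound("203.0.113.10", 22, "TCP"))    # not published: None
    print(EDGE.outbound("192.168.100.10"))            # masqueraded
    print(EDGE.outbound("192.168.100.20"))            # 1:1 SNAT wins over masquerade
```

The exposure difference between the two inbound mappings is the point worth noticing: a port forwarding rule publishes exactly one port, whereas a 1:1 IP translation exposes every port on the VM to the external network and relies entirely on the edge firewall rules to narrow that down.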

Add a DHCP IP pool

  • When configuring the DHCP pool, the range of DHCP IP addresses cannot overlap with the static IP pool for the network.
    • Click the Manage & Monitor tab and click Organization Networks in the left pane.
    • Right-click the organization network name and select Configure Services.
    • Type a range of IP addresses or use the default range.
    • Set the default lease time and maximum lease time or use the default values.
    • Click OK.
  • The vShield Admin Guide describes how to configure a new IP pool (pages 41 and 42) in the vSphere Client, but this happens automatically when you configure the DHCP range in the vCloud Director GUI.
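The no-overlap rule between the DHCP range and the static IP pool (stated here and in the DHCP procedure earlier) is easy to get wrong by one address when pools are typed by hand. The validator below is an added example, not code from the study notes or from vCloud Director, which checks a proposed range the way an administrator would want before clicking OK. It uses Python's standard `ipaddress` module; the function names, the inclusive `(first, last)` range convention and the sample addresses are this example's own, and the network/broadcast check is a general IP rule the notes do not mention.

```python
import ipaddress
from typing import List, Tuple

# Inclusive (first, last) address pair, matching how a range is typed into the pool dialogs.
IPRange = Tuple[str, str]


def _parse_range(r: IPRange):
    lo, hi = ipaddress.ip_address(r[0]), ipaddress.ip_address(r[1])
    if lo.version != hi.version:
        raise ValueError(f"mixed address families in range {r}")
    if hi < lo:
        raise ValueError(f"range {r} ends before it starts")
    return lo, hi


def ranges_overlap(a: IPRange, b: IPRange) -> bool:
    """True when the two inclusive ranges share at least one address."""
    a_lo, a_hi = _parse_range(a)
    b_lo, b_hi = _parse_range(b)
    if a_lo.version != b_lo.version:
        return False
    return a_lo <= b_hi and b_lo <= a_hi


def validate_dhcp_range(network_cidr: str, static_pools: List[IPRange], dhcp_range: IPRange) -> List[str]:
    """Return the problems with a proposed DHCP range; an empty list means it is acceptable.

    Checks: both ends lie inside the organization network's subnet; the range does not
    contain the network or broadcast address (a general IP rule, not one the notes call out);
    and the range does not overlap any static IP pool (the rule the notes state).
    """
    problems = []
    net = ipaddress.ip_network(network_cidr, strict=True)
    lo, hi = _parse_range(dhcp_range)
    outside = [str(a) for a in (lo, hi) if a not in net]
    if outside:
        problems.append(f"{', '.join(outside)} outside {net}")
    elif lo == net.network_address or hi == net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    for pool in static_pools:
        if ranges_overlap(dhcp_range, pool):
            problems.append(f"overlaps static pool {pool[0]}-{pool[1]}")
    return problems


if __name__ == "__main__":
    # Constructed organization network: static pool .10-.99, proposed DHCP range .50-.200.
    for problem in validate_dhcp_range("192.168.10.0/24",
                                       [("192.168.10.10", "192.168.10.99")],
                                       ("192.168.10.50", "192.168.10.200")):
        print("rejected:", problem)
```

The overlap test is the usual interval check (`a_lo <= b_hi and b_lo <= a_hi`), which also catches the single-address case where one pool ends exactly where the other begins.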

Add DHCP static binding

  • You can enable static binding to bind an IP address to the MAC address of a virtual machine.
  • Procedure
    • In the vSphere Client, go to Inventory > Networking.
    • Select an internal port group that is protected by a vShield Edge.
    • Click the vShield Edge tab.
    • Click the DHCP link.
    • Under DHCP Bindings, click Add Binding.
    • Select the VM Name that you want to bind.
    • Select the Interface for which you want to create the binding.
    • Type the IP Address to which you want to bind the MAC address of the selected virtual machine.
    • Type the Domain Name.
    • Type the Primary Nameserver and Secondary Nameserver, which refer to the DNS service. You must enter the IP address of a DNS server for hostname-to-IP address resolution.
    • Type the Default Gateway address.
    • For Lease Time, select whether you want to lease the address to the client for the default time (1 day) or specify a value in seconds.
    • Click OK.

Configure the VPN service

  • For some reason the blueprint seems to want you to know how to configure VPN services on a vShield Edge device in the vSphere Client as well, even though this is supposed to be done in the vCloud Director GUI.
    • You must configure an external IP address on the vShield Edge to provide VPN service.
    • Procedure
      • In the vSphere Client, go to Inventory > Networking.
      • Select an internal port group that is protected by a vShield Edge.
      • Click the vShield Edge tab.
      • Click the VPN link.
      • Under Global Configuration, click Enable VPN.
        • The Add VPN Configuration dialog box opens.
        • Type the IP address of the vShield Edge instance in Local Service IP Address.
        • Type the pre-shared key in PSK for Sites with any Peer IP if anonymous sites are to connect to the VPN service. Any peer that presents this key can bring up a tunnel, so choose a strong, unique value.
        • Type a name for the VPN connection in VPN Gateway ID.
        • Select Log to log VPN activity.
        • Click OK.

Configure Syslog

  • Apply Syslog Server Settings to an Organization Network
    • You can apply syslog server settings to a routed organization network to enable firewall rule logging.
    • Apply syslog server settings to any organization network that was created before the initial creation of those settings. Apply the syslog server settings to an organization network any time the settings are changed.
    • If you are unsure whether an organization network’s syslog settings are up-to-date, you can view the organization network’s syslog settings.
    • Prerequisites
      • Verify that you have an external NAT-routed organization network.
    • Procedure
      • Click the Manage & Monitor tab and click Organization Networks in the left pane.
      • Select an organization network, right-click, and select Synchronize syslog server settings.
      • Click Yes.
  • View Syslog Server Settings for an Organization Network
    • You can view the syslog server settings for a routed organization network.
    • vCloud Director supports logging events related to firewall rules to a syslog server that a system administrator specifies.
    • If an organization network lacks syslog server settings and you think that it should have them, or if the settings are not what you expected, synchronize the network with the most current syslog server settings.
    • Prerequisites
      • Verify that you have an external NAT-routed organization network.
      • Verify that you are an organization administrator.
    • Procedure
      • Click the Manage & Monitor tab and click Organization Networks in the left pane.
      • Select an organization network, right-click, and select Properties.
      • Click the Syslog Server Settings tab.
  • You can select the Log network traffic for firewall rule check box when configuring a firewall rule.

Use logs to troubleshoot common network service issues

  • The system event message logged in the syslog has the following structure:
    • syslog header (timestamp + hostname + sysmgr/)
    • Timestamp (from the service)
    • Name/value pairs
      • Name and value separated by the delimiter ‘::’ (double colon)
      • Each name/value pair separated by the delimiter ‘;;’ (double semicolon)
  • The fields and types of the system event contain the following information:
    • Event ID :: 32-bit unsigned integer
    • Timestamp :: 32-bit unsigned integer
    • Application Name :: string
    • Application Submodule :: string
    • Application Profile :: string
    • Event Code :: integer (possible values: 10007, 10016, 10043, 20019)
    • Severity :: string (possible values: INFORMATION, LOW, MEDIUM, HIGH, CRITICAL)
    • Message ::
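A parser for the event structure just described, as an added example (not code from the study notes or from VMware): it splits a line into the syslog header and the `;;`-separated name/value pairs, types the integer fields, range-checks the 32-bit ones, flags event codes and severity levels outside the documented sets, and filters events by minimum severity so the lines worth looking at surface first. The sample log lines are constructed; the exact layout of the syslog header, the hostname, submodule names, event IDs and message texts are assumptions of this example, and the parser only relies on the name/value section starting at the `Event ID::` pair.

```python
from typing import Dict, List

PAIR_SEP = ";;"   # separates name/value pairs
KV_SEP = "::"     # separates a name from its value
KNOWN_EVENT_CODES = {10007, 10016, 10043, 20019}
SEVERITY_ORDER = ["INFORMATION", "LOW", "MEDIUM", "HIGH", "CRITICAL"]   # lowest to highest
UINT32_FIELDS = ("Event ID", "Timestamp")


def parse_event(line: str) -> Dict[str, object]:
    """Split one system event line into its syslog header and typed fields.

    The name/value section is assumed to begin at the first "Event ID::" pair, so everything
    before it (syslog timestamp, hostname, sysmgr/ tag, service timestamp) is kept verbatim as
    'header'. Typing and range problems are collected in 'warnings' rather than raised, so one
    malformed line does not abort a scan of a whole log file.
    """
    start = line.find("Event ID" + KV_SEP)
    if start < 0:
        raise ValueError("no 'Event ID::' pair found; not a system event line")
    event = {"header": line[:start].strip(), "warnings": []}
    warnings = event["warnings"]
    for pair in line[start:].split(PAIR_SEP):
        name, sep, value = pair.partition(KV_SEP)
        if not sep:
            warnings.append(f"malformed pair {pair!r}")
            continue
        event[name.strip()] = value.strip()
    # Type the integer fields and range-check the ones documented as 32-bit unsigned.
    for name in ("Event ID", "Timestamp", "Event Code"):
        raw = event.get(name)
        try:
            event[name] = int(raw)
        except (TypeError, ValueError):
            warnings.append(f"{name}: expected an integer, got {raw!r}")
            continue
        if name in UINT32_FIELDS and not 0 <= event[name] < 2 ** 32:
            warnings.append(f"{name}: {event[name]} does not fit a 32-bit unsigned integer")
    code = event.get("Event Code")
    if isinstance(code, int) and code not in KNOWN_EVENT_CODES:
        warnings.append(f"Event Code: {code} is not one of the documented codes")
    if event.get("Severity") not in SEVERITY_ORDER:
        warnings.append(f"Severity: {event.get('Severity')!r} is not a documented level")
    return event


def parse_events(lines) -> List[Dict[str, object]]:
    """Parse every line, skipping lines that are not system events."""
    events = []
    for line in lines:
        try:
            events.append(parse_event(line))
        except ValueError:
            continue
    return events


def at_least(events, severity: str) -> List[Dict[str, object]]:
    """Events whose Severity is the given level or higher (undocumented levels are excluded)."""
    floor = SEVERITY_ORDER.index(severity)
    return [e for e in events
            if e.get("Severity") in SEVERITY_ORDER and SEVERITY_ORDER.index(e["Severity"]) >= floor]


# Constructed sample log lines in the structure described above; hostname, submodule names,
# event IDs and messages are made up, and the syslog header layout is an assumption.
SAMPLE_LINES = [
    "Jan 12 10:33:02 vsm01 sysmgr/ 1326364382 Event ID::1042;;Timestamp::1326364382;;"
    "Application Name::vShield Edge;;Application Submodule::firewall;;Application Profile::edge-1;;"
    "Event Code::10007;;Severity::HIGH;;Message::constructed sample event",
    "Jan 12 10:33:05 vsm01 sysmgr/ 1326364385 Event ID::1043;;Timestamp::1326364385;;"
    "Application Name::vShield Edge;;Application Submodule::dhcp;;Application Profile::edge-1;;"
    "Event Code::10016;;Severity::INFORMATION;;Message::constructed sample event",
    "Jan 12 10:33:09 vsm01 sysmgr/ 1326364389 Event ID::1044;;Timestamp::1326364389;;"
    "Application Name::vShield Edge;;Application Submodule::vpn;;Application Profile::edge-1;;"
    "Event Code::99999;;Severity::URGENT;;Message::constructed sample with an unknown code and level",
    "Jan 12 10:33:10 vsm01 sshd[123]: unrelated line that is not a system event",
]

if __name__ == "__main__":
    events = parse_events(SAMPLE_LINES)
    for event in at_least(events, "HIGH"):
        print(event["header"], event["Event Code"], event["Severity"], event["Message"])
    for event in events:
        for warning in event["warnings"]:
            print("warning: event", event["Event ID"], warning)
```

Splitting on `;;` first and then partitioning each pair on the first `::` keeps the parser correct even if a message value itself contains a colon; a value containing `;;` would still be cut short, which is why malformed pairs are reported rather than silently dropped.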
