DDoS Secure: VMware Virtual Edition Installation Guide
This document covers the DDoS Secure VMware Virtual Edition overview, prerequisites for installing a DDoS Secure appliance Virtual Edition, ESX (i) server preparation, and an overview of DDoS Secure appliance virtual engine installation.
DDoS Secure
VMware Virtual Edition Installation Guide
Release
5.13.2-0
Published: 2013-11-25
Copyright © 2013, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright ©Webscreen Technology 2001-2013
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
DDoS Secure VMware Virtual Edition Installation Guide
Copyright © 2013, Juniper Networks, Inc.
All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation
Documentation and Release Notes
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Self-Help Online Tools and Resources
Opening a Case with JTAC
Part 1 VMware Virtual Edition Installation
Chapter 1 DDoS Secure VMware Virtual Edition Overview
DDoS Secure VMware Virtual Edition Overview
Chapter 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition
Physical Interface Requirements for Installing a DDoS Secure Appliance VE
Chapter 3 ESX (i) Server Preparation
Preparing to Configure an ESX (i) Server
Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview
Deploying a DDoS Secure Appliance Using the vSphere OVA Package
DDoS Secure Appliance Virtual Engine Startup and Shutdown
Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine
Powering On a DDoS Secure Appliance Virtual Engine
Configuring the Management IP Address in a DDoS Secure Appliance
Connecting to the DDoS Secure Appliance
First Boot
Understanding DDoS Secure Appliance Overview Page Information
Configuring a Pair of High Availability DDoS Secure Appliances
Part 2 Appendix
Appendix A Installing Virtual Switches in a Network Adaptor
Installing Virtual Switches in a Network Adaptor
Adding JS Protected and Protected LAN Port Groups
Adding a JS Data Share Port Group
Adding a JS Internet Port Group
Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance
Appendix B Installing an Existing Single NIC ESX (i) Server
Installing an Existing Single NIC ESX (i) Server
Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server
Adding a JS Data Share Port Group to a NIC ESX (i) Server
Adding a JS Internet Port Group to a NIC ESX (i) Server
Appendix C Installing and Configuring a New ESX (i) Server
Installing and Configuring a New ESX (i) Server
Installing an ESX (i) Server
Connecting to vSphere
Configuring vSwitch0 in the DDoS Secure Appliance Management Interface(s)
Creating Internet Traffic for a DDoS Secure Appliance
Configuring a Data Share Port Group in a DDoS Secure Appliance
Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode
Changing the Configuration Settings in an ESX (i) Server VMNIC Interface
Appendix D Reassigning the Existing VM Network Interfaces in a VM Server
Reassigning the Existing VM Network Interfaces in a VM Server
Appendix E Troubleshooting
Reconfiguring a vSphere Client
Appendix F Understanding Sizing Requirements
Understanding Sizing Requirements
Appendix G NUMA Tuning
Tuning in a NUMA Environment
List of Figures
Part 1 VMware Virtual Edition Installation
Chapter 1 DDoS Secure VMware Virtual Edition Overview
Figure 1: Virtual Edition with DDoS Protection System (External Servers Protection)
Figure 2: Virtual Edition with DDoS Protection System (VM Servers Protection)
Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview
Figure 3: Deploy OVF Template
Figure 4: OVF Template Details
Figure 5: EULA - Accept
Figure 6: EULA Name
Figure 7: EULA – Name and Location
Figure 8: Disk Format
Figure 9: Network Mapping
Figure 10: Ready to Complete
Figure 11: Deployment Confirmation
Figure 12: vSphere Client - Primary
Figure 13: VM Startup and Shutdown
Figure 14: VM Startup and Shutdown – Startup Order
Figure 15: VM Startup and Shutdown – Automatic Startup
Figure 16: VM Autostart Settings
Figure 17: Startup and Shutdown – Confirmation
Figure 18: Startup and Shutdown – Complete
Figure 19: Primary Virtual Machine Properties
Figure 20: DDoS Secure Appliance Power On
Figure 21: DDoS Secure Appliance Package Installation
Figure 22: DDoS Secure Appliance Package Progression
Figure 23: DDoS Secure Appliance VMware Tools Screen
Figure 24: DDoS Secure Appliance Package Update Screen
Figure 25: DDoS Secure Appliance Primary Console
Figure 26: IP Address Configuration
Figure 27: Netmask Configuration
Figure 28: Gateway Configuration
Figure 29: Input Values
Figure 30: Layer 2, Layer 23 or Layer 3
Figure 31: Navigation Block Error
Figure 32: DDoS Secure Appliance Log in Page
Figure 33: Security Log in Page
Figure 34: First Boot Screen Snippets
Figure 35: First Boot Accept Screen Snippet
Figure 36: DDoS Secure Appliance Summary Board
Figure 37: Configure Interface Page - Data Share Interface
Part 2 Appendix
Appendix A Installing Virtual Switches in a Network Adaptor
Figure 38: Example of ESX (i) Server
Figure 39: Example of ESX (i) Server with Dual NIC
Figure 40: ESX (i) Server Console
Figure 41: ESX (i) Server Add Network Wizard
Figure 42: ESX (i) Server Wizard - Network Access
Figure 43: ESX (i) Server Wizard - Connection Settings
Figure 44: ESX (i) Server Wizard Confirmation
Figure 45: ESX (i) Server Configuration Page
Figure 46: vSwitch Properties
Figure 47: vSwitch Network Wizard – Connection Type
Figure 48: vSwitch Network Wizard – Connection Settings
Figure 49: vSwitch Network Wizard – Confirmation
Figure 50: vSwitch Properties
Figure 51: JS Protected Properties - General
Figure 52: JS Protected Properties - Security
Figure 53: vSwitch3 Properties
Figure 54: ESX (i) Host Configuration
Figure 55: VMware Connection Type
Figure 56: Virtual Machine Network Access
Figure 57: Virtual Machine Connection Settings
Figure 58: Virtual Machine Connection Settings Completion
Figure 59: Virtual Machine Connections Page
Figure 60: Virtual Machine Configuration Page
Figure 61: vSwitch Properties
Figure 62: vSwitch Connection Type
Figure 63: Virtual Machine Connection Settings
Figure 64: Network Wizard Completion Page
Figure 65: Virtual Machine Configuration Page
Figure 66: vSwitch Properties
Figure 67: JS Internet Properties - General
Figure 68: JS Internet Properties - Security
Figure 69: vSwitch Properties - Ports
Figure 70: Virtual Machine Properties
Appendix B Installing an Existing Single NIC ESX (i) Server
Figure 71: ESX (i) Server with Single NIC
Figure 72: ESX (i) Server with Single NIC after DDoS Secure Appliance Installation
Figure 73: JS Protected and Protected LAN Port Groups
Figure 74: Connection Type
Figure 75: Virtual Machine Network Access
Figure 76: Virtual Machine Connection Settings
Figure 77: Virtual Machine Connection Settings Completion
Figure 78: Virtual Machine Inventory
Figure 79: vSwitch Properties - Port
Figure 80: Virtual Machine Connection Type
Figure 81: Virtual Machine Connection Settings
Figure 82: Virtual Machine Connection Completion
Figure 83: vSwitch Properties Port
Figure 84: JS Protected Properties
Figure 85: JS Protected Properties - General
Figure 86: JS Protected Properties - Port
Figure 87: Virtual Switch
Figure 88: Virtual Switch Connection Type
Figure 89: Virtual Switch - Network Access
Figure 90: Virtual Machine Connection Settings
Figure 91: Virtual Machine Summary
Figure 92: Virtual Switch Configuration Page
Figure 93: vSwitch Properties
Figure 94: Virtual Machine Connection Type
Figure 95: Virtual Machine Connection Settings
Figure 96: Virtual Machine Connection Completion Page
Figure 97: Virtual Machine Inventory
Figure 98: vSwitch Properties Summary
Figure 99: JS Internet Properties
Figure 100: JS Internet Properties - General
Figure 101: JS Internet vSwitch Properties
Appendix C Installing and Configuring a New ESX (i) Server
Figure 102: VMware vSphere Client Log in Page
Figure 103: VMware vSphere Summary Page
Figure 104: vSphere Client Configuration Page
Figure 105: vSwitch Properties
Figure 106: VM Network Properties - General
Figure 107: vSwitch Properties - Ports
Figure 108: vSphere Client Configuration Page
Figure 109: vSwitch Properties - Connection Type
Figure 110: Virtual Machine - Network Access
Figure 111: Virtual Machine - Connection Settings
Figure 112: Virtual Machine Connection Setting Completion
Figure 113: Virtual Machine Connection Networking
Figure 114: vSwitch Properties
Figure 115: JS Internet Properties - General
Figure 116: JS Internet Properties - Security
Appendix D Reassigning the Existing VM Network Interfaces in a VM Server
Figure 117: VM Server Edit Settings
Figure 118: Virtual Machine Properties
Figure 119: Virtual Machine Properties - Hardware
Figure 120: Virtual Machine Network Adapter
Appendix E Troubleshooting
Figure 121: DDoS Secure Primary Appliance Summary
Appendix G NUMA Tuning
Figure 122: Processor Sockets
Figure 123: Virtual Machine Properties Resources options
Figure 124: Virtual Machine Properties - Allocating Maximum vCPUs
List of Tables
About the Documentation
Table 1: Notice Icons
Table 2: Text and Syntax Conventions
Part 1 VMware Virtual Edition Installation
Chapter 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition
Table 3: DDoS Secure Appliance VE Prerequisites
Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview
Table 4: Default Configurations in OVF
Part 2 Appendix
Appendix F Understanding Sizing Requirements
Table 5: Sizing Requirement Details
About the Documentation
• Documentation and Release Notes
• Documentation Conventions
• Documentation Feedback
• Requesting Technical Support
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Table 1 defines notice icons used in this guide.
Table 1: Notice Icons

Meaning: Informational note
Description: Indicates important features or instructions.

Meaning: Caution
Description: Indicates a situation that might result in loss of data or hardware damage.

Meaning: Warning
Description: Alerts you to the risk of personal injury or death.

Meaning: Laser warning
Description: Alerts you to the risk of personal injury from a laser.

Table 2 defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
user@host> show chassis alarms
No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
broadcast | multicast
(string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Example:
[edit]
routing-options {
    static {
        route default {
            nexthop address;
            retain;
        }
    }
}

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
[email protected], or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include
the following information with your comments:
• Document or topic name
• URL or page number
• Software release version (if applicable)
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/ .
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
VMware Virtual Edition Installation
• DDoS Secure VMware Virtual Edition Overview
• Prerequisites for Installing a DDoS Secure Appliance Virtual Edition
• ESX (i) Server Preparation
• DDoS Secure Appliance Virtual Engine Installation Overview
CHAPTER 1
DDoS Secure VMware Virtual Edition Overview
• DDoS Secure VMware Virtual Edition Overview
DDoS Secure VMware Virtual Edition Overview
This chapter provides an overview of the VMware Virtual Edition (VE). Figure 1
illustrates the Virtual Edition with the DDoS protection system protecting external
servers, and Figure 2 illustrates the Virtual Edition with the DDoS protection system
protecting VM servers.
Figure 1: Virtual Edition with DDoS Protection System (External Servers Protection)
Figure 2: Virtual Edition with DDoS Protection System (VM Servers Protection)
The DDoS Secure appliance Virtual Edition provides the freedom and operational flexibility
to install a fully automatic DDoS protection system for any hardware platform running
VMware ESX (i) v4 or later server software.
The DDoS Secure appliance VMware solution is placed between the JS Internet port
group and the port group JS Protected as a layer 2 device controlling the flow between
the two switches. The solution is scalable for performance by adding in virtual CPUs and
scalable for IP protection by adding in more virtual memory (subject to license key).
High Availability primary and secondary instances of DDoS Secure appliance VE are
connected to the JS Data Share port group. This connection is then used to synchronize
the configuration and other information of the DDoS Secure appliance VE standby/active
pair.
Related Documentation
• Physical Interface Requirements for Installing a DDoS Secure Appliance VE
• Preparing to Configure an ESX (i) Server
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package
CHAPTER 2
Prerequisites for Installing a DDoS Secure Appliance Virtual Edition
• Physical Interface Requirements for Installing a DDoS Secure Appliance VE
Physical Interface Requirements for Installing a DDoS Secure Appliance VE
Table 3 on page 7 describes the prerequisites to be met before installing DDoS Secure
appliance VE.
Table 3: DDoS Secure Appliance VE Prerequisites
| PREREQUISITE | COMPONENT TYPE(S) | COMMENTS |
|---|---|---|
| 64-bit hardware assisted virtualization support enabled | Intel-VTx or equivalent with 64-bit support | Provides support to run a 64-bit virtual guest. VT is usually enabled through the BIOS settings of the host. |
| Bare-Metal Embedded Hypervisor | VMware ESX (i) 4.1 Server or above | Provides a virtualization layer that abstracts the processor, memory, storage, and networking resources of the physical host into multiple virtual machines. You can install ESX (i) installable on any hard drive on your physical server. |
| Virtual Infrastructure Management Tool | VMware vSphere Client | Installs on a Windows PC and is the primary method of interaction with VMware vSphere. The vSphere client acts as a console to operate virtual machines and as an administration interface into ESX (i) hosts. The vSphere client is downloadable from the vCenter server system and ESX (i) hosts. The vSphere client includes documentation for administrators and console users. |
| DDoS Secure appliance Virtual Edition Product package | OVA package | Deploys the DDoS Secure appliance Virtual Edition (VE) on to an ESX (i) server using a vSphere client. The DDoS Secure appliance Virtual Edition (VE) Product package is downloadable from the Juniper Networks website: https://juniper.net (login required). |
| RAM | Virtual managed in vSphere environment | At least 800MB free of virtual RAM to allocate to each DDoS Secure appliance VE. |
| Datastore | Virtual disk managed in vSphere environment | At least 11GB of free space for each DDoS Secure appliance VE. |
| CPU | Virtual CPU | At least one virtual CPU. Preferably two or more. |
| Management Network | 1 x vSwitch, 1 x Port Group | Connects existing management traffic and DDoS Secure appliance VE(s) together through a port group ManagementLan. |
| Internet Network | 1 x vSwitch, 1 x Dedicated Port Group | It is recommended that the physical Internet Gateway router/switch is connected to a vSwitch with a dedicated vmnic. The DDoS Secure appliance Internet interface must be connected to this vSwitch using a JS Internet port group configured in promiscuous mode. |
| Protected Network | 1 x vSwitch, 1 x Dedicated Port Group, 1 x Port Group | It is recommended that firewalls/load balancers/servers and so on are connected to a vSwitch with port group ProtectedLAN so that their traffic is routed using the DDoS Secure appliance transparently to and from the internet gateway. DDoS Secure appliance protected interfaces must be connected to this vSwitch using a dedicated JS Protected port group configured in promiscuous mode. |
| Data Share Network | 1 x vSwitch, 1 x Port Group | DDoS Secure appliance VE can be paired to provide a highly available active/standby pair. The port group is labeled as JS Data Share. |
Related Documentation
• DDoS Secure VMware Virtual Edition Overview
• Preparing to Configure an ESX (i) Server
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package
CHAPTER 3
ESX (i) Server Preparation
• Preparing to Configure an ESX (i) Server
Preparing to Configure an ESX (i) Server
The ESX (i) server may already have been built, in any of many different ways, or it may
not yet have been built.
There are three generic build scenarios, and most existing ESX (i) configurations
should map into one of them:
1. Two (or more) NIC interfaces in use—Existing 2+ NIC ESX (i) Installation.
2. Single (possibly teamed) NIC interface in use—Existing Single NIC ESX (i) Installation.
3. Initial build of ESX (i) server—New ESX (i) Installation.
Verify which is the most appropriate scenario to use to reconfigure/update the ESX (i)
internal networking layout.
NOTE: This preparation work MUST be done prior to installing the DDoS Secure appliance VMware instance.
The ESX (i) server may be restricted in the number of physical interfaces, so it may not be possible to associate each vSwitch with a dedicated physical interface.
The Management Lan port group and JS Data Share port group must not be on the same vSwitch, unless they are in different VLANs.
The JS Internet port group and JS Protected port group must not be on the same vSwitch, unless they are in different VLANs.
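The separation rules in the note above, together with the promiscuous-mode and shared-vSwitch requirements from Table 3, can be checked against a planned layout before the appliance is deployed. The following is an added example, not code from Juniper or from this guide; the inventory format, the field names and both sample layouts are assumptions constructed for illustration, and one check (flagging promiscuous mode where the guide does not call for it) goes beyond the guide and is marked as such.

```python
"""Check an ESX(i) port-group layout against the rules in this guide.

The inventory format and field names are assumptions of this example; the
sample layouts at the bottom are constructed, not exported from a real host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int = 0              # 0 means untagged
    promiscuous: bool = False


# Pairs that must not share a vSwitch unless they are in different VLANs.
SEPARATED = [("Management Lan", "JS Data Share"), ("JS Internet", "JS Protected")]
# Port groups the appliance bridges; the guide requires promiscuous mode here.
PROMISCUOUS = {"JS Internet", "JS Protected"}
# Port groups every deployment needs; JS Data Share is added for an HA pair.
REQUIRED = ["Management Lan", "JS Internet", "JS Protected", "Protected LAN"]


def check_layout(port_groups, ha_pair=False):
    """Return a sorted list of findings; an empty list means the layout passes."""
    by_name = {pg.name: pg for pg in port_groups}
    findings = []

    for name in REQUIRED + (["JS Data Share"] if ha_pair else []):
        if name not in by_name:
            findings.append(f"missing port group: {name}")

    for a, b in SEPARATED:
        pa, pb = by_name.get(a), by_name.get(b)
        if pa and pb and pa.vswitch == pb.vswitch and pa.vlan == pb.vlan:
            findings.append(f"{a} and {b} share {pa.vswitch} in the same VLAN")

    # The appliance reaches the servers through the vSwitch that carries
    # Protected LAN, so JS Protected has to live on that same vSwitch.
    jsp, lan = by_name.get("JS Protected"), by_name.get("Protected LAN")
    if jsp and lan and jsp.vswitch != lan.vswitch:
        findings.append("JS Protected and Protected LAN are on different vSwitches")

    for pg in port_groups:
        if pg.name in PROMISCUOUS and not pg.promiscuous:
            findings.append(f"{pg.name} must be in promiscuous mode")
        elif pg.name not in PROMISCUOUS and pg.promiscuous:
            # Not a rule from the guide: extra check added by this example.
            # VMs on a promiscuous port group can receive every frame the
            # vSwitch passes for that VLAN, so it should stay off elsewhere.
            findings.append(f"{pg.name} is promiscuous but does not need to be")

    return sorted(findings)


GOOD = [  # constructed sample: HA-ready layout with one vSwitch per network
    PortGroup("Management Lan", "vSwitch0"),
    PortGroup("JS Internet", "vSwitch1", promiscuous=True),
    PortGroup("JS Protected", "vSwitch2", promiscuous=True),
    PortGroup("Protected LAN", "vSwitch2"),
    PortGroup("JS Data Share", "vSwitch3"),
]

BAD = [  # constructed sample: NIC-constrained host that collapsed vSwitches
    PortGroup("Management Lan", "vSwitch0"),
    PortGroup("JS Data Share", "vSwitch0"),              # same VLAN as management
    PortGroup("JS Internet", "vSwitch1", vlan=10, promiscuous=True),
    PortGroup("JS Protected", "vSwitch1", vlan=20),      # VLANs differ, mode is wrong
    PortGroup("Protected LAN", "vSwitch1", vlan=20, promiscuous=True),
]

if __name__ == "__main__":
    for label, layout in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_layout(layout, ha_pair=True) or "ok")
```

The port group labels are matched literally, so adjust the constants if your inventory uses the ManagementLan or ProtectedLAN spellings that also appear in this guide.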
Related Documentation
• Physical Interface Requirements for Installing a DDoS Secure Appliance VE
• DDoS Secure VMware Virtual Edition Overview
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package
CHAPTER 4
DDoS Secure Appliance Virtual Engine Installation Overview
To install the DDoS Secure appliance VE, you will need to deploy a DDoS Secure appliance
OVF Template package onto the VMware ESX (i) server via a vSphere client. The vSphere
configuration wizard guides you through the initial configuration and allows you to change
the virtual machine name, disk format and the network mapping.
There are two variants of the Open Virtualization Format (OVF). One variant is for general
use and the other variant is for light use (that is, demo on laptop).
Table 4 on page 11 describes the initial default configuration contained in the OVF:
Table 4: Default Configurations in OVF
| RESOURCE | GENERAL VALUE | VALUE |
|---|---|---|
| vCPU | 4 vCPU | 2 vCPU |
| Virtual Disk | 100GB | 15GB |
| Memory | 6000MB | 1000MB |
| Network Interfaces | 4 | 4 |
It is quite likely that these defaults will need to be changed according to bandwidth
requirements, the number of protected servers, tracked IP addresses and TCP connections,
depending on your network usage. Resource values must be changed using the vSphere
client user interface before powering on the virtual machine for the first time.
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package
• DDoS Secure Appliance Virtual Engine Startup and Shutdown
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine
• Powering On a DDoS Secure Appliance Virtual Engine
• Configuring the Management IP Address in a DDoS Secure Appliance
• Configuring a Pair of High Availability DDoS Secure Appliances
Deploying a DDoS Secure Appliance Using the vSphere OVA Package
To deploy an appliance using the vSphere OVA package:
1. Verify that you have created all the necessary port groups.
2. In vSphere client, select the appropriate host or resource pool.
3. Select File > Deploy OVF Template to invoke the Deploy OVF template wizard, as
shown in Figure 3 on page 12.
Figure 3: Deploy OVF Template
The Deploy OVF Template wizard will be invoked and will request selection of an OVA
package. Use the OVA package previously downloaded from the DDoS Secure
appliance Technology website. The OVA package can be identified by the following
naming format:
DDoS Secure appliance[VERSION].[ARCH].ova
DDoS Secure applianceFC11_64-4.0.2-2.x86_64.ova
ddossecureCENTOS_6_3-lite-5.13.2-0.x86_64.ova
4. Specify your OVA file or click Browse to browse for it and then click Next to continue.
Figure 4 on page 13 displays the OVF template details.
Figure 4: OVF Template Details
5. The Wizard reads and verifies the OVF template details. Click Next to continue.
Figure 5 on page 13 displays the EULA screen.
Figure 5: EULA - Accept
6. Read and accept the End User License Agreement (EULA). Click Next to continue.
Figure 6 on page 14 displays the screen to enter the name of the EULA.
Figure 6: EULA Name
7. A suggested default VM name is provided. Rename this to DDoS Secure appliance
Primary (DDoS Secure appliance Secondary, if this is the second instance for a HA
pair), or any other suitable name. Figure 7 on page 14 displays the screen to enter the
name and location.
Figure 7: EULA – Name and Location
8. Click Next to continue. Figure 8 on page 15 displays the screen with disk format details.
Figure 8: Disk Format
9. Select the disk format in which the DDoS Secure appliance VE files are stored. You
must choose Thick provisioned format (the default format).
10. Click Next to continue. Figure 9 on page 15 displays the network mapping screen.
Figure 9: Network Mapping
11. Map the networks used in the OVF template to the networks defined in your inventory.
If the port groups have been labeled up as previously described, no changes are
required. However, if there are differences, for each source network choose an
appropriate destination network by selecting an inventory network from the destination
networks drop-down select box.
12. Click Next to continue. Figure 10 on page 16 displays the ready to complete screen.
Figure 10: Ready to Complete
13. Review the configured settings and click Finish to start the deployment process. This
completes the wizard process, and the Deploy OVF Template window will now close. It
may take a few minutes for the new machine to be deployed in the vSphere client
inventory. Figure 11 on page 16 displays the deployment completion message.
Figure 11: Deployment Confirmation
Upon deployment, a window box will appear stating that the deployment has been
successful.
14. Click Close to continue.
Related Documentation
• DDoS Secure Appliance Virtual Engine Startup and Shutdown
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine
• Powering On a DDoS Secure Appliance Virtual Engine
• Physical Interface Requirements for Installing a DDoS Secure Appliance VE
DDoS Secure Appliance Virtual Engine Startup and Shutdown
To start or shut down a Virtual Machine:
1. Open the vSphere client.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Virtual Machine Startup Shutdown.
Figure 12 on page 17 displays the vSphere primary client screen.
Figure 12: vSphere Client - Primary
4. Click Properties on the same line as Virtual Machine startup and shutdown.
Figure 13 on page 18 displays the virtual machine startup and shutdown screen.
Figure 13: VM Startup and Shutdown
5. Select Allow virtual machines to start and stop automatically with the system under
System Settings, as shown in Figure 14 on page 18.
Figure 14: VM Startup and Shutdown – Startup Order
6. In the startup order window, select DDoS Secure appliance Primary under Manual
Startup and click Move Up (in this case) twice for automatic startup, as shown in
Figure 15 on page 19.
Figure 15: VM Startup and Shutdown – Automatic Startup
7. Click Edit.
The Virtual Machine Autostart Settings window is displayed.
8. Under Shutdown Settings, select Use specified settings and select Guest Shutdown
from the Perform shutdown action drop-down, as shown in Figure 16 on page 20.
Figure 16: VM Autostart Settings
9. Click OK in the Virtual Machine Startup and Shutdown window. Figure 17 on page 21
displays the confirmation screen of Virtual Machine Startup and Shutdown window.
Figure 17: Startup and Shutdown – Confirmation
10. Click OK in the vSphere Client window. Figure 18 on page 21 displays the completion
screen of Virtual Machine Startup and Shutdown window.
Figure 18: Startup and Shutdown – Complete
Startup and Shutdown configuration for DDoS Secure appliance Primary is now complete.
NOTE: If the entry is repeated multiple times, select another configuration option and then switch back to validate the screen above.
Related Documentation
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine
• Powering On a DDoS Secure Appliance Virtual Engine
• Understanding Sizing Requirements
Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine
Increasing the number of vCPUs will improve performance of the DDoS Secure appliance
VE and increasing the memory will increase the number of servers the appliance VE will
be capable of protecting. Increasing disk space will increase the logging retention
capability.
Alterations to vCPUs, memory and disk space can only be done with the appliance
powered off. Furthermore, the disk space cannot be changed after the appliance has
been powered on and the software installed.
Open the vSphere Client, select an appliance virtual machine from the inventory and select
Edit Settings. This opens the Virtual Machine Properties window.
Use the recommended Virtual Machine Properties. Any memory configurations suggested
by the vSphere client are not applicable to the appliance VE and should be ignored.
Areas to consider are:
• CPUs
• Memory
• Disk Space
Figure 19 on page 23 displays the Primary Virtual Machine Properties window.
Figure 19: Primary Virtual Machine Properties
Related Documentation
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package
• Powering On a DDoS Secure Appliance Virtual Engine
• DDoS Secure Appliance Virtual Engine Startup and Shutdown
• Understanding Sizing Requirements
Powering On a DDoS Secure Appliance Virtual Engine
Before powering on for the first time, confirm that you have configured the correct amount
of disk space as this cannot be subsequently changed. To power on a DDoS Secure
appliance virtual engine:
1. Open the vSphere client, select a DDoS Secure appliance virtual machine from the
inventory and power on the machine by typing Ctrl-B or using the mouse-click driven
menus, as shown in Figure 20 on page 24.
Figure 20: DDoS Secure Appliance Power On
When powering on your DDoS Secure appliance virtual machine for the first time, the
DDoS Secure appliance software will automatically install and boot the DDoS Secure
appliance VE up to the login: prompt. It will pause, requesting that VMtools Installation
is enabled before this can complete.
2. Monitor the install by selecting the Console pane of the DDoS Secure appliance virtual
machine, as shown in Figure 21 on page 24.
Figure 21: DDoS Secure Appliance Package Installation
Figure 22 on page 25 shows software packages being installed and the DDoS Secure appliance
waiting for VMtools to be installed.
Figure 22: DDoS Secure Appliance Package Progression
3. Right click the Guest name in the Inventory and select Interactive Tools Upgrade, as
shown in Figure 23 on page 25.
Figure 23: DDoS Secure Appliance VMware Tools Screen
The update screen appears after the VMtools CD has been detected, as shown in
Figure 24 on page 26.
Figure 24: DDoS Secure Appliance Package Update Screen
When the installation has finished, you will be prompted to log in at the console, as
shown in Figure 25 on page 26.
Figure 25: DDoS Secure Appliance Primary Console
An IP address will be allocated by DHCP if it is available. If DHCP is not available, it
will default to 192.168.0.196.
Related Documentation
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine
• DDoS Secure Appliance Virtual Engine Startup and Shutdown
Configuring the Management IP Address in a DDoS Secure Appliance
To configure the DDoS Secure appliance management IP address:
1. Log in from the console with username configure and password configure.
The following sets up the interface mapping, IP address, netmask, gateway and speed
of the DDoS Secure appliance management interface. Replace the values shown with
your appropriate settings to connect to your management network.
2. Enter the management IP address for accessing the DDoS Secure appliance GUI or
CLI, as shown in Figure 26 on page 27. This IP address must not be in use elsewhere.
Figure 26: IP Address Configuration
3. Enter the management IP netmask, as shown in Figure 27 on page 27.
Figure 27: Netmask Configuration
4. Enter the management network gateway. This has to be in the same subnet as the
management IP address, as shown in Figure 28 on page 27.
Figure 28: Gateway Configuration
5. If you are satisfied with the input values, then enter y, as shown in Figure 29 on page 27.
Figure 29: Input Values
6. Choose the Layer 2, Layer 23 or Layer 3 operational mode, as shown in
Figure 30 on page 28.
Figure 30: Layer 2, Layer 23 or Layer 3
The DDoS Secure appliance normally works as a layer 2 device on the main data path
that provides DDoS protection. However, there are circumstances where layer 2 will
not work and the DDoS appliance needs to operate in a layer 3 type environment
without the interfaces being in promiscuous mode. This mode is catered for, but does
have limitations as described in the selection figure. Normally, you would select n at
this point. Otherwise, you will need to define the appropriate IP addresses.
The DDoS Secure appliance will re-configure and the console will return to the login
prompt.
• Connecting to the DDoS Secure Appliance
• First Boot
• Understanding DDoS Secure Appliance Overview Page Information
Connecting to the DDoS Secure Appliance
To connect to the DDoS Secure appliance:
1. Open a browser window on a management PC. It is recommended that the
management PC is connected via the vSwitch associated with the JS Management
port group although access to the DDoS Secure appliance GUI and command line
can also be gained via vSwitches associated with the non-promiscuous Protected or
Internet port groups (provided routing is in place). Whichever method is used, the
management PC will need to be configured with an IP address that is routable to/from
the management IP address of the DDoS Secure appliance.
2. Type https://aaa.bbb.ccc.ddd in the address bar, where aaa.bbb.ccc.ddd is the IP address of the management interface of the appliance (factory default is
192.168.0.196). A navigation block error is displayed, as shown in Figure 31 on page 29.
Figure 31: Navigation Block Error
NOTE: The URL is prefixed with https://.
All traffic between the Management PC and the DDoS Secure appliance is encrypted.
The DDoS Secure appliance produces a self-signed certificate for use in the secured
communications. This certificate is recreated every time the appliance management
interface IP address is reconfigured, or if there is less than a year to run when a software
patch is applied. It is possible for the date to be invalid if the clocks on the DDoS Secure
appliance and on the browser are significantly out of phase. It is possible to replace
this certificate through the GUI.
3. View the certificate and install it to prevent the security alert every time you connect
to the DDoS Secure appliance.
4. Click Process anyway if you are sure that you are trying to connect to the DDoS Secure
appliance. The DDoS Secure appliance login page is displayed in Figure 32 on page 30.
Figure 32: DDoS Secure Appliance Log in Page
5. Click Login to access the DDoS Secure appliance.
Alternatively, check Use Original GUI to access the older DDoS Secure interface. If the
checkbox is pre-checked, DDoS Secure has determined that your browser does not
support the new UI interface.
6. Enter the username and password when prompted. Figure 33 on page 31 displays the
security log in page.
Figure 33: Security Log in Page
The default user name is user and the password is password.
7. Click Login.
First Boot
On the first connection, the licensing screen appears on the Management PC.
Figure 34 on page 32 displays the first boot screen snippets.
NOTE: On first use, you will be asked to accept the DDoS Secure EULA.
Figure 34: First Boot Screen Snippets
1. Read the End User License Agreement carefully to make sure that you fully understand
the Terms and Conditions.
To accept the End User License Agreement:
Click I Accept to accept the terms and conditions.
Click Cancel to proceed no further.
This will cause the system to power-off.
On accepting the Terms and Conditions of the license, the DDoS Secure appliance
will then display a second licensing screen. Figure 35 on page 33 displays the first boot
accept screen snippet.
Figure 35: First Boot Accept Screen Snippet
On accepting the Terms and Conditions of the license, the DDoS Secure appliance
will redirect to the overview page.
Understanding DDoS Secure Appliance Overview Page Information
After successful authentication, the DDoS Secure appliance summary board is displayed.
Figure 36 on page 34 displays the DDoS Secure appliance overview page.
Figure 36: DDoS Secure Appliance Summary Board
The options available are:
• Traffic Monitor — Displays the average speed of data processed, both inbound and
outbound, for the appliance.
• Load Status — Displays how busy the DDoS Secure appliance engine is.
• Attack Status — Displays how aggressively the DDoS Secure appliance is dropping
traffic to defend the appropriate resources.
• Good Traffic — Displays the distribution of where good traffic is coming from.
• Bad Traffic — Displays distribution of where the bad traffic is coming from.
• Protected Performance — Displays how busy a protected IP is from an aggregated
Charm perspective, and what the average traffic to and from the IP is.
Configuring a Pair of High Availability DDoS Secure Appliances
DDoS Secure appliance VEs can be HA paired within the same inventory on the same
ESX (i) server or on a different inventory on a different ESX (i) server providing they share
network connectivity in your network design.
Having an Active/Standby pair of DDoS Secure appliances means that (software)
maintenance (such as an upgrade) can be carried out on one of the DDoS Secure appliances
while still having Internet traffic flowing.
DDoS Secure appliance data share interfaces are used to synchronize configurations,
state information and incident information between the active/standby pair.
The Primary DDoS Secure appliance and the Secondary DDoS Secure appliance in a HA
pair both require configuration of their data share IP addresses.
To configure data share IP addresses:
1. Click the Login symbol on the DDoS Secure portal.
2. You will then be prompted for a login and password.
3. Enter initial username as user and password as password.
4. Click OK.
After successful authentication, on the first access, the DDoS Secure appliance page
is displayed.
5. In the Left pane, click Configuration/Logs, which will bring up a new tab.
6. In the Left pane, click Configure Interfaces. The Data Share Interface Definition option
is displayed, as shown in Figure 37 on page 35.
Figure 37: Configure Interface Page - Data Share Interface
7. Under Data Share Interface Definition, enter the IP address and the network mask.
NOTE: The data share interface IP addresses of both DDoS Secure appliances must be unique and in the same (preferably RFC1918) subnet in order to connect.
NOTE: Both DDoS Secure appliances must be connected to the same JS Protected, JS Internet and JS Management port groups for HA operation to be established.
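The addressing rules in this guide (the management gateway must be in the same subnet as the management IP address, and the two data share addresses must be unique, in one subnet and preferably RFC1918) can be validated before they are typed into the console or GUI. This is an added example, not code from Juniper or from this guide; the function names and all sample addresses other than the factory default 192.168.0.196 are assumptions constructed for illustration.

```python
"""Validate management and HA data-share addressing before entering it.

Function names and sample addresses are assumptions of this example.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _iface(ip, netmask):
    # ip_interface accepts "address/netmask" and keeps the host bits.
    return ipaddress.ip_interface(f"{ip}/{netmask}")


def _host_problems(label, iface):
    """Flag addresses that cannot be assigned to a host in their subnet."""
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        return [f"{label} {iface.ip} is the network or broadcast address of {net}"]
    return []


def check_management(ip, netmask, gateway):
    """Errors for the console prompts: management IP, netmask and gateway."""
    iface = _iface(ip, netmask)
    gw = ipaddress.ip_address(gateway)
    errors = _host_problems("management IP", iface)
    if gw not in iface.network:
        errors.append(f"gateway {gw} is outside {iface.network}")
    elif gw == iface.ip:
        errors.append("gateway is the same address as the management IP")
    return errors


def check_data_share(primary, secondary):
    """Return (errors, warnings) for the two (ip, netmask) data share settings."""
    a, b = _iface(*primary), _iface(*secondary)
    errors = _host_problems("primary", a) + _host_problems("secondary", b)
    warnings = []
    if a.ip == b.ip:
        errors.append(f"both appliances use {a.ip}")
    if a.network != b.network:
        # Also catches equal-looking addresses entered with different netmasks.
        errors.append(f"{a.network} and {b.network} are different subnets")
    for iface in (a, b):
        # RFC1918 is only "preferable" in the guide, so this is a warning.
        if not any(iface.ip in net for net in RFC1918):
            warnings.append(f"{iface.ip} is not an RFC1918 address")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample values.
    print(check_management("192.168.0.196", "255.255.255.0", "192.168.1.1"))
    print(check_data_share(("10.10.10.1", "255.255.255.252"),
                           ("10.10.10.2", "255.255.255.252")))
```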
Related Documentation
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine
• Installing Virtual Switches in a Network Adaptor
• Powering On a DDoS Secure Appliance Virtual Engine
PART 2
Appendix
• Installing Virtual Switches in a Network Adaptor
• Installing an Existing Single NIC ESX (i) Server
• Installing and Configuring a New ESX (i) Server
• Reassigning the Existing VM Network Interfaces in a VM Server
• Troubleshooting
• Understanding Sizing Requirements
• NUMA Tuning
APPENDIX A
Installing Virtual Switches in a Network Adaptor
• Installing Virtual Switches in a Network Adaptor
Installing Virtual Switches in a Network Adaptor
You need to separate the source of your unprotected traffic from the network segment
hosting your servers by using two separate virtual switches, one for each area. The DDoS
Secure appliance Virtual Edition will be bridging these two virtual switches and hence
control what is and is not allowed to flow between them.
The source of unprotected traffic might be an external network (for example, Internet
Gateway) connected to an ESX (i) network adaptor or it might already be on a separate
virtual network which is routed or bridged to your server virtual network.
In the rest of this appendix, we will refer to port groups associated with two virtual
switches as the JS Internet port group (carrying unprotected traffic) and the JS Protected
and Protected LAN port groups (carrying protected traffic).
Wherever unprotected xxx is referred to, it is likely to be called something else in the
original ESX (i) configuration, the default being VM Network. Substitute as appropriate.
Figure 38 on page 40 illustrates a simple example of an ESX (i) Server:
Figure 38: Example of ESX (i) Server
The following sections outline the steps required for reconfiguring the example dual NIC
ESX (i) Server:
• Add new vSwitch C and attach a new JS Protected port group (connects to DDoS
Secure appliance) and a new Protected LAN port group (connects to protected
network).
• Set JS Protected port group to support promiscuous mode.
• Add new vSwitch D and attach a new JS Data Share port group.
• Attach a new JS Internet port group with vSwitch A.
• Set JS Internet port group to support promiscuous mode.
• Install the DDoS Secure appliance VE from the OVA file.
• Connect to the GUI using the default IP address https://192.168.0.196, log in with
username user and password password. The management IP address can be changed from the Configure Interfaces icon on the left-hand pane.
• Log in to the DDoS Secure appliance GUI.
• Reassign your firewall/load balancers/servers from the original Unprotected Network
port group to the Protected LAN port group.
• Place the DDoS Secure appliance VE in desired operating mode.
• Remove the Unprotected Network port group (Optional).
Figure 39 on page 41 illustrates the ESX (i) Server with a dual NIC after DDoS Secure
appliance installation.
Figure 39: Example of ESX (i) Server with Dual NIC
• Adding JS Protected and Protected LAN Port Groups
• Adding a JS Data Share Port Group
• Adding a JS Internet Port Group
• Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance
Adding JS Protected and Protected LAN Port Groups
To add the JS Protected and Protected LAN port groups:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Networking as shown in Figure 40 on page 42.
Figure 40: ESX (i) Server Console
4. Click Add Networking. The Add Network Wizard page is displayed, as shown in
Figure 41 on page 42.
Figure 41: ESX (i) Server Add Network Wizard
5. Click the connection type Virtual Machine.
6. Click Next. The ESX (i) server wizard for network access is displayed, as shown in
Figure 42 on page 43.
Figure 42: ESX (i) Server Wizard - Network Access
7. Select Create a virtual switch and uncheck all network adapters.
8. Click Next.
The ESX (i) server wizard for connection settings is displayed, as shown in
Figure 43 on page 44.
Figure 43: ESX (i) Server Wizard - Connection Settings
9. In Port Group Properties area, change the Network Label to Protected LAN.
10. Click Next.
The ESX (i) server wizard confirmation screen is displayed, as shown in
Figure 44 on page 45.
Figure 44: ESX (i) Server Wizard Confirmation
11. Click Finish.
12. Return to the main vSphere client window where your ESX (i) host is selected in the
inventory list.
13. Select the Configuration tab and click Networking. The server configuration page is
displayed, as shown in Figure 45 on page 46.
Figure 45: ESX (i) Server Configuration Page
14. Click Properties of the Virtual Switch with the Protected LAN port group created in
this section. The vSwitch Properties page is displayed, as shown in
Figure 46 on page 46.
Figure 46: vSwitch Properties
15. In the vSwitch properties window, click Add. The wizard connection type page is
displayed, as shown in Figure 47 on page 47.
Figure 47: vSwitch Network Wizard – Connection Type
16. Choose connection type Virtual Machine and click Next. The wizard connection settings
page is displayed, as shown in Figure 48 on page 48.
Figure 48: vSwitch Network Wizard – Connection Settings
17. In port group properties, change the Network Label to JS Protected.
18. Click Next. The wizard connection confirmation page is displayed, as shown in
Figure 49 on page 49.
Figure 49: vSwitch Network Wizard – Confirmation
19. Click Finish.
The vSwitch3 Properties page is displayed, as shown in Figure 50 on page 49.
Figure 50: vSwitch Properties
20. Select the JS Protected port group.
21. Click Edit. The General tab of the JS Protected properties is displayed, as shown in
Figure 51 on page 50.
Figure 51: JS Protected Properties - General
22. In the JS Protected Properties window, select the Security tab.
The JS Protected Properties - Security tab is displayed, as shown in
Figure 52 on page 51.
Figure 52: JS Protected Properties - Security
23. Check Promiscuous Mode and select Accept from the list.
24. Click OK. The vSwitch3 Properties page is displayed, as shown in Figure 53 on page 52.
Figure 53: vSwitch3 Properties
The Protected LAN and JS Protected port group configurations are now complete.
Adding a JS Data Share Port Group
The JS Data Share port group is used to synchronize configuration of a DDoS Secure
appliance HA Pair. It is recommended that you create HA pairs on the same ESX (i)
host, thereby allowing software upgrade of the standby whilst the other is active.
Even if a standalone appliance is to be deployed, this port group is still required for the
appliance data share interface to connect to. Follow the instructions below to configure
the JS Data Share port group on a new vSwitch:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
3. Select Configuration tab and click Networking. The ESX (i) host configuration page is
displayed, as shown in Figure 54 on page 53.
Figure 54: ESX (i) Host Configuration
4. Click Add Networking. The VMware connection type page is displayed, as shown in
Figure 55 on page 53.
Figure 55: VMware Connection Type
5. Choose connection type Virtual Machine and click Next. The virtual machine network
access page is displayed, as shown in Figure 56 on page 54.
Figure 56: Virtual Machine Network Access
6. Select Create a virtual switch and uncheck all network adapters. The virtual machine
connection settings page is displayed, as shown in Figure 57 on page 55.
In certain circumstances a user may want to pair up with an appliance external to the
ESX (i) server. In this case, select the network adapter that the external appliance
data share interface is connected to.
Figure 57: Virtual Machine Connection Settings
7. In Port Group Properties area, change the network label to JS Data Share.
8. Click Next. The virtual machine connection settings completion page is displayed, as
shown in Figure 58 on page 56.
Figure 58: Virtual Machine Connection Settings Completion
9. Click Finish.
The JS Data Share port group configuration is now complete. The virtual machine
connection page is displayed, as shown in Figure 59 on page 57.
Figure 59: Virtual Machine Connections Page
Adding a JS Internet Port Group
To add JS Internet port group:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Networking. The virtual machine configuration
page is displayed, as shown in Figure 60 on page 58.
Figure 60: Virtual Machine Configuration Page
4. Click Properties next to the Virtual Switch with the Unprotected Network port group. The
vSwitch Properties page is displayed, as shown in Figure 61 on page 59.
NOTE: Unprotected Network is the name for the existing port group.
Figure 61: vSwitch Properties
5. In the vSwitch Properties window, in the Configuration list pane, click Add. The vSwitch
connection type page is displayed, as shown in Figure 62 on page 59.
Figure 62: vSwitch Connection Type
6. Choose connection type as Virtual Machine.
7. Click Next. The Virtual Machines - Connection Settings page is displayed, as shown
in Figure 63 on page 60.
Figure 63: Virtual Machine Connection Settings
8. In the Port Group Properties area, change the Network Label to JS Internet.
9. Click Next. The network wizard completion page is displayed, as shown in
Figure 64 on page 61.
Figure 64: Network Wizard Completion Page
10. Click Finish.
11. Return to the main vSphere client window where your ESX (i) host is selected in the
inventory list.
12. Select the Configuration tab and click Networking. The virtual machine configuration
page is displayed, as shown in Figure 65 on page 62.
Figure 65: Virtual Machine Configuration Page
13. Click Properties of the Virtual Switch with the JS Internet port group created in this
section. The vSwitch0 Properties page is displayed, as shown in Figure 66 on page 63.
Figure 66: vSwitch Properties
14. Select the port group JS Internet and click Edit. The JS Internet properties page is
displayed, as shown in Figure 67 on page 64.
Figure 67: JS Internet Properties - General
15. In the JS Internet Properties window, select the Security tab. The JS Internet properties
for the security tab is displayed, as shown in Figure 68 on page 65.
Figure 68: JS Internet Properties - Security
16. Check Promiscuous Mode and select Accept from the list.
17. Click OK. The vSwitch3 Properties page is displayed, as shown in Figure 69 on page 66.
Figure 69: vSwitch Properties - Ports
The JS Internet port group configuration is now complete.
Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance
All virtual machines connected to the existing Unprotected Network port group will need
reconfiguring to use the Protected LAN port group.
1. Select the virtual machine in the vSphere Client inventory and open the properties
window using the Edit Settings option.
The Hardware tab of the virtual machine properties is displayed, as shown in
Figure 70 on page 67.
Figure 70: Virtual Machine Properties
2. In the Hardware tab, select the Network Adaptor previously connected to the
Unprotected Network port group. This will be visible in the Hardware Summary but
appear as a blank selection under the Network Connection pane.
3. Choose Protected LAN port group from the drop-down select box of Network
Connections.
4. Click OK.
5. Repeat reconfiguration for each virtual machine connected to the port group renamed
from Unprotected Network to Protected LAN.
APPENDIX B
Installing an Existing Single NIC ESX (i) Server
• Installing an Existing Single NIC ESX (i) Server
Installing an Existing Single NIC ESX (i) Server
You must retain the association between the single physical interface, the virtual switch
and vmKernel which carries the ESX (i)/vSphere management traffic. Removing this
association will lead to loss of communication with your ESX (i) Server and may require
an ESX (i) server rebuild.
You will need to separate the source of your unprotected traffic from the network segment
hosting your firewall/load balancer/servers by placing them on two separate virtual
switches. The DDoS Secure appliance Virtual Edition will be bridging these two virtual
switches and hence controls the flow between them.
The source of unprotected traffic might be an external network (for example: Internet
Gateway) connected to an ESX (i) network adaptor or it might already be on a separate
virtual network which is routed or bridged to your server virtual network.
In the rest of this chapter we will refer to port groups associated with two virtual switches
as the JS Internet port group (carrying unprotected traffic) and the JS Protected and
Protected LAN port groups (carrying protected traffic).
Wherever Unprotected xxx is referred to, this is likely to be called something else on the
original ESX configuration, the default being VM Network. Substitute as appropriate.
Figure 71 on page 70 illustrates a simple example of an ESX (i) Server with a single NIC.
Figure 71: ESX (i) Server with Single NIC
The following sections outline the steps required for reconfiguring the example single
NIC ESX (i) Server:
• Add new vSwitch B and associate a new JS Protected port group (connects to DDoS
Secure appliance) and a new Protected LAN port group (connects to protected
network).
• Set JS Protected port group to support promiscuous mode.
• Add new switch C and associate a new JS Data Share port group.
• Associate a new JS Internet port group with vSwitch A.
• Set JS Internet port group to support Promiscuous mode.
• Install the DDoS Secure appliance VE from the .OVA file.
• Connect to the GUI using the default IP address https://192.168.0.196, log in with
username user and password password. The management IP address can be changed
from the Configure Interfaces icon within the (Admin) left-hand pane.
• Log on to the DDoS Secure appliance GUI and apply a new license.
• Reassign your firewall/load balancers/servers from the original Unprotected Network
port group to the Protected LAN port group.
• Place the DDoS Secure appliance VE in desired operating mode.
Figure 72 on page 71 illustrates the ESX (i) Server with a single NIC after DDoS Secure
appliance installation.
Figure 72: ESX (i) Server with Single NIC after DDoS Secure Appliance Installation
• Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server
• Adding a JS Data Share Port Group to a NIC ESX (i) Server
• Adding a JS Internet Port Group to a NIC ESX (i) Server
Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server
To add the JS Protected and Protected LAN port groups:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Networking. The JS protected and Protected
LAN port groups are displayed, as shown in Figure 73 on page 72.
Figure 73: JS Protected and Protected LAN Port Groups
4. Click Add Networking. The network Connection Type page is displayed, as shown in
Figure 74 on page 72.
Figure 74: Connection Type
5. Choose connection type Virtual Machine.
6. Click Next. The virtual machine network access page is displayed, as shown in
Figure 75 on page 73.
Figure 75: Virtual Machine Network Access
7. Select Create a virtual switch and uncheck all network adapters.
8. Click Next. The virtual machine connection settings page is displayed, as shown in
Figure 76 on page 74.
Figure 76: Virtual Machine Connection Settings
9. In port group Properties, change the Network Label to Protected LAN.
10. Click Next. The virtual machine connection setting completion page is displayed, as
shown in Figure 77 on page 75.
Figure 77: Virtual Machine Connection Settings Completion
11. Click Finish.
12. Return to the main vSphere client window where your ESX (i) host is selected in the
inventory list, and select the Configuration tab and click Networking. The virtual machine
inventory page is displayed, as shown in Figure 78 on page 76.
Figure 78: Virtual Machine Inventory
13. Click Properties of the Virtual Switch with the Protected LAN port group, as shown in
Figure 79 on page 76.
Figure 79: vSwitch Properties - Port
14. In the vSwitch properties window, click Add. The virtual machine connection type
wizard page is displayed, as shown in Figure 80 on page 77.
Figure 80: Virtual Machine Connection Type
15. Choose connection type Virtual Machine, and click Next. The virtual machine connection
settings page is displayed, as shown in Figure 81 on page 78.
Figure 81: Virtual Machine Connection Settings
16. In port group Properties, change the Network Label to JS Protected, and click Next.
The virtual machine connection complete page is displayed, as shown in
Figure 82 on page 78.
Figure 82: Virtual Machine Connection Completion
17. Click Finish to return to vSwitch properties window, as shown in Figure 83 on page 79.
Figure 83: vSwitch Properties Port
18. Select the port group JS Protected and click Edit. The JS protected properties page is
displayed, as shown in Figure 84 on page 80.
Figure 84: JS Protected Properties
19. In the JS Protected Properties window, select Security tab, as shown in
Figure 85 on page 81.
Figure 85: JS Protected Properties - General
20. Check Promiscuous Mode and select Accept from the drop-down select box, and click
OK, as shown in Figure 86 on page 82.
Figure 86: JS Protected Properties - Port
The Protected LAN and JS Protected port group configurations are now complete.
Adding a JS Data Share Port Group to a NIC ESX (i) Server
The JS Data Share port group is used to synchronize configuration of a DDoS Secure
appliance HA Pair. It is recommended that you create HA pairs on the same
ESX (i) host, thereby allowing software upgrade of the standby whilst the other is active.
Even if a Standalone DDoS Secure appliance is to be deployed, this port group is still
required for the DDoS Secure appliance data share interface to connect to.
Follow the instructions below to configure the JS Data Share port group:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Networking, as shown in Figure 87 on page 83.
Figure 87: Virtual Switch
4. Click Add Networking. The connection type page is displayed, as shown in
Figure 88 on page 83.
Figure 88: Virtual Switch Connection Type
5. Choose connection type Virtual Machine, and click Next, as shown in
Figure 89 on page 84.
Figure 89: Virtual Switch - Network Access
6. Select Create a virtual switch and uncheck all network adapters.
In certain circumstances, a user may want to pair up with a DDoS Secure appliance
external to the ESX (i) server. In this case select the network adapter that the external
DDoS Secure appliance data share Interface is connected to, as shown in
Figure 90 on page 85.
Figure 90: Virtual Machine Connection Settings
7. In Port Group Properties area, change the Network Label to JS Data Share.
8. Click Next. The virtual machine summary page is displayed, as shown in
Figure 91 on page 86.
Figure 91: Virtual Machine Summary
9. Click Finish.
The JS Data Share port group configuration is now complete.
Adding a JS Internet Port Group to a NIC ESX (i) Server
To add JS Internet port group:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Networking, as shown in Figure 92 on page 87.
Figure 92: Virtual Switch Configuration Page
4. Click Properties next to the Virtual Switch with the Unprotected Network port group, as shown
in Figure 93 on page 87.
NOTE: Unprotected Network is the name for the existing port group.
Figure 93: vSwitch Properties
5. In the vSwitch properties window, in the Configuration list pane, click Add, as shown
in Figure 94 on page 88.
Figure 94: Virtual Machine Connection Type
6. Choose connection type Virtual Machine.
7. Click Next. The virtual machine connection settings page is displayed, as shown in
Figure 95 on page 89.
Figure 95: Virtual Machine Connection Settings
8. In port group Properties, change the Network Label to JS Internet.
9. Click Next. Figure 96 on page 90 displays the virtual machine connection completion
page.
Figure 96: Virtual Machine Connection Completion Page
10. Click Finish.
11. Return to the main vSphere client window where your ESX (i) host is selected in the
inventory list, select the Configuration tab and click Networking. The virtual machine
inventory configuration page is displayed, as shown in Figure 97 on page 91.
Figure 97: Virtual Machine Inventory
12. Click Properties of the Virtual Switch with the JS Internet port group created in this
section. The vSwitch properties summary page is displayed, as shown in
Figure 98 on page 92.
Figure 98: vSwitch Properties Summary
13. Select the port group JS Internet and click Edit, as shown in Figure 99 on page 93.
Figure 99: JS Internet Properties
14. In the JS Internet Properties window, select the Security tab, as shown in
Figure 100 on page 94.
Figure 100: JS Internet Properties - General
15. Check Promiscuous Mode and select Accept from the drop-down and click OK. The
vSwitch0 properties page is displayed, as shown in Figure 101 on page 95.
Figure 101: JS Internet vSwitch Properties
The JS Internet port group configuration is now complete.
APPENDIX C
Installing and Configuring a New ESX (i) Server
• Installing and Configuring a New ESX (i) Server
Installing and Configuring a New ESX (i) Server
• Installing an ESX (i) Server
• Connecting to vSphere
• Configuring vSwitch0 in the DDoS Secure Appliance Management Interface(s)
• Creating Internet Traffic for a DDoS Secure Appliance
• Configuring a Data Share Port Group in a DDoS Secure Appliance
• Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode
• Changing the Configuration Settings in an ESX (i) Server VMNIC Interface
Installing an ESX (i) Server
Read the VMware step-by-step guide on installing and configuring ESX (i). After
successful installation of ESX (i) server, several configuration steps are essential. In
particular, some licensing, networking, and security configuration is necessary.
For more details on these configuration tasks, see the following guides in the vSphere
Documentation:
• The ESX (i) Installable Server Setup Guide for information on licensing
• The ESX (i) Configuration Guide for information on networking and security
Connecting to vSphere
Read the VMware step-by-step guide on installing and configuring vSphere Client onto
a Windows PC.
Start the vSphere Client on your Windows PC. Enter the IP address assigned to your ESX
(i) server. Figure 102 on page 98 displays the VMware vSphere client log in page. For the
first login, use the user root; there is no password.
Figure 102: VMware vSphere Client Log in Page
Set the root password for the ESX (i) server and update the VMware license key to the
one obtained from VMware.
Configuring vSwitch0 in the DDoS Secure Appliance Management Interface(s)
vSwitch0 (default) is set up at ESX (i) installation with a vmKernel port labeled
Management Network which provides management network access to the kernel and
virtual machine VM Network port group connectivity using vmnic0.
Follow the steps below to configure vSwitch0 to add in the DDoS Secure appliance
management interface(s). Figure 103 on page 99 displays the VMware vSphere summary
page.
Figure 103: VMware vSphere Summary Page
1. Select the Configuration tab and click Networking. The vSphere client configuration
page is displayed, as shown in Figure 104 on page 100.
Figure 104: vSphere Client Configuration Page
2. Click Properties on the same line as Virtual Switch: vSwitch0, as shown in
Figure 105 on page 101.
Figure 105: vSwitch Properties
3. In the vSwitch properties window, in the Ports tab, select the VM Network port group
and click Edit. The virtual machine general tab is displayed, as shown in
Figure 106 on page 102.
Figure 106: VM Network Properties - General
4. On the General tab, rename the Network Label to ManagementLan and click OK.
5. In the vSwitch Properties window, click Close, as shown in Figure 107 on page 103.
Figure 107: vSwitch Properties - Ports
The ManagementLan port group configuration is now complete.
Creating Internet Traffic for a DDoS Secure Appliance
You could route your Internet connection through the same vSwitch as your Management
port group. However, it is recommended that you create a separate
vSwitch/port group/NIC for internet traffic to guarantee separation between the Internet
and management traffic.
This section describes the creation of the JS Internet port group which exchanges traffic
between the DDoS Secure appliance Internet interface and the Internet.
The DDoS Secure appliance Internet interface is set to promiscuous mode and therefore
must be connected to a port group that is configured to accept promiscuous traffic on
the vSwitch. The port group is named JS Internet. Do not connect any other VM instance
to this port group as this could create an unacceptable security risk.
The following instructions guide you through the configuration of a vSwitch, adding a
port group with network label JS Internet and setting this to promiscuous mode.
In our running example, the next vSwitch (vSwitch1) is used for internet traffic.
1. Return to the Configuration tab and click Networking, as shown in Figure 108 on page 104.
Figure 108: vSphere Client Configuration Page
2. Click Add Networking. The vSwitch properties for connection type is displayed, as
shown in Figure 109 on page 105.
Figure 109: vSwitch Properties - Connection Type
3. Choose connection type Virtual Machine, and click Next. The virtual machine network
access page is displayed, as shown in Figure 110 on page 105.
Figure 110: Virtual Machine - Network Access
4. Select Create a virtual switch and select one unclaimed network adapter. In this case
select vmnic1, as shown in Figure 111 on page 106.
Figure 111: Virtual Machine - Connection Settings
5. In Port Group Properties, change the Network Label to JS Internet.
6. Click Next. The virtual machine connection setting completion page is displayed, as
shown in Figure 112 on page 107.
Figure 112: Virtual Machine Connection Setting Completion
7. Click Finish.
8. Return to the main vSphere client window where your ESX (i) host is selected in the
inventory list, select the Configuration tab and click Networking, as shown in
Figure 113 on page 107.
Figure 113: Virtual Machine Connection Networking
9. Click Properties of the Virtual Switch with Virtual Machine port group JS Internet, as
shown in Figure 114 on page 108.
Figure 114: vSwitch Properties
10. Select JS Internet port group configuration and click Edit. The JS Internet properties
for General tab is displayed, as shown in Figure 115 on page 109.
Figure 115: JS Internet Properties - General
11. In the JS Internet Properties window, select the Security tab, as shown in
Figure 116 on page 110.
Figure 116: JS Internet Properties - Security
12. Check Promiscuous Mode and select Accept from the drop-down select box, and click
OK.
The JS Internet port group configuration is now complete.
Configuring a Data Share Port Group in a DDoS Secure Appliance
The JS Data Share port group is used to synchronize configurations of a DDoS Secure
appliance HA Pair. It is recommended that you create HA pairs on the same
ESX (i) host which allows, for example, software maintenance with no disruption to
traffic flows. Even if a standalone DDoS Secure appliance is to be used, this port group
is still required for the DDoS Secure appliance Data Share interface to connect to.
To configure the data share port group:
1. Return to the Configuration tab and click Networking.
2. Click Add Networking.
3. Choose connection type Virtual Machine and click Next.
4. Select Create a virtual switch and uncheck all network adapters. If the DDoS Secure
appliance is to be paired with a DDoS Secure appliance external to the ESX (i) server,
a suitable vmnic that will connect to the external DDoS Secure appliance needs to
be added in.
5. In port group Properties, change the Network Label to JS Data Share and click Next.
6. Click Finish.
7. The JS Data Share configuration is now complete.
NOTE: Promiscuous mode should not be set in this port group.
Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode
The DDoS Secure appliance Protected interface is set to promiscuous mode and therefore
must be connected to a dedicated port group that is configured to accept promiscuous
traffic on its associated vSwitch. Do not connect any other VM instance to this port
group as this could create an unacceptable security risk. Protected Servers should be
connected to a different port group on the vSwitch that has promiscuous mode disabled.
The following instructions guide you through the configuration of a vSwitch, adding a
port group with network label Protected LAN with promiscuous mode disabled and a
port group with network label JS Protected with promiscuous mode enabled.
1. Return to the Configuration tab and click Networking.
2. Click Add Networking.
3. Choose connection type Virtual Machine, and click Next.
4. Select Create a virtual switch. If you are in the process of migrating from a physical
network to a virtual network, you may want to protect both virtual and physical
servers. Adding a vmnic network adaptor to the vSwitch associated with protected
traffic means these traffic flows can reach physical servers. To add a network adapter,
select the adapter which is physically connected to the physical network segment
on which the physical server(s) is used to access the internet.
5. Click Next.
6. In port group Properties change the Network Label to Protected LAN, click Next.
7. Click Finish.
8. Return to the main vSphere client window where your ESX (i) host is selected in the
inventory list, select the Configuration tab and click Networking.
9. Click on Properties of the Virtual Switch with the port group Protected LAN created in
this section.
10. In the vSwitch properties window, click Add.
11. Choose connection type Virtual Machine and click Next.
12. In port group Properties, change the Network Label to JS Protected, and click Next.
13. Click Finish.
14. Return to vSwitch properties window.
15. Select the port group JS Protected and click Edit.
16. In the JS Protected Properties window, select the Security tab.
17. Check Promiscuous Mode and select Accept from the drop-down select box, click OK.
The vSwitch configuration for the JS Protected is now complete.
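The rules in this section can be checked against an exported inventory. The following is an added example, not part of the original guide or of any Juniper or VMware tooling: the port group labels come from this guide, while the VM names and the dictionary layout are constructed for illustration. A port group setting of None models a port group that inherits the vSwitch-level policy, which is how Accept set on the vSwitch itself would silently reach Protected LAN.

```python
# Added example: audit a vSwitch layout against the promiscuous-mode rules above.
# Labels are from this guide; VM names and the inventory shape are constructed.
PROMISCUOUS_GROUP = "JS Protected"  # only label allowed to accept promiscuous traffic

def effective_promiscuous(vswitch, pg):
    """A port group setting of None inherits the vSwitch-level policy."""
    override = pg.get("promiscuous")
    return vswitch["promiscuous"] if override is None else override

def audit_vswitch(vswitch, appliance_vms):
    """Return sorted findings; an empty list means the layout follows the guide."""
    findings = []
    groups = vswitch["port_groups"]
    if PROMISCUOUS_GROUP not in groups:
        findings.append(f"{PROMISCUOUS_GROUP}: port group is missing")
    for label, pg in groups.items():
        promisc = effective_promiscuous(vswitch, pg)
        if label == PROMISCUOUS_GROUP:
            if not promisc:
                findings.append(f"{label}: promiscuous mode is not Accept")
            for vm in pg["vms"]:
                if vm not in appliance_vms:
                    findings.append(f"{label}: '{vm}' is not a DDoS Secure appliance")
        elif promisc:
            inherited = pg.get("promiscuous") is None
            source = "inherited from vSwitch" if inherited else "set on port group"
            findings.append(f"{label}: promiscuous mode is Accept ({source})")
    return sorted(findings)

APPLIANCES = {"ddos-secure-primary"}  # hypothetical VM name

# Layout that matches the procedure: Accept only as an override on JS Protected.
GOOD = {"promiscuous": False, "port_groups": {
    "Protected LAN": {"promiscuous": None, "vms": ["web-01", "db-01"]},
    "JS Protected": {"promiscuous": True, "vms": ["ddos-secure-primary"]},
}}

# Misconfigured: Accept set on the vSwitch itself, and a server shares JS Protected.
BAD = {"promiscuous": True, "port_groups": {
    "Protected LAN": {"promiscuous": None, "vms": ["db-01"]},
    "JS Protected": {"promiscuous": None, "vms": ["ddos-secure-primary", "web-01"]},
}}

if __name__ == "__main__":
    for name, layout in (("good", GOOD), ("bad", BAD)):
        print(name, audit_vswitch(layout, APPLIANCES) or "compliant")
```

Any label other than JS Protected, including JS Data Share, is reported if its effective setting is Accept.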
Changing the Configuration Settings in an ESX (i) Server VMNIC Interface
The ESX (i) Server vmnic interfaces must have the same speed/duplex settings definitions
as the device (router or switch) that they are connected to, to prevent unnecessary packet
loss.
For example, if the router interface is set to auto, then the vmnic that it is connected to must
also be set to auto. If the router interface is set to 100 full duplex, then the vmnic that it
is connected to must also be set to 100 full duplex.
The following steps must be taken in order to change the configuration settings of a
network adaptor in your configuration if there (potentially) is a mismatch:
1. Open the vSphere client.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Networking.
4. Click on the Properties of the vSwitch which has the appropriate vmnic.
5. In the vSwitch properties window, select the Network Adapters tab.
6. Compare the speed of the Network Adapter to that of your router. If they do
not match, select the Network Adapter and click Edit.
7. Configure the speed from the drop-down select box so that it matches the Router
configuration.
APPENDIX D
Reassigning the Existing VM Network Interfaces in a VM Server
• Reassigning the Existing VM Network Interfaces in a VM Server on page 113
Reassigning the Existing VM Network Interfaces in a VM Server
As the names of port groups may have been changed, any pre-existing VMs need to be
re-visited to make sure that their management/protected interfaces are connected to
the correct port groups. To re-assign the existing VM network interfaces in a VM server:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory. The VM server edit setting page is displayed,
as shown in Figure 117 on page 113.
Figure 117: VM Server Edit Settings
3. For each server (apart from the DDoS Secure appliance VMs) listed in the inventory
click Edit Settings by using the mouse-click driven menus. Figure 118 on page 114 displays
the virtual machine properties screen.
Figure 118: Virtual Machine Properties
4. Select each Network Adapter, as shown in Figure 119 on page 115.
Figure 119: Virtual Machine Properties - Hardware
5. For every Network Connection that is blank, select the appropriate port group (usually
Protected LAN) from the Network Connection drop-down, as shown in
Figure 120 on page 116.
Figure 120: Virtual Machine Network Adapter
6. Click OK.
The Server interface has now been connected to the Protected LAN network.
Related Documentation
• Reconfiguring a vSphere Client on page 117
• Understanding Sizing Requirements on page 119
• Tuning in a NUMA Environment on page 121
APPENDIX E
Troubleshooting
• Reconfiguring a vSphere Client on page 117
Reconfiguring a vSphere Client
The DDoS Secure appliance VE is configured to run on a 64-bit Guest Operating System
on a host which is VT-capable. The host may be VT-capable but if VT is disabled in the
BIOS then the following message, as shown in Figure 121 on page 117 may appear when
installing the DDoS Secure appliance VE.
Figure 121: DDoS Secure Primary Appliance Summary
In this case, you should follow the instructions in the message, entering the BIOS of your
host, enable VT and disable trusted execution.
Related Documentation
• Creating vSwitch/Port Group/NIC for internet traffic in a DDoS Secure Appliance on
page 103
• Reassigning the Existing VM Network Interfaces in a VM Server on page 113
• Understanding Sizing Requirements on page 119
APPENDIX F
Understanding Sizing Requirements
• Understanding Sizing Requirements on page 119
Understanding Sizing Requirements
Table 5 on page 119 provides the sizing requirement details.
Table 5: Sizing Requirement Details
MIN DISK (GB)  MIN RAM (MB)  MTU   TCP CONNS  TRACKED IPS  PROTECTED IPS
12             800           1500  262K       1048K        2
12             800           1500  262K       1048K        4
12             800           1500  262K       1048K        8
13             1000          1500  524K       2097K        16
13             1000          1500  524K       2097K        32
13             1000          1500  524K       2097K        64
15             1400          1500  524K       4194K        128
15             1400          1500  1048K      4194K        256
15             1500          1500  1048K      4194K        512
13             1000          9000  262K       1048K        2
13             1000          9000  262K       1048K        4
13             1000          9000  262K       1048K        8
14             1200          9000  524K       2097K        16
14             1200          9000  524K       2097K        32
14             1200          9000  524K       2097K        64
15             1900          9000  524K       4194K        128
15             1900          9000  1048K      4194K        256
16             2000          9000  1048K      4194K        512
NOTE: The DDoS Secure appliance stores log files on the disk. More historical logs are available on larger disks.
Related Documentation
• Reassigning the Existing VM Network Interfaces in a VM Server on page 113
• Reconfiguring a vSphere Client on page 117
• Tuning in a NUMA Environment on page 121
APPENDIX G
NUMA Tuning
• Tuning in a NUMA Environment on page 121
Tuning in a NUMA Environment
It is vital that DDoS Secure is configured to use a single CPU socket and memory usage
local to that CPU. In VMware ESX (i) it is possible a CPU gets assigned remote memory
(memory within another NUMA node). To check if your ESX (i) host is Non-Uniform
Memory Access (NUMA) enabled: go to the Processor information on the Host
Configuration tab.
If Processor Sockets are more than one, then the DDoS Secure VM must be configured
to run on a single NUMA node, as shown in Figure 122 on page 121.
Figure 122: Processor Sockets
To assign DDoS Secure resource, first calculate how much memory is available per NUMA
Node. This is Memory / Processor Sockets.
For this example we will use an ESX (i) host with 2x processor sockets (6 cores per
socket) and 64GB memory, so each NUMA node will have 32GB local memory.
NOTE: With hyperthreading enabled, ESX (i) creates 24 logical vCPUs. Using the free
VMware ESX license, the maximum of 8 vCPUs can be allocated per VM. In this instance,
it would be preferable to disable hyperthreading (Configuration > Processors >
Properties – uncheck Enable hyperthreading) to utilize the physical CPU cores. This
would reduce the logical processor count to 12.
Allocate 31GB of memory to the DDoS Secure virtual machine (allowing 1GB for ESX
system memory).
On the Resources tab of the JDDS Virtual Machine Properties, select Advanced Memory.
Select Use memory from nodes and select 0 as shown in Figure 123 on page 122.
Figure 123: Virtual Machine Properties Resources options
Select Advanced CPU.
In Scheduling Affinity, add the processor numbers that are associated with NUMA node
0.
Allocate up to the maximum vCPUs contained in one NUMA node. Figure 124 on page 122
displays an example of allocating maximum vCPUs contained in one NUMA node.
Figure 124: Virtual Machine Properties - Allocating Maximum vCPUs
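The sizing steps above can be worked through and checked before the settings are applied. This is an added example, not part of the original guide: it plans the largest single-node allocation for the guide's example host and reports settings that would cross NUMA nodes. The function names are hypothetical, and the contiguous numbering of logical CPUs per socket is an assumption that must be confirmed on the host.

```python
# Added example: plan and check a single-NUMA-node allocation as described above.
ESX_RESERVE_GB = 1          # the guide leaves 1GB of the node for ESX system memory
FREE_LICENSE_MAX_VCPUS = 8  # per-VM limit the guide cites for the free ESX license

def numa_nodes(sockets, cores_per_socket, memory_gb, hyperthreading=False):
    """One NUMA node per socket, memory split evenly (Memory / Processor Sockets).
    Assumption: logical CPU numbers are contiguous per socket; confirm on the host."""
    per_node = cores_per_socket * (2 if hyperthreading else 1)
    return [{"cpus": list(range(n * per_node, (n + 1) * per_node)),
             "memory_gb": memory_gb // sockets} for n in range(sockets)]

def plan_vm(nodes, node=0, vcpu_cap=FREE_LICENSE_MAX_VCPUS):
    """Largest allocation that stays inside one node."""
    cpus = nodes[node]["cpus"][:vcpu_cap]
    return {"mem_node": node,
            "memory_gb": nodes[node]["memory_gb"] - ESX_RESERVE_GB,
            "vcpus": len(cpus), "cpu_affinity": cpus}

def check_vm(nodes, vm, vcpu_cap=FREE_LICENSE_MAX_VCPUS):
    """Return the reasons a VM setting would cross NUMA nodes or exceed limits."""
    node = nodes[vm["mem_node"]]
    problems = []
    stray = sorted(set(vm["cpu_affinity"]) - set(node["cpus"]))
    if stray:
        problems.append(f"CPUs {stray} are outside NUMA node {vm['mem_node']}")
    if vm["vcpus"] > len(vm["cpu_affinity"]):
        problems.append("more vCPUs than CPUs in the scheduling affinity")
    if vm["vcpus"] > vcpu_cap:
        problems.append(f"more than {vcpu_cap} vCPUs")
    if vm["memory_gb"] > node["memory_gb"] - ESX_RESERVE_GB:
        problems.append("memory does not fit in node-local memory")
    return problems

if __name__ == "__main__":
    # The guide's example host: 2 sockets, 6 cores per socket, 64GB, hyperthreading off.
    host = numa_nodes(sockets=2, cores_per_socket=6, memory_gb=64)
    print(plan_vm(host))
    # A setting that spills onto node 1 and uses all 32GB of node 0.
    print(check_vm(host, {"mem_node": 0, "memory_gb": 32, "vcpus": 8,
                          "cpu_affinity": list(range(8))}))
```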
Related Documentation
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on
page 22
• Reconfiguring a vSphere Client on page 117
• Understanding Sizing Requirements on page 119