DDoS Secure. VMware Virtual Edition Installation Guide. Release Published: Copyright 2013, Juniper Networks, Inc.

Transcription

1 DDoS Secure VMware Virtual Edition Installation Guide Release Published:

2 Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California USA Copyright Webscreen Technology Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. DDoS Secure VMware Virtual Edition Installation Guide All rights reserved. The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. ii

3 Table of Contents About the Documentation xi Documentation and Release Notes xi Documentation Conventions xi Documentation Feedback xiii Requesting Technical Support xiii Self-Help Online Tools and Resources xiv Opening a Case with JTAC xiv Part 1 VMware Virtual Edition Installation Chapter 1 DDoS Secure VMware Virtual Edition Overview DDoS Secure VMware Virtual Edition Overview Chapter 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition Physical Interface Requirements for Installing a DDoS Secure Appliance VE Chapter 3 ESX (i) Server Preparation Preparing to Configure an ESX (i) Server Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview Deploying a DDoS Secure Appliance Using the vsphere OVA Package DDoS Secure Appliance Virtual Engine Startup and Shutdown Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine Powering On a DDoS Secure Appliance Virtual Engine Configuring the Management IP Address in a DDoS Secure Appliance Connecting to the DDoS Secure Appliance First Boot Understanding DDoS Secure Appliance Overview Page Information Configuring a Pair of High Availability DDoS Secure Appliances Part 2 Appendix Appendix A Installing Virtual Switches in a Network Adaptor Installing Virtual Switches in a Network Adaptor Adding JS Protected and Protected LAN Port Groups Adding a JS Data Share Port Group Adding a JS Internet Port Group Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance iii

4 DDoS Secure VMware Virtual Edition Installation Guide Appendix B Installing an Existing Single NIC ESX (i) Server Installing an Existing Single NIC ESX (i) Server Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server Adding a JS Data Share Port Group to a NIC ESX (i) Server Adding a JS Internet Port Group to a NIC ESX (i) Server Appendix C Installing and Configuring a New ESX (i) Server Installing and Configuring a New ESX (i) Server Installing an ESX (i) Server Connecting to vsphere Configuring vswitch0 in the DDoS Secure Appliance Management Interface(s) Creating Internet Traffic for a DDoS Secure Appliance Configuring a Data Share Port Group in a DDoS Secure Appliance Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode Changing the Configuration Settings in an ESX (i) Server VMNIC Interface Appendix D Reassigning the Existing VM Network Interfaces in a VM Server Reassigning the Existing VM Network Interfaces in a VM Server Appendix E Troubleshooting Reconfiguring a vsphere Client Appendix F Understanding Sizing Requirements Understanding Sizing Requirements Appendix G NUMA Tuning Tuning in a NUMA Environment iv

5 List of Figures Part 1 VMware Virtual Edition Installation Chapter 1 DDoS Secure VMware Virtual Edition Overview Figure 1: Virtual Edition with DDoS Protection System (External Servers Protection) Figure 2: Virtual Edition with DDoS Protection System (VM Servers Protection) Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview Figure 3: Deploy OVF Template Figure 4: OVF Template Details Figure 5: EULA - Accept Figure 6: EULA Name Figure 7: EULA Name and Location Figure 8: Disk Format Figure 9: Network Mapping Figure 10: Ready to Complete Figure 11: Deployment Confirmation Figure 12: vsphere Client - Primary Figure 13: VM Startup and Shutdown Figure 14: VM Startup and Shutdown Startup Order Figure 15: VM Startup and Shutdown Automatic Startup Figure 16: VM Autostart Settings Figure 17: Startup and Shutdown Confirmation Figure 18: Startup and Shutdown Complete Figure 19: Primary Virtual Machine Properties Figure 20: DDoS Secure Appliance Power On Figure 21: DDoS Secure Appliance Package Installation Figure 22: DDoS Secure Appliance Package Progression Figure 23: DDoS Secure Appliance VMware Tools Screen Figure 24: DDoS Secure Appliance Package Update Screen Figure 25: DDoS Secure Appliance Primary Console Figure 26: IP Address Configuration Figure 27: Netmask Configuration Figure 28: Gateway Configuration Figure 29: Input Values Figure 30: Layer 2, Layer 23 or Layer Figure 31: Navigation Block Error Figure 32: DDoS Secure Appliance Log in Page Figure 33: Security Log in Page Figure 34: First Boot Screen Snippets v

6 DDoS Secure VMware Virtual Edition Installation Guide Figure 35: First Boot Accept Screen Snippet Figure 36: DDoS Secure Appliance Summary Board Figure 37: Configure Interface Page - Data Share Interface Part 2 Appendix Appendix A Installing Virtual Switches in a Network Adaptor Figure 38: Example of ESX (i) Server Figure 39: Example of ESX (i) Server with Dual NIC Figure 40: ESX (i) Server Console Figure 41: ESX (i) Server Add Network Wizard Figure 42: ESX (i) Server Wizard - Network Access Figure 43: ESX (i) Server Wizard - Connection Settings Figure 44: ESX (i) Server Wizard Confirmation Figure 45: ESX (i) Server Configuration Page Figure 46: vswitch Properties Figure 47: vswitch Network Wizard Connection Type Figure 48: vswitch Network Wizard Connection Settings Figure 49: vswitch Network Wizard Confirmation Figure 50: vswitch Properties Figure 51: JS Protected Properties - General Figure 52: JS Protected Properties - Security Figure 53: vswitch3 Properties Figure 54: ESX (i) Host Configuration Figure 55: VMware Connection Type Figure 56: Virtual Machine Network Access Figure 57: Virtual Machine Connection Settings Figure 58: Virtual Machine Connection Settings Completion Figure 59: Virtual Machine Connections Page Figure 60: Virtual Machine Configuration Page Figure 61: vswitch Properties Figure 62: vswitch Connection Type Figure 63: Virtual Machine Connection Settings Figure 64: Network Wizard Completion Page Figure 65: Virtual Machine Configuration Page Figure 66: vswitch Properties Figure 67: JS Internet Properties - General Figure 68: JS Internet Properties - Security Figure 69: vswitch Properties - Ports Figure 70: Virtual Machine Properties Appendix B Installing an Existing Single NIC ESX (i) Server Figure 71: ESX (i) Server with Single NIC Figure 72: ESX (i) Server with Single NIC after DDoS Secure Appliance Installation Figure 73: JS Protected and Protected LAN Port Groups Figure 74: Connection Type Figure 75: Virtual Machine Network Access Figure 76: Virtual Machine Connection Settings Figure 77: Virtual Machine Connection Settings Completion vi

7 List of Figures Figure 78: Virtual Machine Inventory Figure 79: vswitch Properties - Port Figure 80: Virtual Machine Connection Type Figure 81: Virtual Machine Connection Settings Figure 82: Virtual Machine Connection Completion Figure 83: vswitch Properties Port Figure 84: JS Protected Properties Figure 85: JS Protected Properties - General Figure 86: JS Protected Properties - Port Figure 87: Virtual Switch Figure 88: Virtual Switch Connection Type Figure 89: Virtual Switch - Network Access Figure 90: Virtual Machine Connection Settings Figure 91: Virtual Machine Summary Figure 92: Virtual Switch Configuration Page Figure 93: vswitch Properties Figure 94: Virtual Machine Connection Type Figure 95: Virtual Machine Connection Settings Figure 96: Virtual Machine Connection Completion Page Figure 97: Virtual Machine Inventory Figure 98: vswitch Properties Summary Figure 99: JS Internet Properties Figure 100: JS Internet Properties - General Figure 101: JS Internet vswitch Properties Appendix C Installing and Configuring a New ESX (i) Server Figure 102: VMware vsphere Client Log in Page Figure 103: VMware vsphere Summary Page Figure 104: vsphere Client Configuration Page Figure 105: vswitch Properties Figure 106: VM Network Properties - General Figure 107: vswitch Properties - Ports Figure 108: vsphere Client Configuration Page Figure 109: vswitch Properties - Connection Type Figure 110: Virtual Machine - Network Access Figure 111: Virtual Machine - Connection Settings Figure 112: Virtual Machine Connection Setting Completion Figure 113: Virtual Machine Connection Networking Figure 114: vswitch Properties Figure 115: JS Internet Properties - General Figure 116: JS Internet Properties - Security Appendix D Reassigning the Existing VM Network Interfaces in a VM Server Figure 117: VM Server Edit Settings Figure 118: Virtual Machine Properties Figure 119: Virtual Machine Properties - Hardware Figure 120: Virtual Machine Network Adapter Appendix E Troubleshooting Figure 121: DDoS Secure Primary Appliance Summary vii

8 DDoS Secure VMware Virtual Edition Installation Guide Appendix G NUMA Tuning Figure 122: Processor Sockets Figure 123: Virtual Machine Properties Resources options Figure 124: Virtual Machine Properties - Allocating Maximum vcpus viii

9 List of Tables About the Documentation xi Table 1: Notice Icons xii Table 2: Text and Syntax Conventions xii Part 1 VMware Virtual Edition Installation Chapter 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition Table 3: DDoS Secure Appliance VE Prerequisites Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview Table 4: Default Configurations in OVF Part 2 Appendix Appendix F Understanding Sizing Requirements Table 5: Sizing Requirement Details ix

10 DDoS Secure VMware Virtual Edition Installation Guide x

11 About the Documentation Documentation and Release Notes Documentation and Release Notes on page xi Documentation Conventions on page xi Documentation Feedback on page xiii Requesting Technical Support on page xiii Documentation Conventions To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes. Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at Table 1 on page xii defines notice icons used in this guide. xi

12 DDoS Secure VMware Virtual Edition Installation Guide Table 1: Notice Icons Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser. Table 2: Text and Syntax Conventions Table 2 on page xii defines the text and syntax conventions used in this guide. Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: user@host> configure Fixed-width text like this Italic text like this Represents output that appears on the terminal screen. Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles. user@host> show chassis alarms No alarms currently active A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide RFC 1997, BGP Communities Attribute Italic text like this Text like this Represents variables (options for which you substitute a value) in commands or configuration statements. Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. Configure the machine s domain name: [edit] root@# set system domain-name domain-name To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE. < > (angle brackets) Encloses optional keywords or variables. stub <default-metric metric>; xii

13 About the Documentation Table 2: Text and Syntax Conventions (continued) Convention Description Examples (pipe symbol) Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. broadcast multicast (string1 string2 string3) # (pound sign) Indicates a comment specified on the same line as the configuration statement to which it applies. rsvp { # Required for dynamic MPLS only [ ] (square brackets) Encloses a variable for which you can substitute one or more values. community name members [ community-ids ] Indention and braces ( { } ) ; (semicolon) Identifies a level in the configuration hierarchy. Identifies a leaf statement at a configuration hierarchy level. [edit] routing-options { static { route default { nexthop address; retain; } } } GUI Conventions Bold text like this Represents graphical user interface (GUI) items you click or select. In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel. > (bold right angle bracket) Separates levels in a hierarchy of menu selections. In the configuration editor hierarchy, select Protocols>Ospf. Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at If you are using , be sure to include the following information with your comments: Document or topic name URL or page number Software release version (if applicable) Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, xiii

14 DDoS Secure VMware Virtual Edition Installation Guide or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at Product warranties For product warranty information, visit JTAC hours of operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Search for known bugs: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see xiv

15 PART 1 VMware Virtual Edition Installation DDoS Secure VMware Virtual Edition Overview on page 3 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition on page 7 ESX (i) Server Preparation on page 9 DDoS Secure Appliance Virtual Engine Installation Overview on page 11 1

16 DDoS Secure VMware Virtual Edition Installation Guide 2

17 CHAPTER 1 DDoS Secure VMware Virtual Edition Overview DDoS Secure VMware Virtual Edition Overview on page 3 DDoS Secure VMware Virtual Edition Overview This chapter provides an overview of the VMware Virtual Edition (VE). Figure 1 on page 4 illustrates the Virtual Edition with DDoS external server protection system and Figure 2 on page 5 illustrates the Virtual Edition with DDoS Secure with VM protection system. 3

18 DDoS Secure VMware Virtual Edition Installation Guide Figure 1: Virtual Edition with DDoS Protection System (External Servers Protection) 4

19 Chapter 1: DDoS Secure VMware Virtual Edition Overview Figure 2: Virtual Edition with DDoS Protection System (VM Servers Protection) The DDoS Secure appliance Virtual Edition provides the freedom and operational flexibility to install a fully automatic DDoS protection system for any hardware platform running VMware ESX (i) v4 or later server software. The DDoS Secure appliance VMware solution is placed between the JS Internet port group and the port group JS Protected as a layer 2 device controlling the flow between the two switches. The solution is scalable for performance by adding in virtual CPUs and scalable for IP protection by adding in more virtual memory (subject to license key). High Availability primary and secondary instances of DDoS Secure appliance VE are connected to the JS Data Share port group. This connection is then used to synchronize the configuration and other information of the DDoS Secure appliance VE standby/active pair. Related Documentation Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7 Preparing to Configure an ESX (i) Server on page 9 Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 5

20 DDoS Secure VMware Virtual Edition Installation Guide 6

21 CHAPTER 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7 Physical Interface Requirements for Installing a DDoS Secure Appliance VE Table 3 on page 7 describes the prerequisites to be met before installing DDoS Secure appliance VE. Table 3: DDoS Secure Appliance VE Prerequisites PREREQUISITE COMPONENT TYPE(S) COMMENTS 64-bit hardware assisted virtualization support enabled Intel-VTx or equivalent with 64-bit support Provides support to run a 64-bit virtual guest. VT is usually enabled through the BIOS settings of the host. Bare-Metal Embedded Hypervisor VMware ESX (i) 4.1 Server or above Provides a virtualization layer that abstracts the processor, memory, storage, and networking resources of the physical host into multiple virtual machines. You can install ESX (i) installable on any hard drive on your physical server. Virtual Infrastructure Management Tool VMware vsphere Client Installs on a Windows PC and is the primary method of interaction with VMware vsphere. The vsphere client acts as a console to operate virtual machines and as an administration interface into ESX (i) hosts. The vsphere client is downloadable from the vcenter server system and ESX (i) hosts. The vsphere client includes documentation for administrators and console users. DDoS Secure appliance Virtual Edition Product package OVA package Deploys the DDoS Secure appliance Virtual Edition (VE) on to an ESX (i) server using a vsphere client. The DDoS Secure appliance Virtual Edition (VE) Product package is downloadable from the from the Juniper Network website: (login required). RAM Virtual managed in vsphere environment At least 800MB free of virtual RAM to allocate to each DDoS Secure appliance VE. 7

22 DDoS Secure VMware Virtual Edition Installation Guide Table 3: DDoS Secure Appliance VE Prerequisites (continued) PREREQUISITE COMPONENT TYPE(S) COMMENTS Datastore Virtual disk managed in vsphere environment At least 11GB of free space for each DDoS Secure appliance VE. CPU Virtual CPU At least one virtual CPU. Preferably two or more. Management Network 1 x vswitch 1 x Port Group Connects existing management traffic and DDoS Secure appliance VE(s) together through a port group ManagementLan. Internet Network 1 x vswitch 1 x Dedicated Port Group It is recommended that the physical Internet Gateway router/switch is connected to a vswitch with a dedicated vmnic. The DDoS Secure appliance Internet interface must be connected to this vswitch using a JS Internet port group configured in promiscuous mode. Protected Network 1 x vswitch 1 x Dedicated Port Group 1 x Port Group It is recommended that firewalls/load balancers/servers and so on are connected to a vswitch with port group ProtectedLAN so that their traffic is routed using the DDoS Secure appliance transparently to and from the internet gateway. DDoS Secure appliance protected interfaces must be connected to this vswitch using a dedicated JS Protected port group configured in promiscuous mode. Data Share Network 1 x vswitch 1 x Port Group DDoS Secure appliance VE can be paired to provide a highly available active/standby pair. The port group is labeled as JS Data Share. Related Documentation DDoS Secure VMWare Virtual Edition Overview on page 3 Preparing to Configure an ESX (i) Server on page 9 Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 8

23 CHAPTER 3 ESX (i) Server Preparation Preparing to Configure an ESX (i) Server on page 9 Preparing to Configure an ESX (i) Server It is possible that the ESX (i) server has been built in many different ways, or the ESX (i) server has not yet been built. There are three existing generic build scenarios, and most existing ESX (i) configurations should map into one of the following scenarios: 1. Two (or more) NIC interfaces in use Existing 2+ NIC ESX (i) Installation. 2. Single (possibly teamed) NIC interface in use Existing Single NIC ESX (i) Installation. 3. Initial build of ESX (i) server New ESX (i) Installation. Verify which is the most appropriate scenario to use to reconfigure/update the ESX (i) internal networking layout. NOTE: This preparation work MUST be done prior to installing the DDoS Secure appliance VMware instance. The ESX (i) server may be restricted in the number of physical interfaces, so it may not be possible to associate each vswitch with a dedicated physical interface. The Management Lan port group and JS Data Share port group must not be on the same vswitch, unless they are in different VLANs. The JS Internet port group and JS Protected port group must not be on the same vswitch, unless they are in different VLANs. Related Documentation Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7 DDoS Secure VMWare Virtual Edition Overview on page 3 Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 9

24 DDoS Secure VMware Virtual Edition Installation Guide 10

25 CHAPTER 4 DDoS Secure Appliance Virtual Engine Installation Overview To install the DDoS Secure appliance VE, you will need to deploy a DDoS Secure appliance OVF Template package onto the VMware ESX (i) server via a vsphere client. The vsphere configuration wizard guides you through the initial configuration and allows you to change the virtual machine name, disk format and the network mapping. There are two variants of the Open Virtualization Format (OVF). One variant is for general use and the other variant is for light use (that is, demo on laptop). Table 4 on page 11 describes the initial default configuration contained in the OVF: Table 4: Default Configurations in OVF RESOURCE GENERAL VALUE VALUE vcpu 4 vcpu 2 vcpu Virtual Disk 100GB 15GB Memory 6000 MB 1000 MB Network Interfaces 4 4 It is quite likely that these defaults will need to be changed according to bandwidth requirements, the number of protected servers, tracked IP addresses and TCP connections; depending on your network usage. Resource values must be changed using the vsphere client user interface before powering on the virtual machine for the first time. Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17 Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 Powering On a DDoS Secure Appliance Virtual Engine on page 23 Configuring the Management IP Address in a DDoS Secure Appliance on page 27 Configuring a Pair of High Availability DDoS Secure Appliances on page 34 11

26 DDoS Secure VMware Virtual Edition Installation Guide Deploying a DDoS Secure Appliance Using the vsphere OVA Package To deploy an appliance using the vsphere OVA package: 1. Verify that you have created all the necessary port groups. 2. In vsphere client, select the appropriate host or resource pool. 3. Select File > Deploy OVF Template to invoke the Deploy OVF template wizard, as shown in Figure 3 on page 12. Figure 3: Deploy OVF Template The Deploy OVF Template wizard will be invoked and will request selection of an OVA package. Use the OVA package previously downloaded from the DDoS Secure appliance Technology website. The OVA package can be identified by the following naming format: DDoS Secure appliance[version].[arch].ova DDoS Secure appliancefc11_ x86_64.ova ddossecurecentos_6_3-lite x86_64.ova 4. Specify your OVA file or click Browse to browse for it and then click Next to continue. Figure 4 on page 13 displays the OVF template details. 12

27 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 4: OVF Template Details 5. The Wizard reads and verifies the OVF template details. Click Next to continue. Figure 5 on page 13 displays the EULA screen. Figure 5: EULA - Accept 6. Read and accept the End User License Agreement (EULA). Click Next to continue. Figure 6 on page 14 displays the screen to enter the name of the EULA. 13

28 DDoS Secure VMware Virtual Edition Installation Guide Figure 6: EULA Name 7. A suggested default VM name is provided. Rename this to DDoS Secure appliance Primary (DDoS Secure appliance Secondary, if this is the second instance for a HA pair), or any other suitable name. Figure 7 on page 14 displays the screen to enter the name and location. Figure 7: EULA Name and Location 14

29 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview 8. Click Next to continue. Figure 8 on page 15 displays the screen with disk format details. Figure 8: Disk Format 9. Select the disk format in which the DDoS Secure appliance VE files are stored. You must choose Thick provisioned format (the default format). 10. Click Next to continue. Figure 9 on page 15 displays the network mapping screen. Figure 9: Network Mapping 15

30 DDoS Secure VMware Virtual Edition Installation Guide 11. Map the networks used in the OVF template to the networks defined in your inventory. If the port groups have been labeled up as previously described, no changes are required. However, if there are differences, for each source network choose an appropriate destination network by selecting an inventory network from the destination networks drop-down select box. 12. Click Next to continue. Figure 10 on page 16 displays the ready to complete screen. Figure 10: Ready to Complete 13. Review the configured settings and click Finish to start the deployment process. This completes the wizard process, the Deploy OVF Template window will now close. It may take a few minutes for the new machine to be deployed in the vsphere client inventory. Figure 11 on page 16 displays the deployment completion message. Figure 11: Deployment Confirmation Upon deployment, a window box will appear stating that the deployment has been successful. 14. Click Close to continue. 16

31 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Related Documentation DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17 Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 Powering On a DDoS Secure Appliance Virtual Engine on page 23 Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7 DDoS Secure Appliance Virtual Engine Startup and Shutdown To start or shutdown a Virtual Machine: 1. Open the vsphere client. 2. Select the ESX (i) host in the inventory. 3. Select the Configuration tab and click Virtual Machine Startup Shutdown. Figure 12 on page 17 displays the vsphere primary client screen. Figure 12: vsphere Client - Primary 4. Click Properties on the same line as Virtual Machine startup and shutdown. Figure 13 on page 18 displays the virtual machine startup and shutdown screen. 17

32 DDoS Secure VMware Virtual Edition Installation Guide Figure 13: VM Startup and Shutdown 5. Select Allow virtual machines to start and stop automatically with the system under System Settings, as shown in Figure 14 on page 18. Figure 14: VM Startup and Shutdown Startup Order 6. In the startup order window, select DDoS Secure appliance Primary under Manual Startup and click Move Up (in this case) twice for automatic startup, as shown in Figure 15 on page

33 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 15: VM Startup and Shutdown Automatic Startup 7. Click Edit. The Virtual Machine Autostart Settings window is displayed. 8. Under Shutdown Settings, select Use specified settings and select Guest Shutdown from the Perform shutdown action drop-down, as shown in Figure 16 on page

34 DDoS Secure VMware Virtual Edition Installation Guide Figure 16: VM Autostart Settings 9. Click OK in the Virtual Machine Startup and Shutdown window. Figure 17 on page 21 displays the confirmation screen of Virtual Machine Startup and Shutdown window. 20

35 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 17: Startup and Shutdown Confirmation 10. Click OK in the vsphere Client window. Figure 18 on page 21 displays the completion screen of Virtual Machine Startup and Shutdown window. Figure 18: Startup and Shutdown Complete Startup and Shutdown configuration for DDoS Secure appliance Primary is now complete. NOTE: If the entry is repeated multiple times, select another configuration option and then switch back to validate the screen above. 21

36 DDoS Secure VMware Virtual Edition Installation Guide Related Documentation Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 Powering On a DDoS Secure Appliance Virtual Engine on page 23 Understanding Sizing Requirements on page 119 Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine Increasing the number of vcpus will improve performance of the DDoS Secure appliance VE and increasing the memory will increase the number of servers the appliance VE will be capable of protecting. Increasing disk space will increase the logging retention capability. Alterations to vcpus, memory and disk space can only be done with the appliance powered off. Furthermore, the disk space cannot be changed after the appliance has been powered on and the software installed. Open the vsphere Client, select a appliance virtual machine from the inventory and select Edit Settings, this will open the Virtual Machine properties window. Use the recommended Virtual Machine Properties. Any memory configurations suggested by the vsphere client are not applicable to the appliance VE and should be ignored. Areas to consider are: CPUs Memory Disk Space Figure 19 on page 23 displays the Primary Virtual Machine Properties window. 22

37 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 19: Primary Virtual Machine Properties Related Documentation Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 Powering On a DDoS Secure Appliance Virtual Engine on page 23 DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17 Understanding Sizing Requirements on page 119 Powering On a DDoS Secure Appliance Virtual Engine Before powering on for the first time, confirm that you have configured the correct amount of disk space as this cannot be subsequently changed. To power on a DDoS Secure appliance virtual engine: 1. Open the vsphere client, select a DDoS Secure appliance virtual machine from the inventory and power on the machine by typing Ctrl-B or using the mouse-click driven menus, as shown in Figure 20 on page

38 DDoS Secure VMware Virtual Edition Installation Guide Figure 20: DDoS Secure Appliance Power On When powering on your DDoS Secure appliance virtual machine for the first time, the DDoS Secure appliance software will automatically install and boot the DDoS Secure appliance VE up to the login: prompt. It will pause, requesting that VMtools Installation is enabled before this can complete. 2. Monitor the install by selecting the Console pane of the DDoS Secure appliance virtual machine, as shown in Figure 21 on page 24. Figure 21: DDoS Secure Appliance Package Installation 24

39 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 22 on page 25 software packages being installed and the DDoS Secure appliance is waiting for VMtools to be installed. Figure 22: DDoS Secure Appliance Package Progression 3. Right click the Guest name in the Inventory and select Interactive Tools Upgrade, as shown in Figure 23 on page 25. Figure 23: DDoS Secure Appliance VMware Tools Screen 25

40 DDoS Secure VMware Virtual Edition Installation Guide The update screen appears after the VMtools CD has been detected, as shown in Figure 24 on page 26. Figure 24: DDoS Secure Appliance Package Update Screen When the installation has finished, you will be prompted to login at the console, as shown in Figure 25 on page 26. Figure 25: DDoS Secure Appliance Primary Console An IP address will be allocated by DHCP if it is available. If DHCP is not available, it will default to

41 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Related Documentation Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17 Configuring the Management IP Address in a DDoS Secure Appliance To configure DDoS Secure appliance management IP address: 1. Login from the console with username configure and password configure. The following sets up the interface mapping, IP address, netmask, gateway and speed of the DDoS Secure appliance management interface. Replace the values shown with your appropriate settings to connect to your management network. 2. Enter the management IP address for accessing the DDoS Secure appliance GUI or CLI, as shown in Figure 26 on page 27. This IP address must not be in use elsewhere. Figure 26: IP Address Configuration 3. Enter the management IP netmask, as shown in Figure 27 on page 27. Figure 27: Netmask Configuration 4. Enter the management network gateway. This has to be in the same subnet as the management IP address, as shown in Figure 28 on page 27. Figure 28: Gateway Configuration 5. If you are satisfied with the input values, then enter y, as shown in Figure 29 on page 27. Figure 29: Input Values 6. Choose the Layer 2, Layer 23 or Layer 3 operational mode, as shown in Figure 30 on page

42 DDoS Secure VMware Virtual Edition Installation Guide Figure 30: Layer 2, Layer 23 or Layer 3 The DDoS Secure appliance normally works as a layer 2 device on the main data path that provides DDoS protection. However, there are circumstances where layer 2 will not work and the DDoS appliance needs to operate in a layer 3 type environment without the interfaces being in promiscuous mode. This mode is catered for, but does have limitations as described in the selection figure. Normally, you would select n at this point. Otherwise, you will need to define the appropriate IP addresses. The DDoS Secure appliance will re-configure and the console will return to the login prompt. Connecting to the DDoS Secure Appliance on page 28 First Boot on page 31 Understanding DDoS Secure Appliance Overview Page Information on page 33 Connecting to the DDoS Secure Appliance To connect to the DDoS Secure appliance: 1. Open a browser window on a management PC. It is recommended that the management PC is connected via the vswitch associated with the JS Management port group although access to the DDoS Secure appliance GUI and command line can also be gained via vswitches associated with the non-promiscuous Protected or Internet port groups (provided routing is in place). Whichever method is used, the management PC will need to be configured with an IP address that is routable to/from the management IP address of the DDoS Secure appliance. 2. Type in the address bar, where aaa.bbb.ccc.ddd is the IP address of the management interface of the appliance (factory default is ). A navigation block error is displayed, as shown in Figure 31 on page

43 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 31: Navigation Block Error NOTE: The URL is prefixed with All traffic between the Management PC and the DDoS Secure appliance is encrypted. The DDoS Secure appliance produces a self-signed certificate for use in the secured communications. This certificate is recreated every time the appliance management interface IP address is reconfigured, or if there is less than a year to run when a software patch is applied. It is possible for the date to be invalid if the clocks on the DDoS Secure appliance and on the browser are significantly out of phase. It is possible to replace this certificate through the GUI. 3. View the certificate and install it to prevent the security alert every time you connect to the DDoS Secure appliance. 4. Click Process anyway if you are sure that you are trying to connect to the DDoS Secure appliance. The DDoS Secure appliance login page is displayed in Figure 32 on page

44 DDoS Secure VMware Virtual Edition Installation Guide Figure 32: DDoS Secure Appliance Log in Page 5. Click Login to access the DDoS Secure appliance. Alternatively, check Use Original GUI to access the older DDoS Secure interface. If the checkbox is pre-checked, DDoS Secure has determined that your browser does not support the new UI interface. 6. Enter the username and password when prompted. Figure 33 on page 31 displays the security log in page. 30

45 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 33: Security Log in Page The default user name is user and the password is password. 7. Click Login. First Boot On the first connection, the licensing screen appears on the Management PC. Figure 34 on page 32 displays the first boot screen snippets. NOTE: The first time of use, you will be asked to accept the DDoS Secure EULA. 31

46 DDoS Secure VMware Virtual Edition Installation Guide Figure 34: First Boot Screen Snippets 32

47 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview 1. Read the End User License Agreement carefully to make sure that you fully understand the Terms and Conditions. To accept the End User License Agreement: Click I Accept to accept the terms and conditions. Click Cancel to proceed no further. This will cause the system to power-off. On accepting the Terms and Conditions of the license, the DDoS Secure appliance will then display a second licensing screen. Figure 35 on page 33 displays the first boot accept screen snippet Figure 35: First Boot Accept Screen Snippet On accepting the Terms and Conditions of the license, the DDoS Secure appliance will redirect to the overview page. Understanding DDoS Secure Appliance Overview Page Information After successful authentication, the DDoS Secure appliance summary board is displayed. Figure 36 on page 34 displays the DDoS Secure appliance overview page. 33

48 DDoS Secure VMware Virtual Edition Installation Guide Figure 36: DDoS Secure Appliance Summary Board The options available are: Traffic Monitor Displays the average speed of data processed, both inbound and outbound, for the appliance. Load Status Displays how busy the DDoS Secure appliance engine is. Attack Status Displays how aggressively the DDoS Secure appliance is dropping traffic to defend the appropriate resources. Good Traffic Displays the distribution of where good traffic is coming from. Bad Traffic Displays distribution of where the bad traffic is coming from. Protected Performance Displays how busy a protected IP is from an aggregated Charm perspective, and what the average traffic to and from the IP is. Configuring a Pair of High Availability DDoS Secure Appliances DDoS Secure appliance VEs can be HA paired within the same inventory on the same ESX (i) server or on a different inventory on a different ESX (i) server providing they share network connectivity in your network design. Having an Active/Standby pair of DDoS Secure appliances means that (software) maintenance can be on one of the DDoS Secure appliances (such as an upgrade) while still having Internet traffic flowing. DDoS Secure appliance data share interfaces are used to synchronize configurations, state information and incident information between the active/standby pair. The Primary DDoS Secure appliance and the Secondary DDoS Secure appliance in a HA pair both require configuration of their data share IP addresses. 34

49 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview To configure data share IP addresses: 1. Click Login symbol on the DDoS Secure portal. 2. You will then be prompted for a login and password. 3. Enter initial username as user and password as password. 4. Click OK. After successful authentication, on the first access, the DDoS Secure appliance page is displayed. 5. In the Left pane, click Configuration/Logs, which will bring up a new tab. 6. In the Left pane, click Configure Interfaces. The Data Share Interface Definition option is displayed, as shown in Figure 37 on page 35. Figure 37: Configure Interface Page - Data Share Interface 7. Under Data Share Interface Definition, enter the IP address and the network mask. NOTE: Both DDoS Secure appliance data share interfaces IP address must be unique and in the same (preferable RFC1918) subnet in order to connect. NOTE: Both DDoS Secure appliances must be connected to the same JS Protected, JS Internet and JS Management port groups so HA operation to be established. Related Documentation Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 Installing Virtual Switches in a Network Adaptor on page 39 Powering On a DDoS Secure Appliance Virtual Engine on page 23 35

50 DDoS Secure VMware Virtual Edition Installation Guide 36

51 PART 2 Appendix Installing Virtual Switches in a Network Adaptor on page 39 Installing an Existing Single NIC ESX (i) Server on page 69 Installing and Configuring a New ESX (i) Server on page 97 Reassigning the Existing VM Network Interfaces in a VM Server on page 113 Troubleshooting on page 117 Understanding Sizing Requirements on page 119 NUMA Tuning on page

52 DDoS Secure VMware Virtual Edition Installation Guide 38

53 APPENDIX A Installing Virtual Switches in a Network Adaptor Installing Virtual Switches in a Network Adaptor on page 39 Installing Virtual Switches in a Network Adaptor You need to separate the source of your unprotected traffic from the network segment hosting your servers by using two separate virtual switches, one for each area. The DDoS Secure appliance Virtual Edition will be bridging these two virtual switches and hence control what is and is not allowed to flow between them. The source of unprotected traffic might be an external network (for example, Internet Gateway) connected to an ESX (i) network adaptor or it might already be on a separate virtual network which is routed or bridged to your server virtual network. In the rest of this appendix, we will refer to port groups associated with two virtual switches as the JS Internet port group (carrying unprotected traffic) and the JS Protected and Protected LAN port groups (carrying protected traffic). Wherever unprotected xxx is referred, this is likely to be called something else on the original ESX (i) configuration, the default being VM Network. Substitute as appropriate. Figure 38 on page 40 illustrates a simple example of an ESX (i) Server: 39

54 DDoS Secure VMware Virtual Edition Installation Guide Figure 38: Example of ESX (i) Server The following sections outline the steps required for reconfiguring the example dual NIC ESX (i) Server: Add new vswitch C and attach a new JS Protected port group (connects to DDoS Secure appliance) and a new Protected LAN port group (connects to protected network). Set JS Protected port group to support promiscuous mode. Add new vswitch D and attach a new JS Data Share port group. Attach a new JS Internet port group with vswitch A. Set JS Internet port group to support promiscuous mode. Install the DDoS Secure appliance VE from the OVA file. Connect to the GUI using the default IP address log in with username user and password password. The management IP address can be changed from the Configure Interfaces icon on the left-hand pane. Log in to the DDoS Secure appliance GUI. Reassign your firewall/load balancers/servers from the original Unprotected Network port group to the Protected LAN port group. Place the DDoS Secure appliance VE in desired operating mode. Remove the Unprotected Network port group (Optional). 40

55 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 39 on page 41 illustrates the ESX (i) Server with a dual NIC after DDoS Secure appliance installation. Figure 39: Example of ESX (i) Server with Dual NIC Adding JS Protected and Protected LAN Port Groups on page 41 Adding a JS Data Share Port Group on page 52 Adding a JS Internet Port Group on page 57 Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance on page 66 Adding JS Protected and Protected LAN Port Groups To add port groups JS protected and Protected LAN: 1. Open the vsphere client if not already open. 2. Select the ESX (i) host in the inventory. 41

56 DDoS Secure VMware Virtual Edition Installation Guide 3. Select the Configuration tab and click Networking as shown in Figure 40 on page 42. Figure 40: ESX (i) Server Console 4. Click Add Networking. The Add Network Wizard page is displayed, as shown in figure Figure 41 on page 42. Figure 41: ESX (i) Server Add Network Wizard 42

57 Appendix A: Installing Virtual Switches in a Network Adaptor 5. Click the connection type Virtual Machine. 6. Click Next. The ESX (i) server wizard for network access is displayed, as shown in Figure 42 on page 43. Figure 42: ESX (i) Server Wizard - Network Access 7. Select Create a virtual switch and uncheck all network adapters. 8. Click Next. The ESX (i) server wizard for connection settings is displayed, as shown in Figure 43 on page

58 DDoS Secure VMware Virtual Edition Installation Guide Figure 43: ESX (i) Server Wizard - Connection Settings 9. In Port Group Properties area, change the Network Label to Protected LAN. 10. Click Next. The ESX (i) server wizard confirmation screen is displayed, as shown in Figure 44 on page

59 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 44: ESX (i) Server Wizard Confirmation 11. Click Finish. 12. Return to the main vsphere client window where your ESX (i) host is selected in the inventory list. 13. Select the Configuration tab and click Networking. The server configuration page is displayed, as shown in Figure 45 on page

60 DDoS Secure VMware Virtual Edition Installation Guide Figure 45: ESX (i) Server Configuration Page 14. Click Properties of the Virtual Switch with the Protected LAN port group created in this section. The vswitch Properties page is displayed, as shown in Figure 46 on page 46. Figure 46: vswitch Properties 46

61 Appendix A: Installing Virtual Switches in a Network Adaptor 15. In the vswitch properties window, click Add. The wizard connection type page is displayed, as shown in Figure 47 on page 47. Figure 47: vswitch Network Wizard Connection Type 16. Choose connection type Virtual Machine and click Next. The wizard connection settings page is displayed, as shown in Figure 48 on page

62 DDoS Secure VMware Virtual Edition Installation Guide Figure 48: vswitch Network Wizard Connection Settings 17. In port group properties, change the Network Label to JS Protected. 18. Click Next. The wizard connection confirmation page is displayed, as shown in Figure 49 on page 49 48

63 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 49: vswitch Network Wizard Confirmation 19. Click Finish. The vswitch3 Properties page is displayed, as shown in Figure 50 on page 49. Figure 50: vswitch Properties 49

64 DDoS Secure VMware Virtual Edition Installation Guide 20. Select the JS Protected port group. 21. Click Edit. The JS protected properties for general tab is displayed, as shown in Figure 51 on page 50. Figure 51: JS Protected Properties - General 22. In the JS Protected Properties window, select the Security tab. The JS Protected Properties- Security tab is displayed, as shown in Figure 52 on page

65 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 52: JS Protected Properties - Security 23. Check Promiscuous Mode and select Accept from the list. 24. Click OK. The vswitch3 Properties page is displayed, as shown in Figure 53 on page

66 DDoS Secure VMware Virtual Edition Installation Guide Figure 53: vswitch3 Properties The ProtectedLAN and JS Protected port group configurations are now complete. Adding a JS Data Share Port Group The JS Data Share port group is used to synchronize configuration of a DDoS Secure appliance HA Pair. The appliance recommend you create HA pairs on the same ESX (i) host thereby allowing software upgrade of standby whilst the other is active. Even if a standalone appliance is to be deployed, this port group is still required for the appliance data share interface to connect to. Follow the instructions below to configure the JS Data Share port group on a new vswitch: 1. Open the vsphere client if not already open. 2. Select the ESX (i) host in the inventory. 3. Select Configuration tab and click Networking. The ESX (i) host configuration page is displayed, as shown in Figure 54 on page

67 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 54: ESX (i) Host Configuration 4. Click Add Networking. The VMware connection type page is displayed, as shown in Figure 55 on page 53. Figure 55: VMware Connection Type 53

68 DDoS Secure VMware Virtual Edition Installation Guide 5. Choose connection type Virtual Machine and click Next. The virtual machine network access page is displayed, as shown in Figure 56 on page 54. Figure 56: Virtual Machine Network Access 6. Select create a virtual switch and uncheck all network adapters. The virtual machine connection settings page is displayed, as shown in Figure 57 on page 55. In certain circumstances a user may want to pair up with a appliance external to the ESX (i) server. In this case, select the network adapter that the external appliance data share interface is connected to. 54

69 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 57: Virtual Machine Connection Settings 7. In Port Group Properties area, change the network label to JS Data Share. 8. Click Next. The virtual machine connection settings completion page is displayed, as shown in Figure 58 on page

70 DDoS Secure VMware Virtual Edition Installation Guide Figure 58: Virtual Machine Connection Settings Completion 9. Click Finish. The JS Data Share port group configuration is now complete. The virtual machine connection page is displayed, as shown in Figure 59 on page

71 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 59: Virtual Machine Connections Page Adding a JS Internet Port Group To add JS Internet port group: 1. Open the vsphere client if not already open. 2. Select the ESX (i) host in the inventory. 3. Select the Configuration tab and click Networking. The virtual machine configuration page is displayed, as shown in Figure 60 on page

72 DDoS Secure VMware Virtual Edition Installation Guide Figure 60: Virtual Machine Configuration Page 4. Click Properties next to Virtual Switch with Unprotected Network port group. The vswitch Properties page is displayed, as shown in Figure 61 on page 59. NOTE: Unprotected network is the name for the existing port group. 58

73 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 61: vswitch Properties 5. In the vswitch Properties window, in the Configuration list pane, click Add. The vswitch connection type page is displayed, as shown in Figure 62 on page 59. Figure 62: vswitch Connection Type 59

74 DDoS Secure VMware Virtual Edition Installation Guide 6. Choose connection type as Virtual Machine. 7. Click Next. The Virtual Machines - Connection Settings page is displayed, as shown in Figure 63 on page 60. Figure 63: Virtual Machine Connection Settings 8. In the Port Group Properties area, change the Network Label to JS Internet. 9. Click Next. The network wizard completion page is displayed, as shown in Figure 64 on page

75 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 64: Network Wizard Completion Page 10. Click Finish. 11. Return to main vsphere client window where your ESX (i) host is selected in the inventory list. 12. Select the Configuration tab and click Networking. The virtual machine configuration page is displayed, as shown in Figure 65 on page 62 61

76 DDoS Secure VMware Virtual Edition Installation Guide Figure 65: Virtual Machine Configuration Page 13. Click Properties of the Virtual Switch with the JS Internet port group created in this section. The vswitch0 Properties page is displayed, as shown in Figure 66 on page

77 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 66: vswitch Properties 14. Select the port group JS Internet and click Edit. The JS Internet properties page is displayed, as shown in Figure 67 on page

78 DDoS Secure VMware Virtual Edition Installation Guide Figure 67: JS Internet Properties - General 15. In the JS Internet Properties window, select the Security tab. The JS Internet properties for the security tab is displayed, as shown in Figure 68 on page

79 Appendix A: Installing Virtual Switches in a Network Adaptor Figure 68: JS Internet Properties - Security 16. Check Promiscuous Mode and select Accept from the list. 17. Click OK. The vswitch3 Properties page is displayed, as shown in Figure 69 on page

80 DDoS Secure VMware Virtual Edition Installation Guide Figure 69: vswitch Properties - Ports The JS Internet port group configuration is now complete. Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance All virtual machines connected to existing Unprotected Network port group will need reconfiguring to use the Protected LAN port group. 66

81 Appendix A: Installing Virtual Switches in a Network Adaptor 1. Select the virtual machine in the vsphere Client inventory and open the properties window using option Edit Settings. The virtual machine properties for hardware is displayed, as shown in Figure 70 on page 67. Figure 70: Virtual Machine Properties 2. In the Hardware tab, select the Network Adaptor previously connected to the Unprotected Network port group. This will be visible in the Hardware Summary but appear as a blank selection under the Network Connection pane. 3. Choose Protected LAN port group from the drop-down select box of Network Connections. 4. Click OK. 5. Repeat reconfiguration for each virtual machine connected to the port group renamed from Unprotected Network to Protected LAN. 67

82 DDoS Secure VMware Virtual Edition Installation Guide 68

83 APPENDIX B Installing an Existing Single NIC ESX (i) Server Installing an Existing Single NIC ESX (i) Server on page 69 Installing an Existing Single NIC ESX (i) Server You must retain the association between the single physical interface, the virtual switch and vmkernel which carries the ESX (i)/vsphere management traffic. Removing this association will lead to loss of communication with your ESX (i) Server and may require an ESX (i) server rebuild. You will need to separate the source of your unprotected traffic from the network segment hosting your firewall/load balancer/servers by placing them on two separate virtual switches. The DDoS Secure appliance Virtual Edition will be bridging these two virtual switches and hence controls the flow between them. The source of unprotected traffic might be an external network (for example: Internet Gateway) connected to an ESX (i) network adaptor or it might already be on a separate virtual network which is routed or bridged to your server virtual network. In the rest of this chapter we will refer to port groups associated with two virtual switches as the JS Internet port group (carrying unprotected traffic) and the JS Protected and Protected LAN port groups (carrying protected traffic). Wherever Unprotected xxx is referred, this is likely to be called something else on the original ESX configuration, the default being VM Network. Substitute as appropriate. Figure 71 on page 70 illustrates a simple example of an ESX (i) Server with a single NIC. 69

84 DDoS Secure VMware Virtual Edition Installation Guide Figure 71: ESX (i) Server with Single NIC The following sections outline the steps required for reconfiguring the example single NIC ESX (i) Server: Add new vswitch B and associate a new JS Protected port group (connects to DDoS Secure appliance) and a new Protected LAN port group (connects to protected network). Set JS Protected port group to support promiscuous mode. Add new switch C and associate a new JS Data Share port group. Associate a new JS Internet port group with vswitch A. Set JS Internet port group to support Promiscuous mode. Install the DDoS Secure appliance VE from the.ova file. Connect to the GUI using the default IP address login with username user and password password. The management IP address can be changed from the Configure Interfaces icon within the (Admin) left-hand pane. Logon to the DDoS Secure appliance GUI and apply a new license. Reassign your firewall/load balancers/servers from the original Unprotected Network port group to the Protected LAN port group. Place the DDoS Secure appliance VE in desired operating mode. Figure 72 on page 71illustrates the ESX (i) Server with a single NIC after DDoS Secure appliance installation. 70

85 Appendix B: Installing an Existing Single NIC ESX (i) Server Figure 72: ESX (i) Server with Single NIC after DDoS Secure Appliance Installation Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server on page 71 Adding a JS Data Share Port Group to a NIC ESX (i) Server on page 82 Adding a JS Internet Port Group to a NIC ESX (i) Server on page 86 Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server To add JS Protected and ProtectedLAN port groups: 1. Open the vsphere client if not already open. 2. Select the ESX (i) host in the inventory. 3. Select the Configuration tab and click Networking. The JS protected and Protected LAN port groups are displayed, as shown in Figure 73 on page

86 DDoS Secure VMware Virtual Edition Installation Guide Figure 73: JS Protected and Protected LAN Port Groups 4. Click Add Networking. The network Connection Type page is displayed, as shown in Figure 74 on page 72. Figure 74: Connection Type 72

87 Appendix B: Installing an Existing Single NIC ESX (i) Server 5. Choose connection type Virtual Machine. 6. Click Next. The virtual machine network access page is displayed, as shown in Figure 75 on page 73. Figure 75: Virtual Machine Network Access 7. Select Create a virtual switch and uncheck all network adapters. 8. Click Next. The virtual machine connection settings page is displayed, as shown in Figure 76 on page

88 DDoS Secure VMware Virtual Edition Installation Guide Figure 76: Virtual Machine Connection Settings 9. In port group Properties, change the Network Label to Protected LAN. 10. Click Next. The virtual machine connection setting completion page is displayed, as shown in Figure 77 on page

89 Appendix B: Installing an Existing Single NIC ESX (i) Server Figure 77: Virtual Machine Connection Settings Completion 11. Click Finish. 12. Return to main vsphere client window where your ESX (i) host is selected in the inventory list, and select the Configuration tab and click Networking. The virtual machine inventory page is displayed, as shown in Figure 78 on page

90 DDoS Secure VMware Virtual Edition Installation Guide Figure 78: Virtual Machine Inventory 13. Click Properties of the Virtual Switch with the Protected LAN port group, as shown in Figure 79 on page 76. Figure 79: vswitch Properties - Port 76

91 Appendix B: Installing an Existing Single NIC ESX (i) Server 14. In the vswitch properties window, and click Add. The virtual machine connection type wizard page is displayed, as shown in Figure 80 on page 77. Figure 80: Virtual Machine Connection Type 15. Choose connection type Virtual Machine, and click Next. The virtual machine connection settings page is displayed, as shown in Figure 81 on page

92 DDoS Secure VMware Virtual Edition Installation Guide Figure 81: Virtual Machine Connection Settings 16. In port group Properties, change the Network Label to JS Protected, and click Next. The virtual machine connection complete page is displayed, as shown in Figure 82 on page 78. Figure 82: Virtual Machine Connection Completion 78

93 Appendix B: Installing an Existing Single NIC ESX (i) Server 17. Click Finish to return to vswitch properties window, as shown in Figure 83 on page 79. Figure 83: vswitch Properties Port 18. Select the port group JS Protected and click Edit. The JS protected properties page is displayed, as shown in Figure 84 on page

94 DDoS Secure VMware Virtual Edition Installation Guide Figure 84: JS Protected Properties 19. In the JS Protected Properties window, select Security tab, as shown in Figure 85 on page

95 Appendix B: Installing an Existing Single NIC ESX (i) Server Figure 85: JS Protected Properties - General 20. Check Promiscuous Mode and select Accept from the drop-down select box, and click OK, as shown in Figure 86 on page

96 DDoS Secure VMware Virtual Edition Installation Guide Figure 86: JS Protected Properties - Port The Protected LAN and JS Protected port group configurations are now complete. Adding a JS Data Share Port Group to a NIC ESX (i) Server The JS Data Share port group is used to synchronize configuration of a DDoS Secure appliance HA Pair. DDoS Secure appliance recommend you create HA pairs on the same ESX (i) host thereby allowing software upgrade of standby whilst the other is active. Even if a Standalone DDoS Secure appliance is to be deployed, this port group is still required for the DDoS Secure appliance data share interface to connect to. Follow the instructions below to configure the JS Data Share port group: 1. Open the vsphere client if not already open. 2. Select the ESX (i) host in the inventory. 3. Select the Configuration tab and click Networking, as shown in Figure 87 on page

97 Appendix B: Installing an Existing Single NIC ESX (i) Server Figure 87: Virtual Switch 4. Click Add Networking. The connection type page is displayed, as shown in Figure 88 on page 83. Figure 88: Virtual Switch Connection Type 5. Choose connection type Virtual Machine, and click Next, as shown in Figure 89 on page

98 DDoS Secure VMware Virtual Edition Installation Guide Figure 89: Virtual Switch - Network Access 6. Select Create a virtual switch and uncheck all network adapters. In certain circumstances, a user may want to pair up with a DDoS Secure appliance external to the ESX (i) server. In this case select the network adapter that the external DDoS Secure appliance data share Interface is connected to, as shown in Figure 90 on page

99 Appendix B: Installing an Existing Single NIC ESX (i) Server Figure 90: Virtual Machine Connection Settings 7. In Port Group Properties area, change the Network Label to JS Data Share. 8. Click Next. The virtual machine summary page is displayed, as shown in Figure 91 on page

100 DDoS Secure VMware Virtual Edition Installation Guide Figure 91: Virtual Machine Summary 9. Click Finish. The JS Data Share port group configuration is now complete. Adding a JS Internet Port Group to a NIC ESX (i) Server To add JS Internet port group: 1. Open the vsphere client if not already open. 2. Select the ESX (i) host in the inventory. 3. Select the Configuration tab and click Networking, as shown in Figure 92 on page

101 Appendix B: Installing an Existing Single NIC ESX (i) Server Figure 92: Virtual Switch Configuration Page 4. Click Properties next to Virtual Switch with Unprotected Network port group, as shown in Figure 93 on page 87. NOTE: Unprotected Network is the name for the existing port group. Figure 93: vswitch Properties 87

102 DDoS Secure VMware Virtual Edition Installation Guide 5. In the vswitch properties window, in the Configuration list pane, click Add, as shown in Figure 94 on page 88. Figure 94: Virtual Machine Connection Type 6. Choose connection type Virtual Machine. 7. Click Next. The virtual machine connection settings page is displayed, as shown in Figure 95 on page

103 Appendix B: Installing an Existing Single NIC ESX (i) Server Figure 95: Virtual Machine Connection Settings 8. In Properties port group, change the Network Label to JS Internet. 9. Click Next. Figure 96 on page 90 displays the virtual machine connection completion page. 89

104 DDoS Secure VMware Virtual Edition Installation Guide Figure 96: Virtual Machine Connection Completion Page 10. Click Finish. 11. Return to main vsphere client window where your ESX (i) host is selected in the inventory list, select the Configuration tab and click Networking. The virtual machine inventory configuration page is displayed, as shown in Figure 97 on page

105 Appendix B: Installing an Existing Single NIC ESX (i) Server Figure 97: Virtual Machine Inventory 12. Click Properties of the Virtual Switch with the JS Internet port group created in this section. The vswitch properties summary page is displayed, as shown in Figure 98 on page

106 DDoS Secure VMware Virtual Edition Installation Guide Figure 98: vswitch Properties Summary 13. Select the port group JS Internet and click Edit, as shown in Figure 99 on page

107 Appendix B: Installing an Existing Single NIC ESX (i) Server Figure 99: JS Internet Properties 14. In the JS Internet Properties window, select the Security tab, as shown in Figure 100 on page

108 DDoS Secure VMware Virtual Edition Installation Guide Figure 100: JS Internet Properties - General 15. Check Promiscuous Mode and select Accept from the drop-down and click OK. The vswitch0 properties page is displayed, as shown in Figure 101 on page

109 Appendix B: Installing an Existing Single NIC ESX (i) Server Figure 101: JS Internet vswitch Properties The JS Internet port group configuration is now complete. 95

110 DDoS Secure VMware Virtual Edition Installation Guide 96

111 APPENDIX C Installing and Configuring a New ESX (i) Server Installing and Configuring a New ESX (i) Server on page 97 Installing and Configuring a New ESX (i) Server Installing an ESX (i) Server on page 97 Connecting to vsphere on page 97 Configuring vswitch0 in the DDoS Secure Appliance Management Interface(s) on page 98 Creating Internet Traffic for a DDoS Secure Appliance on page 103 Configuring a Data Share Port Group in a DDoS Secure Appliance on page 110 Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode on page 111 Changing the Configuration Settings in an ESX (i) Server VMNIC Interface on page 112 Installing an ESX (i) Server Read the VMware step-by-step guide on installing and configuring ESX (i). After successful installation of ESX (i) server, several configuration steps are essential. In particular, some licensing, networking, and security configuration are necessary. For more details on these configuration tasks, see the following guides in the vsphere Documentation: The ESX (i) Installable Server Setup Guide for information on licensing The ESX (i) Configuration Guide for information on networking and security Connecting to vsphere Read the VMware step-by-step guide on installing and configuring vsphere Client onto a Windows PC. Start the vsphere Client on your Windows PC. Enter the IP address assigned to your ESX (i) server. Figure 102 on page 98 displays the VMware vsphere client log in page. For the first login, use the user root and there is no password. 97

112 DDoS Secure VMware Virtual Edition Installation Guide Figure 102: VMware vsphere Client Log in Page Set the root password for the ESX (i) server and update the VMware license key to the one obtained from VMware. Configuring vswitch0 in the DDoS Secure Appliance Management Interface(s) vswitch0 (default) is set up at ESX (i) installation with a vmkernel port labeled Management Network which provides management network access to the kernel and virtual machine VM Network port group connectivity using vmnic0. Follow the steps below to configure vswitch0 to add in the DDoS Secure appliance management interface(s). Figure 103 on page 99 displays the VMware vsphere summary page. 98

113 Appendix C: Installing and Configuring a New ESX (i) Server Figure 103: VMware vsphere Summary Page 99

114 DDoS Secure VMware Virtual Edition Installation Guide 1. Select the Configuration tab and click Networking. The vsphere client configuration page is displayed, as shown in Figure 104 on page 100. Figure 104: vsphere Client Configuration Page 2. Click Properties on the same line as Virtual Switch: vswitch0, as shown in Figure 105 on page

115 Appendix C: Installing and Configuring a New ESX (i) Server Figure 105: vswitch Properties 3. In the vswitch properties window, in the Ports tab, select the VM Network port group and click Edit. The virtual machine general tab is displayed, as shown in Figure 106 on page

116 DDoS Secure VMware Virtual Edition Installation Guide Figure 106: VM Network Properties - General 4. On the General tab, rename the Network Label to ManagementLan and click OK. 5. In the vswitch Properties window, click Close, as shown in Figure 107 on page

117 Appendix C: Installing and Configuring a New ESX (i) Server Figure 107: vswitch Properties - Ports The ManagementLan port group configuration is now complete. Creating Internet Traffic for a DDoS Secure Appliance You could route your Internet connection through the same vswitch as your Management port group. However, DDoS Secure appliance recommends you create a separate vswitch/port group/nic for internet traffic to guarantee separation between the Internet and management traffic. This section describes the creation of the JS Internet port group which exchanges traffic between DDoS Secure appliance Internet interface and the Internet. The DDoS Secure appliance Internet interface is set to promiscuous mode and therefore must be connected to a port group that is configured to accept promiscuous traffic on the vswitch. The port group is named JS Internet. Do not connect any other VM instance to this port group as this could create an unacceptable security risk. The following instructions guide you through the configuration of a vswitch, adding a port group with network label JS Internet and setting this to promiscuous mode. In our running example, the next vswitch (vswitch1) is used for internet traffic. 103

118 DDoS Secure VMware Virtual Edition Installation Guide 1. Return to the Configuration tab and click Networking, as shown in Figure 108 on page 104. Figure 108: vsphere Client Configuration Page 2. Click Add Networking. The vswitch properties for connection type is displayed, as shown in Figure 109 on page

119 Appendix C: Installing and Configuring a New ESX (i) Server Figure 109: vswitch Properties - Connection Type 3. Choose connection type Virtual Machine, and click Next. The virtual machine network access page is displayed, as shown in Figure 110 on page 105. Figure 110: Virtual Machine - Network Access 105

120 DDoS Secure VMware Virtual Edition Installation Guide 4. Select Create a virtual switch and select one unclaimed network adapters. In this case select vmnic1, as shown in Figure 111 on page 106. Figure 111: Virtual Machine - Connection Settings 5. In Port Group Properties, change the Network Label to JS Internet. 6. Click Next. The virtual machine connection setting completion page is displayed, as shown in Figure 112 on page

121 Appendix C: Installing and Configuring a New ESX (i) Server Figure 112: Virtual Machine Connection Setting Completion 7. Click Finish. 8. Return to main vsphere client window where your ESX (i) host is selected in the inventory list, select the Configuration tab and click Networking, as shown in Figure 113 on page 107. Figure 113: Virtual Machine Connection Networking 9. Click Properties of the Virtual Switch with Virtual Machine port group JS Internet, as shown in Figure 114 on page

122 DDoS Secure VMware Virtual Edition Installation Guide Figure 114: vswitch Properties 10. Select JS Internet port group configuration and click Edit. The JS Internet properties for General tab is displayed, as shown in Figure 115 on page

123 Appendix C: Installing and Configuring a New ESX (i) Server Figure 115: JS Internet Properties - General 11. In the JS Internet Properties window, select the Security tab, as shown in Figure 116 on page

124 DDoS Secure VMware Virtual Edition Installation Guide Figure 116: JS Internet Properties - Security 12. Check Promiscuous Mode and select Accept from the drop-down select box, and click OK. The JS Internet port group configuration is now complete. Configuring a Data Share Port Group in a DDoS Secure Appliance The JS Data Share port group is used to synchronize configurations of a DDoS Secure appliance HA Pair. DDoS Secure appliance recommends you create HA pairs on the same ESX (i) host which allows, for example, software maintenance with no disruption to traffic flows. Even if a standalone DDoS Secure appliance is to be used, this port group is still required for the DDoS Secure appliance Data Share interface to connect to. To configure the data share port group: 1. Return to the Configuration tab and click Networking. 2. Click Add Networking. 3. Choose connection type Virtual Machine and click Next. 110

125 Appendix C: Installing and Configuring a New ESX (i) Server 4. Select Create a virtual switch and uncheck all network adapters. If the DDoS Secure appliance is to be paired with a DDoS Secure appliance external to the ESX (i) server, a suitable vmnic that will connect to the external DDoS Secure appliance needs to be added in. 5. In port group Properties, change the Network Label to JS Data Share and click Next. 6. Click Finish. 7. The JS Data Share configuration is now complete. NOTE: Promiscuous mode should not be set in this port group. Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode The DDoS Secure appliance Protected interface is set to promiscuous mode and therefore must be connected to a dedicated port group that is configured to accept promiscuous traffic on it is associated vswitch. Do not connect any other VM instance to this port group as this could create an unacceptable security risk. Protected Servers should be connected to a different port group on the vswitch that has promiscuous mode disabled. The following instructions guide you through the configuration of a vswitch, adding a port group with network label ProtectedLAN with promiscuous mode disabled and a port group with network label JS Protected with promiscuous mode enabled. 1. Return to the Configuration tab and click Networking. 2. Click Add Networking. 3. Choose connection type Virtual Machine, and click Next. 4. Select Create a virtual switch. If you are in the process of migrating from a physical network to a virtual network then you may want to protect both virtual and physical servers. By adding a vmnic network adaptor to the vswitch associated with protected traffic means these traffic flows can reach physical servers. To add a network adapter, and select f the adapter which is physically connected to the physical network segment on which the physical server(s) is used to access the internet. 5. Click Next. 6. In port group Properties change the Network Label to Protected LAN, click Next. 7. Click Finish. 8. Return to main vsphere client window where your ESX (i) host is selected in the inventory list, select the Configuration tab and click Networking. 9. Click on Properties of the Virtual Switch with the port group Protected LAN created in this section. 10. In the vswitch properties window, and click Add. 11. Choose connection type Virtual Machine and click Next. 12. In port group Properties, change the Network Label to JS Protected, and click Next. 111

126 DDoS Secure VMware Virtual Edition Installation Guide 13. Click Finish. 14. Return to vswitch properties window. 15. Select the port group JS Protected and click Edit. 16. In the JS Protected Properties window, select the Security tab. 17. Check Promiscuous Mode and select Accept from the drop-down select box, click OK. The vswitch configuration for the JS Protected is now complete. Changing the Configuration Settings in an ESX (i) Server VMNIC Interface The ESX (i) Server vmnic interfaces must have the same speed/duplex settings definitions as the device (router or switch) that they are connected to prevent unnecessary packet loss. For example, if the router interface is set to auto, then the vmnic that it is connected must also be set to auto. If the router interface is set to 100 full duplex, then the vmnic that it is connected must also be set to 100 full duplex. The following steps must be taken in order to change the configuration settings of a network adaptor in your configuration if there (potentially) is a mismatch: 1. Open the vsphere client. 2. Select the ESX (i) host in the inventory. 3. Select the Configuration tab and click Networking. 4. Click on the Properties of the vswitch which has the appropriate vmnic. 5. In the vswitch properties window, select the Network Adapters tab. 6. Compare the speed of the Network Adapter to that of your router. If these steps do not match then select the Network Adapter, click Edit. 7. Configure the speed from the drop-down select box so that it matches the Router configuration. 112

127 APPENDIX D Reassigning the Existing VM Network Interfaces in a VM Server Reassigning the Existing VM Network Interfaces in a VM Server on page 113 Reassigning the Existing VM Network Interfaces in a VM Server As the names of port groups may have been changed, any pre-existing VMs need to be re-visited to make sure that their management/protected interfaces are connected to the correct port groups. To re-assign the existing VM network interfaces in a VM server: 1. Open the vsphere client if not already open. 2. Select the ESX (i) host in the inventory. The VM server edit setting page is displayed, as shown in Figure 117 on page 113. Figure 117: VM Server Edit Settings 113

128 DDoS Secure VMware Virtual Edition Installation Guide 3. For each server (apart from the DDoS Secure appliance VMs) listed in the inventory click Edit Settings by using the mouse-click driven menus. Figure 118 on page 114 displays the virtual machine properties screen. Figure 118: Virtual Machine Properties 4. Select each Network Adapter, as shown in Figure 119 on page

129 Appendix D: Reassigning the Existing VM Network Interfaces in a VM Server Figure 119: Virtual Machine Properties - Hardware 5. For every Network Connection that is blank, select the appropriate port group (usually ProtectedLAN) from the Network Connection drop down, as shown in Figure 120 on page

130 DDoS Secure VMware Virtual Edition Installation Guide Figure 120: Virtual Machine Network Adapter 6. Click OK The Server interface has now been connected to the ProtectedLAN network. Related Documentation Reconfiguring a vsphere Client on page 117 Understanding Sizing Requirements on page 119 Tuning in a NUMA Environment on page

131 APPENDIX E Troubleshooting Reconfiguring a vsphere Client Reconfiguring a vsphere Client on page 117 The DDoS Secure appliance VE is configured to run on a 64-bit Guest Operating System on a host which is VT-capable. The host may be VT-capable but if VT is disabled in the BIOS then the following message, as shown in Figure 121 on page 117 may appear when installing the DDoS Secure appliance VE. Figure 121: DDoS Secure Primary Appliance Summary In this case, you should follow the instructions in the message, entering the BIOS of your host, enable VT and disable trusted execution. 117

132 DDoS Secure VMware Virtual Edition Installation Guide Related Documentation Creating vswitch/port Group/NIC for internet traffic in a DDoS Secure Appliance on page 103 Reassigning the Existing VM Network Interfaces in a VM Server on page 113 Understanding Sizing Requirements on page

133 APPENDIX F Understanding Sizing Requirements Understanding Sizing Requirements Understanding Sizing Requirements on page 119 Table 5: Sizing Requirement Details Table 5 on page 119 provides the sizing requirement details. PROTECTED IPS TRACKED IPS TCP CONNS MTU MIN RAM(MB) MIN DISK(GB) K 262K K 262K K 262K K 524K K 524K K 524K K 524K K 1048K K 1048K K 262K K 262K K 262K K 524K K 524K

134 DDoS Secure VMware Virtual Edition Installation Guide Table 5: Sizing Requirement Details (continued) PROTECTED IPS TRACKED IPS TCP CONNS MTU MIN RAM(MB) MIN DISK(GB) K 524K K 524K K 1048K K 1048K NOTE: The DDoS Secure appliance stores log files on the disk. More historical logs are available on larger disks. Related Documentation Reassigning the Existing VM Network Interfaces in a VM Server on page 113 Reconfiguring a vsphere Client on page 117 Tuning in a NUMA Environment on page

135 APPENDIX G NUMA Tuning Tuning in a NUMA Environment Tuning in a NUMA Environment on page 121 It is vital that DDoS Secure is configured to use a single CPU socket and memory usage local to that CPU. In VMware ESX (i) it is possible a CPU gets assigned remote memory (memory within another NUMA node). To check if your ESX (i) host is Non-Uniform Memory Access (NUMA) enabled: go to the Processor information on the Host Configuration tab. If Processor Sockets are more than one, then the DDoS Secure VM must be configured to run on a single NUMA node, as shown in Figure 122 on page 121. Figure 122: Processor Sockets To assign DDoS Secure resource, first calculate how much memory is available per NUMA Node. This is Memory / Processor Sockets. For this example we will use an ESX (i) host with 2x processor sockets (6 cores per socket) and 64GB memory, so each NUMA node will have 32GB local memory. NOTE: With hyperthreading enabled, ESX (i) creates 24 logical vcpus. Using the free VMware ESX license, the maximum of 8 vcpus can be allocated per VM. In this instance, it would be preferable to disable hyperthreading (Configuration > Processors > Properties uncheck Enable hyperthreading) to utilize the physical CPU cores. This would reduce the logical processor count to

136 DDoS Secure VMware Virtual Edition Installation Guide Allocate 31GB of memory to the DDoS Secure virtual machine (allowing 1GB for ESX system memory). On the Resources tab of the JDDS Virtual Machine Properties, select Advanced Memory. Select Use memory from nodes and select 0 as shown in Figure 123 on page 122. Figure 123: Virtual Machine Properties Resources options Select Advanced CPU. In Scheduling Affinity, add the processor numbers that are associated with NUMA node 0. Allocate up to the maximum vcpus contained in one NUMA node. Figure 124 on page 122 displays an example of allocating maximum vcpus contained in one NUMA mode. Figure 124: Virtual Machine Properties - Allocating Maximum vcpus Related Documentation Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 Reconfiguring a vsphere Client on page

137 Appendix G: NUMA Tuning Understanding Sizing Requirements on page

138 DDoS Secure VMware Virtual Edition Installation Guide 124