DDoS Secure: VMware Virtual Edition Installation Guide
DDoS Secure VMware Virtual Edition Installation Guide Release 5.13.2-0 Published: 2013-11-25 Copyright © 2013, Juniper Networks, Inc.


DESCRIPTION

This document will cover DDoS Secure VMware virtual edition Overview, prerequisites for installing a DDoS Secure appliance virtual edition, ESX (i) server preparation, and DDoS Secure appliance virtual engine installation overview.


Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Copyright © 2013, Juniper Networks, Inc.

Copyright © Webscreen Technology 2001-2013

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

DDoS Secure VMware Virtual Edition Installation Guide
Copyright © 2013, Juniper Networks, Inc.
All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation
  Documentation and Release Notes
  Documentation Conventions
  Documentation Feedback
  Requesting Technical Support
    Self-Help Online Tools and Resources
    Opening a Case with JTAC

Part 1 VMware Virtual Edition Installation

Chapter 1 DDoS Secure VMware Virtual Edition Overview
  DDoS Secure VMware Virtual Edition Overview

Chapter 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition
  Physical Interface Requirements for Installing a DDoS Secure Appliance VE

Chapter 3 ESX (i) Server Preparation
  Preparing to Configure an ESX (i) Server

Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview
  Deploying a DDoS Secure Appliance Using the vSphere OVA Package
  DDoS Secure Appliance Virtual Engine Startup and Shutdown
  Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine
  Powering On a DDoS Secure Appliance Virtual Engine
  Configuring the Management IP Address in a DDoS Secure Appliance
    Connecting to the DDoS Secure Appliance
    First Boot
    Understanding DDoS Secure Appliance Overview Page Information
  Configuring a Pair of High Availability DDoS Secure Appliances

Part 2 Appendix

Appendix A Installing Virtual Switches in a Network Adaptor
  Installing Virtual Switches in a Network Adaptor
    Adding JS Protected and Protected LAN Port Groups
    Adding a JS Data Share Port Group
    Adding a JS Internet Port Group
    Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance

Appendix B Installing an Existing Single NIC ESX (i) Server
  Installing an Existing Single NIC ESX (i) Server
    Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server
    Adding a JS Data Share Port Group to a NIC ESX (i) Server
    Adding a JS Internet Port Group to a NIC ESX (i) Server

Appendix C Installing and Configuring a New ESX (i) Server
  Installing and Configuring a New ESX (i) Server
    Installing an ESX (i) Server
    Connecting to vSphere
    Configuring vSwitch0 in the DDoS Secure Appliance Management Interface(s)
    Creating Internet Traffic for a DDoS Secure Appliance
    Configuring a Data Share Port Group in a DDoS Secure Appliance
    Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode
    Changing the Configuration Settings in an ESX (i) Server VMNIC Interface

Appendix D Reassigning the Existing VM Network Interfaces in a VM Server
  Reassigning the Existing VM Network Interfaces in a VM Server

Appendix E Troubleshooting
  Reconfiguring a vSphere Client

Appendix F Understanding Sizing Requirements
  Understanding Sizing Requirements

Appendix G NUMA Tuning
  Tuning in a NUMA Environment

List of Figures

Part 1 VMware Virtual Edition Installation

Chapter 1 DDoS Secure VMware Virtual Edition Overview
  Figure 1: Virtual Edition with DDoS Protection System (External Servers Protection)
  Figure 2: Virtual Edition with DDoS Protection System (VM Servers Protection)

Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview
  Figure 3: Deploy OVF Template
  Figure 4: OVF Template Details
  Figure 5: EULA - Accept
  Figure 6: EULA Name
  Figure 7: EULA – Name and Location
  Figure 8: Disk Format
  Figure 9: Network Mapping
  Figure 10: Ready to Complete
  Figure 11: Deployment Confirmation
  Figure 12: vSphere Client - Primary
  Figure 13: VM Startup and Shutdown
  Figure 14: VM Startup and Shutdown – Startup Order
  Figure 15: VM Startup and Shutdown – Automatic Startup
  Figure 16: VM Autostart Settings
  Figure 17: Startup and Shutdown – Confirmation
  Figure 18: Startup and Shutdown – Complete
  Figure 19: Primary Virtual Machine Properties
  Figure 20: DDoS Secure Appliance Power On
  Figure 21: DDoS Secure Appliance Package Installation
  Figure 22: DDoS Secure Appliance Package Progression
  Figure 23: DDoS Secure Appliance VMware Tools Screen
  Figure 24: DDoS Secure Appliance Package Update Screen
  Figure 25: DDoS Secure Appliance Primary Console
  Figure 26: IP Address Configuration
  Figure 27: Netmask Configuration
  Figure 28: Gateway Configuration
  Figure 29: Input Values
  Figure 30: Layer 2, Layer 23 or Layer 3
  Figure 31: Navigation Block Error
  Figure 32: DDoS Secure Appliance Log in Page
  Figure 33: Security Log in Page
  Figure 34: First Boot Screen Snippets
  Figure 35: First Boot Accept Screen Snippet
  Figure 36: DDoS Secure Appliance Summary Board
  Figure 37: Configure Interface Page - Data Share Interface

Part 2 Appendix

Appendix A Installing Virtual Switches in a Network Adaptor
  Figure 38: Example of ESX (i) Server
  Figure 39: Example of ESX (i) Server with Dual NIC
  Figure 40: ESX (i) Server Console
  Figure 41: ESX (i) Server Add Network Wizard
  Figure 42: ESX (i) Server Wizard - Network Access
  Figure 43: ESX (i) Server Wizard - Connection Settings
  Figure 44: ESX (i) Server Wizard Confirmation
  Figure 45: ESX (i) Server Configuration Page
  Figure 46: vSwitch Properties
  Figure 47: vSwitch Network Wizard – Connection Type
  Figure 48: vSwitch Network Wizard – Connection Settings
  Figure 49: vSwitch Network Wizard – Confirmation
  Figure 50: vSwitch Properties
  Figure 51: JS Protected Properties - General
  Figure 52: JS Protected Properties - Security
  Figure 53: vSwitch3 Properties
  Figure 54: ESX (i) Host Configuration
  Figure 55: VMware Connection Type
  Figure 56: Virtual Machine Network Access
  Figure 57: Virtual Machine Connection Settings
  Figure 58: Virtual Machine Connection Settings Completion
  Figure 59: Virtual Machine Connections Page
  Figure 60: Virtual Machine Configuration Page
  Figure 61: vSwitch Properties
  Figure 62: vSwitch Connection Type
  Figure 63: Virtual Machine Connection Settings
  Figure 64: Network Wizard Completion Page
  Figure 65: Virtual Machine Configuration Page
  Figure 66: vSwitch Properties
  Figure 67: JS Internet Properties - General
  Figure 68: JS Internet Properties - Security
  Figure 69: vSwitch Properties - Ports
  Figure 70: Virtual Machine Properties

Appendix B Installing an Existing Single NIC ESX (i) Server
  Figure 71: ESX (i) Server with Single NIC
  Figure 72: ESX (i) Server with Single NIC after DDoS Secure Appliance Installation
  Figure 73: JS Protected and Protected LAN Port Groups
  Figure 74: Connection Type
  Figure 75: Virtual Machine Network Access
  Figure 76: Virtual Machine Connection Settings
  Figure 77: Virtual Machine Connection Settings Completion
  Figure 78: Virtual Machine Inventory
  Figure 79: vSwitch Properties - Port
  Figure 80: Virtual Machine Connection Type
  Figure 81: Virtual Machine Connection Settings
  Figure 82: Virtual Machine Connection Completion
  Figure 83: vSwitch Properties Port
  Figure 84: JS Protected Properties
  Figure 85: JS Protected Properties - General
  Figure 86: JS Protected Properties - Port
  Figure 87: Virtual Switch
  Figure 88: Virtual Switch Connection Type
  Figure 89: Virtual Switch - Network Access
  Figure 90: Virtual Machine Connection Settings
  Figure 91: Virtual Machine Summary
  Figure 92: Virtual Switch Configuration Page
  Figure 93: vSwitch Properties
  Figure 94: Virtual Machine Connection Type
  Figure 95: Virtual Machine Connection Settings
  Figure 96: Virtual Machine Connection Completion Page
  Figure 97: Virtual Machine Inventory
  Figure 98: vSwitch Properties Summary
  Figure 99: JS Internet Properties
  Figure 100: JS Internet Properties - General
  Figure 101: JS Internet vSwitch Properties

Appendix C Installing and Configuring a New ESX (i) Server
  Figure 102: VMware vSphere Client Log in Page
  Figure 103: VMware vSphere Summary Page
  Figure 104: vSphere Client Configuration Page
  Figure 105: vSwitch Properties
  Figure 106: VM Network Properties - General
  Figure 107: vSwitch Properties - Ports
  Figure 108: vSphere Client Configuration Page
  Figure 109: vSwitch Properties - Connection Type
  Figure 110: Virtual Machine - Network Access
  Figure 111: Virtual Machine - Connection Settings
  Figure 112: Virtual Machine Connection Setting Completion
  Figure 113: Virtual Machine Connection Networking
  Figure 114: vSwitch Properties
  Figure 115: JS Internet Properties - General
  Figure 116: JS Internet Properties - Security

Appendix D Reassigning the Existing VM Network Interfaces in a VM Server
  Figure 117: VM Server Edit Settings
  Figure 118: Virtual Machine Properties
  Figure 119: Virtual Machine Properties - Hardware
  Figure 120: Virtual Machine Network Adapter

Appendix E Troubleshooting
  Figure 121: DDoS Secure Primary Appliance Summary

Appendix G NUMA Tuning
  Figure 122: Processor Sockets
  Figure 123: Virtual Machine Properties Resources options
  Figure 124: Virtual Machine Properties - Allocating Maximum vCPUs

List of Tables

About the Documentation
  Table 1: Notice Icons
  Table 2: Text and Syntax Conventions

Part 1 VMware Virtual Edition Installation

Chapter 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition
  Table 3: DDoS Secure Appliance VE Prerequisites

Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview
  Table 4: Default Configurations in OVF

Part 2 Appendix

Appendix F Understanding Sizing Requirements
  Table 5: Sizing Requirement Details

About the Documentation

• Documentation and Release Notes
• Documentation Conventions
• Documentation Feedback
• Requesting Technical Support

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 defines notice icons used in this guide.

Table 1: Notice Icons

• Informational note: Indicates important features or instructions.
• Caution: Indicates a situation that might result in loss of data or hardware damage.
• Warning: Alerts you to the risk of personal injury or death.
• Laser warning: Alerts you to the risk of personal injury from a laser.

Table 2 defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
  user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
  user@host> show chassis alarms
  No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
  [edit]
  root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
  broadcast | multicast
  (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example (indention, braces, and semicolon):
  [edit]
  routing-options {
    static {
      route default {
        nexthop address;
        retain;
      }
    }
  }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include the following information with your comments:

• Document or topic name

• URL or page number

• Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/ .
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


Page 15: DDoS Secure: VMware Virtual Edition Installation Guide

PART 1

VMware Virtual Edition Installation

• DDoS Secure VMware Virtual Edition Overview on page 3

• Prerequisites for Installing a DDoS Secure Appliance Virtual Edition on page 7

• ESX (i) Server Preparation on page 9

• DDoS Secure Appliance Virtual Engine Installation Overview on page 11


Page 16: DDoS Secure: VMware Virtual Edition Installation Guide


Page 17: DDoS Secure: VMware Virtual Edition Installation Guide

CHAPTER 1

DDoS Secure VMware Virtual Edition Overview

• DDoS Secure VMware Virtual Edition Overview on page 3

DDoS Secure VMware Virtual Edition Overview

This chapter provides an overview of the VMware Virtual Edition (VE). Figure 1 on page 4

illustrates the Virtual Edition with DDoS external server protection system and

Figure 2 on page 5 illustrates the Virtual Edition with DDoS Secure with VM protection

system.


Page 18: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 1: Virtual Edition with DDoS Protection System (External Servers Protection)


Page 19: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 2: Virtual Edition with DDoS Protection System (VM Servers Protection)

The DDoS Secure appliance Virtual Edition provides the freedom and operational flexibility

to install a fully automatic DDoS protection system for any hardware platform running

VMware ESX (i) v4 or later server software.

The DDoS Secure appliance VMware solution is placed between the JS Internet port

group and the port group JS Protected as a layer 2 device controlling the flow between

the two switches. The solution is scalable for performance by adding in virtual CPUs and

scalable for IP protection by adding in more virtual memory (subject to license key).

High Availability primary and secondary instances of DDoS Secure appliance VE are

connected to the JS Data Share port group. This connection is then used to synchronize

the configuration and other information of the DDoS Secure appliance VE standby/active

pair.

Related Documentation

• Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7

• Preparing to Configure an ESX (i) Server on page 9

• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12


Page 20: DDoS Secure: VMware Virtual Edition Installation Guide


Page 21: DDoS Secure: VMware Virtual Edition Installation Guide

CHAPTER 2

Prerequisites for Installing a DDoS Secure Appliance Virtual Edition

• Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7

Physical Interface Requirements for Installing a DDoS Secure Appliance VE

Table 3 on page 7 describes the prerequisites to be met before installing DDoS Secure

appliance VE.

Table 3: DDoS Secure Appliance VE Prerequisites

| PREREQUISITE | COMPONENT TYPE(S) | COMMENTS |
|---|---|---|
| 64-bit hardware assisted virtualization support enabled | Intel-VTx or equivalent with 64-bit support | Provides support to run a 64-bit virtual guest. VT is usually enabled through the BIOS settings of the host. |
| Bare-Metal Embedded Hypervisor | VMware ESX (i) 4.1 Server or above | Provides a virtualization layer that abstracts the processor, memory, storage, and networking resources of the physical host into multiple virtual machines. You can install ESX (i) installable on any hard drive on your physical server. |
| Virtual Infrastructure Management Tool | VMware vSphere Client | Installs on a Windows PC and is the primary method of interaction with VMware vSphere. The vSphere client acts as a console to operate virtual machines and as an administration interface into ESX (i) hosts. The vSphere client is downloadable from the vCenter server system and ESX (i) hosts. The vSphere client includes documentation for administrators and console users. |
| DDoS Secure appliance Virtual Edition Product package | OVA package | Deploys the DDoS Secure appliance Virtual Edition (VE) on to an ESX (i) server using a vSphere client. The DDoS Secure appliance Virtual Edition (VE) Product package is downloadable from the Juniper Networks website: https://juniper.net (login required). |
| RAM | Virtual managed in vSphere environment | At least 800MB free of virtual RAM to allocate to each DDoS Secure appliance VE. |


Page 22: DDoS Secure: VMware Virtual Edition Installation Guide

Table 3: DDoS Secure Appliance VE Prerequisites (continued)

| PREREQUISITE | COMPONENT TYPE(S) | COMMENTS |
|---|---|---|
| Datastore | Virtual disk managed in vSphere environment | At least 11GB of free space for each DDoS Secure appliance VE. |
| CPU | Virtual CPU | At least one virtual CPU. Preferably two or more. |
| Management Network | 1 x vSwitch; 1 x Port Group | Connects existing management traffic and DDoS Secure appliance VE(s) together through a port group ManagementLan. |
| Internet Network | 1 x vSwitch; 1 x Dedicated Port Group | It is recommended that the physical Internet Gateway router/switch is connected to a vSwitch with a dedicated vmnic. The DDoS Secure appliance Internet interface must be connected to this vSwitch using a JS Internet port group configured in promiscuous mode. |
| Protected Network | 1 x vSwitch; 1 x Dedicated Port Group; 1 x Port Group | It is recommended that firewalls/load balancers/servers and so on are connected to a vSwitch with port group ProtectedLAN so that their traffic is routed using the DDoS Secure appliance transparently to and from the internet gateway. DDoS Secure appliance protected interfaces must be connected to this vSwitch using a dedicated JS Protected port group configured in promiscuous mode. |
| Data Share Network | 1 x vSwitch; 1 x Port Group | DDoS Secure appliance VE can be paired to provide a highly available active/standby pair. The port group is labeled as JS Data Share. |

Related Documentation

• DDoS Secure VMware Virtual Edition Overview on page 3

• Preparing to Configure an ESX (i) Server on page 9

• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12


Page 23: DDoS Secure: VMware Virtual Edition Installation Guide

CHAPTER 3

ESX (i) Server Preparation

• Preparing to Configure an ESX (i) Server on page 9

Preparing to Configure an ESX (i) Server

It is possible that the ESX (i) server has been built in many different ways, or the ESX (i)

server has not yet been built.

There are three existing generic build scenarios, and most existing ESX (i) configurations

should map into one of the following scenarios:

1. Two (or more) NIC interfaces in use—Existing 2+ NIC ESX (i) Installation.

2. Single (possibly teamed) NIC interface in use—Existing Single NIC ESX (i) Installation.

3. Initial build of ESX (i) server—New ESX (i) Installation.

Verify which is the most appropriate scenario to use to reconfigure/update the ESX (i)

internal networking layout.

NOTE: This preparation work MUST be done prior to installing the DDoS Secure appliance VMware instance.

The ESX (i) server may be restricted in the number of physical interfaces, so it may not be possible to associate each vSwitch with a dedicated physical interface.

The Management Lan port group and JS Data Share port group must not be on the same vSwitch, unless they are in different VLANs.

The JS Internet port group and JS Protected port group must not be on the same vSwitch, unless they are in different VLANs.
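The port-group rules from Table 3 and the note above can be checked before the OVA is deployed. The following Python sketch is an added example, not part of the Juniper guide: the inventory is constructed sample data, the port-group labels are taken from the guide's text and should be adjusted to the labels used on your host, and the final check (promiscuous mode enabled on a port group the guide does not name) is an assumption added here rather than a rule the guide states.

```python
"""Check an ESX (i) port-group layout against the rules in this guide.

Added example. The inventories below are constructed sample data, not
output captured from a real host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int          # 0 = untagged
    promiscuous: bool  # effective security policy "Promiscuous Mode: Accept"


# Port groups the guide expects to exist before deployment.
REQUIRED = ("Management Lan", "JS Internet", "JS Protected", "JS Data Share")
# Pairs that must not share a vSwitch unless they are in different VLANs.
SEPARATED_PAIRS = (
    ("Management Lan", "JS Data Share"),
    ("JS Internet", "JS Protected"),
)
# Port groups the appliance bridges; Table 3 requires promiscuous mode.
PROMISCUOUS_REQUIRED = ("JS Internet", "JS Protected")


def check_layout(portgroups):
    """Return a list of findings; an empty list means the layout passes."""
    by_name = {pg.name: pg for pg in portgroups}
    findings = []

    for name in REQUIRED:
        if name not in by_name:
            findings.append(f"missing port group: {name}")

    for a, b in SEPARATED_PAIRS:
        pa, pb = by_name.get(a), by_name.get(b)
        if pa and pb and pa.vswitch == pb.vswitch and pa.vlan == pb.vlan:
            findings.append(
                f"{a} and {b} share {pa.vswitch} in the same VLAN ({pa.vlan})")

    for name in PROMISCUOUS_REQUIRED:
        pg = by_name.get(name)
        if pg and not pg.promiscuous:
            findings.append(f"{name} is not in promiscuous mode")

    # Assumption added in this example (not a rule from the guide): any VM
    # attached to a promiscuous port group can see that segment's traffic,
    # so flag promiscuous mode anywhere the guide does not ask for it.
    for pg in portgroups:
        if pg.promiscuous and pg.name not in PROMISCUOUS_REQUIRED:
            findings.append(f"advisory: {pg.name} allows promiscuous mode")

    return findings


# Constructed sample: one vSwitch per network, as Table 3 recommends.
GOOD_LAYOUT = [
    PortGroup("JS Internet", "vSwitch0", 0, True),
    PortGroup("Management Lan", "vSwitch1", 0, False),
    PortGroup("JS Protected", "vSwitch2", 0, True),
    PortGroup("Protected LAN", "vSwitch2", 0, False),
    PortGroup("JS Data Share", "vSwitch3", 0, False),
]

# Constructed sample: a host short of physical interfaces, two vSwitches.
BAD_LAYOUT = [
    PortGroup("Management Lan", "vSwitch0", 0, False),
    PortGroup("JS Data Share", "vSwitch0", 0, False),   # same vSwitch, same VLAN
    PortGroup("JS Internet", "vSwitch1", 10, True),
    PortGroup("JS Protected", "vSwitch1", 20, False),   # VLANs differ, but not promiscuous
    PortGroup("Protected LAN", "vSwitch1", 20, True),   # servers on a promiscuous group
]

if __name__ == "__main__":
    for label, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(label, check_layout(layout) or "OK")
```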

Related Documentation

• Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7

• DDoS Secure VMware Virtual Edition Overview on page 3

• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12


Page 24: DDoS Secure: VMware Virtual Edition Installation Guide


Page 25: DDoS Secure: VMware Virtual Edition Installation Guide

CHAPTER 4

DDoS Secure Appliance Virtual Engine Installation Overview

To install the DDoS Secure appliance VE, you will need to deploy a DDoS Secure appliance

OVF Template package onto the VMware ESX (i) server via a vSphere client. The vSphere

configuration wizard guides you through the initial configuration and allows you to change

the virtual machine name, disk format and the network mapping.

There are two variants of the Open Virtualization Format (OVF). One variant is for general

use and the other variant is for light use (that is, demo on laptop).

Table 4 on page 11 describes the initial default configuration contained in the OVF:

Table 4: Default Configurations in OVF

| RESOURCE | GENERAL VALUE | VALUE |
|---|---|---|
| vCPU | 4 vCPU | 2 vCPU |
| Virtual Disk | 100GB | 15GB |
| Memory | 6000MB | 1000MB |
| Network Interfaces | 4 | 4 |

It is quite likely that these defaults will need to be changed according to bandwidth

requirements, the number of protected servers, tracked IP addresses and TCP connections;

depending on your network usage. Resource values must be changed using the vSphere

client user interface before powering on the virtual machine for the first time.

• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12

• DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17

• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual

Engine on page 22

• Powering On a DDoS Secure Appliance Virtual Engine on page 23

• Configuring the Management IP Address in a DDoS Secure Appliance on page 27

• Configuring a Pair of High Availability DDoS Secure Appliances on page 34


Page 26: DDoS Secure: VMware Virtual Edition Installation Guide

Deploying a DDoS Secure Appliance Using the vSphere OVA Package

To deploy an appliance using the vSphere OVA package:

1. Verify that you have created all the necessary port groups.

2. In vSphere client, select the appropriate host or resource pool.

3. Select File > Deploy OVF Template to invoke the Deploy OVF template wizard, as

shown in Figure 3 on page 12.

Figure 3: Deploy OVF Template

The Deploy OVF Template wizard will be invoked and will request selection of an OVA

package. Use the OVA package previously downloaded from the DDoS Secure

appliance Technology website. The OVA package can be identified by the following

naming format:

DDoS Secure appliance[VERSION].[ARCH].ova

DDoS Secure applianceFC11_64-4.0.2-2.x86_64.ova

ddossecureCENTOS_6_3-lite-5.13.2-0.x86_64.ova

4. Specify your OVA file or click Browse to browse for it and then click Next to continue.

Figure 4 on page 13 displays the OVF template details.


Page 27: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 4: OVF Template Details

5. The Wizard reads and verifies the OVF template details. Click Next to continue.

Figure 5 on page 13 displays the EULA screen.

Figure 5: EULA - Accept

6. Read and accept the End User License Agreement (EULA). Click Next to continue.

Figure 6 on page 14 displays the screen to enter the name of the EULA.


Page 28: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 6: EULA Name

7. A suggested default VM name is provided. Rename this to DDoS Secure appliance

Primary (DDoS Secure appliance Secondary, if this is the second instance for a HA

pair), or any other suitable name. Figure 7 on page 14 displays the screen to enter the

name and location.

Figure 7: EULA –Name and Location


Page 29: DDoS Secure: VMware Virtual Edition Installation Guide

8. Click Next to continue. Figure 8 on page 15 displays the screen with disk format details.

Figure 8: Disk Format

9. Select the disk format in which the DDoS Secure appliance VE files are stored. You

must choose Thick provisioned format (the default format).

10. Click Next to continue. Figure 9 on page 15 displays the network mapping screen.

Figure 9: Network Mapping


Page 30: DDoS Secure: VMware Virtual Edition Installation Guide

11. Map the networks used in the OVF template to the networks defined in your inventory.

If the port groups have been labeled up as previously described, no changes are

required. However, if there are differences, for each source network choose an

appropriate destination network by selecting an inventory network from the destination

networks drop-down select box.

12. Click Next to continue. Figure 10 on page 16 displays the ready to complete screen.

Figure 10: Ready to Complete

13. Review the configured settings and click Finish to start the deployment process. This

completes the wizard process; the Deploy OVF Template window will now close. It

may take a few minutes for the new machine to be deployed in the vSphere client

inventory. Figure 11 on page 16 displays the deployment completion message.

Figure 11: Deployment Confirmation

Upon deployment, a window box will appear stating that the deployment has been

successful.

14. Click Close to continue.


Page 31: DDoS Secure: VMware Virtual Edition Installation Guide

Related Documentation

• DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17

• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on

page 22

• Powering On a DDoS Secure Appliance Virtual Engine on page 23

• Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7

DDoS Secure Appliance Virtual Engine Startup and Shutdown

To start or shut down a Virtual Machine:

1. Open the vSphere client.

2. Select the ESX (i) host in the inventory.

3. Select the Configuration tab and click Virtual Machine Startup Shutdown.

Figure 12 on page 17 displays the vSphere primary client screen.

Figure 12: vSphere Client - Primary

4. Click Properties on the same line as Virtual Machine startup and shutdown.

Figure 13 on page 18 displays the virtual machine startup and shutdown screen.


Page 32: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 13: VM Startup and Shutdown

5. Select Allow virtual machines to start and stop automatically with the system under

System Settings, as shown in Figure 14 on page 18.

Figure 14: VM Startup and Shutdown –Startup Order

6. In the startup order window, select DDoS Secure appliance Primary under Manual

Startup and click Move Up (in this case) twice for automatic startup, as shown in

Figure 15 on page 19.


Page 33: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 15: VM Startup and Shutdown – Automatic Startup

7. Click Edit.

The Virtual Machine Autostart Settings window is displayed.

8. Under Shutdown Settings, select Use specified settings and select Guest Shutdown

from the Perform shutdown action drop-down, as shown in Figure 16 on page 20.


Page 34: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 16: VM Autostart Settings

9. Click OK in the Virtual Machine Startup and Shutdown window. Figure 17 on page 21

displays the confirmation screen of Virtual Machine Startup and Shutdown window.


Page 35: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 17: Startup and Shutdown – Confirmation

10. Click OK in the vSphere Client window. Figure 18 on page 21 displays the completion

screen of Virtual Machine Startup and Shutdown window.

Figure 18: Startup and Shutdown – Complete

Startup and Shutdown configuration for DDoS Secure appliance Primary is now complete.

NOTE: If the entry is repeated multiple times, select another configuration option and then switch back to validate the screen above.


Page 36: DDoS Secure: VMware Virtual Edition Installation Guide

Related Documentation

• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12

• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on

page 22

• Powering On a DDoS Secure Appliance Virtual Engine on page 23

• Understanding Sizing Requirements on page 119

Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine

Increasing the number of vCPUs will improve performance of the DDoS Secure appliance

VE and increasing the memory will increase the number of servers the appliance VE will

be capable of protecting. Increasing disk space will increase the logging retention

capability.

Alterations to vCPUs, memory and disk space can only be done with the appliance

powered off. Furthermore, the disk space cannot be changed after the appliance has

been powered on and the software installed.

Open the vSphere Client, select an appliance virtual machine from the inventory and select

Edit Settings. This will open the Virtual Machine properties window.

Use the recommended Virtual Machine Properties. Any memory configurations suggested

by the vSphere client are not applicable to the appliance VE and should be ignored.

Areas to consider are:

• CPUs

• Memory

• Disk Space

Figure 19 on page 23 displays the Primary Virtual Machine Properties window.


Page 37: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 19: Primary Virtual Machine Properties

Related Documentation

• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12

• Powering On a DDoS Secure Appliance Virtual Engine on page 23

• DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17

• Understanding Sizing Requirements on page 119

Powering On a DDoS Secure Appliance Virtual Engine

Before powering on for the first time, confirm that you have configured the correct amount

of disk space as this cannot be subsequently changed. To power on a DDoS Secure

appliance virtual engine:

1. Open the vSphere client, select a DDoS Secure appliance virtual machine from the

inventory and power on the machine by typing Ctrl-B or using the mouse-click driven

menus, as shown in Figure 20 on page 24.


Page 38: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 20: DDoS Secure Appliance Power On

When powering on your DDoS Secure appliance virtual machine for the first time, the

DDoS Secure appliance software will automatically install and boot the DDoS Secure

appliance VE up to the login: prompt. It will pause, requesting that VMtools Installation

is enabled before this can complete.

2. Monitor the install by selecting the Console pane of the DDoS Secure appliance virtual

machine, as shown in Figure 21 on page 24.

Figure 21: DDoS Secure Appliance Package Installation


Page 39: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 22 on page 25 shows software packages being installed while the DDoS Secure appliance

is waiting for VMtools to be installed.

Figure 22: DDoS Secure Appliance Package Progression

3. Right click the Guest name in the Inventory and select Interactive Tools Upgrade, as

shown in Figure 23 on page 25.

Figure 23: DDoS Secure Appliance VMware Tools Screen


Page 40: DDoS Secure: VMware Virtual Edition Installation Guide

The update screen appears after the VMtools CD has been detected, as shown in

Figure 24 on page 26.

Figure 24: DDoS Secure Appliance Package Update Screen

When the installation has finished, you will be prompted to login at the console, as

shown in Figure 25 on page 26.

Figure 25: DDoS Secure Appliance Primary Console

An IP address will be allocated by DHCP if it is available. If DHCP is not available, it

will default to 192.168.0.196.


Page 41: DDoS Secure: VMware Virtual Edition Installation Guide

Related Documentation

• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12

• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on

page 22

• DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17

Configuring the Management IP Address in a DDoS Secure Appliance

To configure the DDoS Secure appliance management IP address:

1. Log in from the console with username configure and password configure.

The following sets up the interface mapping, IP address, netmask, gateway and speed

of the DDoS Secure appliance management interface. Replace the values shown with

your appropriate settings to connect to your management network.

2. Enter the management IP address for accessing the DDoS Secure appliance GUI or

CLI, as shown in Figure 26 on page 27. This IP address must not be in use elsewhere.

Figure 26: IP Address Configuration

3. Enter the management IP netmask, as shown in Figure 27 on page 27.

Figure 27: Netmask Configuration

4. Enter the management network gateway. This has to be in the same subnet as the

management IP address, as shown in Figure 28 on page 27.

Figure 28: Gateway Configuration

5. If you are satisfied with the input values, then enter y, as shown in Figure 29 on page 27.

Figure 29: Input Values

6. Choose the Layer 2, Layer 23 or Layer 3 operational mode, as shown in

Figure 30 on page 28.


Page 42: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 30: Layer 2, Layer 23 or Layer 3

The DDoS Secure appliance normally works as a layer 2 device on the main data path

that provides DDoS protection. However, there are circumstances where layer 2 will

not work and the DDoS appliance needs to operate in a layer 3 type environment

without the interfaces being in promiscuous mode. This mode is catered for, but does

have limitations as described in the selection figure. Normally, you would select n at

this point. Otherwise, you will need to define the appropriate IP addresses.

The DDoS Secure appliance will re-configure and the console will return to the login

prompt.

• Connecting to the DDoS Secure Appliance on page 28

• First Boot on page 31

• Understanding DDoS Secure Appliance Overview Page Information on page 33

Connecting to the DDoS Secure Appliance

To connect to the DDoS Secure appliance:

1. Open a browser window on a management PC. It is recommended that the

management PC is connected via the vSwitch associated with the JS Management

port group although access to the DDoS Secure appliance GUI and command line

can also be gained via vSwitches associated with the non-promiscuous Protected or

Internet port groups (provided routing is in place). Whichever method is used, the

management PC will need to be configured with an IP address that is routable to/from

the management IP address of the DDoS Secure appliance.

2. Type https://aaa.bbb.ccc.ddd in the address bar, where aaa.bbb.ccc.ddd is the IP address of the management interface of the appliance (factory default is

192.168.0.196). A navigation block error is displayed, as shown in Figure 31 on page 29.


Page 43: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 31: Navigation Block Error

NOTE: The URL is prefixed with https://.

All traffic between the Management PC and the DDoS Secure appliance is encrypted.

The DDoS Secure appliance produces a self-signed certificate for use in the secured

communications. This certificate is recreated every time the appliance management

interface IP address is reconfigured, or if there is less than a year to run when a software

patch is applied. It is possible for the date to be invalid if the clocks on the DDoS Secure

appliance and on the browser are significantly out of phase. It is possible to replace

this certificate through the GUI.

3. View the certificate and install it to prevent the security alert every time you connect

to the DDoS Secure appliance.

4. Click Process anyway if you are sure that you are trying to connect to the DDoS Secure

appliance. The DDoS Secure appliance login page is displayed in Figure 32 on page 30.


Page 44: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 32: DDoS Secure Appliance Log in Page

5. Click Login to access the DDoS Secure appliance.

Alternatively, check Use Original GUI to access the older DDoS Secure interface. If the

checkbox is pre-checked, DDoS Secure has determined that your browser does not

support the new UI interface.

6. Enter the username and password when prompted. Figure 33 on page 31 displays the

security log in page.


Page 45: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 33: Security Log in Page

The default user name is user and the password is password.

7. Click Login.

First Boot

On the first connection, the licensing screen appears on the Management PC.

Figure 34 on page 32 displays the first boot screen snippets.

NOTE: The first time of use, you will be asked to accept the DDoS Secure EULA.


Page 46: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 34: First Boot Screen Snippets


Page 47: DDoS Secure: VMware Virtual Edition Installation Guide

1. Read the End User License Agreement carefully to make sure that you fully understand

the Terms and Conditions.

To accept the End User License Agreement:

Click I Accept to accept the terms and conditions.

Click Cancel to proceed no further.

This will cause the system to power-off.

On accepting the Terms and Conditions of the license, the DDoS Secure appliance

will then display a second licensing screen. Figure 35 on page 33 displays the first boot

accept screen snippet.

Figure 35: First Boot Accept Screen Snippet

On accepting the Terms and Conditions of the license, the DDoS Secure appliance

will redirect to the overview page.

Understanding DDoS Secure Appliance Overview Page Information

After successful authentication, the DDoS Secure appliance summary board is displayed.

Figure 36 on page 34 displays the DDoS Secure appliance overview page.


Page 48: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 36: DDoS Secure Appliance Summary Board

The options available are:

• Traffic Monitor — Displays the average speed of data processed, both inbound and

outbound, for the appliance.

• Load Status — Displays how busy the DDoS Secure appliance engine is.

• Attack Status — Displays how aggressively the DDoS Secure appliance is dropping

traffic to defend the appropriate resources.

• Good Traffic — Displays the distribution of where good traffic is coming from.

• Bad Traffic — Displays distribution of where the bad traffic is coming from.

• Protected Performance — Displays how busy a protected IP is from an aggregated

Charm perspective, and what the average traffic to and from the IP is.

Configuring a Pair of High Availability DDoS Secure Appliances

DDoS Secure appliance VEs can be HA paired within the same inventory on the same

ESX (i) server or on a different inventory on a different ESX (i) server providing they share

network connectivity in your network design.

Having an Active/Standby pair of DDoS Secure appliances means that (software)

maintenance can be carried out on one of the DDoS Secure appliances (such as an upgrade) while

still having Internet traffic flowing.

DDoS Secure appliance data share interfaces are used to synchronize configurations,

state information and incident information between the active/standby pair.

The Primary DDoS Secure appliance and the Secondary DDoS Secure appliance in a HA

pair both require configuration of their data share IP addresses.


Page 49: DDoS Secure: VMware Virtual Edition Installation Guide

To configure data share IP addresses:

1. Click the Login symbol on the DDoS Secure portal.

2. You will then be prompted for a login and password.

3. Enter initial username as user and password as password.

4. Click OK.

After successful authentication, on the first access, the DDoS Secure appliance page

is displayed.

5. In the Left pane, click Configuration/Logs, which will bring up a new tab.

6. In the Left pane, click Configure Interfaces. The Data Share Interface Definition option

is displayed, as shown in Figure 37 on page 35.

Figure 37: Configure Interface Page - Data Share Interface

7. Under Data Share Interface Definition, enter the IP address and the network mask.

NOTE: Both DDoS Secure appliance data share interface IP addresses must be unique and in the same (preferably RFC1918) subnet in order to connect.

NOTE: Both DDoS Secure appliances must be connected to the same JS Protected, JS Internet and JS Management port groups for HA operation to be established.
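The addressing rules in this chapter (the management gateway must sit in the management subnet, the management IP must not be in use elsewhere, and the two data share addresses must be unique, in one subnet and preferably RFC1918) can be checked on paper before they are typed into the console and GUI. The following Python sketch is an added example, not part of the Juniper guide; every address in it is a constructed sample value and the dictionary keys are names chosen for this example.

```python
"""Validate the address plan for an HA pair of DDoS Secure appliance VEs.

Added example. All addresses are constructed sample values.
"""
import ipaddress

# The three RFC 1918 ranges. ipaddress' is_private flag is broader (it also
# covers loopback and link-local space), so membership is tested explicitly.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def _iface(ip, netmask):
    """Build an interface object from dotted IP and dotted netmask."""
    return ipaddress.ip_interface(f"{ip}/{netmask}")


def check_management(label, ip, netmask, gateway):
    """The gateway has to be in the same subnet as the management IP."""
    findings = []
    iface = _iface(ip, netmask)
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        findings.append(
            f"{label}: gateway {gw} is outside management subnet {iface.network}")
    elif gw == iface.ip:
        findings.append(f"{label}: gateway and management IP are the same address")
    return findings


def check_data_share(primary, secondary):
    """primary and secondary are (ip, netmask) tuples of the data share interfaces."""
    findings = []
    a, b = _iface(*primary), _iface(*secondary)
    if a.ip == b.ip:
        findings.append("data share: both appliances use the same IP address")
    if a.network != b.network:
        findings.append(
            f"data share: {a.network} and {b.network} are different subnets")
    for iface in (a, b):
        if not any(iface.ip in net for net in RFC1918):
            findings.append(
                f"data share: {iface.ip} is not RFC 1918 (preferred, not required)")
    return findings


def check_ha_pair(primary, secondary):
    """Run every check for the pair; an empty list means the plan passes."""
    findings = []
    for label, node in (("primary", primary), ("secondary", secondary)):
        findings += check_management(
            label, node["mgmt_ip"], node["mgmt_mask"], node["mgmt_gw"])
    if (ipaddress.ip_address(primary["mgmt_ip"])
            == ipaddress.ip_address(secondary["mgmt_ip"])):
        findings.append("management: both appliances use the same IP address")
    findings += check_data_share((primary["ds_ip"], primary["ds_mask"]),
                                 (secondary["ds_ip"], secondary["ds_mask"]))
    return findings


# Constructed sample plan: management on a /24, data share on a private /30.
PRIMARY = {"mgmt_ip": "192.168.10.21", "mgmt_mask": "255.255.255.0",
           "mgmt_gw": "192.168.10.1",
           "ds_ip": "10.255.0.1", "ds_mask": "255.255.255.252"}
SECONDARY = {"mgmt_ip": "192.168.10.22", "mgmt_mask": "255.255.255.0",
             "mgmt_gw": "192.168.10.1",
             "ds_ip": "10.255.0.2", "ds_mask": "255.255.255.252"}
# Constructed faulty plan: wrong gateway, data share address in the next /30.
SECONDARY_BAD = dict(SECONDARY, mgmt_gw="192.168.11.1", ds_ip="10.255.0.5")

if __name__ == "__main__":
    print(check_ha_pair(PRIMARY, SECONDARY) or "plan OK")
    for finding in check_ha_pair(PRIMARY, SECONDARY_BAD):
        print(finding)
```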

Related Documentation

• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on

page 22

• Installing Virtual Switches in a Network Adaptor on page 39

• Powering On a DDoS Secure Appliance Virtual Engine on page 23


Page 50: DDoS Secure: VMware Virtual Edition Installation Guide


Page 51: DDoS Secure: VMware Virtual Edition Installation Guide

PART 2

Appendix

• Installing Virtual Switches in a Network Adaptor on page 39

• Installing an Existing Single NIC ESX (i) Server on page 69

• Installing and Configuring a New ESX (i) Server on page 97

• Reassigning the Existing VM Network Interfaces in a VM Server on page 113

• Troubleshooting on page 117

• Understanding Sizing Requirements on page 119

• NUMA Tuning on page 121


Page 52: DDoS Secure: VMware Virtual Edition Installation Guide


Page 53: DDoS Secure: VMware Virtual Edition Installation Guide

APPENDIX A

Installing Virtual Switches in a Network Adaptor

• Installing Virtual Switches in a Network Adaptor on page 39

Installing Virtual Switches in a Network Adaptor

You need to separate the source of your unprotected traffic from the network segment

hosting your servers by using two separate virtual switches, one for each area. The DDoS

Secure appliance Virtual Edition bridges these two virtual switches and hence

controls what is and is not allowed to flow between them.

The source of unprotected traffic might be an external network (for example, Internet

Gateway) connected to an ESX (i) network adaptor or it might already be on a separate

virtual network which is routed or bridged to your server virtual network.

In the rest of this appendix, we will refer to port groups associated with two virtual

switches as the JS Internet port group (carrying unprotected traffic) and the JS Protected

and Protected LAN port groups (carrying protected traffic).

Wherever Unprotected xxx is referred to, it is likely to be called something else in the

original ESX (i) configuration, the default being VM Network. Substitute as appropriate.

Figure 38 on page 40 illustrates a simple example of an ESX (i) Server:

Figure 38: Example of ESX (i) Server

The following sections outline the steps required for reconfiguring the example dual NIC

ESX (i) Server:

• Add new vSwitch C and attach a new JS Protected port group (connects to DDoS

Secure appliance) and a new Protected LAN port group (connects to protected

network).

• Set JS Protected port group to support promiscuous mode.

• Add new vSwitch D and attach a new JS Data Share port group.

• Attach a new JS Internet port group with vSwitch A.

• Set JS Internet port group to support promiscuous mode.

• Install the DDoS Secure appliance VE from the OVA file.

• Connect to the GUI using the default IP address https://192.168.0.196, log in with

username user and password password. The management IP address can be changed from the Configure Interfaces icon on the left-hand pane.

• Log in to the DDoS Secure appliance GUI.

• Reassign your firewall/load balancers/servers from the original Unprotected Network

port group to the Protected LAN port group.

• Place the DDoS Secure appliance VE in desired operating mode.

• Remove the Unprotected Network port group (Optional).

Figure 39 on page 41 illustrates the ESX (i) Server with a dual NIC after DDoS Secure

appliance installation.

Figure 39: Example of ESX (i) Server with Dual NIC

• Adding JS Protected and Protected LAN Port Groups

• Adding a JS Data Share Port Group

• Adding a JS Internet Port Group

• Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance

Adding JS Protected and Protected LAN Port Groups

To add the JS Protected and Protected LAN port groups:

1. Open the vSphere client if not already open.

2. Select the ESX (i) host in the inventory.

3. Select the Configuration tab and click Networking as shown in Figure 40 on page 42.

Figure 40: ESX (i) Server Console

4. Click Add Networking. The Add Network Wizard page is displayed, as shown in

Figure 41 on page 42.

Figure 41: ESX (i) Server Add Network Wizard

5. Click the connection type Virtual Machine.

6. Click Next. The ESX (i) server wizard for network access is displayed, as shown in

Figure 42 on page 43.

Figure 42: ESX (i) Server Wizard - Network Access

7. Select Create a virtual switch and uncheck all network adapters.

8. Click Next.

The ESX (i) server wizard for connection settings is displayed, as shown in

Figure 43 on page 44.

Figure 43: ESX (i) Server Wizard - Connection Settings

9. In the Port Group Properties area, change the Network Label to Protected LAN.

10. Click Next.

The ESX (i) server wizard confirmation screen is displayed, as shown in

Figure 44 on page 45.

Figure 44: ESX (i) Server Wizard Confirmation

11. Click Finish.

12. Return to the main vSphere client window where your ESX (i) host is selected in the

inventory list.

13. Select the Configuration tab and click Networking. The server configuration page is

displayed, as shown in Figure 45 on page 46.

Figure 45: ESX (i) Server Configuration Page

14. Click Properties of the Virtual Switch with the Protected LAN port group created in

this section. The vSwitch Properties page is displayed, as shown in

Figure 46 on page 46.

Figure 46: vSwitch Properties

15. In the vSwitch properties window, click Add. The wizard connection type page is

displayed, as shown in Figure 47 on page 47.

Figure 47: vSwitch Network Wizard – Connection Type

16. Choose connection type Virtual Machine and click Next. The wizard connection settings

page is displayed, as shown in Figure 48 on page 48.

Figure 48: vSwitch Network Wizard – Connection Settings

17. In the Port Group Properties area, change the Network Label to JS Protected.

18. Click Next. The wizard connection confirmation page is displayed, as shown in

Figure 49 on page 49.

Figure 49: vSwitch Network Wizard – Confirmation

19. Click Finish.

The vSwitch3 Properties page is displayed, as shown in Figure 50 on page 49.

Figure 50: vSwitch Properties

20. Select the JS Protected port group.

21. Click Edit. The General tab of the JS Protected Properties window is displayed, as shown in

Figure 51 on page 50.

Figure 51: JS Protected Properties - General

22. In the JS Protected Properties window, select the Security tab.

The JS Protected Properties - Security tab is displayed, as shown in

Figure 52 on page 51.

Figure 52: JS Protected Properties - Security

23. Check Promiscuous Mode and select Accept from the list.

24. Click OK. The vSwitch3 Properties page is displayed, as shown in Figure 53 on page 52.

Figure 53: vSwitch3 Properties

The Protected LAN and JS Protected port group configurations are now complete.

Adding a JS Data Share Port Group

The JS Data Share port group is used to synchronize the configuration of a DDoS Secure

appliance HA pair. It is recommended that you create HA pairs on the same ESX (i)

host, thereby allowing a software upgrade of the standby whilst the other is active.

Even if a standalone appliance is to be deployed, this port group is still required for the

appliance data share interface to connect to. Follow the instructions below to configure

the JS Data Share port group on a new vSwitch:

1. Open the vSphere client if not already open.

2. Select the ESX (i) host in the inventory.

3. Select the Configuration tab and click Networking. The ESX (i) host configuration page is

displayed, as shown in Figure 54 on page 53.

Figure 54: ESX (i) Host Configuration

4. Click Add Networking. The VMware connection type page is displayed, as shown in

Figure 55 on page 53.

Figure 55: VMware Connection Type

5. Choose connection type Virtual Machine and click Next. The virtual machine network

access page is displayed, as shown in Figure 56 on page 54.

Figure 56: Virtual Machine Network Access

6. Select Create a virtual switch and uncheck all network adapters. The virtual machine

connection settings page is displayed, as shown in Figure 57 on page 55.

In certain circumstances a user may want to pair up with an appliance external to the

ESX (i) server. In this case, select the network adapter that the external appliance

data share interface is connected to.

Figure 57: Virtual Machine Connection Settings

7. In the Port Group Properties area, change the network label to JS Data Share.

8. Click Next. The virtual machine connection settings completion page is displayed, as

shown in Figure 58 on page 56.

Figure 58: Virtual Machine Connection Settings Completion

9. Click Finish.

The JS Data Share port group configuration is now complete. The virtual machine

connection page is displayed, as shown in Figure 59 on page 57.

Figure 59: Virtual Machine Connections Page

Adding a JS Internet Port Group

To add the JS Internet port group:

1. Open the vSphere client if not already open.

2. Select the ESX (i) host in the inventory.

3. Select the Configuration tab and click Networking. The virtual machine configuration

page is displayed, as shown in Figure 60 on page 58.

Figure 60: Virtual Machine Configuration Page

4. Click Properties next to the Virtual Switch with the Unprotected Network port group. The

vSwitch Properties page is displayed, as shown in Figure 61 on page 59.

NOTE: Unprotected Network is the name for the existing port group.

Figure 61: vSwitch Properties

5. In the vSwitch Properties window, in the Configuration list pane, click Add. The vSwitch

connection type page is displayed, as shown in Figure 62 on page 59.

Figure 62: vSwitch Connection Type

6. Choose connection type as Virtual Machine.

7. Click Next. The Virtual Machines - Connection Settings page is displayed, as shown

in Figure 63 on page 60.

Figure 63: Virtual Machine Connection Settings

8. In the Port Group Properties area, change the Network Label to JS Internet.

9. Click Next. The network wizard completion page is displayed, as shown in

Figure 64 on page 61.

Figure 64: Network Wizard Completion Page

10. Click Finish.

11. Return to the main vSphere client window where your ESX (i) host is selected in the

inventory list.

12. Select the Configuration tab and click Networking. The virtual machine configuration

page is displayed, as shown in Figure 65 on page 62.

Figure 65: Virtual Machine Configuration Page

13. Click Properties of the Virtual Switch with the JS Internet port group created in this

section. The vSwitch0 Properties page is displayed, as shown in Figure 66 on page 63.

Figure 66: vSwitch Properties

14. Select the port group JS Internet and click Edit. The JS Internet properties page is

displayed, as shown in Figure 67 on page 64.

Figure 67: JS Internet Properties - General

15. In the JS Internet Properties window, select the Security tab. The JS Internet properties

for the Security tab are displayed, as shown in Figure 68 on page 65.

Figure 68: JS Internet Properties - Security

16. Check Promiscuous Mode and select Accept from the list.

17. Click OK. The vSwitch3 Properties page is displayed, as shown in Figure 69 on page 66.

Figure 69: vSwitch Properties - Ports

The JS Internet port group configuration is now complete.

Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance

All virtual machines connected to the existing Unprotected Network port group will need

reconfiguring to use the Protected LAN port group.

1. Select the virtual machine in the vSphere Client inventory and open the properties

window using the Edit Settings option.

The virtual machine properties for hardware are displayed, as shown in

Figure 70 on page 67.

Figure 70: Virtual Machine Properties

2. In the Hardware tab, select the Network Adaptor previously connected to the

Unprotected Network port group. This will be visible in the Hardware Summary but

appear as a blank selection under the Network Connection pane.

3. Choose Protected LAN port group from the drop-down select box of Network

Connections.

4. Click OK.

5. Repeat the reconfiguration for each virtual machine connected to the port group renamed

from Unprotected Network to Protected LAN.
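The layout that the Appendix A steps build can be checked against an inventory of the host. The following Python audit is an added example, not part of the Juniper guide: the inventory dictionaries are constructed sample data, the VM and vSwitch names are hypothetical, and reporting promiscuous mode on port groups other than JS Protected and JS Internet is a policy choice of this example.

```python
import copy

# Port groups the guide sets to promiscuous Accept; both connect to the appliance.
APPLIANCE_ONLY = ("JS Internet", "JS Protected")
REQUIRED = APPLIANCE_ONLY + ("Protected LAN", "JS Data Share")


def audit_layout(host, appliance_vms, unprotected_pg="Unprotected Network"):
    """Compare a host inventory with the Appendix A layout; return findings."""
    findings = []
    # Map each port group name to (vSwitch name, port group settings).
    where = {}
    for vs_name, vs in host["vswitches"].items():
        for pg_name, pg in vs["portgroups"].items():
            where[pg_name] = (vs_name, pg)

    for pg_name in REQUIRED:
        if pg_name not in where:
            findings.append(f"missing port group: {pg_name}")

    # Promiscuous mode must be Accept on the two port groups the appliance
    # bridges; anywhere else it is reported (assumption of this example).
    for pg_name, (_, pg) in sorted(where.items()):
        promisc = pg.get("promiscuous", False)
        if pg_name in APPLIANCE_ONLY and not promisc:
            findings.append(f"{pg_name}: promiscuous mode is not Accept")
        elif pg_name not in APPLIANCE_ONLY and promisc:
            findings.append(f"{pg_name}: promiscuous mode is Accept on a "
                            "port group the guide does not list")

    if "JS Protected" in where and "Protected LAN" in where:
        prot_vs = where["JS Protected"][0]
        if where["Protected LAN"][0] != prot_vs:
            findings.append("JS Protected and Protected LAN are on different vSwitches")
        uplinks = host["vswitches"][prot_vs]["uplinks"]
        if uplinks:
            # The procedure unchecks all network adapters for this vSwitch.
            findings.append(f"{prot_vs}: has uplinks {uplinks}; the procedure "
                            "creates it with no network adapters")
        if "JS Internet" in where and where["JS Internet"][0] == prot_vs:
            findings.append("JS Internet shares a vSwitch with JS Protected; "
                            "traffic is not forced through the appliance")

    # Servers left on the old port group are not behind the appliance.
    for vm, pgs in sorted(host["vms"].items()):
        if vm in appliance_vms:
            continue
        for pg_name in pgs:
            if pg_name == unprotected_pg:
                findings.append(f"{vm}: still attached to {unprotected_pg}; "
                                "reassign to Protected LAN")
            elif pg_name in APPLIANCE_ONLY:
                findings.append(f"{vm}: attached to appliance-only port group {pg_name}")
    return findings


# Constructed sample inventory following the dual NIC example (vSwitch A, C, D).
SAMPLE_GOOD = {
    "vswitches": {
        "vSwitch A": {"uplinks": ["vmnic0"], "portgroups": {
            "JS Internet": {"promiscuous": True},
            "Unprotected Network": {"promiscuous": False}}},
        "vSwitch C": {"uplinks": [], "portgroups": {
            "JS Protected": {"promiscuous": True},
            "Protected LAN": {"promiscuous": False}}},
        "vSwitch D": {"uplinks": [], "portgroups": {
            "JS Data Share": {"promiscuous": False}}},
    },
    "vms": {"ddos-ve-1": ["JS Internet", "JS Protected", "JS Data Share"],
            "web01": ["Protected LAN"]},
}

# The same host with four deviations from the procedure.
SAMPLE_BAD = copy.deepcopy(SAMPLE_GOOD)
SAMPLE_BAD["vswitches"]["vSwitch A"]["portgroups"]["JS Internet"]["promiscuous"] = False
SAMPLE_BAD["vswitches"]["vSwitch C"]["portgroups"]["Protected LAN"]["promiscuous"] = True
SAMPLE_BAD["vswitches"]["vSwitch C"]["uplinks"].append("vmnic1")
SAMPLE_BAD["vms"]["web01"] = ["Unprotected Network"]

if __name__ == "__main__":
    for line in audit_layout(SAMPLE_BAD, {"ddos-ve-1"}):
        print(line)
```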

APPENDIX B

Installing an Existing Single NIC ESX (i) Server

• Installing an Existing Single NIC ESX (i) Server

Installing an Existing Single NIC ESX (i) Server

You must retain the association between the single physical interface, the virtual switch

and vmKernel which carries the ESX (i)/vSphere management traffic. Removing this

association will lead to loss of communication with your ESX (i) Server and may require

an ESX (i) server rebuild.

You will need to separate the source of your unprotected traffic from the network segment

hosting your firewall/load balancer/servers by placing them on two separate virtual

switches. The DDoS Secure appliance Virtual Edition will be bridging these two virtual

switches and hence controls the flow between them.

The source of unprotected traffic might be an external network (for example: Internet

Gateway) connected to an ESX (i) network adaptor or it might already be on a separate

virtual network which is routed or bridged to your server virtual network.

In the rest of this chapter we will refer to port groups associated with two virtual switches

as the JS Internet port group (carrying unprotected traffic) and the JS Protected and

Protected LAN port groups (carrying protected traffic).

Wherever Unprotected xxx is referred to, it is likely to be called something else in the

original ESX configuration, the default being VM Network. Substitute as appropriate.

Figure 71 on page 70 illustrates a simple example of an ESX (i) Server with a single NIC.

Figure 71: ESX (i) Server with Single NIC

The following sections outline the steps required for reconfiguring the example single

NIC ESX (i) Server:

• Add new vSwitch B and associate a new JS Protected port group (connects to DDoS

Secure appliance) and a new Protected LAN port group (connects to protected

network).

• Set JS Protected port group to support promiscuous mode.

• Add new switch C and associate a new JS Data Share port group.

• Associate a new JS Internet port group with vSwitch A.

• Set JS Internet port group to support Promiscuous mode.

• Install the DDoS Secure appliance VE from the .OVA file.

• Connect to the GUI using the default IP address https://192.168.0.196, log in with

username user and password password. The management IP address can be changed

from the Configure Interfaces icon within the (Admin) left-hand pane.

• Log on to the DDoS Secure appliance GUI and apply a new license.

• Reassign your firewall/load balancers/servers from the original Unprotected Network

port group to the Protected LAN port group.

• Place the DDoS Secure appliance VE in desired operating mode.

Figure 72 on page 71 illustrates the ESX (i) Server with a single NIC after DDoS Secure

appliance installation.

Figure 72: ESX (i) Server with Single NIC after DDoS Secure Appliance Installation

• Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server

• Adding a JS Data Share Port Group to a NIC ESX (i) Server

• Adding a JS Internet Port Group to a NIC ESX (i) Server

Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server

To add the JS Protected and Protected LAN port groups:

1. Open the vSphere client if not already open.

2. Select the ESX (i) host in the inventory.

3. Select the Configuration tab and click Networking. The JS protected and Protected

LAN port groups are displayed, as shown in Figure 73 on page 72.

Figure 73: JS Protected and Protected LAN Port Groups

4. Click Add Networking. The network Connection Type page is displayed, as shown in

Figure 74 on page 72.

Figure 74: Connection Type

5. Choose connection type Virtual Machine.

6. Click Next. The virtual machine network access page is displayed, as shown in

Figure 75 on page 73.

Figure 75: Virtual Machine Network Access

7. Select Create a virtual switch and uncheck all network adapters.

8. Click Next. The virtual machine connection settings page is displayed, as shown in

Figure 76 on page 74.

Figure 76: Virtual Machine Connection Settings

9. In the Port Group Properties area, change the Network Label to Protected LAN.

10. Click Next. The virtual machine connection setting completion page is displayed, as

shown in Figure 77 on page 75.

Figure 77: Virtual Machine Connection Settings Completion

11. Click Finish.

12. Return to the main vSphere client window where your ESX (i) host is selected in the

inventory list, select the Configuration tab, and click Networking. The virtual machine

inventory page is displayed, as shown in Figure 78 on page 76.

Figure 78: Virtual Machine Inventory

13. Click Properties of the Virtual Switch with the Protected LAN port group, as shown in

Figure 79 on page 76.

Figure 79: vSwitch Properties - Port

14. In the vSwitch Properties window, click Add. The virtual machine connection type

wizard page is displayed, as shown in Figure 80 on page 77.

Figure 80: Virtual Machine Connection Type

15. Choose connection type Virtual Machine, and click Next. The virtual machine connection

settings page is displayed, as shown in Figure 81 on page 78.

Figure 81: Virtual Machine Connection Settings

16. In the Port Group Properties area, change the Network Label to JS Protected, and click Next.

The virtual machine connection complete page is displayed, as shown in

Figure 82 on page 78.

Figure 82: Virtual Machine Connection Completion

17. Click Finish to return to the vSwitch Properties window, as shown in Figure 83 on page 79.

Figure 83: vSwitch Properties Port

18. Select the port group JS Protected and click Edit. The JS protected properties page is

displayed, as shown in Figure 84 on page 80.

Figure 84: JS Protected Properties

19. In the JS Protected Properties window, select the Security tab, as shown in

Figure 85 on page 81.

Figure 85: JS Protected Properties - General

20. Check Promiscuous Mode and select Accept from the drop-down select box, and click

OK, as shown in Figure 86 on page 82.

Figure 86: JS Protected Properties - Port

The Protected LAN and JS Protected port group configurations are now complete.

Adding a JS Data Share Port Group to a NIC ESX (i) Server

The JS Data Share port group is used to synchronize the configuration of a DDoS Secure

appliance HA pair. It is recommended that you create HA pairs on the same

ESX (i) host, thereby allowing a software upgrade of the standby whilst the other is active.

Even if a Standalone DDoS Secure appliance is to be deployed, this port group is still

required for the DDoS Secure appliance data share interface to connect to.

Follow the instructions below to configure the JS Data Share port group:

1. Open the vSphere client if not already open.

2. Select the ESX (i) host in the inventory.

3. Select the Configuration tab and click Networking, as shown in Figure 87 on page 83.

Figure 87: Virtual Switch

4. Click Add Networking. The connection type page is displayed, as shown in

Figure 88 on page 83.

Figure 88: Virtual Switch Connection Type

5. Choose connection type Virtual Machine, and click Next, as shown in

Figure 89 on page 84.

Figure 89: Virtual Switch - Network Access

6. Select Create a virtual switch and uncheck all network adapters.

In certain circumstances, a user may want to pair up with a DDoS Secure appliance

external to the ESX (i) server. In this case select the network adapter that the external

DDoS Secure appliance data share Interface is connected to, as shown in

Figure 90 on page 85.

Figure 90: Virtual Machine Connection Settings

7. In the Port Group Properties area, change the Network Label to JS Data Share.

8. Click Next. The virtual machine summary page is displayed, as shown in

Figure 91 on page 86.

Figure 91: Virtual Machine Summary

9. Click Finish.

The JS Data Share port group configuration is now complete.

Adding a JS Internet Port Group to a NIC ESX (i) Server

To add the JS Internet port group:

1. Open the vSphere client if not already open.

2. Select the ESX (i) host in the inventory.

3. Select the Configuration tab and click Networking, as shown in Figure 92 on page 87.

Figure 92: Virtual Switch Configuration Page

4. Click Properties next to the Virtual Switch with the Unprotected Network port group, as shown

in Figure 93 on page 87.

NOTE: Unprotected Network is the name for the existing port group.

Figure 93: vSwitch Properties

5. In the vSwitch properties window, in the Configuration list pane, click Add, as shown

in Figure 94 on page 88.

Figure 94: Virtual Machine Connection Type

6. Choose connection type Virtual Machine.

7. Click Next. The virtual machine connection settings page is displayed, as shown in

Figure 95 on page 89.

Figure 95: Virtual Machine Connection Settings

8. In the Port Group Properties area, change the Network Label to JS Internet.

9. Click Next. Figure 96 on page 90 displays the virtual machine connection completion

page.

Figure 96: Virtual Machine Connection Completion Page

10. Click Finish.

11. Return to the main vSphere client window where your ESX (i) host is selected in the

inventory list, select the Configuration tab and click Networking. The virtual machine

inventory configuration page is displayed, as shown in Figure 97 on page 91.

Figure 97: Virtual Machine Inventory

12. Click Properties of the Virtual Switch with the JS Internet port group created in this

section. The vSwitch properties summary page is displayed, as shown in

Figure 98 on page 92.

Figure 98: vSwitch Properties Summary

13. Select the port group JS Internet and click Edit, as shown in Figure 99 on page 93.

Figure 99: JS Internet Properties

14. In the JS Internet Properties window, select the Security tab, as shown in

Figure 100 on page 94.

Figure 100: JS Internet Properties - General

15. Check Promiscuous Mode and select Accept from the drop-down and click OK. The

vSwitch0 properties page is displayed, as shown in Figure 101 on page 95.

Figure 101: JS Internet vSwitch Properties

The JS Internet port group configuration is now complete.

APPENDIX C

Installing and Configuring a New ESX (i) Server

• Installing and Configuring a New ESX (i) Server

Installing and Configuring a New ESX (i) Server

• Installing an ESX (i) Server

• Connecting to vSphere

• Configuring vSwitch0 in the DDoS Secure Appliance Management Interface(s)

• Creating Internet Traffic for a DDoS Secure Appliance

• Configuring a Data Share Port Group in a DDoS Secure Appliance

• Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode

• Changing the Configuration Settings in an ESX (i) Server VMNIC Interface

Installing an ESX (i) Server

Read the VMware step-by-step guide on installing and configuring ESX (i). After

successful installation of the ESX (i) server, several configuration steps are essential. In

particular, some licensing, networking, and security configuration is necessary.

For more details on these configuration tasks, see the following guides in the vSphere

Documentation:

• The ESX (i) Installable Server Setup Guide for information on licensing

• The ESX (i) Configuration Guide for information on networking and security

Connecting to vSphere

Read the VMware step-by-step guide on installing and configuring vSphere Client on

a Windows PC.

Start the vSphere Client on your Windows PC. Enter the IP address assigned to your ESX

(i) server. Figure 102 on page 98 displays the VMware vSphere client log in page. For the

first login, use the user root; there is no password.

97Copyright © 2013, Juniper Networks, Inc.

Page 112: DDoS Secure: VMware Virtual Edition Installation Guide

Figure 102: VMware vSphere Client Log in Page

Set the root password for the ESX (i) server and update the VMware license key to the

one obtained from VMware.

Configuring vSwitch0 in the DDoS Secure Appliance Management Interface(s)

vSwitch0 (default) is set up at ESX (i) installation with a vmKernel port labeled Management Network, which provides management network access to the kernel, and a virtual machine port group labeled VM Network; both connect using vmnic0.

Follow the steps below to configure vSwitch0 to add in the DDoS Secure appliance management interface(s). Figure 103 displays the VMware vSphere summary page.

Figure 103: VMware vSphere Summary Page

1. Select the Configuration tab and click Networking. The vSphere client configuration page is displayed, as shown in Figure 104.

Figure 104: vSphere Client Configuration Page

2. Click Properties on the same line as Virtual Switch: vSwitch0, as shown in Figure 105.

Figure 105: vSwitch Properties

3. In the vSwitch Properties window, in the Ports tab, select the VM Network port group and click Edit. The virtual machine General tab is displayed, as shown in Figure 106.

Figure 106: VM Network Properties - General

4. On the General tab, rename the Network Label to ManagementLan and click OK.

5. In the vSwitch Properties window, click Close, as shown in Figure 107.

Figure 107: vSwitch Properties - Ports

The ManagementLan port group configuration is now complete.

Creating Internet Traffic for a DDoS Secure Appliance

You could route your Internet connection through the same vSwitch as your Management port group. However, for the DDoS Secure appliance it is recommended that you create a separate vSwitch/port group/NIC for Internet traffic to guarantee separation between the Internet and management traffic.

This section describes the creation of the JS Internet port group, which exchanges traffic between the DDoS Secure appliance Internet interface and the Internet.

The DDoS Secure appliance Internet interface is set to promiscuous mode and therefore must be connected to a port group that is configured to accept promiscuous traffic on the vSwitch. The port group is named JS Internet. Do not connect any other VM instance to this port group, as this could create an unacceptable security risk: a VM attached to a port group that accepts promiscuous mode can receive all traffic crossing that vSwitch, not only its own.

The following instructions guide you through the configuration of a vSwitch, adding a port group with network label JS Internet and setting this to promiscuous mode.

In our running example, the next vSwitch (vSwitch1) is used for Internet traffic.

1. Return to the Configuration tab and click Networking, as shown in Figure 108.

Figure 108: vSphere Client Configuration Page

2. Click Add Networking. The vSwitch properties page for connection type is displayed, as shown in Figure 109.

Figure 109: vSwitch Properties - Connection Type

3. Choose connection type Virtual Machine, and click Next. The virtual machine network access page is displayed, as shown in Figure 110.

Figure 110: Virtual Machine - Network Access

4. Select Create a virtual switch and select one unclaimed network adapter. In this case, select vmnic1, as shown in Figure 111.

Figure 111: Virtual Machine - Connection Settings

5. In Port Group Properties, change the Network Label to JS Internet.

6. Click Next. The virtual machine connection setting completion page is displayed, as shown in Figure 112.

Figure 112: Virtual Machine Connection Setting Completion

7. Click Finish.

8. Return to the main vSphere client window where your ESX (i) host is selected in the inventory list, select the Configuration tab and click Networking, as shown in Figure 113.

Figure 113: Virtual Machine Connection Networking

9. Click Properties of the Virtual Switch with Virtual Machine port group JS Internet, as shown in Figure 114.

Figure 114: vSwitch Properties

10. Select the JS Internet port group configuration and click Edit. The JS Internet properties General tab is displayed, as shown in Figure 115.

Figure 115: JS Internet Properties - General

11. In the JS Internet Properties window, select the Security tab, as shown in Figure 116.

Figure 116: JS Internet Properties - Security

12. Check Promiscuous Mode and select Accept from the drop-down select box, and click OK.

The JS Internet port group configuration is now complete.

Configuring a Data Share Port Group in a DDoS Secure Appliance

The JS Data Share port group is used to synchronize configurations of a DDoS Secure appliance HA pair. For the DDoS Secure appliance it is recommended that you create HA pairs on the same ESX (i) host, which allows, for example, software maintenance with no disruption to traffic flows. Even if a standalone DDoS Secure appliance is to be used, this port group is still required for the DDoS Secure appliance Data Share interface to connect to.

To configure the data share port group:

1. Return to the Configuration tab and click Networking.

2. Click Add Networking.

3. Choose connection type Virtual Machine and click Next.

4. Select Create a virtual switch and uncheck all network adapters. If the DDoS Secure appliance is to be paired with a DDoS Secure appliance external to the ESX (i) server, a suitable vmnic that will connect to the external DDoS Secure appliance needs to be added in.

5. In port group Properties, change the Network Label to JS Data Share and click Next.

6. Click Finish.

7. The JS Data Share configuration is now complete.

NOTE: Promiscuous mode should not be set in this port group.

Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode

The DDoS Secure appliance Protected interface is set to promiscuous mode and therefore must be connected to a dedicated port group that is configured to accept promiscuous traffic on its associated vSwitch. Do not connect any other VM instance to this port group, as this could create an unacceptable security risk. Protected servers should be connected to a different port group on the vSwitch that has promiscuous mode disabled.

The following instructions guide you through the configuration of a vSwitch, adding a port group with network label ProtectedLAN with promiscuous mode disabled and a port group with network label JS Protected with promiscuous mode enabled.

1. Return to the Configuration tab and click Networking.

2. Click Add Networking.

3. Choose connection type Virtual Machine, and click Next.

4. Select Create a virtual switch. If you are in the process of migrating from a physical network to a virtual network, you may want to protect both virtual and physical servers. Adding a vmnic network adapter to the vSwitch associated with protected traffic means these traffic flows can reach physical servers. To add a network adapter, select the adapter that is physically connected to the physical network segment that the physical server(s) use to access the Internet.

5. Click Next.

6. In port group Properties, change the Network Label to Protected LAN and click Next.

7. Click Finish.

8. Return to the main vSphere client window where your ESX (i) host is selected in the inventory list, select the Configuration tab and click Networking.

9. Click Properties of the Virtual Switch with the port group Protected LAN created in this section.

10. In the vSwitch Properties window, click Add.

11. Choose connection type Virtual Machine and click Next.

12. In port group Properties, change the Network Label to JS Protected, and click Next.

13. Click Finish.

14. Return to the vSwitch Properties window.

15. Select the port group JS Protected and click Edit.

16. In the JS Protected Properties window, select the Security tab.

17. Check Promiscuous Mode and select Accept from the drop-down select box, and click OK.

The vSwitch configuration for the JS Protected is now complete.
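
The port-group rules stated in this appendix (JS Internet and JS Protected accept promiscuous mode and carry only the appliance; JS Data Share and Protected LAN are not promiscuous) can be checked mechanically once the host is configured. The following Python check is an added example and is not part of the Juniper guide; the inventory layout and the VM names are constructed for illustration and would in practice be filled from an export of the host's networking configuration.

```python
# Added example: audit port groups against the rules stated in this appendix.
# The inventory layout and every VM name below are constructed for illustration.

# Set to Promiscuous Mode = Accept by the guide; must carry only the appliance.
PROMISCUOUS_DEDICATED = {"JS Internet", "JS Protected"}
# The guide says promiscuous mode must not be set on these port groups.
PROMISCUOUS_FORBIDDEN = {"JS Data Share", "Protected LAN"}


def normalize(label):
    """The guide spells one label both 'Protected LAN' and 'ProtectedLAN'."""
    if label.replace(" ", "").lower() == "protectedlan":
        return "Protected LAN"
    return label


def audit_port_groups(port_groups, appliance_vms):
    """Return sorted (port group, finding) tuples; an empty list means compliant."""
    findings = []
    seen = set()
    for pg in port_groups:
        name = normalize(pg["name"])
        seen.add(name)
        if name in PROMISCUOUS_DEDICATED:
            if not pg["promiscuous"]:
                findings.append((name, "promiscuous mode is not set to Accept"))
            # Any VM other than the appliance could observe all traffic here.
            for vm in sorted(set(pg["vms"]) - set(appliance_vms)):
                findings.append((name, f"non-appliance VM attached: {vm}"))
        elif name in PROMISCUOUS_FORBIDDEN and pg["promiscuous"]:
            findings.append((name, "promiscuous mode must be disabled"))
    # The guide's procedure creates all four port groups; report absent ones.
    for missing in (PROMISCUOUS_DEDICATED | PROMISCUOUS_FORBIDDEN) - seen:
        findings.append((missing, "port group not found"))
    return sorted(findings)


APPLIANCE_VMS = {"ddos-secure-primary"}  # hypothetical appliance VM name

SAMPLE_INVENTORY = [  # constructed sample, not taken from a real host
    {"name": "ManagementLan", "promiscuous": False,
     "vms": ["ddos-secure-primary", "web01"]},
    {"name": "JS Internet", "promiscuous": True,
     "vms": ["ddos-secure-primary"]},
    {"name": "JS Data Share", "promiscuous": True,   # violates the NOTE above
     "vms": ["ddos-secure-primary"]},
    {"name": "ProtectedLAN", "promiscuous": False,
     "vms": ["web01", "db01"]},
    {"name": "JS Protected", "promiscuous": True,    # web02 must not be here
     "vms": ["ddos-secure-primary", "web02"]},
]

if __name__ == "__main__":
    for port_group, finding in audit_port_groups(SAMPLE_INVENTORY, APPLIANCE_VMS):
        print(f"{port_group}: {finding}")
```

On the constructed sample the check reports the promiscuous JS Data Share port group and the protected server web02 attached to JS Protected.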

Changing the Configuration Settings in an ESX (i) Server VMNIC Interface

The ESX (i) Server vmnic interfaces must have the same speed/duplex setting definitions as the device (router or switch) that they are connected to, to prevent unnecessary packet loss.

For example, if the router interface is set to auto, then the vmnic that it is connected to must also be set to auto. If the router interface is set to 100 full duplex, then the vmnic that it is connected to must also be set to 100 full duplex.

The following steps must be taken in order to change the configuration settings of a network adapter in your configuration if there (potentially) is a mismatch:

1. Open the vSphere client.

2. Select the ESX (i) host in the inventory.

3. Select the Configuration tab and click Networking.

4. Click on the Properties of the vSwitch which has the appropriate vmnic.

5. In the vSwitch Properties window, select the Network Adapters tab.

6. Compare the speed of the Network Adapter to that of your router. If they do not match, select the Network Adapter and click Edit.

7. Configure the speed from the drop-down select box so that it matches the router configuration.

APPENDIX D

Reassigning the Existing VM Network Interfaces in a VM Server

• Reassigning the Existing VM Network Interfaces in a VM Server

Reassigning the Existing VM Network Interfaces in a VM Server

As the names of port groups may have been changed, any pre-existing VMs need to be revisited to make sure that their management/protected interfaces are connected to the correct port groups. To reassign the existing VM network interfaces in a VM server:

1. Open the vSphere client if not already open.

2. Select the ESX (i) host in the inventory. The VM server edit setting page is displayed, as shown in Figure 117.

Figure 117: VM Server Edit Settings

3. For each server (apart from the DDoS Secure appliance VMs) listed in the inventory, click Edit Settings by using the mouse-click driven menus. Figure 118 displays the virtual machine properties screen.

Figure 118: Virtual Machine Properties

4. Select each Network Adapter, as shown in Figure 119.

Figure 119: Virtual Machine Properties - Hardware

5. For every Network Connection that is blank, select the appropriate port group (usually ProtectedLAN) from the Network Connection drop-down, as shown in Figure 120.

Figure 120: Virtual Machine Network Adapter

6. Click OK.

The Server interface has now been connected to the ProtectedLAN network.

Related Documentation

• Reconfiguring a vSphere Client

• Understanding Sizing Requirements

• Tuning in a NUMA Environment

APPENDIX E

Troubleshooting

• Reconfiguring a vSphere Client

Reconfiguring a vSphere Client

The DDoS Secure appliance VE is configured to run on a 64-bit Guest Operating System on a host which is VT-capable. The host may be VT-capable, but if VT is disabled in the BIOS then the message shown in Figure 121 may appear when installing the DDoS Secure appliance VE.

Figure 121: DDoS Secure Primary Appliance Summary

In this case, you should follow the instructions in the message: enter the BIOS of your host, enable VT, and disable trusted execution.

Related Documentation

• Creating vSwitch/Port Group/NIC for internet traffic in a DDoS Secure Appliance

• Reassigning the Existing VM Network Interfaces in a VM Server

• Understanding Sizing Requirements

APPENDIX F

Understanding Sizing Requirements

• Understanding Sizing Requirements

Understanding Sizing Requirements

Table 5 provides the sizing requirement details.

Table 5: Sizing Requirement Details

MIN DISK (GB)  MIN RAM (MB)  MTU   TCP CONNS  TRACKED IPS  PROTECTED IPS
12             800           1500  262K       1048K        2
12             800           1500  262K       1048K        4
12             800           1500  262K       1048K        8
13             1000          1500  524K       2097K        16
13             1000          1500  524K       2097K        32
13             1000          1500  524K       2097K        64
15             1400          1500  524K       4194K        128
15             1400          1500  1048K      4194K        256
15             1500          1500  1048K      4194K        512
13             1000          9000  262K       1048K        2
13             1000          9000  262K       1048K        4
13             1000          9000  262K       1048K        8
14             1200          9000  524K       2097K        16
14             1200          9000  524K       2097K        32
14             1200          9000  524K       2097K        64
15             1900          9000  524K       4194K        128
15             1900          9000  1048K      4194K        256
16             2000          9000  1048K      4194K        512

NOTE: The DDoS Secure appliance stores log files on the disk. More historical logs are available on larger disks.

Related Documentation

• Reassigning the Existing VM Network Interfaces in a VM Server

• Reconfiguring a vSphere Client

• Tuning in a NUMA Environment

APPENDIX G

NUMA Tuning

• Tuning in a NUMA Environment

Tuning in a NUMA Environment

It is vital that DDoS Secure is configured to use a single CPU socket and memory local to that CPU. In VMware ESX (i), it is possible for a CPU to be assigned remote memory (memory within another NUMA node). To check whether your ESX (i) host is Non-Uniform Memory Access (NUMA) enabled, go to the Processor information on the Host Configuration tab.

If Processor Sockets is more than one, then the DDoS Secure VM must be configured to run on a single NUMA node, as shown in Figure 122.

Figure 122: Processor Sockets

To assign DDoS Secure resources, first calculate how much memory is available per NUMA node. This is Memory / Processor Sockets.

For this example we will use an ESX (i) host with 2x processor sockets (6 cores per socket) and 64GB memory, so each NUMA node will have 32GB local memory.

NOTE: With hyperthreading enabled, ESX (i) creates 24 logical vCPUs. Using the free VMware ESX license, a maximum of 8 vCPUs can be allocated per VM. In this instance, it would be preferable to disable hyperthreading (Configuration > Processors > Properties – uncheck Enable hyperthreading) to utilize the physical CPU cores. This would reduce the logical processor count to 12.

Allocate 31GB of memory to the DDoS Secure virtual machine (allowing 1GB for ESX system memory).

On the Resources tab of the JDDS Virtual Machine Properties, select Advanced Memory.

Select Use memory from nodes and select 0, as shown in Figure 123.

Figure 123: Virtual Machine Properties Resources options

Select Advanced CPU.

In Scheduling Affinity, add the processor numbers that are associated with NUMA node 0.

Allocate up to the maximum vCPUs contained in one NUMA node. Figure 124 displays an example of allocating the maximum vCPUs contained in one NUMA node.

Figure 124: Virtual Machine Properties - Allocating Maximum vCPUs

Related Documentation

• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine

• Reconfiguring a vSphere Client

• Understanding Sizing Requirements