We're just tinkering with vShield and Cisco N1000V independently and together in the lab as we prepare to deploy vSphere.
The current configuration in our lab is this:
The public side of a vShield VM is connected to an N1000V Port Group
The private side of the vShield VM is connected to a local vSwitch Portgroup with Promiscuous mode permitted. (It's not a dV Port group, but do recognize this would be needed as we evolve the lab)
We have servers on the public side and one server on the protected port group, and can transfer data to and from all these servers from another computer outside the ESX environment.
The protected server is shown as protected in the vShield Manager
I have a script running elsewhere that is generating traffic to and from the protected server. The vShield Manager Status for that vShield is showing all the expected traffic in both the p0 and u0 status.
But, the VMFlow stats for the protected server and its roll-ups shows "No Data Found"
Some questions
I was unable to get the protected Port Group working as an N1000V port group, and have since found information here confirming that. Is the failure to display VMFlow stats related to the fact the public side doesn't really support promiscuous mode? (since it's a N1000V port group)
Is there some other misconfiguration I've done that is preventing the VMFlow data from showing?
Again with the promiscuous issue, am I unlikely to get a second computer in the protected side to work?
I saw a reference to reversing my configuration: Put the public side on a vNetwork switch with uplinks, and put the protected side as an N1000V port group. Is this likely to work better?
I understand Cisco is working on a solution to this problem, but we did want to put in as much "end-state" infrastructure as possible as we prepare for deployment, and doing the uplink side using N1000V seems to make more sense to me.
Thanks for this.
