VMware

9 Replies Last post: Nov 7, 2007 6:30 AM by Texiwill  

networking posted: Nov 4, 2007 7:58 AM

vwaware (Novice, 6 posts since Oct 19, 2007)

I would be grateful if you could give me your expert advice. I have six network cards on my ESX host. What will be the best way of configuring them:

VM - 3
iSCSI and Service console and VMotion - 3

Or

VM - 3
iSCSI - 1
Service console and VMotion - 2

Thanks Ben

Re: networking

1. Nov 4, 2007 8:28 AM in response to: vwaware
BryanMcC (Expert, 280 posts since Feb 20, 2007)
For best practice you would like to keep your iSCSI network segmented from other vSwitches using dedicated adapters, so I would go with the latter of your choices.

2 pNICs assigned to a vSwitch for Service Console portgroup and a VMkernel portgroup for VMotion
2 pNICs assigned to a vSwitch VMkernel for iSCSI
2 pNICs assigned to a vSwitch VMs (you could always trunk these NICs for VLAN tagging as well)






Help me help you by scoring points... :)

Re: networking

2. Nov 5, 2007 12:47 PM in response to: BryanMcC
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

However for security reasons you may wish to switch to the following:

1 pNIC for Service Console
1 pNIC for vMotion
2 pNICs for iSCSI (redundant)
2 pNICs for VMs (redundant)

You never want vMotion and SC sharing a vSwitch as these are the most security conscious systems on the network. Not only this, but your SC must participate in your iSCSI network, which would mean not only would access to the SC grant me access to the VMDKs but also to the clear text memory image of the VM being vMotion'd to another host as well as access to any other iSCSI traffic. vMotion is a dangerous network to share even when using VLANs; I tend to keep to physical separation for this particular high risk network. Also, vMotion should be as fast as physically possible; tying it to your SC can slow it down due to other SC requirements.

If it was me I would go for 8 pNICs for full redundancy and security. There is quite a bit of discussion about this in the Security and Compliance forum.

Best regards,
Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

Re: networking

3. Nov 5, 2007 1:00 PM in response to: Texiwill
BryanMcC (Expert, 280 posts since Feb 20, 2007)
I agree completely; however, with reliability on the SC for iSCSI, you will really want to add some redundancy here as well.

Re: networking

4. Nov 5, 2007 1:33 PM in response to: Texiwill
BryanMcC (Expert, 280 posts since Feb 20, 2007)
The fact is that networking can be done in many different ways. You may go to one job where the company has the same number of NICs configured differently than another company to accomplish the same goal. You just have to take best practice and practicality into consideration when designing and put together something that will accomplish your goals and allow you to sleep well at night.

Re: networking

5. Nov 5, 2007 1:35 PM in response to: vwaware
v01d (Enthusiast, 35 posts since Nov 5, 2007)

Since you have 6 nics to work with.

2 SC/VMotion Teamed + VLAN Trunking

2 iSCSI Teamed

2 VM's Teamed + VLAN Trunking

Re: networking

6. Nov 6, 2007 6:11 AM in response to: v01d
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

Redundancy for the SC may not be an issue as there is not quite a lot of iSCSI traffic over it, it is mainly for authentication (which is not really used but still necessary for the protocol). Since this is the case, I would risk a single link until I could get another dual or quad port card.

Using VLANs for the SC and vMotion can be done as well but even so, it is possible to grab all vMotion traffic even with the VLAN. I still say this is a risk, and should be separated by physical means. But this really depends on how security conscious you want to be.... I.e. how paranoid. I would consider another 2 ports for the machines.

Best regards,
Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074
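
An added example, not part of any post in this thread: a small Python check that encodes the layouts proposed above and flags the separation and redundancy concerns the posters raise. The data model, function names and finding strings are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VSwitch:
    roles: frozenset      # traffic carried: "SC", "vMotion", "iSCSI", "VM"
    uplinks: int          # number of pNICs assigned to this vSwitch
    vlan: bool = False    # roles on this vSwitch are split by VLAN tags only

def vs(roles, uplinks, vlan=False):
    """Shorthand constructor: vs("SC+vMotion", 2)."""
    return VSwitch(frozenset(roles.split("+")), uplinks, vlan)

# Layouts proposed in the thread, transcribed by hand (constructed input).
LAYOUTS = {
    "OP option 1": [vs("VM", 3), vs("iSCSI+SC+vMotion", 3)],
    "BryanMcC":    [vs("SC+vMotion", 2), vs("iSCSI", 2), vs("VM", 2)],
    "Texiwill":    [vs("SC", 1), vs("vMotion", 1), vs("iSCSI", 2), vs("VM", 2)],
    "v01d":        [vs("SC+vMotion", 2, vlan=True), vs("iSCSI", 2),
                    vs("VM", 2, vlan=True)],
}

def audit(layout, pnics_available=6):
    """Return a sorted list of findings for one layout (empty list = clean)."""
    findings = []
    used = sum(sw.uplinks for sw in layout)
    if used > pnics_available:
        findings.append(f"needs {used} pNICs, host has {pnics_available}")
    for sw in layout:
        name = "+".join(sorted(sw.roles))
        shared = len(sw.roles) > 1
        # Texiwill: vMotion moves clear-text VM memory, so keep it physically alone.
        if "vMotion" in sw.roles and shared:
            how = "VLAN separation only" if sw.vlan else "same vSwitch, no VLAN"
            findings.append(f"vMotion shares uplinks ({how}): {name}")
        # BryanMcC: iSCSI should sit on dedicated adapters.
        if "iSCSI" in sw.roles and shared:
            findings.append(f"iSCSI not on dedicated adapters: {name}")
        # A vSwitch with one uplink has no failover path.
        if sw.uplinks < 2:
            findings.append(f"single uplink, no redundancy: {name}")
    return sorted(findings)

if __name__ == "__main__":
    for who, layout in LAYOUTS.items():
        print(who)
        for finding in audit(layout) or ["no findings"]:
            print("  -", finding)
```

With six pNICs every proposal leaves at least one finding; the fully redundant, fully separated layout only comes out clean when `pnics_available=8`.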

Re: networking

7. Nov 6, 2007 6:15 AM in response to: Texiwill
v01d (Enthusiast, 35 posts since Nov 5, 2007)
I am beginning to suspect that Texiwill may have been involved in the specification of $15,000 ea. toilet seats for the U.S. government in a previous life.

Re: networking

8. Nov 7, 2007 2:01 AM in response to: vwaware
biniam (Novice, 18 posts since Jun 19, 2007)

Thanks all for your advice.

I see the ideal configuration is to have 8 pNICs for security and performance issues.

Regards Ben

Re: networking

9. Nov 7, 2007 6:30 AM in response to: v01d
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
chuckle

Nah.... I am one of the paranoid ones.... Kidding aside, a few extra NIC ports to give you better security is a cheap solution to a pretty nasty problem. I work with penetration testers and it is very easy to get information off an ESX server that is not secured properly. Remember 70% of all attacks come from inside the corporate bastions, not outside.

Best regards,
Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074
