VMware

This Question is Answered

5 Replies Last post: Jan 17, 2008 12:15 PM by depping  

Which pNics can I combine for SC, VMotion, DRS, HA, DMZ Lan with six pNics? posted: Jan 15, 2008 12:01 AM

Click to view marcushueller's profile Enthusiast
marcushueller
21 posts since
Dec 3, 2007

Hello Community!

I can use six pNics and the following services must be available in the DMZ:

Service Console, VMotion, DRS, HA, DMZ with high security, fail over and load balancing.

Afaik, VMotion traffic is not encrypted.

Thank you,

Marcus

Re: Which pNics can I combine for SC, VMotion, DRS, HA, DMZ Lan with six pNics?

1. Jan 15, 2008 12:43 AM in response to: marcushueller
Click to view ascari's profile Expert
ascari
284 posts since
Jan 3, 2007

Hi Marcus

hummm, six NIC... Gbit? depending also from your phisical network configuration. For example: if you have 2 main phisical switch, you can do this:

a couple of nic for SC and vmotion in teaming configuration (remember, for vmotion you need a gbit nic)

a couple of nic (teaming) for VM in internal lan and a couple of nic (temaning) for dmz lan. You can do many variant for this configuration. Remember thah you can use vlan in vSwitch using port group. If you use port group, you can use 4 NIC for your VM traffic.

bye Alberto

Re: Which pNics can I combine for SC, VMotion, DRS, HA, DMZ Lan with six pNics?

2. Jan 15, 2008 7:08 AM in response to: marcushueller
Click to view Texiwill's profile Guru User Moderators vExpert
Texiwill
10,432 posts since
Jan 13, 2004
Hello,

If the ESX Server ONLY has DMZ VMs on it, which is recommended from a security perspective and either using local, iSCSI-HBA, or FC-HBA SAN based storage, then you can use:

2 pNIC for SC/HA
2 pNIC for vMotion/DRS
2 pNIC for DMZ

If the ESX Server host DMZ and Production VMs on it, which is NOT recommended from a security perspective and either using local, iSCSI-HBA, or FC-HBA/SAN based storage, then you can use:

1 pNIC for SC/HA backup device is vMotion pNIC
1 pNIC for vMotion/DRS backup device is SC pNIC
2 pNIC for DMZ
2 pNIC for Production

If the ESX Server ONLY has DMZ VMs on it, which is recommended from a security perspective and either using iSCSI or NFS based storage, then you can use:

1 pNIC for SC/HA backup device is vMotion pNIC
1 pNIC for vMotion/DRS backup device is SC pNIC
2 pNIC for Storage Network
2 pNIC for DMZ

If the ESX Server has DMZ and Production VMs on it, which is recommended from a security perspective and either using iSCSI or NFS based storage, then you can use:

1 pNIC for SC/HA backup device is vMotion pNIC
1 pNIC for vMotion/DRS backup device is SC pNIC
2 pNIC for Storage Network
1 pNIC for Production (no redundancy)
1 pNIC for DMZ Network (no redundancy)

The last 3 configurations are really not 100% secure and I would try not to use them at all.

For #2 you should try not to ever MIX DMZ and Production VMs on the Same ESX Server as there is no security to prevent a Production VM from appearing on the DMZ. This could be inadvertent or a purposeful change. In addition, in a failure state, it is possible for the SC to see all vMotion traffic, and this could be an issue if the ESX admin does not really have privs on the hosts of the server. You should have 8 pNIC for this

For #3 you have the same issue where the SC could possibly see vMotion traffic. You need 8 pNIC for this.

For #4 you have the same issue and the fact that there is no real redundancy for the DMZ/Production network You should have 10 pNIC for this configuration.

Outside the first configuration I may go with the 3rd configuration with only 6 pNICs but never #2 or #4.... Too much risk.


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Re: Which pNics can I combine for SC, VMotion, DRS, HA, DMZ Lan with six pNics?

3. Jan 17, 2008 4:28 AM in response to: Texiwill
Click to view marcushueller's profile Enthusiast
marcushueller
21 posts since
Dec 3, 2007

Hello Texiwill

thank you! It looks like that we have the problem that we can only use 6 ports at all in these servers. If we have to service two different DMZs, can I combine SC/HA/vMotion/DRS on two ports to have 4 ports available for two DMZs?

What about the management with ESX hosts in different DMZs? Afaik, VC can not deal with hosts infront of and behind a firewall ...

Kind Regards, Marcus

Re: Which pNics can I combine for SC, VMotion, DRS, HA, DMZ Lan with six pNics?

4. Jan 17, 2008 11:26 AM in response to: marcushueller
Click to view Texiwill's profile Guru User Moderators vExpert
Texiwill
10,432 posts since
Jan 13, 2004
Hello Marcus,

Is it possible to only run one DMZs on a pair of hosts (or more) and the other DMZ on a completely different set of hosts? This would be the best security for your configuration.

Barring that, it is possible to have pNIC0 used for the SC and pNIC1 for vMotion with each other backing the other up (requiring just one vSwitch). You then have to worry about the VMs from one DMZ appearing on the other DMZ, etc.

BTW, HA and DRS just confuse the matter, HA uses the SC and DRS uses vMotion so in essence you are really only talking about 2 networks not 4.


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Re: Which pNics can I combine for SC, VMotion, DRS, HA, DMZ Lan with six pNics?

5. Jan 17, 2008 12:15 PM in response to: marcushueller
Click to view depping's profile Champion VMware Employees User Moderators
depping
3,205 posts since
Jan 17, 2005

I would set it up like this:

vswitch0: nic0 + nic1, service console active on nic0 and standby on nic1, vmotion(vmkernel) active on nic1 and standby on nic0. it would be benificial to have vlan's in place.
vswitch1: nic2 + nic3, dmz1
vswitch2: nic4 + nic5, dmz2

this is the most secure in my opinion and provides you with the most redundancy.

Duncan
My virtualisation blog:
http://www.yellow-bricks.com

Actions

VMware Beta Programs

Want to be Considered for Future Beta Programs?

Learn More

VMware Developer

Download SDKs, APIs, videos,
training, and more in the Developer community.

Learn More

Developer
Sample Code

Increase your developer productivity with VMware API sample code.

Learn More

VMworld
Sessions & Labs

Online access to the latest VMworld Sessions & Labs and online services.

Learn more

Purchase PSO Credits Online

Purchase credits to redeem training and consulting services online.

Buy Now

Community Hardware Software

View reported configurations or report your own.

Learn More

Only VMware ... Delivers Nexus 1000V

Ensure consistent, policy-based network capabilities to virtual machines across your data center.

Learn More

Communities