11 Replies Last post: Sep 28, 2007 4:28 AM by Texiwill  

Virtual Switch Port Security posted: Sep 25, 2007 11:56 PM

icoaus (Novice, 19 posts since Sep 19, 2007)

Hi There,

I am looking into ways of blocking traffic between virtual machines that are connected to the same vSwitch.

So for example, all my VM's are connected to a vSwitch and they are all configured on the same subnet, so 192.168.200.XX, so I can actually ping / fileshare etc between the VM's.

I need the machines to NOT be able to talk to each other directly.

Can anyone point me in the right direction on how this can be achieved?

Thanks,

ICO

Re: Virtual Switch Port Security

1. Sep 26, 2007 12:00 AM in response to: icoaus
davidbarclay (Master, 1,100 posts since Sep 20, 2006)

A vSwitch is an unmanaged layer 2 switch. In short, it can't do what you are asking.

However, multiple portgroups on the same vSwitch can have different VLAN IDs, so if your switching infrastructure is configured to support this, your VMs in each port group would then be isolated.

Dave

Re: Virtual Switch Port Security

2. Sep 26, 2007 5:29 AM in response to: davidbarclay
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

If all your VMs cannot talk directly to each other, then you would need one portgroup per VM, which is really a nightmare for management. You could use multiple vSwitches as well. How many VMs are you talking about? For 1 or 2, use portgroups; if it is 20-30, I would consider other options.

Consider this: how would you do this within a physical switch? If it cannot be done there, it cannot be done within a vSwitch.

I am very interested in understanding the quantity of machines and how you handle this outside vSwitches. If you use firewalls, for example, then you can do the same within the virtual environment. However, you may lose vMotion capability depending on how you implement it.

Could you send a diagram of what you are trying to do? You can PM me if you desire.

Best regards,
Edward

Re: Virtual Switch Port Security

4. Sep 26, 2007 4:29 PM in response to: icoaus
davidbarclay (Master, 1,100 posts since Sep 20, 2006)

What if each customer had a vSwitch without a pNIC and a firewall/router appliance, then aggregate the firewall appliances back to a central vSwitch with the pNICs?

Dave

Re: Virtual Switch Port Security

5. Sep 26, 2007 4:48 PM in response to: davidbarclay
jlauro (Expert, 660 posts since Feb 18, 2004)
davidbarclay's idea should work for you, with the only drawback being that you can only support 3 nets (max 4 total, but 1 as uplink to phy) behind each firewall VM. Less of an issue if some customers' VMs could share the same net (i.e. the customer has 3 VMs, and so those 3 can talk to each other directly).

The other option, if the firewall is external, would be to put each VM on a different switch/VLAN; they could then share the same phy, and then have your firewall appliance reassemble them from the VLANs.

Re: Virtual Switch Port Security

7. Sep 26, 2007 5:31 PM in response to: icoaus
davidbarclay (Master, 1,100 posts since Sep 20, 2006)

So port groups / VLANing is not an option.

Are you talking about a technical limitation or management burden?

Up to 512 portgroups are supported, so that shouldn't be a problem. You can have between 20 and 32 NICs (depending on brand), so that shouldn't be a limitation.

Now management - it could be a burden... but automation could help you (API etc).

Am I missing something?

Dave


Re: Virtual Switch Port Security

9. Sep 26, 2007 7:51 PM in response to: icoaus
jlauro (Expert, 660 posts since Feb 18, 2004)

If you use VLAN tagging, you can tie multiple networks into the same virtual switches to the single physical NIC (or bond). Each tagged VLAN by definition is isolated from the others.

Based on your document, it sounds like you could set up a private VLAN isolated for each VM, and then on the switch do private-VLAN association tying them all together. Never did that before, so I might be reading more into it than I think...

Hmmm... actually it looks like it's possible to add multiple configurations to the same virtual switch... Click Properties on the virtual switch, then Add, and set up another configuration. I never did that before without VLAN tagging, but it just let me do it. The question is, if you have two VMs, each using a different configuration, whether they are isolated or not...
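The rule the vSwitch applies to the cases discussed in this thread, written out as an added example (this is not code from the thread or from VMware): a vSwitch is a single layer 2 switch, so two VMs share a broadcast domain exactly when they sit on the same vSwitch and their port groups carry the same VLAN ID. Two port groups added to one vSwitch without a VLAN ID are both untagged and therefore not isolated from each other; port groups with different VLAN IDs on the same vSwitch are. VLAN 4095 (Virtual Guest Tagging, where the guest sees every tagged VLAN on the vSwitch) is handled as the one edge case. The port group, vSwitch and VM names are constructed for the illustration.

```python
"""Toy model of how a vSwitch scopes layer-2 traffic between port groups.

Added example, not VMware code. Rule modelled: same vSwitch + same VLAN ID
= same broadcast domain. VLAN 0 means untagged; 4095 is Virtual Guest
Tagging (the guest receives every tagged VLAN on that vSwitch).
"""
from dataclasses import dataclass

UNTAGGED = 0
VGT = 4095  # ESX treats VLAN 4095 as "all VLANs" (guest does its own tagging)


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int = UNTAGGED


@dataclass(frozen=True)
class VM:
    name: str
    portgroup: PortGroup


def same_l2_domain(a: VM, b: VM) -> bool:
    """True when frames from a reach b without leaving the vSwitch."""
    pa, pb = a.portgroup, b.portgroup
    if pa.vswitch != pb.vswitch:
        return False  # separate vSwitches never forward frames to each other
    if VGT in (pa.vlan, pb.vlan):
        # A VGT port sees every *tagged* VLAN on this vSwitch, but untagged
        # frames (VLAN 0) are not delivered to it.
        other = pb.vlan if pa.vlan == VGT else pa.vlan
        return other != UNTAGGED
    return pa.vlan == pb.vlan


def isolation_report(vms):
    """Return the set of unordered VM-name pairs that can talk at layer 2."""
    pairs = set()
    for i, a in enumerate(vms):
        for b in vms[i + 1:]:
            if same_l2_domain(a, b):
                pairs.add(frozenset((a.name, b.name)))
    return pairs


def demo():
    """Constructed topology: two untagged port groups on one vSwitch (the
    'second configuration' case above) beside two VLAN-tagged ones and a
    separate vSwitch."""
    vs0_prod = PortGroup("Production", "vSwitch0")         # untagged
    vs0_second = PortGroup("Second config", "vSwitch0")    # untagged, added via Properties > Add
    vs0_c1 = PortGroup("Cust1", "vSwitch0", vlan=101)
    vs0_c2 = PortGroup("Cust2", "vSwitch0", vlan=102)
    vs1_c3 = PortGroup("Cust3", "vSwitch1")                # other vSwitch, untagged
    vms = [VM("vm-a", vs0_prod), VM("vm-b", vs0_second),
           VM("vm-c", vs0_c1), VM("vm-d", vs0_c2), VM("vm-e", vs1_c3)]
    return isolation_report(vms)


if __name__ == "__main__":
    for pair in demo():
        print("can talk at L2:", " <-> ".join(sorted(pair)))
```

Only vm-a and vm-b come out as reachable: the two untagged port groups on vSwitch0 are one broadcast domain, while the tagged port groups and the second vSwitch isolate the rest. Note that isolation by VLAN ID only holds if the physical switch behind the uplink is also configured to keep those VLANs apart.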

Re: Virtual Switch Port Security

10. Sep 28, 2007 3:38 AM in response to: icoaus
ThomasNederman (Enthusiast, 75 posts since Sep 28, 2007)

I am not sure if this would be an option, but how about assigning each of the hosts its own IP range? That way no traffic would be forwarded from the other hosts to that port (you configure subnets within your IP range, 192.168.200.xx/30).

You can also, on a port group, enable the promiscuous mode for the clients not to be able to listen to the traffic.

On the router level you can then configure who can communicate with whom.

Thomas Nederman
http://www.thomasnederman.com

Re: Virtual Switch Port Security

11. Sep 28, 2007 4:28 AM in response to: ThomasNederman
Texiwill (Guru, 10,205 posts since Jan 13, 2004)

Hello,

Your only option from a virtual environment is to use a vFW between each customer's network. Remembering that each VM can only have up to 4 vNICs, I suggest using a separate firewall for each customer instead of aggregating on just one or two. It increases management sometimes, BUT will help with organization. There are plenty of firewall appliances. I.e.:


    vSwitch --- vFW --- vSwitch --- VM1    Customer 1
            |                   \-- VM2
            |
            --- vFW --- vSwitch --- VM1    Customer 2
                                \-- VM2


The one drawback to the above however is that when a VM is on a private vSwitch (no pNIC attached) vMotion will not work without first disconnecting the vNIC.... The solution is to take a pNIC and associate it with the vSwitch but do not have it connected to anything externally. I would put tape over the port on the box if it is not a blade. Or to just remember to change the vNIC to disconnected, vMotion, then change it back.

I use a Smoothwall v3 appliance in just this way and it works very well for segregating traffic. One vSwitch for all traffic, but firewalled from each other. In addition, the vFW could be a NAT device with the appropriate pre-routing of ports if you desire. Pretty much anything you can do in physical hardware you can do in virtual hardware; it just may appear odd and have some limitations.

The other option is to use external firewalls.

Best regards,

Edward
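The per-customer vFW design proposed by davidbarclay and laid out by Edward above, turned into a small planner as an added example (not code from the thread, from VMware or from Smoothwall): it emits the ESX 3 service console commands that build the vSwitches and port groups, and checks the constraints the thread states before doing so: the central vSwitch must have a live pNIC, a private vSwitch gets no live uplink, a firewall VM may have at most 4 vNICs so one vFW can front at most 3 customer nets, and Edward's vMotion workaround (link a pNIC that is physically unplugged to the private vSwitch) is allowed but must not reuse a live central uplink. The `esxcfg-vswitch` flags used (`-a` add vSwitch, `-A` add port group, `-L` link pNIC) are those of the ESX 3 tool; the customer, VM, vSwitch and vmnic names are constructed, and the firewall VMs are only named here, since their creation is done in the VI client, not with esxcfg-vswitch.

```python
"""Plan the per-customer vFW design from this thread as ESX 3 service-console
commands and check its constraints. Added example; names are constructed.

Design: one central vSwitch with the physical NICs, one private vSwitch
(no live uplink) per customer, and a firewall VM with a vNIC on the central
vSwitch plus one vNIC on each private vSwitch it fronts.
"""
from dataclasses import dataclass

MAX_VNICS = 4  # per-VM vNIC limit quoted in the thread


@dataclass
class Customer:
    name: str
    vms: list          # VM names on this customer's private net
    dead_uplink: str = ""  # pNIC linked but physically unplugged (vMotion workaround)


@dataclass
class Plan:
    central_vswitch: str
    uplinks: list          # live pNICs on the central vSwitch, e.g. ["vmnic0"]
    customers: list
    nets_per_vfw: int = 1  # 1 = a separate firewall VM per customer (Edward's advice)


def private_vswitch(c: Customer) -> str:
    return f"vSwitch-{c.name}"


def firewalls(plan: Plan) -> dict:
    """Group customer nets onto firewall VMs: {vfw_name: [port groups]}.
    The first port group is always the outside leg on the central vSwitch."""
    fws = {}
    n = plan.nets_per_vfw
    for i in range(0, len(plan.customers), n):
        group = plan.customers[i:i + n]
        vfw = "vFW-" + "-".join(c.name for c in group)
        fws[vfw] = ["vFW-Outside"] + [f"{c.name}-LAN" for c in group]
    return fws


def validate(plan: Plan) -> list:
    """Return the list of constraint violations; empty means the design is sound."""
    problems = []
    if not plan.uplinks:
        problems.append(f"{plan.central_vswitch} has no physical uplink")
    for vfw, pgs in firewalls(plan).items():
        if len(pgs) > MAX_VNICS:
            problems.append(f"{vfw} needs {len(pgs)} vNICs, limit is {MAX_VNICS}")
    seen = set()
    for c in plan.customers:
        if c.name in seen:
            problems.append(f"duplicate customer {c.name}")
        seen.add(c.name)
        if not c.vms:
            problems.append(f"{c.name} has no VMs")
        if c.dead_uplink and c.dead_uplink in plan.uplinks:
            problems.append(f"{c.name}: {c.dead_uplink} is a live central uplink "
                            "and must not also serve the private vSwitch")
    return problems


def vnic_assignments(plan: Plan) -> dict:
    """Which port group(s) each VM connects to: customer VMs get their LAN,
    firewall VMs get the outside leg plus each LAN they front."""
    assignments = {vm: [f"{c.name}-LAN"] for c in plan.customers for vm in c.vms}
    assignments.update(firewalls(plan))
    return assignments


def commands(plan: Plan) -> list:
    """Emit esxcfg-vswitch commands that build the design, after validation."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    out = [f"esxcfg-vswitch -a {plan.central_vswitch}"]
    out += [f"esxcfg-vswitch -L {nic} {plan.central_vswitch}" for nic in plan.uplinks]
    out.append(f'esxcfg-vswitch -A "vFW-Outside" {plan.central_vswitch}')
    for c in plan.customers:
        sw = private_vswitch(c)
        out.append(f"esxcfg-vswitch -a {sw}")
        out.append(f'esxcfg-vswitch -A "{c.name}-LAN" {sw}')
        if c.dead_uplink:
            # linked only so vMotion sees an uplink; the cable stays out
            out.append(f"esxcfg-vswitch -L {c.dead_uplink} {sw}")
    return out


if __name__ == "__main__":
    plan = Plan("vSwitch0", ["vmnic0"],
                [Customer("Cust1", ["web1", "db1"], dead_uplink="vmnic3"),
                 Customer("Cust2", ["app2"])])
    print("\n".join(commands(plan)))
    for vm, pgs in vnic_assignments(plan).items():
        print(f"{vm}: {', '.join(pgs)}")
```

Raising `nets_per_vfw` to 3 reproduces jlauro's aggregated variant (3 nets plus the uplink leg on one firewall VM); 4 is rejected by `validate` because it would need 5 vNICs. The private vSwitches get no `-L` line unless a dead uplink is declared, which is the property that keeps each customer's traffic from reaching the physical network except through its vFW.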
