VMware

This Question is Answered

4 Replies Last post: Aug 26, 2009 1:45 AM by JoJoGabor  

Separate physical network for VMotion? posted: Aug 25, 2009 4:39 AM

JoJoGabor (Expert, 302 posts since Apr 11, 2008)
In my design for an ESXi 3.5 on HP blades I have defined 2 pNICs for the Management network and 2 pNICs for VMotion. These go to separate Cisco 3120 blade switches. Now I have stipulated an external switch stack to join switches up for VMotion. The management network switches then go to another management stack. The customer wants to reduce costs by sharing the external stack for Management and VMotion traffic and segregating via VLANs and making the VMotion VLAN non-routable. Are there any downfalls for this?

Bear in mind this is a secure environment. I was always told that VLANing should not be used as a security separation due to the possibility of VLAN hopping. What are the risks here? Bear in mind that this is a sensitive defence-biased network, so I'm attempting to segregate the networks as much as possible.

Your thoughts are welcome

Re: Separate physical network for VMotion?

1. Aug 25, 2009 11:01 AM in response to: JoJoGabor
mclark (Hot Shot, 158 posts since Sep 9, 2005)
If your management network is only accessible by a limited number of admins and is segmented from the other networks, my opinion is that it's not a big issue to have VMotion on the same network and VLAN it if you want. It's how I have it set up. If the admins have full access to VMs anyway, having access to VMotion traffic doesn't gain them anything.

Re: Separate physical network for VMotion?

2. Aug 25, 2009 11:42 AM in response to: JoJoGabor
rolohm (Enthusiast, 59 posts since Nov 23, 2006)

I think it's safe what your customer wants to do.

If you haven't found this article yet I recommend it. It tells you how to minimize the target surface for VLAN hopping attacks.

http://blog.scottlowe.org/2008/03/05/vmotion-and-vlan-security/

/R

Re: Separate physical network for VMotion?

3. Aug 25, 2009 12:06 PM in response to: JoJoGabor
NicholasFarmer (Enthusiast, 32 posts since Jan 23, 2008)

If you have the hardware (switches) to separate out the networking infrastructure then I would do it for pure performance reasons.

We use a physical firewall to block anything and everything from entering our management and VMotion networks.

They are both vlans behind the firewall but we can still allow special access from the administrator's workstations or a management server to reduce the foot print. This method allows us to manage the network with special exceptions.

It's pure risk vs. cost. If you think you have a high chance of someone VLAN hopping on your internal network then using physical security is the best bet. If it's low risk, then just segment it off with VLANs and use access-lists and switch ports to reduce the chances of VLAN hopping.

Hope this helps you decide.
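The switch-side hardening the replies above point at (minimising the VLAN-hopping surface, locking down switch ports, and keeping the VMotion VLAN non-routable as the original design calls for) boils down to a handful of per-port settings on the blade switch, and they can be checked mechanically against the running config. The script below is an added example, not code from this thread, from VMware or from Cisco. It audits a Cisco IOS-style configuration such as a Catalyst 3120 would carry; the interface names, VLAN numbers (10 for Management, 20 for VMotion, 999 as the unused native VLAN) and the whole sample config are constructed for illustration.

```python
"""Audit a Cisco IOS-style switch config for VLAN-hopping exposure.

Added example (not from the thread, VMware or Cisco). For each port it
checks: an explicit switchport mode (so DTP cannot negotiate a trunk),
'switchport nonegotiate' on trunks, a native VLAN other than the default
1 (double-tagging), a pruned allowed-VLAN list, and that the VMotion VLAN
has no Layer-3 SVI (so it stays non-routable).
"""
import re

# Constructed sample config (assumption): a weak ESXi uplink trunk, a
# hardened one, an access port, an unconfigured port, and two SVIs.
SAMPLE_CONFIG = """\
vlan 10
 name MGMT
vlan 20
 name VMOTION
vlan 999
 name NATIVE_UNUSED
!
interface GigabitEthernet1/0/1
 description ESXi host1 mgmt+vmotion uplink (weak)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description ESXi host2 mgmt+vmotion uplink (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description user access port
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/0/4
 description unconfigured port
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
"""

PHYSICAL = ("FastEthernet", "GigabitEthernet", "TenGigabitEthernet")


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} per 'interface' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
            continue
        m = re.match(r"interface (\S+)", raw)
        current = m.group(1) if m else None
        if current is not None:
            stanzas[current] = []
    return stanzas


def audit_interface(name, lines, vmotion_vlan):
    """Return a list of finding strings for one interface stanza."""
    findings = []
    if name.startswith("Vlan"):
        routed = any(l.startswith("ip address") for l in lines)
        if int(name[4:]) == vmotion_vlan and routed:
            findings.append("VMotion VLAN has an SVI with an IP address, so it is routable")
        return findings
    if not name.startswith(PHYSICAL) or "shutdown" in lines:
        return findings  # not a switchport, or administratively down
    mode = native = allowed = None
    for l in lines:
        tok = l.split()
        if l.startswith("switchport mode "):
            mode = tok[2]
        elif l.startswith("switchport trunk native vlan "):
            native = int(tok[-1])
        elif l.startswith("switchport trunk allowed vlan "):
            allowed = tok[-1]
    if mode is None:
        findings.append("no explicit 'switchport mode': DTP can negotiate a trunk with whatever is plugged in")
    elif mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk still sends DTP frames; add 'switchport nonegotiate'")
        if native is None or native == 1:
            findings.append("native VLAN left at 1: double-tagged frames from VLAN 1 can hop onto this trunk")
        elif native == vmotion_vlan:
            findings.append("VMotion VLAN is the native VLAN and rides the trunk untagged")
        if allowed is None:
            findings.append("trunk carries every VLAN; prune it with 'switchport trunk allowed vlan'")
    return findings


def audit(config, vmotion_vlan):
    """Audit every interface stanza; returns {name: [findings]}."""
    return {n: audit_interface(n, ls, vmotion_vlan)
            for n, ls in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG, vmotion_vlan=20).items():
        print(("!! " if findings else "OK ") + name)
        for f in findings:
            print("      - " + f)
```

Run against the sample, GigabitEthernet1/0/1 and the unconfigured port are flagged, the hardened uplink and the access port pass, and Vlan20 is reported because its SVI makes the VMotion VLAN routable. The checks only cover the port-level hopping vectors; the access-list and firewall controls in front of the management and VMotion VLANs still have to be reviewed separately.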
