VMware Networking Community
tumumsc
Contributor
Contributor

Experts, Need your input. "Spending lot of money on NSX just to protect the one VLAN that is using for only BACKUP the VM environment?"

Hello All,

I really need a solution to my queries, as I'm new to NSX and network security. Please help me.

We have been using Cisco 1000v/VSG to secure the backup VLAN which is used dedicated for taking backups of VM and Physical Servers.

After VMWare announced discontinuing the third party switches; We have got recommendation from VMware to use NSX to replace VSG and VDS to replace the Cisco 1000v.

My question is, do I really need to spend lot of money just to protect one VLAN which is used for taking backups of VM's?

the best practice to backup VM/Physical servers is  using a dedicated network. But, Is this is correct which we have been following?

Can't we have a protected Backup VLAN using just VDS and without NSX?

Why should I secure a backup network VLAN using a software firewall (Cisco VSG or VMWare NSX)?  Can't we secure the Backup VLAN at Physical Switch Level?

We are taking snapshot backups and that too encrypted; What issues I may face if I don't have a layer of Security using software (NSX)?

Thanks again for your valuable time.

Regards

Ravi

Reply
0 Kudos
3 Replies
sk84
Expert
Expert

What do you want me to answer? I don't know if you want to spend the money on it. NSX has even more advantages.

But if it is only about the backup, I would like to ask the following question:

Why do you need a dedicated VLAN for backups and thus connect all VMs to each other? In this case you don't need firewalls or further VLANs because it's a security nightmare...

Possible solution: Private VLANs. But the physical switches must support it.

Or, another solution could be: Using a backup solution that works at VM level, for example: Veeam. These backup solutions work with the vCenter and connect to the ESXi hosts and datastores directly and do not necessarily require a network connection to the VM (apart from Application Aware backups).

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
Reply
0 Kudos
tumumsc
Contributor
Contributor

Thank You For your time and reply.

Why do you need a dedicated VLAN for backups and thus connect all VMs to each other? In this case you don't need firewalls or further VLANs because it's a security nightmare...

Possible solution: Private VLANs. But the physical switches must support it.

Dedicated VLAN/Physical Network for VM backups and Physical Server backups helps to run backups smoothly and run production with out any bandwidth issues.

Firewall required for security purpose. To make sure no one else trying to login VM Guests using that extra NIC/IP.

Can you give me details about Private VLAN's?

Or, another solution could be: Using a backup solution that works at VM level, for example: Veeam. These backup solutions work with the vCenter and connect to the ESXi hosts and datastores directly and do not necessarily require a network connection to the VM (apart from Application Aware backups).

We are taking snapshot backups using Commvault, But that requires an agent which takes backups on network. Commvault do have other SAN level backup options, but that has some challenges with data store design.

Thanks & Regards

Ravi

Reply
0 Kudos
sk84
Expert
Expert

Firewall required for security purpose. To make sure no one else trying to login VM Guests using that extra NIC/IP.

And what happens if VM A is compromised and the attacker accesses VM B via the backup VLAN? Since it is the same L2 connection, the traffic does not necessarily pass through the firewall.

Can you give me details about Private VLAN's?

Understanding Private VLANs - TechLibrary - Juniper Networks

VMware Knowledge Base

We are taking snapshot backups using Commvault, But that requires an agent which takes backups on network. Commvault do have other SAN level backup options, but that has some challenges with data store design.

There are backup solutions that work at the ESXi and vCenter levels and do not require an agent in the VM or a network connection to the VM.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
Reply
0 Kudos