VMware Cloud Community
icoaus
Contributor

Virtual Switch Port Security

Hi There,

I am looking into ways of blocking traffic between virtual machines that are connected to the same vSwitch.

So for example, all my VMs are connected to a vSwitch and they are all configured on the same subnet, 192.168.200.XX, so I can actually ping / fileshare etc. between the VMs.

I need the machines to NOT be able to talk to each other directly.

Can anyone point me in the right direction on how this can be achieved?

Thanks,

ICO

11 Replies
davidbarclay
Virtuoso

A vSwitch is an unmanaged layer 2 switch. In short, it can't do what you are asking.

However, multiple portgroups on the same vSwitch can have different VLAN IDs, so if your switching infrastructure is configured to support this, your VMs in each port group would then be isolated.

Dave

Texiwill
Leadership

Hello,

If all your VMs cannot talk directly to each other, then you would need one portgroup per VM, which is really a nightmare for management. You could use multiple vSwitches as well. How many VMs are you talking about? If 1 or 2, use portgroups; if it is 20-30, I would consider other options.

Consider this: how would you do this within a physical switch? If it cannot be done there, it cannot be done within a vSwitch.

I am very interested in understanding the quantity of machines and how you handle this outside vSwitches. If you use firewalls, for example, then you can do the same within the virtual environment. However, you may lose vMotion capability depending on how you implement it.

Could you send a diagram of what you are trying to do? You can PM me if you desire.

Best regards,

Edward

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
icoaus
Contributor

Hi Edward,

We are using ESX server in a hosting environment, so this is why the VMs should not be able to communicate, as they are owned and run by separate customers.

Currently in our physical infrastructure, each customer does have a dedicated firewall, so no issue there; however, this is not the case in our virtual environment.

We do actually offer virtualisation through Microsoft Virtual Server, from which we are migrating. The existing configuration for this is 1 firewall for all virtuals, and in the Microsoft product we create a separate network for each customer, so essentially a separate unmanaged switch for each. This cannot be done in ESX as you can only map a physical interface to a single vSwitch.

We are looking at 20-30+ VMs per host, so port groups / VLANing is not an option.

If you still think you need a diagram, let me know, but it's a fairly simple set up, so I don't think it's really necessary.

Regards,

Matt

davidbarclay
Virtuoso

What if each customer had a vSwitch without a pNIC and a firewall/router appliance, then aggregate the firewall appliances back to a central vSwitch with the pNICs?

Dave

jlauro
Expert

davidbarclay's idea should work for you, the only drawback being that you can only support 3 nets (max 4 total, but 1 as uplink to phy) behind each firewall VM. Less of an issue if some customers' VMs could share the same net (i.e. the customer has 3 VMs, and so those 3 can talk to each other directly).

The other option, if the firewall is external, would be to put each VM on a different switch/VLAN so they could then share the same phy, and then have your firewall appliance reassemble them from the VLANs.

icoaus
Contributor

Hi jlauro,

The firewall VM would not work with the number of VMs we are looking at per host.

Having separate vSwitches would solve the problem (wouldn't even need VLANing), but ESX doesn't allow multiple vSwitches to map to a single physical NIC, unless I am missing something?

Regards,

Matt

davidbarclay
Virtuoso

"so port groups / VLANing is not an option."

Are you talking about a technical limitation or management burden?

Up to 512 portgroups are supported, so that shouldn't be a problem. You can have between 20 and 32 NICs (depending on brand), so that shouldn't be a limitation.

Now management: it could be a burden... but automation could help you (API etc.).

Am I missing something?

Dave

icoaus
Contributor

I think the best way to explain what we are trying to do is to show how it would be done in a physical switch environment.

There is a diagram and explanation of what we are trying to do on the following page:

Using the terminology on the page above, we want the firewall on a Primary VLAN and all of the guest VMs to be on one Isolated VLAN. This page also has a nice explanation of why we need the feature.

There is a more primitive way to achieve this goal on a switch that does not have Private VLANs but does have port ACLs.

You would configure a Layer 2 or Layer 3 ACL for each of the guest VMs that permitted them to communicate only with the firewall. The port for the firewall would have no ACL and thus be allowed to communicate with all ports on the VLAN.

There was some suggestion that on a previous implementation of ESX Server the nfshaper filter (for bandwidth shaping) was implemented as a packet filter module, and really, if we had another packet filter module that could implement layer 2 ACLs, that would solve the problem.

In Microsoft Virtual Server, this is addressed by setting up separate virtual networks for each guest (similar to the concept of the vSwitch). These virtual networks are able to share a physical adapter, so that we have isolation of virtual machines.

I hope this highlights the issue a little better for everyone.

Matt

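To make the primary/isolated behaviour Matt describes concrete, here is a small model of private-VLAN forwarding, added as an illustration; it is not VMware or vSwitch code, it models the physical switch in his analogy, and the port names and MAC addresses are constructed for the example.

```python
"""Model of private-VLAN forwarding: one promiscuous (primary) port for the
firewall, isolated ports for customer guests. Constructed example, not ESX
vSwitch code; it models a switch that supports private VLANs."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    mac: str
    role: str  # "promiscuous" (firewall) or "isolated" (customer guest)


@dataclass
class PrivateVlan:
    ports: dict = field(default_factory=dict)

    def add(self, port: Port) -> None:
        if port.role not in ("promiscuous", "isolated"):
            raise ValueError(f"unknown port role {port.role!r}")
        self.ports[port.name] = port

    def may_forward(self, src: Port, dst: Port) -> bool:
        # An isolated port only ever exchanges frames with a promiscuous
        # port; two isolated ports never reach each other, even when their
        # guests sit on the same IP subnet.
        if src is dst:
            return False
        return src.role == "promiscuous" or dst.role == "promiscuous"

    def deliver(self, src_name: str, dst_mac: str) -> set:
        """Return the names of the ports that receive a frame from src_name."""
        src = self.ports[src_name]
        if dst_mac == BROADCAST:
            # A guest's ARP broadcast reaches only the firewall; a broadcast
            # from the firewall still reaches every guest.
            return {p.name for p in self.ports.values()
                    if self.may_forward(src, p)}
        return {p.name for p in self.ports.values()
                if p.mac == dst_mac and self.may_forward(src, p)}


def build_hosting_segment() -> PrivateVlan:
    """Constructed scenario: one firewall plus two guests of different customers."""
    pv = PrivateVlan()
    pv.add(Port("fw", "00:50:56:00:00:01", "promiscuous"))
    pv.add(Port("vm1", "00:50:56:00:00:11", "isolated"))
    pv.add(Port("vm2", "00:50:56:00:00:12", "isolated"))
    return pv
```

Running `build_hosting_segment().deliver("vm1", "00:50:56:00:00:12")` yields an empty set (guest to guest is dropped), while the same frame addressed to the firewall's MAC is delivered to `fw`.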
jlauro
Expert

If you use VLAN tagging, you can tie multiple networks on the same virtual switch to the single physical NIC (or bond). Each tagged VLAN is by definition isolated from the others.

Based on your document, it sounds like you could set up a private VLAN, isolated, for each VM, and then on the switch do a private-VLAN association tying them all together. Never did that before, so I might be reading more into it than I think...

Hmmm... actually it looks like it's possible to add multiple configurations to the same virtual switch... Click properties on the virtual switch, then add, and set up another configuration. I never did that before without VLAN tagging, but it just let me do it. The question is, if you have two VMs, each using a different configuration, whether they are isolated or not...

ThomasNederman
Enthusiast

I am not sure if this would be an option, but how about assigning each of the hosts its own IP range? That way no traffic would be forwarded from the other hosts to that port (you configure subnets within your IP range, 192.168.200.xx/30).

You can also enable the promiscuous mode on a port group for the clients not to be able to listen to the traffic.

On the router level you can then configure who can communicate with whom.

Thomas Nederman

http://www.thomasnederman.com
Texiwill
Leadership

Hello,

Your only option from a virtual environment is to use a vFW between each customer's network. Remembering that each VM can only have up to 4 vNICs.... I suggest using a separate firewall for each customer instead of aggregating on just one or two. It increases management sometimes BUT will help with organization. There are plenty of firewall appliances. I.e.

vSwitch (with pNICs)
  |
  +-- vFW -- vSwitch -- VM1, VM2   (Customer 1)
  |
  +-- vFW -- vSwitch -- VM1, VM2   (Customer 2)

The one drawback to the above, however, is that when a VM is on a private vSwitch (no pNIC attached) vMotion will not work without first disconnecting the vNIC.... The solution is to take a pNIC and associate it with the vSwitch but not have it connected to anything externally. I would put tape over the port on the box if it is not a blade. Or just remember to change the vNIC to disconnected, vMotion, then change it back.

I use a Smoothwall v3 appliance in just this way and it works very well for segregating traffic. One vSwitch for all traffic but firewalled from each other. In addition, the vFW could be a NAT device with the appropriate pre-routing of ports if you desire. Pretty much anything you can do in physical hardware you can do in virtual hardware; it just may appear odd and have some limitations.

The other option is to use external firewalls.

Best regards,

Edward
