Solved: Default Gateway on different VMkernal

viteos · ‎02-15-2013

Hello,

We have one physical server with 2 nic cards and running ESXi 5.1 Enterprise version. Now we need to configure one nic for Internal network (Internal) and one for DMZ zone on firewall (DMZ). The DMZ nic will be connected directly on DMZ interface of Firewall and Internal nic will be connected on internal switch. I have created Standard vSwitch0 with VMkernal for Internal nic with Internal subnet and gateway. Another vSwitch1 is created with VMkernal for DMZ nic with DMZ IP. But the issue is the default gateway is only for internal gateway. I need to know how we can assign separate default gateway for DMZ vSwitch VMkernal.

Please advise.

Thanks

a_p_ · ‎02-15-2013

I think you misunderstand the use of the Management Network (VMKernel port group). The management network is used by the host (ESXi) itself to connect to the network. There's no need for a VMKernel port group on each vSwitch. Just add a new vSwitch with a Virtual Machine port group for the DMZ network, that's it. All the network configuration (IP address, network mask, gateway) has to be configured on the VM's.

André

View solution in original post

vmroyale · ‎02-15-2013

Are you sure you need a VMkernel interface on the DMZ and not just virtual machine networking?

viteos · ‎02-15-2013

Yes we would prefer to have the VMkernal Interface on DMZ.

If this is not possibile then how can we segaregate the DMZ virtual machines from Internal network.

Please advise

vmroyale · ‎02-15-2013

I guess I don't understand what you have in the DMZ that would require a VMkernel interface. If you just want to have a subset of VMs on the DMZ, then you could create a separate vSwitch with one virtual machine networking port group. Assign one pNIC to this vSwitch and cable this to your physical DMZ switch.

viteos · ‎02-15-2013

ok to explain more, my internal network has IP network as 10.50.x.x with gateway as 10.50.x.254. Whereas my DMZ IP network should be 192.168.x.x with gateway as 192.168.x.254.

Now if I create a new vSwitch with DMZ IP network, the gateway for host remains as internal network gateway. So I am not able to communicate with DMZ machines.

a_p_ · ‎02-15-2013

I think you misunderstand the use of the Management Network (VMKernel port group). The management network is used by the host (ESXi) itself to connect to the network. There's no need for a VMKernel port group on each vSwitch. Just add a new vSwitch with a Virtual Machine port group for the DMZ network, that's it. All the network configuration (IP address, network mask, gateway) has to be configured on the VM's.

André

viteos · ‎02-15-2013

Ok thanks a lot. Looks like it is working. I will test more and update if any issue.

viteos · ‎02-15-2013

Another similar query.

I have another Infrastructure where we have Cisco UCS with Cisco Fabric Interconnect. Now all the Blades of UCS are getting connected to Fabric Interconnect for network which intern gets connected to core switch of internal network.

Ther also I need to make a DMZ zone for virtual machine, I need to know how to configure this setup.

a_p_ · ‎02-15-2013

Do you use a dedicated physical physical switch for the DMZ network or is it set up as a VLAN in your network? In case of a VLAN you could - depending on your current setup - just add another VM port group with the appropriate VLAN-ID configured.

André

viteos · ‎02-15-2013

Currently all the DMZ machine are connected on separately physical switch and we need to continue the same setup.

a_p_ · ‎02-15-2013

With the requirement for a dedicated physical switch you also need to setup a separate virtual switch with an uplink to the physical switch. If this is not possible with the UCS system you need to rethink either your networking concepts or find a workaround (e.g. a dedicated ESXi host for DMZ VMs)!?

André