ESXi

  • 1.  ESXi in DMZ ... but want to manage on LAN

    Posted Oct 06, 2010 11:04 PM

    I have read a few threads on this, but here goes:

    I have a standalone ESXi 4 host in a DMZ network. I have a vCenter server and ESXi 4 hosts in a LAN network. There is a Cisco firewall separating the two.

    The reason for the ESXi in the DMZ was to host a few production VMs that are accessed externally. This host has a management network also in the DMZ. So all access via vSphere Client is via its DMZ IP address.

    I want to add this host into our existing vCenter structure ... for logging of performance data, ease of manageability and to allow our LAN-hosted Vmware Data Recovery VM to take backups of the DMZ VMs.

    I thought about opening ports, etc ... but that seems a pain. What I would rather do is:

    - create a new vSwitch with a VMkernel port/Management network directly connected to the LAN (there is a spare network interface for this) and give it a LAN IP address.

    - delete the existing VMkernel and management ports from the DMZ-facing vSwitch, but retain the existing VM Network, to allow DMZ VMs to not lose access to the DMZ network. These are production systems.

    I need to do this without any downtime for the DMZ VMs... is this scenario viable?

    In the end, I would have:

    vSwitch0 (in the DMZ), with its VM Network port group.

    vSwitch1 (in the LAN), with a VMkernel Port and Management Network.

    vCenter, vDR would access this host with its LAN IP address via vSwitch1, hence no issues should arise with adding the host, managing it, migrating VMs, backing up VMs with vDR (as that is all done via the management network, right??)

    Also, I have a LAN datacenter defined in vCenter. Wondering if I should add the new host to it or create a separate DMZ one. Would that impact VM Template deployment (from LAN host to DMZ host), backups, etc.?

    There is no dedicated network security team here, so I need to use my own judgement, but I do want to have a structure that is easy to setup and maintain (and add on to).

    Thanks.



  • 2.  RE: ESXi in DMZ ... but want to manage on LAN
    Best Answer

    Posted Oct 06, 2010 11:24 PM

    > - create a new vSwitch with a VMkernel port/Management network directly connected to the LAN (there is a spare network interface for this) and give it a LAN IP address.

    > - delete the existing VMkernel and management ports from the DMZ-facing vSwitch, but retain the existing VM Network, to allow DMZ VMs to not lose access to the DMZ network. These are production systems.

    This is exactly what you want to do and you could make the change without impacting your virtual machines. In the current configuration your virtual machines could be used to attack the management port of ESXi. After the change ESXi should have no vmkernel IP in the DMZ and thus a compromised VM couldn't launch a network attack against it.

    Where is the storage located that you'll use for vDR? If you're backing up to LAN then you would have the appliance running on the DMZ host and you would have to create a VM port group to allow it to have LAN access.






    Dave

    VMware Communities User Moderator

    Now available - vSphere Quick Start Guide

    Do you have a system or PCI card working with VMDirectPath? Submit your specs to the Unofficial VMDirectPath HCL.



  • 3.  RE: ESXi in DMZ ... but want to manage on LAN

    Posted Oct 07, 2010 12:12 AM

    Hi,

    Thanks for the input. The vDR appliance is in the LAN, with storage on a LAN datastore and a LAN-host-accessible SAN LUN. So it wouldn't work if the vDR appliance and its storage were on the LAN, but backing up DMZ VMs? I could create a new vDR in the DMZ, but there is not much free datastore space on the host. I have a SAN that could be used to host the storage, but this would require a dedicated vSwitch into the SAN network, and I will be out of vmnics on the host once I create the new vSwitch for the LAN.



  • 4.  RE: ESXi in DMZ ... but want to manage on LAN

    Posted Oct 07, 2010 06:54 AM

    Hi All,

    This is what I implement in my DMZ ESXi environment. My server has 2 pNICs, therefore I assign each uplink as:

    vSwitch0 - Management Network

    Uplinks: Internal LAN switch

    This vSwitch is connected to the internal LAN, therefore I can perform backups and connect directly to this free ESXi using my vSphere Client, and no VM is currently using this vSwitch.

    vSwitch1 - DMZ Network

    Uplinks: connects directly to the CISCO router (with different IP subnet)

    This is where all of the VMs connect to, so any DMZ traffic communicates directly with/through this vSwitch; therefore it is a simple and straightforward setup without the need for a vShield appliance.

    Hope this helps.



  • 5.  RE: ESXi in DMZ ... but want to manage on LAN

    Posted Oct 07, 2010 08:10 PM

    So, adding a new vSwitch with VMKernel and management network in the LAN is the ideal solution ... it increases security and allows for vCenter management without messy firewall rules. I need advice on the steps to take to get this done without VM disruption. Would this work:

    - Add 2nd vSwitch, choose VMkernel as the connection type, assign the spare NIC to it. Select "use this port group for VMotion, Fault Tolerance Logging and Management Traffic". (I don't use VMotion or FT at all, and likely never will for this host). I guess I could de-select those options instead??

    - Give the new NIC some static IP settings on the LAN network. I guess I would need to change the VMkernel default gateway to the LAN's default gw?

    My big question is .... after I create the new management network, will that mean the ESXi host now has 2 management networks, and could simultaneously be accessed from either one? If so, I could access it from its LAN management IP and then remove the DMZ management network?

    I wish I had an extra ESXi host to test with, I would probably have a lot fewer questions!
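    The two-step change asked about above (add the LAN VMkernel port first, confirm it answers, then drop the DMZ one), written as a PowerCLI script. This is an added example, not code from the thread; the uplink name vmnic1, the port group names, and every IP address are placeholders.

```powershell
# Added example (not from the thread). Assumptions: the host is still reachable
# on its DMZ management IP, the spare uplink is vmnic1, and the new LAN address
# is 10.0.0.50/24 with gateway 10.0.0.1 (all placeholder values).
# Connect to the host directly, not through vCenter, since it is not yet added.
Connect-VIServer -Server 192.0.2.10          # current DMZ management IP (placeholder)
$vmhost = Get-VMHost

# 1. New vSwitch on the spare NIC with a management-only VMkernel port.
#    vMotion/FT stay disabled, matching the poster's situation.
$vs1 = New-VirtualSwitch -VMHost $vmhost -Name vSwitch1 -Nic vmnic1
New-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vs1 `
    -PortGroup 'Management Network LAN' -IP 10.0.0.50 -SubnetMask 255.255.255.0 `
    -ManagementTrafficEnabled $true | Out-Null

# 2. Move the VMkernel default gateway to the LAN gateway.
Get-VMHostNetwork -VMHost $vmhost | Set-VMHostNetwork -VMKernelGateway 10.0.0.1 | Out-Null

# 3. Both management interfaces now exist side by side. Do not touch the DMZ
#    one until the LAN one is proven reachable; otherwise management is lost.
if (-not (Test-Connection -ComputerName 10.0.0.50 -Count 2 -Quiet)) {
    throw 'LAN management interface not reachable; DMZ management left in place'
}

# 4. Reconnect over the LAN address, then remove the DMZ VMkernel port and its
#    port group. vSwitch0 and its 'VM Network' port group are not modified,
#    so the DMZ VMs keep their network the whole time.
Disconnect-VIServer -Confirm:$false
Connect-VIServer -Server 10.0.0.50
$vmhost = Get-VMHost
Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel |
    Where-Object { $_.PortGroupName -eq 'Management Network' } |
    Remove-VMHostNetworkAdapter -Confirm:$false
Get-VirtualPortGroup -VMHost $vmhost -Name 'Management Network' |
    Remove-VirtualPortGroup -Confirm:$false

# 5. Final check: no VMkernel interface may remain on the DMZ-facing vSwitch0,
#    which is the security property the accepted answer describes.
$left = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel | Where-Object {
    (Get-VirtualPortGroup -VMHost $vmhost -Name $_.PortGroupName).VirtualSwitchName -eq 'vSwitch0'
}
if ($left) { throw "VMkernel port(s) still on vSwitch0: $($left.Name -join ', ')" }
Write-Host 'DMZ host now managed only via vSwitch1 on the LAN'
```

    Run it from a LAN workstation that can reach both subnets, or the reachability test in step 3 will fail for reasons unrelated to the host.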



  • 6.  RE: ESXi in DMZ ... but want to manage on LAN

    Posted Oct 07, 2010 08:59 PM

    I will address your testing issue. Use VMware Workstation and create virtual ESX(i) servers (a supported VM OS). You can add virtual routers and to some degree recreate your environment. Your workstation machine will need at least 4GB RAM (8 is better) but it sure makes it easy to test.



  • 7.  RE: ESXi in DMZ ... but want to manage on LAN

    Posted Oct 08, 2010 06:18 PM

    Thanks for the replies so far.

    So can anyone answer whether it's OK to add a new vSwitch with a new management network (having 2 management networks) and simply remove the DMZ management network, keeping the LAN one? I would hate to fubar things up and lose management access.



  • 8.  RE: ESXi in DMZ ... but want to manage on LAN

    Posted Oct 09, 2010 08:04 AM

    It's no problem to do. You can even leave the old one around for a bit until you're comfortable with the change.




    Dave

    VMware Communities User Moderator




  • 9.  RE: ESXi in DMZ ... but want to manage on LAN

    Posted Nov 02, 2010 08:26 PM

    Thanks, I created the new vSwitch in the LAN and moved the management network over to it. Worked great, no downtime for any DMZ VMs.

    And btw, the vDR appliance on the LAN backs up the DMZ VMs without any issues or reconfiguration required. A nice bonus!