VMware Cloud Community
joeflint (Enthusiast)

Service Console - Isolated or Routable?

Hi,

I need to build a VMware farm. To this end I understand that the VMotion network is local and does not need to be routed. However, does the service console network need to be routable for VMs to communicate to the outside world?

I'm not sure whether the service console network is local or opened up to communicate to the outside world.

Cheers

Accepted solution
Chamon (Commander)
Yes, if it needs to connect to an NTP time source outside of its local network then it will need to have the DFG. HA also pings the DFG to determine if it is isolated from the network in the event it cannot reach the other hosts. But as stated before, you need to protect this network and access to the SC from public networks. You can use your firewall to only allow your NTP out from the hosts. You may need other ports allowed as well, but that depends on your configuration.

The VMotion traffic is not encrypted, so this certainly needs to be isolated.

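A worked model of the service console (SC) network policy the accepted answer describes, added here as an example and not taken from the thread: the SC subnet gets a default gateway, only NTP to an internal time source and the HA isolation ping to the DFG leave it, management access is limited to an admin subnet, nothing from public addresses reaches the SC, and the unencrypted VMotion segment is never routed. All subnets, addresses and port numbers are constructed assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumptions, not from the thread).
SC_NET = ipaddress.ip_network("10.10.1.0/24")       # service console / management VLAN
VMOTION_NET = ipaddress.ip_network("10.10.2.0/24")  # isolated VMotion VLAN, never routed
ADMIN_NET = ipaddress.ip_network("10.20.0.0/24")    # management workstations
NTP_SERVER = ipaddress.ip_address("10.30.0.5")      # internal NTP source (e.g. the PDC)
SC_GATEWAY = ipaddress.ip_address("10.10.1.1")      # the DFG that HA pings for isolation detection
MGMT_PORTS = (22, 443, 902)                         # SSH, vSphere client, host agent


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp", "tcp" or "icmp"
    dport: int = 0  # ignored for icmp


def sc_policy(flow: Flow) -> str:
    """Decide 'allow' or 'deny' for one flow crossing the SC network's router/firewall."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # VMotion is unencrypted: nothing enters or leaves that segment through the router.
    if src in VMOTION_NET or dst in VMOTION_NET:
        return "deny"
    # Hosts may only sync time with the internal NTP server, via the DFG.
    if src in SC_NET and dst == NTP_SERVER and flow.proto == "udp" and flow.dport == 123:
        return "allow"
    # HA isolation check: ICMP echo from a host to its default gateway.
    if src in SC_NET and dst == SC_GATEWAY and flow.proto == "icmp":
        return "allow"
    # Management access only from the admin subnet, only on management ports.
    if src in ADMIN_NET and dst in SC_NET and flow.proto == "tcp" and flow.dport in MGMT_PORTS:
        return "allow"
    # Everything else, including anything from public addresses and direct internet NTP, is denied.
    return "deny"


def denied_flows(flows):
    """Return the subset of flows the policy rejects, for reviewing a proposed rule set."""
    return [f for f in flows if sc_policy(f) == "deny"]
```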
5 Replies
jamesbowling (VMware Employee)

It needs to be accessible to your local network but isolated from VM network traffic. It should be treated as a management network since that is what it mainly is.

If you found this at all helpful please award points by using the correct or helpful buttons! Thanks!

James B. | Blog: http://www.vSential.com | Twitter: @vSential --- If you found this helpful then please awards helpful or correct points accordingly. Thanks!
thakala (Hot Shot)

No, service console access is not used for VM network traffic at all, it is only for ESX management, and HA heartbeats between ESX hosts.

It depends on your management network design whether you need to route service console traffic; for example, if you wish to isolate ESX service consoles with a routing firewall then you need to route SC traffic.

Never expose ESX service console to public networks.

Tomi
http://v-reality.info

joeflint (Enthusiast)

The VMs will be on a separate vSwitch and connected to another VLAN. However, with regard to the SC VLAN, it can be assigned a gateway IP and hence be routed. I understand that locally it serves the function of HA heartbeats and management, but will it require routing, for example, to connect to an NTP time source, e.g. a PDC on the network?

sysxperts (Enthusiast)

And, I would highly recommend setting up your own local NTP servers which would be the only ones going out to the internet for time sync, and having internal systems use the internal NTP servers.

Paul Valentino - VCP, EMCCA - @sysxperts @vcommunitytrust - Help the vCommunity one certification at a time! http://www.vcommunitytrust.org/ http://igg.me/p/212476?a=1091980