Hi,
I need to build a VMware farm. To this end I understand that the VMotion network is local and does not need to be routed. However, does the service console network need to be routable for VMs to communicate to the outside world?
I'm not sure whether the service console network is local or opened up to communicate to the outside world.
Cheers
It needs to be accessible to your local network but isolated from VM network traffic. It should be treated as a management network since that is what it mainly is.
No, service console access is not used for VM network traffic at all, it is only for ESX management, and HA heartbeats between ESX hosts.
It depends on your management network design whether you need to route service console traffic; for example, if you wish to isolate ESX service consoles with a routing firewall, then you need to route SC traffic.
Never expose ESX service console to public networks.
Tomi
The VMs will be on a separate vswitch and connected to another VLAN. However, regarding the SC VLAN, it can be assigned a gateway IP and hence routed. I understand that locally it serves the function of HA heartbeats and management, but will it require routing, for example, to connect to an NTP time source, e.g. a PDC on the network?
Yes, if it needs to connect to an NTP time source outside of its local network then it will need to have the DFG. HA also pings the DFG to determine if it is isolated from the network in the event it cannot reach the other hosts. But as stated before, you need to protect this network and access to the SC from public networks. You can use your firewall to only allow your NTP out from the hosts. You may need other ports allowed as well, but that depends on your configuration.
The VMotion traffic is not encrypted, so this certainly needs to be isolated.
And, I would highly recommend setting up your own local NTP servers which would be the only ones going out to the internet for time sync, and having internal systems use the internal NTP servers.