VMware Cloud Community
chicagovm
Enthusiast

Networking Dilemma - SC VLAN??

I just started at this company and the networking is not that great.

Server subnet / vlan3 - 10.16.3.x ( prod)

Server subnet 2 / vlan5 - 10.16.5.x ( dev)

OOB ( out of band - iLO) subnet / vlan 6 -10.16.6.x

Vmotion - subnet / vlan 8 - 10.16.8.x

So which subnet would I put my SC for new esx servers on ?? ( In other words the IP for the servers? )

According to the networking team all servers are IP'd with 10.16.3.x ( as these would be prod) ; but I believe SC should not be on the same subnet as VM traffic..???

Any ideas - Or is it OK to place the SC - IP on the OOB network??

Or create a new vlan/subnet??

Any links to best practices or thoughts would be very welcome and appreciated!!

Cheers for helping.

-- Go Chicago Fire!

gary1012

Looks like you could share the management network for your SC. Tell them that the SC is only a management interface so it fits nicely into their pre-defined VLANs. Security best practice #1 is to isolate your SC on a segment away from the VMs. Perhaps this might help: http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf, page 5.

Community Supported, Community Rewarded - Please consider marking questions answered and awarding points to the correct post. It helps us all.
chicagovm

Almost answered..

So what are you stating??

I could use the OOB network for my SC - ip ??

Thanks for the link.. trying to reach it now

JaySMX

You can use either network, really. I believe what the previous person meant was that best practice is to use a segregated management network for your COS IPs and that you can sell that to your networking team by explaining that those IPs are technically for management only.

-Justin
gary1012

Yup, use your OOB network. My company uses a strategy similar to this for iLOs and SCs. We use a jump in point to access those devices. Some folks will set up a FW or switch ACLs and VPN in. Depends on how hard your network and InfoSec guys like to make your life.

Do you have VirtualCenter? If so, have you considered the placement requirements between the hosts and VC?

chicagovm

Placement requirements???

JaySMX

The VC server needs access to the COS IPs of the ESX hosts it is managing. The hosts and VC will all also need to be able to resolve each other by name for features like HA to work. If you use the VC client on your workstation to connect to the VC server, your workstation will also need to be able to resolve and connect to the ESX hosts for the remote console to work.

Best practice is to separate all that traffic, but that's not always simple when it comes to management. It's the old security/usability trade-off.

-Justin
gary1012

If you have VC, will you put it in your PRD or OOB network or will you dual home the host to both? If your OOB net is truly out of band, then you'll need to be able to get the hosts to communicate with VC by some means either logical or physical.

chicagovm

Ahhh... placement!

The VC will be in our PRD network.

Texiwill

Hello,

I would seriously consider placing VC on the OOB network. Mainly because this also should be firewalled from the rest of the network and it is really just a pretty management appliance. However, if you must place VC on the PRD network then your PRD must be able to talk in some fashion to the OOB network to route items to the proper host.... ports 902, 80, 443, 905 for starters. There are also several others. Your VC server can act as a proxy for remote console activity but I never really got that to work very well. There is quite a bit to consider about the placement of VC.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
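An added example, not code from anyone in this thread: a small policy check that models the VLANs the original poster listed, puts the service consoles on the OOB segment as recommended, and verifies that VC on the PRD network can still reach the hosts on the ports Texiwill names while an ordinary prod VM cannot. The VC, workstation and host addresses are constructed placeholders.

```python
# Added example: reachability check for the SC-on-OOB design discussed above.
# Subnets are the ones listed in the thread; VC, workstation and SC/VM
# addresses are constructed for illustration.
from ipaddress import ip_address, ip_network

SEGMENTS = {
    "prod":    ip_network("10.16.3.0/24"),   # vlan3: VM traffic, VC lives here
    "dev":     ip_network("10.16.5.0/24"),   # vlan5
    "oob":     ip_network("10.16.6.0/24"),   # vlan6: iLO plus ESX service consoles
    "vmotion": ip_network("10.16.8.0/24"),   # vlan8
}

# Ports Texiwill lists "for starters" between VC and the ESX hosts.
VC_TO_HOST_PORTS = {80, 443, 902, 905}

VC_SERVER = ip_address("10.16.3.10")          # constructed
ADMIN_WORKSTATION = ip_address("10.16.3.50")  # constructed (VI client)

# Allow-list into the OOB segment: (source address, permitted TCP ports).
# Anything bound for OOB that matches no entry is dropped.
RULES_INTO_OOB = [
    (VC_SERVER, VC_TO_HOST_PORTS),           # VC must manage the hosts
    (ADMIN_WORKSTATION, {443, 902}),         # remote console from the VI client
]

def segment_of(addr):
    """Name of the segment containing addr, or None if it is outside all of them."""
    addr = ip_address(addr)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def is_allowed(src, dst, port):
    """True if TCP src -> dst:port passes the modelled policy."""
    src = ip_address(src)
    if segment_of(dst) != "oob":
        return True    # only the management segment is fenced in this model
    return any(src == allowed_src and port in ports
               for allowed_src, ports in RULES_INTO_OOB)

def check_required_flows(sc_addresses, sample_vm="10.16.3.77"):
    """VC must reach every SC on its ports; a prod VM must reach none of them."""
    problems = []
    for sc in sc_addresses:
        for port in sorted(VC_TO_HOST_PORTS):
            if not is_allowed(VC_SERVER, sc, port):
                problems.append(f"VC cannot reach {sc}:{port}")
        if any(is_allowed(sample_vm, sc, p) for p in (22, 80, 443, 902)):
            problems.append(f"prod VM {sample_vm} can reach SC {sc}")
    return problems
```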