Solved: Re: Service Console planning

jboldt1973 · ‎11-13-2007

All,

I am getting ready to setup my VI3 environment. I have never done this, I took a class about 4 months ago so some of my knowledge has gone away. My question is regarding the service console and the Virtual Center server. Should I have that in a separate VLAN from the normal net?

In other words I have 2 VM Hosts and a desktop system as my VC Server. My SQL db is on another server on my regular net. Should I dual home the VC server connect on VLan to a NIC on each host and the VC server then connect the other NIC on the VC server to the normal net? I will also have 3 NICs on each host that will connect to the normal net? Am I over planning this? Should I just put the Service console ports and the VC server on the normal network?

jonathanp · ‎11-13-2007

If you have just few users it is not a big deal...

This is just to restrain access to VI client / putty etc.. to ESX server...

We have several customer that use to have it on open networks... and put their VM in a VLan..

Decision is yours

Regards

Jon

View solution in original post

jonathanp · ‎11-13-2007

You could have SC and Virtual Center on a Vlan and you production network for VMs on another VLan...

But the SC and Virtual center must be able to communicate together...

Regards

Jon

It is your choice if you want to have it on the same vlan or not.. since SC, VC and SQL are able to communicate...

virtualdud3 · ‎11-13-2007

Since the ESX host, VirtualCenter server, and SQL database all need to communicate, ideally (from a security standpoint) you would want the three of these in a dedicated VLAN (or even a dedicated physical network).

Here is a link that discusses this in greater detail:

http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf

###############

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

############### Under no circumstances are you to award me any points. Thanks!!!

jboldt1973 · ‎11-13-2007

but it would not hurt to have them all on the production net?

virtualdud3 · ‎11-13-2007

I'm not sure what you mean by "hurt".

It likely will not degrade performance, etc. The issue is that you really want to minimize the level of access to the ESX hosts/VirtualCenter. If the Service Console/VirtualCenter are all on their own network (or at least their own VLAN) you greatly reduce the attack surface. While not an absolute "requirement", it is certainly a good idea.

###############

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

############### Under no circumstances are you to award me any points. Thanks!!!

jonathanp · ‎11-13-2007

If you have just few users it is not a big deal...

This is just to restrain access to VI client / putty etc.. to ESX server...

We have several customer that use to have it on open networks... and put their VM in a VLan..

Decision is yours

Regards

Jon

jboldt1973 · ‎11-13-2007

Thanks a lot, security is not my main issue so I think I will keep it open, You guys have been a big help.....