VMware Cloud Community
janskey
Contributor

network segment isolation

Hi Guys,

I need your help and ideas. I'm planning the network infrastructure for our network. Currently we have 3 network segments, and each segment has 2 servers (clustered: active/passive). My plan is to consolidate all servers into one pool of VMs. Now my question is: is it possible to isolate servers per segment? How about security?

Accepted Solution
azn2kew
Champion

If you haven't read Ken's networking articles, it's best to start from here http://kensvirtualreality.wordpress.com/2009/03/29/the-great-vswitch-debate-part-1/ and design the way you want, but for logistics with segmentation, it would be best to create trunking with VLANs, and it's great you have multiple switches for redundancy. I would spend time understanding this guide and you'll be a rockstar on network designs here.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

VMware vExpert 2009

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

6 Replies
r_lam
Enthusiast

Create 3 VLANs on your switch; on the ESX hosts, create a Virtual Machine port group for every VLAN.

Put each VM in its VLAN and you're done.

janskey
Contributor

Hi lam,

Thanks. By the way, we are separating it by individual switches. My other question is: if segment A is compromised, is it isolated to only that segment?

r_lam
Enthusiast

Create 3 vSwitches with one or more uplinks to the physical switch.

Well, if the VMs are on different networks, they are isolated from each other.

mnasir
Enthusiast

Janskey,

Almost everything you do on your physical network can be done on your virtual network. There are two ways you can achieve network segmentation:

1. The smart way - I call this the smart way because it uses VLAN technology to segregate multiple networks. As you already know, a network can be segmented using VLANs. It is much easier to separate different networks using VLANs on a layer 3 switch. So, if your physical network is segmented using VLANs (if you are not sure, you should be able to ask your network engineer), you can just trunk all the VLANs to your uplink port and create different port groups on your virtual switch, with the proper VLAN number tagged on each virtual port group.

- Please see attached image: vSwicth_VLAN_Truncking.jpg.

2. The not-so-smart way - The old-school way to segment the network is to have different physical switches. I don't know anyone who uses this method in an enterprise environment. If your network is segmented using different physical switches, then you will need to create three different virtual switches; each virtual switch needs to have a physical uplink to its own physical switch.

Please award points if you find this post helpful. -- Thanks.

Texiwill
Leadership

Hello,

Segmentation is a little different than true isolation. After you have read Ken's post, you will want to give some thought to why things are segmented, or whether they are isolated. Segmentation of your network uses VLANs. Isolation of your network uses separate switches, etc. It is important to understand which was implemented and just do the same thing within the virtual network.

If you are using VMware vSphere with the virtual distributed switch, you can further segment and isolate by creating Private VLANs between portgroups on all your ESX hosts. This employs dvFilter to limit who can access what, a port security mechanism. You can also use something like VMsafe-net to implement a zone-to-zone firewall; Altor and Reflex have such a firewall. You can also use vShield Zones, but it does things a little differently.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
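The two replies above (mnasir's "trunked VLANs versus separate vSwitches" and Texiwill's "segmented versus isolated") can be turned into a concrete check on a host's configuration. The script below is an added example, not code from any poster or from VMware: it parses a listing laid out like `esxcfg-vswitch -l` on classic ESX (the sample listing is constructed, not captured from a real host), then reports for every pair of VM port groups whether they are isolated (different vSwitch, no uplink in common), segmented (same vSwitch, kept apart only by VLAN tags) or shared (same broadcast domain). It also flags two settings that quietly weaken VLAN segmentation: an untagged (VLAN 0) port group on a vSwitch that also carries tagged groups, and a VLAN 4095 port group, which passes every VLAN on the trunk through to the guest. The port-group names and the `NON_VM_PORTGROUPS` set are assumptions for the example.

```python
"""Classify how VM port groups on a classic ESX host relate to one another,
following the segmentation-vs-isolation distinction made in the thread:
isolated  = different vSwitch with no uplink in common (as seen from the host)
segmented = same vSwitch or shared uplink, kept apart only by VLAN tags
shared    = same broadcast domain (same VLAN ID, or a VLAN 4095 group)
Added example; the listing below is constructed in the layout of
`esxcfg-vswitch -l` and was not captured from a real host."""
import re
from itertools import combinations
from typing import Dict, FrozenSet, List, NamedTuple, Tuple


class PortGroup(NamedTuple):
    vswitch: str
    vlan: int
    uplinks: FrozenSet[str]


# Hypothetical: names of the host's own port groups, which are not VM segments.
NON_VM_PORTGROUPS = {"Service Console", "VMkernel"}
# On ESX, VLAN ID 4095 on a port group hands every tagged frame on the trunk to
# the guest (virtual guest tagging), so it is never a segment of its own.
VGT_VLAN = 4095

# Constructed sample listing (not real host output).
SAMPLE_LISTING = """\
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         128         7           128               1500    vmnic0,vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Service Console       0        1           vmnic0,vmnic1
  SegmentA              10       2           vmnic0,vmnic1
  SegmentB              20       2           vmnic0,vmnic1
  Legacy                0        2           vmnic0,vmnic1

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1         64          3           64                1500    vmnic2

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  SegmentC              0        2           vmnic2
  AllVlans              4095     1           vmnic2
"""

# Port group row: name (may contain spaces), VLAN ID, used ports, optional uplinks.
PG_RE = re.compile(r"^\s+(.+?)\s+(\d+)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_listing(text: str) -> Dict[str, PortGroup]:
    """Map each port group name to its vSwitch, VLAN ID and uplink set."""
    groups: Dict[str, PortGroup] = {}
    current, switch_uplinks = None, frozenset()
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Switch Name", "PortGroup Name")):
            continue
        if not line.startswith(" "):  # vSwitch row: name is first field, uplinks last
            fields = line.split()
            current = fields[0]
            switch_uplinks = frozenset(fields[5].split(",")) if len(fields) > 5 else frozenset()
            continue
        m = PG_RE.match(line)
        if m and current:
            uplinks = frozenset(m.group(4).split(",")) if m.group(4) else switch_uplinks
            groups[m.group(1)] = PortGroup(current, int(m.group(2)), uplinks)
    return groups


def classify(a: PortGroup, b: PortGroup) -> str:
    """Relationship between two VM port groups, judged from the host side only;
    the physical switch can still join "isolated" groups if both uplinks land on
    the same VLAN there, so check that side separately."""
    if a.vswitch != b.vswitch and not (a.uplinks & b.uplinks):
        return "isolated"
    if VGT_VLAN in (a.vlan, b.vlan) or a.vlan == b.vlan:
        return "shared"
    return "segmented"


def segment_matrix(groups: Dict[str, PortGroup]) -> Dict[Tuple[str, str], str]:
    """Classify every pair of VM port groups (host-internal port groups excluded)."""
    vm = {n: g for n, g in groups.items() if n not in NON_VM_PORTGROUPS}
    return {(x, y): classify(vm[x], vm[y]) for x, y in combinations(sorted(vm), 2)}


def warnings(groups: Dict[str, PortGroup]) -> List[str]:
    """Settings that silently weaken VLAN-based segmentation."""
    tagged_switches = {g.vswitch for g in groups.values() if 0 < g.vlan < VGT_VLAN}
    out = []
    for name, g in groups.items():
        if g.vlan == VGT_VLAN:
            out.append(f"{name}: VLAN 4095 passes every VLAN on the trunk to the guest")
        elif g.vlan == 0 and g.vswitch in tagged_switches:
            out.append(f"{name}: untagged on a vSwitch that carries tagged groups; "
                       "it rides the physical switch's native VLAN")
    return sorted(out)


if __name__ == "__main__":
    topo = parse_listing(SAMPLE_LISTING)
    for (x, y), rel in segment_matrix(topo).items():
        print(f"{x:10} {y:10} {rel}")
    for w in warnings(topo):
        print("WARNING:", w)
```

Run against the sample, SegmentA and SegmentB come out "segmented" (one trunked vSwitch, different tags), SegmentA and SegmentC "isolated" (separate vSwitch and uplink), and anything sharing vSwitch1 with the 4095 group "shared". The "isolated" verdict only covers the host; whether two uplinks really land on separate networks is decided by the physical switch configuration, which is exactly the "which was implemented" question Texiwill raises.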