Hi Guys,
I need your help and ideas. I'm planning a network infrastructure for our network. Currently we have 3 network segments, and each segment has 2 servers (clustered: active/passive). My plan is to consolidate all servers into one pool of VMs. Now my question is: is it possible to isolate servers per segment? How about security?
If you haven't read Ken's networking articles, it's best to start from here http://kensvirtualreality.wordpress.com/2009/03/29/the-great-vswitch-debate-part-1/ and design the way you want, but for logistics with segmentation, it would be best to create trunking with VLANs, and it's great you have multiple switches for redundancy. I would spend time understanding this guide and you'll be a rockstar on network design here.
If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Regards,
Stefan Nguyen
VMware vExpert 2009
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
Create 3 VLANs on your switch; on the ESX hosts, create a Virtual Machine port group for every VLAN.
Put each VM in its VLAN and you're done.
Hi lam,
Thanks. By the way, we are separating it by individual switches. My other question is: what if one of the segments (segment A) is compromised? Is it isolated to only that segment?
Create 3 vSwitches with one or more uplinks to the physical switch.
Well, if the VMs are on different networks, they are isolated from each other.
Janskey,
Almost everything you do on your physical network can be done on your virtual network. There are two ways you can achieve network segmentation:
1. The smart way - I call this the smart way because it uses VLAN technology to segregate multiple networks. As you already know, a network can be segmented using VLANs. It is much easier to separate different networks using VLANs on a layer 3 switch. So, if your physical network is segmented using VLANs (if you are not sure, you should be able to ask your network engineer), you can just trunk all the VLANs to your uplink port and create a different port group on your virtual switch for each, with the proper VLAN number tagged on the virtual port group.
- Please see attached image: vSwicth_VLAN_Truncking.jpg.
2. Not so smart way - The old-school way to segment the network is to have different physical switches. I don't know anyone who uses this method in an enterprise environment. If your network is segmented using different physical switches, then you will need to create three different virtual switches, each of which needs to have a physical uplink to its own physical switch.
Please award points if you find this post helpful. -- Thanks.
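As an added example (not posted by anyone in this thread, and not VMware's own tooling beyond the esxcfg-vswitch command it calls), the script below emits the ESX classic service-console commands for both designs described in the post above: one trunked vSwitch with a VLAN-tagged port group per segment, and one vSwitch with a dedicated uplink per segment. Before building either layout it checks that the plan actually segments anything: VLAN ID 0 leaves the port group untagged (traffic lands on the trunk's native VLAN), VLAN ID 4095 is VGT mode (the guest receives every tagged VLAN on the trunk), a VLAN ID shared by two segments is one broadcast domain, and a vmnic shared by two "isolated" vSwitches is no isolation at all. The segment names, VLAN IDs and vmnic numbers are assumptions for illustration. It prints the commands by default and only executes them when APPLY=1 is set on a real host.

```shell
#!/bin/sh
# Added example, not from the thread: emit the ESX (classic, service console)
# esxcfg-vswitch commands for the two designs above and refuse plans that
# would not actually keep the segments apart. Dry run unless APPLY=1.
# Assumed (not from the posts): segment names, VLAN IDs and vmnic numbers.

SEGMENTS="SegmentA:10 SegmentB:20 SegmentC:30"   # name:vlan, constructed sample plan

# Print the command, or execute it on a real ESX host when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Sanity-check a "name:vlan ..." plan before touching the vSwitch:
#   VLAN 0    = untagged port group, so the VM lands on the trunk's native VLAN
#   VLAN 4095 = VGT mode, the guest receives every tagged VLAN on the trunk
#   a VLAN ID shared by two segments is one broadcast domain, not two segments
check_plan() {
    seen=""
    for entry in $1; do
        case "$entry" in *:*) ;; *) echo "bad entry '$entry' (want name:vlan)" >&2; return 1 ;; esac
        name="${entry%%:*}"; vlan="${entry#*:}"
        case "$vlan" in
            0|4095) echo "refusing VLAN $vlan for $name: it does not segment" >&2; return 1 ;;
        esac
        case " $seen " in
            *" $vlan "*) echo "VLAN $vlan assigned to more than one segment" >&2; return 1 ;;
        esac
        seen="$seen $vlan"
    done
    return 0
}

# Design 1 ("the smart way"): one vSwitch whose uplinks carry an 802.1Q trunk,
# one port group per segment tagged with that segment's VLAN ID (VST mode).
# $1 = vSwitch name, remaining args = uplink vmnics on the trunk.
build_trunked() {
    vsw="$1"; shift
    check_plan "$SEGMENTS" || return 1
    run esxcfg-vswitch -a "$vsw"
    for nic in "$@"; do run esxcfg-vswitch -L "$nic" "$vsw"; done
    for entry in $SEGMENTS; do
        pg="${entry%%:*}"; vlan="${entry#*:}"
        run esxcfg-vswitch -A "$pg" "$vsw"
        run esxcfg-vswitch -v "$vlan" -p "$pg" "$vsw"
    done
}

# Design 2 ("not so smart way"): one vSwitch per segment, each with its own
# dedicated uplink into that segment's physical switch and no VLAN tag on the
# port group. The isolation is only as good as the uplinks being distinct,
# so a vmnic that appears twice is rejected.
# Args = one uplink per segment, in SEGMENTS order.
build_isolated() {
    used=""
    for entry in $SEGMENTS; do
        pg="${entry%%:*}"
        [ $# -gt 0 ] || { echo "need one dedicated uplink per segment" >&2; return 1; }
        nic="$1"; shift
        case " $used " in
            *" $nic "*) echo "uplink $nic shared between segments" >&2; return 1 ;;
        esac
        used="$used $nic"
        vsw="vSwitch-$pg"
        run esxcfg-vswitch -a "$vsw"
        run esxcfg-vswitch -L "$nic" "$vsw"
        run esxcfg-vswitch -A "$pg" "$vsw"
    done
}

echo "# design 1: trunked vSwitch with VLAN-tagged port groups"
build_trunked vSwitch1 vmnic1 vmnic2
echo "# design 2: one vSwitch and uplink per segment"
build_isolated vmnic1 vmnic2 vmnic3
```

For design 1 the physical switch port facing each uplink must be an 802.1Q trunk that carries only the three segment VLANs, with a native VLAN that is none of them; otherwise the checks above do not buy you anything. The script covers standard vSwitches only; private VLANs on the distributed switch are configured through vCenter, not esxcfg-vswitch.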
Hello,
Segmentation is a little different from true isolation. After you have read Ken's post, you will want to give some thought to why things are segmented, or whether they are isolated. Segmentation of your network uses VLANs. Isolation of your network uses separate switches, etc. It is important to understand which was implemented and just do the same thing within the virtual network.
If you are using VMware vSphere with the virtual distributed switch, you can further segment and isolate by creating Private VLANs between port groups on all your ESX hosts. This employs dvFilter to limit who can access what, a port security mechanism. You can also use something like VMsafe-net to implement a zone-to-zone firewall; Altor and Reflex have such a firewall. You can also use vShield Zones, but it does things a little differently.
Best regards,
Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast