VMware Horizon Community
Jay001
Contributor

Segmenting on Single Network


Hello,

I have VMware ESXi in the DMZ in a test lab.

The DMZ sits between an external and an internal firewall; see the attached image.

What needs to be configured so that Host 1 and Host 2 can access the internet and the LAN but cannot communicate with or ping each other, using separate networks but keeping the existing IP addressing 192.168.255.0/24 for the uplinks to the firewalls?

Guest Host 1 (VLAN 10) and Guest Host 2 (VLAN 20) have the same default gateway, which is the external firewall. This acts as the router. The switches are layer 2.

When I use VLANs on the hosts they can't ping the LAN.

I was told PVLANs and vShield Enterprise are the way to go to restrict hosts on a single /24 network.

Is vShield good enough, or do I need Check Point?

Any help appreciated.

Regards,

rcporto
Leadership

PVLAN is what you need, but bear in mind that you will need an Enterprise Plus license on ESXi to be able to run the Distributed Switch that supports PVLAN.

Take a look at this blog post and see the DMZ use case: PVLAN – A Widely Underutilized Feature | vXpertise

---

Richardson Porto
Senior Infrastructure Specialist
LinkedIn: http://linkedin.com/in/richardsonporto
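The PVLAN layout the reply above points to, written out as an added PowerCLI example (this is not code from the thread, from the linked blog post or from VMware's documentation): one primary PVLAN carries the whole 192.168.255.0/24 DMZ segment, the firewall-facing port group sits on a promiscuous secondary, and both guest hosts sit on a single isolated secondary, so each can reach the gateway but neither can reach the other. The vCenter name, the distributed switch name and the VLAN IDs 255 and 256 are assumptions chosen for illustration.

```powershell
# Added example: PVLAN segmentation of a single /24 DMZ on a vSphere Distributed Switch.
# Requires VMware PowerCLI and an Enterprise Plus licensed host. All names below are assumed.
Connect-VIServer -Server vcenter.dmz.example    # placeholder vCenter address

$vds = Get-VDSwitch -Name "DMZ-vDS"             # assumed existing distributed switch with uplinks to both firewalls

# 1. Primary PVLAN. The primary is declared as Promiscuous with SecondaryVlanId equal to PrimaryVlanId.
#    Frames leaving the ESXi uplinks are tagged with the secondary VLAN, so the physical trunk
#    between hosts and firewalls must carry both 255 and 256.
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 255 -SecondaryVlanId 255 -PrivateVlanType Promiscuous

# 2. Isolated secondary PVLAN. A port here can talk only to promiscuous ports, never to another isolated port,
#    even when both ports are on the same primary VLAN and in the same IP subnet.
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 255 -SecondaryVlanId 256 -PrivateVlanType Isolated

# 3. Port group for anything that must be reachable by every DMZ host: the firewalls / default gateway.
$pgGateway = New-VDPortgroup -VDSwitch $vds -Name "DMZ-Gateway-Promiscuous"
$pgGateway | Set-VDVlanConfiguration -PrivateVlanId 255

# 4. Port group for the guest hosts. Host 1 and Host 2 both go here and stay mutually unreachable
#    while keeping their existing 192.168.255.0/24 addresses and the external firewall as gateway.
$pgGuests = New-VDPortgroup -VDSwitch $vds -Name "DMZ-Guests-Isolated"
$pgGuests | Set-VDVlanConfiguration -PrivateVlanId 256

# 5. Move the guest VMs' network adapters onto the isolated port group (VM names assumed).
foreach ($vmName in @("Host1", "Host2")) {
    Get-VM -Name $vmName | Get-NetworkAdapter | Set-NetworkAdapter -Portgroup $pgGuests -Confirm:$false
}

# 6. Verify the mapping that was created: expect 255/255 Promiscuous and 255/256 Isolated.
Get-VDSwitchPrivateVlan -VDSwitch $vds | Format-Table PrimaryVlanId, SecondaryVlanId, PrivateVlanType
Get-VDPortgroup -VDSwitch $vds | Select-Object Name, VlanConfiguration
```

After the change, a ping from Host 1 to Host 2 should fail while pings from either host to the external firewall still succeed; if the two guests can still reach each other, check that the physical switch trunk between the ESXi uplinks and the firewalls is actually carrying VLAN 256 as well as 255, since isolation between VMs on different ESXi hosts depends on the secondary tag surviving the physical hop.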
Jay001
Contributor

Thank you for the blog post; it seems to answer most of my questions.

If I don't do PVLANs in VMware but apply this to the Cisco physical switch instead, is that still good enough to segment the guest hosts with just VLANs configured on the vSwitch?

Also, I need a copy of vSphere on the DMZ to do PVLANs. Is it recommended to have vSphere on a DMZ, or is it best located on the Production LAN with ports opened up to allow distributed switching on a DMZ?
