I have it running this way and have no issues. I have a seperate nic and vSwitch for the DMZ and as long as you make sure that the VM's do not have a nic in prod and DMZ you will be fine

Hello,

The mixing of internal/external hosts truly depends on how your networking is setup.

A vSwitch can not communicate with another vSwitch unless there is a link between them either through a VM on both vSwitches or something external like a patch cable. Within a vSwitch the same holds true for a port gorup.

If you have very few NIC ports say 4. Then I would not mix them as your VM Network NICs are using 2 of those ports, vMotion for another, and the SC for the 4th. If you add more NIC ports say 2, then you can add anothe network to the ESX server and you can mix them easily.

At this point it really is a networking question. Never, ever place the SC ports or vMotion in your DMZ however. Those have major security concerns.

Best regards,

Edward

This thread http://www.vmware.com/community/thread.jspa?threadID=96550 indicates that there may be cause for concern with this architecture.

If VI3 can be broken into, then this architecture creates a bridge between your DMZ and your internal network.

Even if there was no evidence of exploits against VI3, I'd say that it all depends on your paranoia level and the strength of your belief in Murphy's Law.

For myself, I am a strong believer in Murphy and the essentially flawed nature of any complex piece of software. I would never choose to configure VI3 this way. If you can't avoid it, then I strongly recommend you look at improving your secondary controls (firewall, IPS ...) to detect and prevent an exploit of VI3 from a complete breakout into your internal network.

Michael

Thank you for the responses. This was my understanding, however I'm wondering if VMware suggests not doing so. I need to CYA.

Thanks

Rob