Hey Tex,
When creating a secure VLAN for VMotion traffic, what servers, besides the ESX hosts, need to be on this VLAN?
________________________________
Jason D. Langdon
I'll answer and let Edward expand if he wishes. There are NO other servers necessary on the VMotion network other than the ESX hosts that are participating in the cluster. Actually, that VLAN or physical LAN should not even be routable as there is no reason to ever need to connect to that network. BTW...no need for points here.
Should I answer this or wait until it's answered? Better off waiting for Edward.
If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
If you provide a correct or helpful answer, I promise I'll give you some points.
Jason D. Langdon
Like rrandell said, there is no reason to have any other computer/server on this VLAN besides the ESX servers that you want VMotion traffic to go to. The reason for creating this secure VLAN for VMotion is to isolate it from the rest of your network: it doesn't need internet access, no default gateway, it doesn't need to talk to your computer, it just transfers the VMs around.
The biggest security issue with VMotion is that it uses the root credentials and has them in plain text over the network. I would think you would want to keep that type of information safe and not have an infected Windows box listening on that VLAN that happens to stumble onto your ESX root password.... all bad....
Kyle
I would place the Virtual Center server, Service Console and VMotion networks in a Management Network secured with a VLAN as well. VMotion traffic needs to be secure because its clear-text file can be breached, but I don't know any tools that can read .vmdk successfully yet. As mentioned, you can substitute it with non-routable IPs.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
Hello,
As rrandell states, on the VMotion network there should be nothing but VMotion VMkernel ports.
Remember, VLANs do not grant you security; they can not be used to 'secure' networks. They allow aggregation of networks on the same wire, which in turn implies there is data commingling on the wire. VM to VM within the vSwitch is protected; outside the vSwitch, VLAN attacks can still occur.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/
Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
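The isolation rules given in this thread (only VMotion VMkernel ports on that VLAN, no default gateway so the network is not routable, no other box able to listen on it) can be checked against an exported host inventory. The script below is an added example, not code from this thread or from VMware; the inventory is constructed for the example, and the field names (`vlan`, `services`, `gateway`) are this script's own assumptions, not the vSphere API.

```python
"""Audit a host network inventory for VMotion VLAN isolation.

The inventory is constructed for this example; field names are assumptions of
this script and do not mirror the vSphere API.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VmkPort:
    """A VMkernel interface on one ESX host."""
    host: str
    name: str
    vlan: int
    services: FrozenSet[str]      # e.g. {"vmotion"}, {"management"}, {"nfs"}
    gateway: Optional[str] = None # None means the interface is not routable


@dataclass(frozen=True)
class VmPortGroup:
    """A virtual-machine port group (guest traffic) on one ESX host."""
    host: str
    name: str
    vlan: int


Finding = Tuple[str, str, str]  # (host, object, finding code)


def audit_vmotion_isolation(vmk_ports: List[VmkPort],
                            vm_portgroups: List[VmPortGroup]) -> List[Finding]:
    """Return one finding per violation of the thread's isolation rules."""
    findings: List[Finding] = []
    # Every VLAN that carries VMotion anywhere in the cluster is a VMotion VLAN.
    vmotion_vlans = {p.vlan for p in vmk_ports if "vmotion" in p.services}

    for p in vmk_ports:
        if "vmotion" in p.services:
            # Rule: the VMotion network must not be routable.
            if p.gateway is not None:
                findings.append((p.host, p.name, "routable-gateway"))
            # Rule: the VMotion port carries nothing but VMotion.
            if p.services - {"vmotion"}:
                findings.append((p.host, p.name, "mixed-services"))
        elif p.vlan in vmotion_vlans:
            # A non-VMotion VMkernel port (management, NFS, ...) on the VMotion VLAN.
            findings.append((p.host, p.name, "foreign-vmk-on-vmotion-vlan"))

    for pg in vm_portgroups:
        # A VM port group on the VMotion VLAN lets a guest listen to VMotion traffic.
        if pg.vlan in vmotion_vlans:
            findings.append((pg.host, pg.name, "vm-portgroup-on-vmotion-vlan"))
    return findings


# Constructed sample inventory: esx01 is clean, esx02 breaks several rules.
SAMPLE_VMK_PORTS = [
    VmkPort("esx01", "vmk0", 10, frozenset({"management"}), "192.0.2.1"),
    VmkPort("esx01", "vmk1", 20, frozenset({"vmotion"})),
    VmkPort("esx02", "vmk0", 10, frozenset({"management"}), "192.0.2.1"),
    VmkPort("esx02", "vmk1", 20, frozenset({"vmotion"}), "198.51.100.1"),  # routable
    VmkPort("esx02", "vmk2", 20, frozenset({"nfs"})),                      # NFS on VMotion VLAN
]
SAMPLE_VM_PORTGROUPS = [
    VmPortGroup("esx01", "Production", 30),
    VmPortGroup("esx02", "Backup", 20),  # guest VMs able to listen on the VMotion VLAN
]


def clean_inventory_is_clean() -> bool:
    """Sanity check: the esx01-only subset produces no findings."""
    vmk = [p for p in SAMPLE_VMK_PORTS if p.host == "esx01"]
    pgs = [g for g in SAMPLE_VM_PORTGROUPS if g.host == "esx01"]
    return audit_vmotion_isolation(vmk, pgs) == []


if __name__ == "__main__":
    for host, obj, code in audit_vmotion_isolation(SAMPLE_VMK_PORTS, SAMPLE_VM_PORTGROUPS):
        print(f"{host}/{obj}: {code}")
```

Run against a real export, the three codes map directly onto the advice above: `routable-gateway` is the "should not even be routable" point, `foreign-vmk-on-vmotion-vlan` and `vm-portgroup-on-vmotion-vlan` are the "nothing but VMotion VMkernel ports" point. Note that a VM port group on the same VLAN is flagged even when it sits on a different host, since the VLAN is shared across the physical switch.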
Stefan,
If you have your Virtual Center server placed on the secured VLAN, how do you access it? My original thought was to do this also, and I was going to install the VIC on a Citrix server which was permitted to access the secured VLAN through a firewall on specific ports only.
Jason D. Langdon
Jason,
That is a great way to do it. You could also just enable RDP on a Windows box and use that as your "jump box". I have other customers that I've talked to that require the administrators to "VPN" into the protected network as well. There are a number of things you can do; the goal is just to put up as many hurdles as possible for an attacker.
Rob
Hello,
I place VC and the ESX SC on the same Administrative Network, which is protected by a firewall (smoothwall) that just happens to have an OpenVPN server within it. I then use RDP over OpenVPN to access my management workstation, which in my case is a VM.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
We have two solutions and we still use Cisco VPN and Citrix Secure web access. Most of the time, our VMware consultants log in with RDP published in the Citrix farm and access it from there. We use it as a jump server, mostly for management purposes.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
I never thought to add RDP access to the Citrix server. Great tip.
Jason D. Langdon
You can also publish the VI Client, as well as standard PuTTY & WinSCP; those we used a lot.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
Hello,
I create a Virtual Management Windows XP VM that I use to manage my servers. On this I place RCLI, PuTTY, VIC, VI SDK (Perl in my case), and PowerShell for some things as well, plus any VIC plugins I use. I do not use Citrix, and if Citrix goes down can you still manage the system?
Best regards,
Edward L. Haletky
VMware Communities User Moderator
If you people with Citrix know that a Citrix server farm has multiple servers with all applications published across them, the administrator tools themselves will always be available unless our data center is wiped. All components of Citrix are fully redundant, especially the web interface servers. But yes, always have standby solutions as well, so putting an extra XP VM just for that purpose is a cheap and easy solution.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant