VMware Cloud Community
JDLangdon
Expert

Secure VLAN for VMotion Traffic

Hey Tex,

When creating a secure VLAN for VMotion traffic, what servers, besides the ESX hosts, need to be on this VLAN?

________________________________

Jason D. Langdon


Accepted Solutions
admin
Immortal

I'll answer and let Edward expand if he wishes. ;-) There are NO other servers necessary on the VMotion network other than the ESX hosts that are participating in the cluster. Actually, that VLAN or physical LAN should not even be routable, as there is no reason to ever need to connect to that network. BTW... no need for points here. ;-)

14 Replies
azn2kew
Champion

Should I answer this or wait until it's answered? :-) Better off waiting for Edward.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
VMware vExpert 2009, VCP 3 & 4, VSP, VTSP, CCA, CCEA, CCNA, MCSA, EMCSE, EMCISA
JDLangdon
Expert

If you provide a correct or helpful answer, I promise I'll give you some points. :-)


khughes
Virtuoso

Like rrandell said, there is no reason to have any other computer/server on this VLAN besides the ESX servers that you want VMotion traffic to go to. The reason for creating this secure VLAN for VMotion is to isolate it from the rest of your network: it doesn't need internet access or a default gateway, and it doesn't need to talk to your computer; it just transfers the VMs around.

The biggest security issue with VMotion is that it uses the root credentials and has them in plain text over the network. I would think you would want to keep that type of information safe and not have an infected Windows box listening on that VLAN and happen to stumble onto your ESX root password.... all bad....

-- Kyle "RParker wrote: I guess I was wrong, everything CAN be virtualized "
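The isolation rules the two posts above describe (only VMotion VMkernel ports on the VMotion VLAN, no VM or Service Console port group sharing it, no default gateway so the subnet is not routable) can be checked mechanically. The script below is an added example, not code from the thread; it works on a constructed, simplified host inventory in the shape you would assemble from `esxcfg-vswitch -l` / `esxcfg-vmknic -l` output or the vSphere API, and every port group name, VLAN id and address in it is hypothetical.

```python
"""Audit whether a host's VMotion network is isolated the way the thread
recommends: only VMotion VMkernel ports on that VLAN, nothing else on it,
and no route out of it.

Added example, not code from the thread. The inventory below is a
constructed, simplified picture of one ESX host; every name, VLAN id and
address is hypothetical.
"""
from ipaddress import ip_address, ip_interface


# Constructed sample: a VM port group shares the VMotion VLAN and the
# VMkernel default gateway sits on the VMotion subnet (both to be avoided).
WEAK_HOST = {
    "portgroups": [
        {"name": "Service Console", "vlan": 10, "kind": "console"},
        {"name": "VMotion", "vlan": 20, "kind": "vmkernel"},
        {"name": "Prod VMs", "vlan": 30, "kind": "vm"},
        {"name": "Test VMs", "vlan": 20, "kind": "vm"},  # same VLAN as VMotion
    ],
    "vmknics": [
        {"name": "vmk0", "portgroup": "VMotion",
         "ip": "192.168.20.11/24", "services": ["vmotion"]},
    ],
    "vmkernel_gateway": "192.168.20.1",  # VMotion subnet is routable
}

# Same host after fixing both findings: test VMs moved to their own VLAN
# and the VMkernel default gateway removed.
HARDENED_HOST = {
    "portgroups": [
        {"name": "Service Console", "vlan": 10, "kind": "console"},
        {"name": "VMotion", "vlan": 20, "kind": "vmkernel"},
        {"name": "Prod VMs", "vlan": 30, "kind": "vm"},
        {"name": "Test VMs", "vlan": 31, "kind": "vm"},
    ],
    "vmknics": [
        {"name": "vmk0", "portgroup": "VMotion",
         "ip": "192.168.20.11/24", "services": ["vmotion"]},
    ],
    "vmkernel_gateway": None,
}


def vmotion_findings(host):
    """Return a list of isolation problems; an empty list means clean."""
    findings = []
    portgroups = {pg["name"]: pg for pg in host["portgroups"]}
    vmotion_nics = [n for n in host["vmknics"] if "vmotion" in n["services"]]
    if len(vmotion_nics) != 1:
        findings.append(
            f"expected exactly one VMotion VMkernel port, found {len(vmotion_nics)}")
        return findings
    nic = vmotion_nics[0]
    pg = portgroups[nic["portgroup"]]
    vlan = pg["vlan"]

    # VMotion on the untagged/native VLAN mixes it with everything else untagged.
    if vlan in (0, 1):
        findings.append(f"{nic['name']}: VMotion is on the untagged/native VLAN {vlan}")

    # Nothing but VMotion VMkernel ports may share the VMotion VLAN.
    for other in host["portgroups"]:
        if other is not pg and other["vlan"] == vlan:
            findings.append(
                f"port group '{other['name']}' ({other['kind']}) shares VMotion VLAN {vlan}")

    # The VMotion VMkernel port should carry VMotion only.
    extra = sorted(set(nic["services"]) - {"vmotion"})
    if extra:
        findings.append(f"{nic['name']}: extra services on the VMotion port: {', '.join(extra)}")

    # No default gateway on the VMotion subnet: the network must not be routable.
    gateway = host.get("vmkernel_gateway")
    if gateway:
        subnet = ip_interface(nic["ip"]).network
        if ip_address(gateway) in subnet:
            findings.append(
                f"default gateway {gateway} is on VMotion subnet {subnet}; "
                f"the VMotion network should not be routable")
    return findings


if __name__ == "__main__":
    for label, host in (("weak", WEAK_HOST), ("hardened", HARDENED_HOST)):
        print(f"{label}: {vmotion_findings(host) or ['no findings']}")
```

Run it and the weak host reports the shared VLAN and the on-subnet gateway; the hardened host reports nothing. Feeding it real data is a matter of filling the same dict from your hosts' port group and VMkernel listings.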
azn2kew
Champion

I would place the Virtual Center server, Service Console and VMotion networks in a Management Network secured with a VLAN as well. VMotion traffic needs to be secure because its clear-text file can be breached, but I don't know of any tools that can read .vmdk files successfully yet. As mentioned, you can substitute it with non-routable IPs.

Texiwill
Leadership

Hello,

As rrandell states, on the VMotion network there should be nothing but VMotion VMkernel ports.

Remember, VLANs do not grant you security; they cannot be used to 'secure' networks. They allow aggregation of networks on the same wire, which in turn implies there is data commingling on the wire. VM to VM within the vSwitch is protected; outside the vSwitch, VLAN attacks can still occur.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/

Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
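The caveat above is about the physical switch, not the vSwitch: a VLAN only isolates VMotion if the trunk ports feeding the ESX hosts are configured so the VMotion VLAN cannot be reached by negotiation or by untagged frames. The checker below is an added example, not code from the thread or from VMware. It parses a constructed IOS-style running-config excerpt (two hypothetical ESX uplinks, one user port; all names and VLAN ids are made up) and flags, for every trunk-capable port that can carry the protected VLAN, the three usual weaknesses: DTP negotiation left on, the protected VLAN used as the native (untagged) VLAN, and a trunk that allows every VLAN.

```python
"""Check the physical-switch side of a 'secure' VLAN.

Added example, not from the thread. SAMPLE_CONFIG is a constructed
IOS-style excerpt; interface names and VLAN ids are hypothetical.
"""
from collections import OrderedDict

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description esx01 uplink (weak)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 description esx02 uplink (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description user desk
 switchport access vlan 40
 switchport mode access
!
"""

PROTECTED_VLAN = 20  # the VMotion VLAN in this constructed example


def parse_interfaces(config_text):
    """Split an IOS-style config into {interface name: [indented commands]}."""
    interfaces = OrderedDict()
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def expand_vlans(spec):
    """'10,20-22,30' -> {10, 20, 21, 22, 30}."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def trunk_findings(config_text, protected_vlan):
    """Return {interface: [problems]} for every trunk-capable port that can
    carry protected_vlan. Access ports are out of scope here."""
    results = {}
    for name, cmds in parse_interfaces(config_text).items():
        mode, native, allowed, nonegotiate = "access", 1, None, False
        for cmd in cmds:
            words = cmd.split()
            if cmd.startswith("switchport mode "):
                mode = words[2]  # 'access', 'trunk' or 'dynamic'
            elif cmd.startswith("switchport trunk native vlan "):
                native = int(words[-1])
            elif cmd.startswith("switchport trunk allowed vlan "):
                # Only the plain list and 'add' forms are modelled here.
                if words[4] == "add":
                    allowed = (allowed or set()) | expand_vlans(words[5])
                else:
                    allowed = expand_vlans(words[4])
            elif cmd == "switchport nonegotiate":
                nonegotiate = True
        if mode not in ("trunk", "dynamic"):
            continue
        if allowed is not None and protected_vlan not in allowed and native != protected_vlan:
            continue  # this trunk cannot carry the protected VLAN at all
        problems = []
        if mode == "dynamic":
            problems.append("DTP negotiation enabled (switchport mode dynamic); "
                            "use 'switchport mode trunk' + 'switchport nonegotiate'")
        elif not nonegotiate:
            problems.append("trunk still answers DTP; add 'switchport nonegotiate'")
        if native == protected_vlan:
            problems.append(f"native VLAN is the protected VLAN {protected_vlan}; "
                            "untagged frames land on it (double-tagging exposure)")
        if allowed is None:
            problems.append("trunk allows all VLANs; prune with 'switchport trunk allowed vlan ...'")
        results[name] = problems
    return results


if __name__ == "__main__":
    for iface, problems in trunk_findings(SAMPLE_CONFIG, PROTECTED_VLAN).items():
        print(iface, problems or ["ok"])
```

The sample deliberately puts the weak and the hardened uplink side by side: the first port reports all three problems, the second reports none, and the user-desk access port is not evaluated. The checks cover only the trunk settings themselves; they say nothing about whether a host on the far end of a port belongs on the VMotion VLAN, which is the inventory question the earlier posts answer.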
JDLangdon
Expert

Stefan,

If you have your Virtual Center server placed on the secured VLAN, how do you access it? My original thought was to do this also, and I was going to install the VIC on a Citrix server which was permitted to access the secured VLAN through a firewall on specific ports only.


admin
Immortal

Jason,

That is a great way to do it. You could also just enable RDP on a Windows box and use that as your "jump box". I have other customers that I've talked to that require the administrators to "VPN" into the protected network as well. There are a number of things you can do; the goal is just to put up as many hurdles as possible for an attacker.

Rob

Texiwill
Leadership

Hello,

I place VC and the ESX SC on the same Administrative Network, which is protected by a firewall (Smoothwall) that just happens to have an OpenVPN server within it. I then use RDP over OpenVPN to access my management workstation, which in my case is a VM.


Best regards,

Edward L. Haletky
azn2kew
Champion

We have two solutions: we still use Cisco VPN and Citrix Secure Web access. Most of the time, our VMware consultants log in with RDP published in the Citrix farm and access it from there. We use it as a jump server, mostly for management purposes.

JDLangdon
Expert

I never thought to add RDP access to the Citrix server. Great tip.


azn2kew
Champion

You can also publish the VI Client, as well as standard PuTTY & WinSCP; we used those a lot.

Texiwill
Leadership

Hello,

I create a Virtual Management Windows XP VM that I use to manage my servers. On this I place RCLI, PuTTY, VIC, the VI SDK (Perl in my case), and PowerShell for some things as well, plus any VIC plugins I use. I do not use Citrix, and if Citrix goes down, can you still manage the system?


Best regards,

Edward L. Haletky
azn2kew
Champion

If you work with Citrix, you know a Citrix server farm has multiple servers with all applications published across them, so the administrator tools themselves will always be available unless our data center is wiped. :-) All components of Citrix are fully redundant, especially the web interface servers. But yes, always have standby solutions as well, so putting an extra XP VM in just for that purpose is a cheap and easy solution.
