My organization wants to implement a DMZ network; all they got for this is a new NIC with 4 ports.
My suggestion to them is to have a separate vSwitch connected to this NIC card and dedicate this NIC to the DMZ network; however, I got one suggestion that we can use 2 ports for the SC and 2 for the DMZ. I want to understand: is this config safe?
So does the server just have a single 4 port NIC? It will be safe to split the 4 ports over the DMZ and SC (i.e. 2 ports for the DMZ vSwitch and another 2 ports for the SC vSwitch). Each port will be treated as a separate NIC, so it's not that ESX will have to figure out which port to use for any new connections. See page 8 in this guide regarding vSwitch isolation - http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf.
Thanks Dave,
I already have one SC vSwitch with 2 NICs in an active/active configuration. Is it safe to have one more SC?
It's safe to do, but it may not give you any benefit. Is the host running LAN VMs as well? If so it could go for those. If you're using VirtualCenter it will just manage the host with the primary SC IP so adding a second won't help there. A second SC can be helpful if you're setting up an HA cluster and you want HA to be able to use two SC IPs to check against instead of just one.
Yes Dave, we do have HA configured, so this means we can have a second SC now. Do I have to specify this SC anywhere for HA to notice it?
You'll set das.isolationaddressX - see page 121 http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_resource_mgmt.pdf
and some good threads on this.
http://communities.vmware.com/message/772632
http://communities.vmware.com/message/941218
See also the PDF in this KB article - http://kb.vmware.com/kb/1002080 - in particular page 12.
I'm assuming you have 6 NICs in total, with 2 NICs built in as well. I would configure this combination:
1. NIC1-2->SC/VMotion standby
2. NIC3-4->VMotion/SC standby
3. NIC5-6->DMZ Networks
I'm assuming you create VLANs on your physical Cisco switch and utilize EtherChannel for them. I would suggest placing your DMZ network in a separate ESX cluster to prevent VMs from being placed alongside your DMZ machines.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
Hello,
It is not suggested that you put your SC within the DMZ. If you setup a 4 port pNIC with all ports going to the same vSwitch and you are not using VLANs, then your SC is within the DMZ. If you are using VLANs then there is a chance that the SC can be attacked from the DMZ. It is better to go with physical separation. Granted at the moment VLANs are pretty safe, but there is still a risk.
Since each pNIC on the quad port device is separate from the others within the realm of ESX you should create 1 vSwitch with 2 ports for the SC and another vSwitch with 2 ports for the DMZ. If you have an internal network as well, you may wish to change this allotment.
Not sure I understand why you need a secondary SC in this configuration?
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
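The replies above boil down to three checks on a host's network layout: no pNIC may serve two vSwitches, the SC (and VMkernel) must not share a broadcast domain with DMZ port groups, and VLAN-only separation on a shared vSwitch is weaker than separate pNICs. The script below is an added example, not code from the thread or from VMware: it models a VI3-style host layout and reports those findings, and builds the HA advanced options for the second SC network that Dave mentions. The layouts, NIC names and addresses are constructed; the option naming `das.isolationaddressN` follows the thread's `das.isolationaddressX` and is an assumption about the exact keys, so check the resource management guide for the allowed range.

```python
"""Added example (not from the thread or VMware): check an ESX 3.x host's
vSwitch layout for SC-vs-DMZ separation and build HA isolation options.
All host layouts and addresses below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

VGT_VLAN = 4095   # VLAN ID 4095 = virtual guest tagging: sees every tagged VLAN


@dataclass
class PortGroup:
    name: str
    role: str        # "sc" (service console), "vmkernel" (VMotion) or "vm"
    zone: str        # "internal" or "dmz"
    vlan: int = 0    # 0 = untagged; same ID on one vSwitch = same broadcast domain


@dataclass
class VSwitch:
    name: str
    uplinks: List[str]                              # pNICs such as "vmnic0"
    portgroups: List[PortGroup] = field(default_factory=list)


def vlans_overlap(a: int, b: int) -> bool:
    """Two port groups on one vSwitch share traffic if their VLAN IDs match
    or either one is VGT (4095), which receives all tagged frames."""
    return a == b or VGT_VLAN in (a, b)


def check_layout(vswitches: List[VSwitch]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings. An empty list means SC/VMkernel
    and DMZ traffic never share a vSwitch, i.e. they are on different pNICs."""
    findings: List[Tuple[str, str]] = []
    owner: Dict[str, str] = {}
    for vs in vswitches:
        for nic in vs.uplinks:
            if nic in owner:   # ESX does not allow one pNIC on two vSwitches
                findings.append(("FAIL", f"{nic} is an uplink of both "
                                         f"{owner[nic]} and {vs.name}"))
            owner[nic] = vs.name
        dmz = [pg for pg in vs.portgroups if pg.zone == "dmz"]
        mgmt = [pg for pg in vs.portgroups if pg.role in ("sc", "vmkernel")]
        if not (dmz and mgmt):
            continue   # this vSwitch is either all-DMZ or all-management: fine
        shared = any(vlans_overlap(d.vlan, m.vlan) for d in dmz for m in mgmt)
        if shared:
            findings.append(("FAIL", f"{vs.name}: SC/VMkernel and DMZ port "
                                     f"groups share a broadcast domain"))
        else:
            findings.append(("WARN", f"{vs.name}: SC/VMkernel separated from "
                                     f"DMZ by VLAN tags only; use separate pNICs"))
    return findings


def ha_isolation_options(addresses: List[str]) -> Dict[str, str]:
    """Advanced HA options so isolation detection pings one address per SC
    network. Key naming das.isolationaddress1..N is an assumption taken from
    the thread's 'das.isolationaddressX'; verify the range in the VI3 guide."""
    if not addresses:
        raise ValueError("at least one isolation address is required")
    return {f"das.isolationaddress{i}": addr
            for i, addr in enumerate(addresses, start=1)}


def sample_layouts() -> Dict[str, List[VSwitch]]:
    """Constructed layouts: physical separation (as advised), a shared
    vSwitch with VLANs (works, but weaker), and a flat shared vSwitch."""
    return {
        "separate": [
            VSwitch("vSwitch0", ["vmnic0", "vmnic1"],
                    [PortGroup("Service Console", "sc", "internal", 10),
                     PortGroup("VMotion", "vmkernel", "internal", 20)]),
            VSwitch("vSwitch1", ["vmnic2", "vmnic3"],
                    [PortGroup("DMZ", "vm", "dmz", 30)]),
        ],
        "vlan_only": [
            VSwitch("vSwitch0", ["vmnic0", "vmnic1", "vmnic2", "vmnic3"],
                    [PortGroup("Service Console", "sc", "internal", 10),
                     PortGroup("DMZ", "vm", "dmz", 30)]),
        ],
        "flat": [
            VSwitch("vSwitch0", ["vmnic0", "vmnic1", "vmnic2", "vmnic3"],
                    [PortGroup("Service Console", "sc", "internal"),
                     PortGroup("DMZ", "vm", "dmz")]),
        ],
    }


if __name__ == "__main__":
    for label, layout in sample_layouts().items():
        print(label, check_layout(layout) or "OK")
    print(ha_isolation_options(["10.0.10.1", "10.0.20.1"]))
```

Run it as-is to see the three verdicts; to check a real host, transcribe the output of `esxcfg-vswitch -l` into `VSwitch`/`PortGroup` entries. The `vlan_only` case is the one Edward warns about: it passes the broadcast-domain test but still rides the same pNICs as the DMZ, so it is reported as a warning rather than a pass.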