VMware Cloud Community
Amit_Mishra
Contributor

DMZ NETWORK

My organization wants to implement the DMZ network; all they got for this is a new NIC with 4 ports.

My suggestion to them is to have a separate vSwitch connected to this NIC card and dedicate this NIC to the DMZ network; however, I got one suggestion that we can use 2 ports for SC and 2 for DMZ. I want to understand: is it safe to have this config?

7 Replies
Dave_Mishchenko
Immortal

So does the server just have a single 4-port NIC? It will be safe to split the 4 ports over the DMZ and SC (i.e. 2 ports for the DMZ vSwitch and another 2 ports for the SC vSwitch). Each port will be treated as a separate NIC, so it's not that ESX will have to figure out which port to use for any new connections. See page 8 in this guide regarding vSwitch isolation - http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf.

Amit_Mishra
Contributor

Thanks Dave,

I already have one SC vSwitch with 2 NICs in an Active/Active configuration. Is it safe to have one more SC?

Dave_Mishchenko
Immortal

It's safe to do, but it may not give you any benefit. Is the host running LAN VMs as well? If so it could go for those. If you're using VirtualCenter it will just manage the host with the primary SC IP so adding a second won't help there. A second SC can be helpful if you're setting up an HA cluster and you want HA to be able to use two SC IPs to check against instead of just one.

Amit_Mishra
Contributor

Yes Dave, we do have HA configured, so this means we can have a second SC now. Do I have to specify this SC anywhere for HA to notice it?

Dave_Mishchenko
Immortal

You'll set das.isolationaddressX - see page 121 http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_resource_mgmt.pdf

and some good threads on this.

http://communities.vmware.com/message/772632

http://communities.vmware.com/message/941218

See also the PDF in this KB article - http://kb.vmware.com/kb/1002080 - in particular page 12.

azn2kew
Champion

I'm assuming you have 6 NICs in total, with 2 NICs built in as well. I would configure this combination:

1. NIC1-2->SC/VMotion standby

2. NIC3-4->VMotion/SC standby

3. NIC5-6->DMZ Networks

I'm assuming you create VLANs on your physical Cisco switch and utilize EtherChannel for it. I would suggest placing your DMZ network in a separate ESX cluster to prevent VMs from being placed alongside your DMZ machines.


If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant
Texiwill
Leadership

Hello,

It is not suggested that you put your SC within the DMZ. If you set up a 4-port pNIC with all ports going to the same vSwitch and you are not using VLANs, then your SC is within the DMZ. If you are using VLANs, then there is a chance that the SC can be attacked from the DMZ. It is better to go with physical separation. Granted, at the moment VLANs are pretty safe, but there is still a risk.

Since each pNIC on the quad port device is separate from the others within the realm of ESX you should create 1 vSwitch with 2 ports for the SC and another vSwitch with 2 ports for the DMZ. If you have an internal network as well, you may wish to change this allotment.

Not sure I understand why you need a secondary SC in this configuration?


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
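As an added illustration of the separation rule discussed in this thread (not code from any poster or from VMware), the following Python script audits an ESX 3.x `esxcfg-vswitch -l` listing and flags any vSwitch that carries both a Service Console port group and a DMZ port group. It assumes the classic listing layout, that DMZ port groups are named with a "DMZ" prefix, and uses a constructed sample listing.

```python
# Added example (not from the thread): audit an ESX 3.x "esxcfg-vswitch -l"
# listing for the SC/DMZ separation the thread recommends. Assumes the classic
# listing layout and that DMZ port groups are named with a "DMZ" prefix.
import re

# Constructed sample: vSwitch0 is the clean 2-port SC switch; vSwitch1 wrongly
# carries a second Service Console next to a DMZ port group on another VLAN.
SAMPLE = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       32          3           32                1500    vmnic0,vmnic1

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Service Console     0        1           vmnic0,vmnic1

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          3           64                1500    vmnic2,vmnic3

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  DMZ Web             10       1           vmnic2,vmnic3
  Service Console 2   0        1           vmnic2,vmnic3
"""

# Port group rows are indented: name, VLAN ID, used ports, uplinks
PG_RE = re.compile(r"^\s+(.+?)\s{2,}(\d+)\s+\d+\s+\S*")

def parse_vswitches(listing):
    """Return {vswitch: {"uplinks": set, "portgroups": [(name, vlan_id)]}}."""
    switches, current = {}, None
    for line in listing.splitlines():
        if line.startswith("vSwitch"):
            cols = line.split()
            current = cols[0]
            uplinks = set(cols[5].split(",")) if len(cols) > 5 else set()
            switches[current] = {"uplinks": uplinks, "portgroups": []}
        elif current and "PortGroup Name" not in line:
            m = PG_RE.match(line)
            if m:
                switches[current]["portgroups"].append((m.group(1), int(m.group(2))))
    return switches

def audit(switches):
    """One finding per vSwitch mixing SC and DMZ: 'high' if they share a VLAN
    (the SC sits inside the DMZ), 'medium' if only a VLAN tag separates them."""
    findings = []
    for name, sw in switches.items():
        sc = {v for pg, v in sw["portgroups"] if pg.startswith("Service Console")}
        dmz = {v for pg, v in sw["portgroups"] if pg.upper().startswith("DMZ")}
        if sc and dmz:
            findings.append((name, "high" if sc & dmz else "medium", sorted(sw["uplinks"])))
    return findings
```

Run `audit(parse_vswitches(SAMPLE))` to get `[("vSwitch1", "medium", ["vmnic2", "vmnic3"])]`; a clean 2+2 split as Dave and Texiwill describe returns an empty list.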