vwaware
Contributor

networking

I would be grateful if you could give me your expert advice. I have six network cards on my ESX host. What would be the best way of configuring them?

Option 1:

VM - 3

iSCSI, Service Console and VMotion - 3

Or

Option 2:

VM - 3

iSCSI - 1

Service Console and VMotion - 2

Thanks Ben

9 Replies
BryanMcC
Expert

For best practice you would want to keep your iSCSI network segmented from other vSwitches using dedicated adapters, so I would go with the latter of your choices.

2 pNICs assigned to a vSwitch with a Service Console port group and a VMkernel port group for VMotion

2 pNICs assigned to a vSwitch with a VMkernel port group for iSCSI

2 pNICs assigned to a vSwitch for VMs (you could always trunk these NICs for VLAN tagging as well)


Help me help you by scoring points.
Texiwill
Leadership

Hello,

However for security reasons you may wish to switch to the following:

1 pNIC for Service Console

1 pNIC for vMotion

2 pNICs for iSCSI (redundant)

2 pNICs for VMs (redundant)

You never want vMotion and SC sharing a vSwitch as these are the most security conscious systems on the network. Not only this, but your SC must participate in your iSCSI network, which would mean not only would access to the SC grant me access to the VMDKs but also to the clear text memory image of the VM being vMotion'd to another host as well as access to any other iSCSI traffic. vMotion is a dangerous network to share even when using VLANs; I tend to keep to physical separation for this particular high risk network. Also, vMotion should be as fast as physically possible; tying it to your SC can slow it down due to other SC requirements.

If it was me I would go for 8 pNICs for full redundancy and security. There is quite a bit of discussion about this in the Security and Compliance forum.

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

--
Edward L. Haletky
vExpert XII: 2009-2020,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
BryanMcC
Expert

I agree completely; however, with reliance on the SC for iSCSI you will really want to add some redundancy here as well.

BryanMcC
Expert

The fact is that networking can be done in many different ways. You may go to one job where the company has the same number of NICs configured differently than another company to accomplish the same goal. You just have to take best practice and practicality into consideration when designing and put together something that will accomplish your goals and allow you to sleep well at night.

v01d
Enthusiast

Since you have 6 nics to work with.

2 SC/VMotion Teamed + VLAN Trunking

2 iSCSI Teamed

2 VMs Teamed + VLAN Trunking

Texiwill
Leadership

Hello,

Redundancy for the SC may not be an issue as there is not a lot of iSCSI traffic over it; it is mainly for authentication (which is not really used but still necessary for the protocol). Since this is the case, I would risk a single link until I could get another dual or quad port card.

Using VLANs for the SC and vMotion can be done as well but even so, it is possible to grab all vMotion traffic even with the VLAN. I still say this is a risk, and should be separated by physical means. But this really depends on how security conscious you want to be.... I.e. how paranoid. I would consider another 2 ports for the machines.

Best regards,

Edward L. Haletky
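As an added example, not part of the thread and not configuration posted by any participant: a POSIX shell dry-run planner that writes the layouts discussed above as one record per vSwitch, checks each plan for the separation Texiwill argues for (no pNIC linked to two vSwitches, Service Console, VMotion, iSCSI and VM traffic each on their own vSwitch, redundant uplinks for iSCSI and VMs) and prints the ESX 3.x service console esxcfg-vswitch commands that would build it. The vSwitch names, vmnic numbers, port group names and VLAN IDs are placeholders; IP assignment for the SC and VMkernel ports (esxcfg-vswif and esxcfg-vmknic) is a separate step and is not generated.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run planner for the vSwitch layouts
# discussed above. Prints ESX 3.x service console esxcfg-vswitch commands
# rather than running them; set APPLY=1 on a real host to execute them.
#
# Plan format, one vSwitch per line (constructed records, placeholder names):
#   <vswitch> <pNICs,comma-separated> <role[+role...]> [vlan[,vlan...]]
# Roles: sc (Service Console), vmotion, iscsi, vm. A "+" joins roles that
# share one vSwitch, which plan_check flags.

# Option 1 from the question / v01d's layout: SC and VMotion share a vSwitch.
SHARED_SIX_PLAN='vSwitch0 vmnic0,vmnic1 sc+vmotion 10,20
vSwitch1 vmnic2,vmnic3 iscsi
vSwitch2 vmnic4,vmnic5 vm'

# Texiwill's 6-pNIC layout: SC and VMotion on single, separate uplinks.
SEPARATED_SIX_PLAN='vSwitch0 vmnic0 sc
vSwitch1 vmnic1 vmotion
vSwitch2 vmnic2,vmnic3 iscsi
vSwitch3 vmnic4,vmnic5 vm'

# The 8-pNIC layout: every role separated and every vSwitch redundant.
EIGHT_PLAN='vSwitch0 vmnic0,vmnic1 sc
vSwitch1 vmnic2,vmnic3 vmotion
vSwitch2 vmnic4,vmnic5 iscsi
vSwitch3 vmnic6,vmnic7 vm'

# plan_check PLAN: exit 0 if the plan is sound, otherwise a bitmask:
#   1 = a pNIC is linked to two vSwitches
#   2 = two roles share a vSwitch (the SC/VMotion case argued against above)
#   4 = iscsi or vm has a single uplink (no redundancy)
plan_check() {
    printf '%s\n' "$1" | awk '
    NF == 0 { next }
    {
        n = split($2, nics, ",")
        for (i = 1; i <= n; i++) {
            if (nics[i] in seen) {
                print "pNIC " nics[i] " on both " seen[nics[i]] " and " $1 | "cat 1>&2"
                dup = 1
            }
            seen[nics[i]] = $1
        }
        if (index($3, "+") > 0) {
            print $1 ": roles " $3 " share one vSwitch" | "cat 1>&2"
            shared = 1
        }
        if (($3 == "iscsi" || $3 == "vm") && n < 2) {
            print $1 ": " $3 " has no redundant uplink" | "cat 1>&2"
            single = 1
        }
    }
    END { exit dup + 2 * shared + 4 * single }'
}

# plan_commands PLAN: print the esxcfg-vswitch commands that build the plan
# (-a create vSwitch, -L link pNIC, -A add port group, -v/-p set its VLAN).
plan_commands() {
    printf '%s\n' "$1" | awk '
    function pgname(r) {
        if (r == "sc") return "Service Console"
        if (r == "vmotion") return "VMotion"
        if (r == "iscsi") return "iSCSI"
        return "VM Network"
    }
    NF == 0 { next }
    {
        printf "esxcfg-vswitch -a %s\n", $1
        n = split($2, nics, ",")
        for (i = 1; i <= n; i++) printf "esxcfg-vswitch -L %s %s\n", nics[i], $1
        m = split($3, roles, "+")
        v = split($4, vlans, ",")
        for (j = 1; j <= m; j++) {
            pg = pgname(roles[j])
            printf "esxcfg-vswitch -A \"%s\" %s\n", pg, $1
            if (j <= v && vlans[j] != "")
                printf "esxcfg-vswitch -v %s -p \"%s\" %s\n", vlans[j], pg, $1
        }
    }'
}

# plan_apply PLAN: refuse an unsound plan; otherwise print (or with APPLY=1, run)
# the commands.
plan_apply() {
    if ! plan_check "$1"; then
        echo "plan rejected; fix the findings above before applying" 1>&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        plan_commands "$1" | sh -e
    else
        plan_commands "$1"
    fi
}

plan_apply "$EIGHT_PLAN"
```

Run as-is to see the commands for the 8-pNIC layout; swap in SHARED_SIX_PLAN to see the check reject it with the reason on stderr. The bitmask return lets a wrapper distinguish a plain typo (a vmnic listed twice) from a deliberate but risky sharing decision.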
v01d
Enthusiast

I am begining to suspect that Texiwill may have been involved in the specification of $15,000 ea. toilet seats for the U.S. government in a previous life.

biniam
Contributor

Thanks all for your advice.

I see the ideal configuration is to have 8 pNICs for security and performance reasons.

Regards Ben

Texiwill
Leadership

chuckle

Nah.... I am one of the paranoid ones.... Kidding aside, a few extra NIC ports to give you better security is a cheap solution to a pretty nasty problem. I work with penetration testers and it is very easy to get information off an ESX server that is not secured properly. Remember 70% of all attacks come from inside the corporate bastions, not outside.

Best regards,

Edward L. Haletky