VMware Cloud Community
deploylinux
Enthusiast

ESX support for private vlans?

Hello,

Cisco and other networking vendors have been pushing the concept of private VLANs to handle certain security scenarios where you want a large L2 network where each node in the network is only allowed to talk to specified servers. We've found that helpful when deploying backup services for multiple departments/clients/etc., but we're not sure how to make it work with VMware. We can configure private VLANs on the switch, but VMware has its own virtual switches which break the security paradigm (I don't see any way to have a dozen VMs subscribe to the same physical NIC w/o letting the VMs speak at L2 with each other, or create one VLAN per VM). Anyone figure this one out?

Accepted Solutions
Anders
Expert

PVLAN is being considered for a future release.

In the mean time we're looking at a quick solution providing layer2 security in the same manner.

- Anders

8 Replies
esiebert7625

You can use 802.1Q VLAN tagging for this, give these a read...

VMware ESX Server 3 802.1Q VLAN Solutions - http://www.vmware.com/pdf/esx3_vlan_wp.pdf

Networking Virtual Machines - http://download3.vmware.com/vmworld/2006/TAC9689-A.pdf

Networking Scenarios & Troubleshooting - http://download3.vmware.com/vmworld/2006/tac9689-b.pdf

ESX3 Networking Internals - http://www.vmware-tsx.com/download.php?asset_id=41

High Performance ESX Networking - http://www.vmware-tsx.com/download.php?asset_id=43

Network Throughput in a Virtual Infrastructure - http://www.vmware.com/pdf/esx_network_planning.pdf

Dave_Mishchenko

Here's a brief guide to get you started:

http://www.vmware.com/pdf/esx3_vlan_wp.pdf

deploylinux

No, I don't see an answer to my question in your response. I'm not looking for just multiple VLANs, but *private* VLANs. E.g. create virtualswitch1 and virtual machines A, B, and C which are attached to that virtual switch. A and B should be able to talk to C, but not to each other, even at layer 2. Private VLANs are heavily recommended for security-sensitive large layer 2 applications. VMware ESX is a great solution but I'm not seeing a solution anywhere for this within VMware.

jasonboche

If you're saying that hosts on two different VLANs on the same virtual switch can eavesdrop on each other, I would be surprised. We're using VLAN tagging on the ESX virtual switches, but I guess I've never seen the opportunity for VMs on separate VLANs to talk to each other, because each VLAN is a different subnet, and thus the VMs configured for VLAN1 aren't IP'd for, and thus can't talk to, VLAN2.

I definitely know port groups can eavesdrop on each other on a virtual switch. Been there, done that. Port groups and VLANs do share some similar characteristics, but nonetheless they are different.

deploylinux

actually, the situation I'm in is:

We maintain a few physical servers for backing up ESX systems belonging to different clients/departments/etc., many of which have their own SAN storage or, more likely, local storage for VMFS. Given the amount of data that needs to be archived nightly, we do not want to run the backup application through some kind of firewall or L3 device, even if it was just inside a switch. At the very least, it would be an enormous waste of IP addresses, subnets, and management/setup time.

According to Cisco, we should be able to put all the virtual machines/etc. for all clients and departments on one single VLAN with jumbo frames, and then apply *presto private VLAN magic* to ensure that all the devices in that VLAN are restricted to layer 2 communication with, and only with, the physical switch ports assigned to the backup servers. This actually does seem to work outside of VMware.

Unfortunately, I can't see any way to restrict communication from one virtual machine to another when they are assigned to the same virtual switch, even with separate port groups defined.

jpfurtak

We are facing the same issue within my organization. We'd like to conduct backups on a large subnet using layer 2 security. We can handle this well at the network level, but we are facing 2 major hurdles. First, the virtual machines need to be backed up individually, and there is a lot of resistance to dedicating a physical NIC to every virtual machine for backup. While private VLANs would be a great feature in VMware, any layer 2 security would be greatly appreciated. I'm surprised there isn't any yet.

wcwong

We started to look at PVLANs recently, and while ESX networking currently (3.0.x) doesn't support private VLANs from Cisco out of the box, it looks like it shouldn't be that hard to fudge.

It appears that you can trunk the pvlans to the ESX server and it can't tell the difference between a pvlan and a 'regular' vlan since the encoding on the ethernet frame is the same.

As such you just create a portgroup with the correct vlan ID and put the appropriate VM into that vlan ID.

If you put multiple machines into the same port group then it becomes a 'community' VLAN, and if you only have one machine in that port group then it is an 'isolated' VLAN.

As of 3.0.1 there are a maximum number of 512 portgroups so you are limited by that number and managing all those VLANs will be a real pain when the number gets large. My plan is to do a little scripting to make this easier and hope that pvlan support gets integrated before this becomes too unwieldy.

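The workaround wcwong describes above (one port group and one secondary VLAN per isolated VM, one shared port group per community, the 512 port group ceiling) and the A/B/C topology deploylinux asked for earlier in the thread, worked through as an added example. This script is not code from the thread or from VMware; it emits the ESX 3.x `esxcfg-vswitch` commands for a constructed inventory and checks the plan against the port group limit. The vSwitch name `vSwitch1`, the secondary VLAN range starting at 101, and the VM and tenant names are assumptions for illustration, and the promiscuous side (the backup servers' switch ports and the PVLAN trunk to the ESX uplink) is assumed to be configured on the physical switch as the post describes.

```shell
#!/bin/sh
# Added example, not code from the thread. Emulates Cisco private VLANs on an
# ESX 3.0.x vSwitch the way wcwong describes: every isolated VM gets its own
# port group on its own secondary VLAN, every community shares one port group
# and one secondary VLAN, and the promiscuous side (the backup servers) lives
# on the physical switch. vSwitch name, VLAN range, tenant and VM names are
# all assumptions for illustration.

VSWITCH="vSwitch1"      # assumed: vSwitch whose uplink is the PVLAN trunk
FIRST_SECONDARY=101     # assumed: first secondary VLAN ID reserved on the switch
MAX_PORTGROUPS=512      # per-host port group limit quoted in the post for 3.0.1

# Constructed inventory: "<vm> <tenant> <isolated|community>", one per line.
INVENTORY='
web01 acme isolated
db01  acme isolated
app01 globex community
app02 globex community
app03 globex community
'

# Print the esxcfg-vswitch commands that create the port groups and tag them,
# plus the .vmx setting that attaches each VM. Exits non-zero on an unknown
# mode or if the plan would exceed MAX_PORTGROUPS.
plan_portgroups() {
    printf '%s\n' "$INVENTORY" | awk \
        -v vs="$VSWITCH" -v nextid="$FIRST_SECONDARY" -v max="$MAX_PORTGROUPS" '
    NF == 3 {
        vm = $1; tenant = $2; mode = $3
        if (mode == "isolated")       pg = "pvlan-iso-" vm      # one VM per VLAN
        else if (mode == "community") pg = "pvlan-com-" tenant  # tenant shares a VLAN
        else {
            print "unknown mode \"" mode "\" for " vm > "/dev/stderr"
            bad = 1; next
        }
        if (!(pg in vlan)) {
            if (++count > max) {
                print "plan needs more than " max " port groups" > "/dev/stderr"
                bad = 1; exit
            }
            vlan[pg] = nextid++
            printf "esxcfg-vswitch -A %s %s\n", pg, vs
            printf "esxcfg-vswitch -v %d -p %s %s\n", vlan[pg], pg, vs
        }
        printf "# %s.vmx: ethernet0.networkName = \"%s\"   (VLAN %d)\n", vm, pg, vlan[pg]
    }
    END { exit bad }'
}

# Number of port groups (one per secondary VLAN) the inventory needs.
count_portgroups() {
    plan_portgroups | grep -c '^esxcfg-vswitch -A '
}
```

Run it with `sh pvlan-plan.sh` after sourcing or appending `plan_portgroups` to see the command list; review the output before pasting it into the service console, since each isolated VM costs one VLAN on the trunk and one of the 512 port groups, which is exactly the scaling problem the post anticipates.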