VMware Cloud Community
PoNi
Contributor

How to create a DMZ inside a VI 3.5 blade environment?

OK, I have a Dell M1000e environment with 5 blades. Each physical server has 6 NICs which point back to 6 mezzanine cards in the blade chassis. From what I can tell our setup is like so:

NIC 0 - Fabric A1 - Service Console

NIC 1 - Fabric A2 - VMotion

NIC 2 and NIC 3 - Fabrics B1 and B2 for VMs (Lan Access)

NIC 4 and NIC 5 - Fabrics C1 and C2 for iSCSI (Priv Lan Access)

I am wondering how I could set up a DMZ environment with this setup? Please let me know if I need to explain further.

4 Replies
Lightbulb
Virtuoso

What do you mean by DMZ?

As I see it at this time you have only one vSwitch (vSwitch2) that houses VMs.

Do you mean an internal testing network on the ESX host, which would still need access to the LAN?

SkyC
Enthusiast

On an unrelated note, looking at your configuration in the JPG: you might want to consolidate vSwitch0 and vSwitch1, assign vmnic0 as active and vmnic1 as standby for the Service Console port group, and do the reverse for your VMotion VMkernel port group. That way, if the uplink for vmnic0 is accidentally unplugged, you can still access the service console.

Texiwill
Leadership

Hello,

Check out my Topology Blog for a comment on how to do this.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
thehyperadvisor
Enthusiast

Have you read this document yet? "VMware DMZ" explains the different ways of configuring a DMZ with VI3. I also agree on consolidating your vSwitches so that they at least have a redundant NIC team for each vSwitch. No real need for 2 separate service consoles if the one is properly redundant.

Also, check with your security team and/or security policy. We can't mix VLANs for DMZ and production on a single switch at my job, which means dedicated hardware (blades and switch modules).

Hope this helps - thehyperadvisor.com

VCP3,4,5, VCAP4-DCA, vExpert. Hope this helps - http://www.thehyperadvisor.com. If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".
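As an added illustration that is not part of the thread, here is a small checker for vSwitch layouts like the ones discussed above: it flags port groups that lose all connectivity when a single uplink fails (SkyC's point about the Service Console) and vSwitches that carry both DMZ and production port groups (the policy thehyperadvisor describes). The data model, the port group names and the "before"/"after" layouts are assumptions built from the poster's NIC 0-5 numbering.

```python
# Added example, not from the thread. Assumed data model: vSwitch -> port group ->
# (active uplinks, standby uplinks); vmnic0..vmnic5 follow the poster's NIC 0-5.

# Constructed "before" layout as the poster describes it: one vmnic per vSwitch for
# Service Console and VMotion, so each is a single point of failure.
BEFORE = {
    "vSwitch0": {"Service Console": (["vmnic0"], [])},
    "vSwitch1": {"VMotion": (["vmnic1"], [])},
    "vSwitch2": {"VM Network": (["vmnic2", "vmnic3"], [])},
    "vSwitch3": {"iSCSI": (["vmnic4", "vmnic5"], [])},
}

# Constructed "after" layout following SkyC's advice: vSwitch0 and vSwitch1 merged,
# vmnic0 active / vmnic1 standby for the Service Console and the reverse for VMotion.
AFTER = {
    "vSwitch0": {
        "Service Console": (["vmnic0"], ["vmnic1"]),
        "VMotion": (["vmnic1"], ["vmnic0"]),
    },
    "vSwitch2": {"VM Network": (["vmnic2", "vmnic3"], [])},
    "vSwitch3": {"iSCSI": (["vmnic4", "vmnic5"], [])},
}

# Constructed variant that puts a DMZ port group on the production VM vSwitch.
WITH_DMZ = {**AFTER, "vSwitch2": {**AFTER["vSwitch2"], "DMZ": (["vmnic2", "vmnic3"], [])}}

def single_uplink_failures(layout):
    """Map each port group to the uplinks whose loss leaves it with no usable path.
    Standby uplinks count as usable because the host promotes them on failover."""
    problems = {}
    for groups in layout.values():
        for name, (active, standby) in groups.items():
            usable = set(active) | set(standby)
            for nic in sorted(usable):
                if not usable - {nic}:
                    problems.setdefault(name, []).append(nic)
    return problems

def mixed_zone_switches(layout, dmz_groups):
    """List vSwitches carrying both DMZ and non-DMZ port groups; a policy of no
    DMZ and production VLANs on one switch would reject each of these."""
    mixed = []
    for vswitch, groups in layout.items():
        zones = {name in dmz_groups for name in groups}
        if zones == {True, False}:
            mixed.append(vswitch)
    return sorted(mixed)
```

Run against the "before" layout the first check reports that losing vmnic0 isolates the Service Console; the consolidated layout passes, while the DMZ variant is caught by the second check.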