VMware Cloud Community
pomiwi
Enthusiast

Min number of ports per vSwitch?

For security reasons I want to assign only one port to a vswitch, any way of doing this? Anyone know the minimum, is it 8 + 8 that are reserved = 16?

Accepted Solution
RParker
Immortal

The port numbers are there if you want to use VLANS, I don't think they apply for simple DHCP requests, but 8 is the minimum, and it's not going to affect your security for this purpose.

8 Replies
pomiwi
Enthusiast

Thanks for your reply. My thinking is that I'm going to set up a DMZ port group and I only have one server to connect to it. If I could set only 1 port on the vSwitch then surely this would make it more secure, as anyone who set up a new VM and tried to connect to the DMZ port group couldn't?

weinstein5
Immortal

The minimum number is 8 + 8 for a total of 16 - there is not a way to set only one port on a vSwitch - I think the best way to avoid someone accidentally connecting to it is to set the switch name to something that clearly states the danger of connecting to this port group -

If you find this or any other answer useful please consider awarding points by marking the answer helpful or correct -
Rockapot
Expert

... I have to say that an option to provide permissions per vnic - vlan assignment in VC would be quite nice.

I appreciate that for the most part engineers who are granted access to any company's VI environment should have the required skillsets to operate the console; however "pomiwi's" issue here does raise a possible good addition to the VI client.

Additionally, whilst some engineers may accidentally assign a vNIC to the incorrect VLAN, it would nevertheless add an additional layer of security if the engineer was not permitted to do so.

Carl

RParker
Immortal

That's why you keep vSwitch ports separate from VM switches, so they can't assign a VM to a DMZ. If you are worried some people will break stuff you have other issues; that's why you have trained professionals. If someone needs something done, people that know and have a vested interest in making it secure should do it, no questions asked, and no problems. That's called proper management.

Rockapot
Expert

Here we go, RParker on the offensive again... seems to be his thing..

I simply stated it would be a useful feature. As for being worried about people breaking stuff, that really doesn't have anything to do with it because we never stated anything was being broken. I stated that it would be nice to effectively restrict access to assigning a virtual machine to a specific VLAN (port group), which may not necessarily be a DMZ network on another vSwitch.

What if I have 30 production VLANs and I only want specific admins to be able to assign to specific VLANs? Take into account that in many environments, after delivery to a client, they do have many VM admins working in the environment.

Additionally, I already stated that whilst people may have the required skillset, or as you say be "trained professionals", that does not necessarily mean people are trustworthy :)

Effectively what I was trying to say is that granular control at the VM network assignment level would be quite useful, because many of the consultants on this forum don't work for one company all day; we move on to other clients and those clients would certainly find the option of granular control quite handy. It's a feature request.

Carl

pomiwi
Enthusiast

Thanks for both your comments - interesting discussion.

What I was attempting to do was protect against an admin connecting a new or existing VM to a port group which in turn connects to a DMZ and exposes the virtual machine to an environment it was not designed or protected for.

i.e. if I have one vSwitch for production VMs that's connected to my internal network, and another vSwitch for a single ISA server which connects one NIC to the production network and another to the DMZ network, I was trying to protect against an admin accidentally connecting another VM to the DMZ..

If there was a setting to specify that only 1 x port was allowed on the DMZ vSwitch this would fix the issue :)

I agree that users should be trained etc. etc.; however, I work in technical design and implementation myself and I see it every day.. they want you in and out as quick as possible, and after that, even with the best intentions, admins are given free rein without any training etc... sad but it happens.

Rockapot
Expert
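Since the vSwitch itself cannot be limited to one port, the remaining control is detective: periodically compare the VM-to-port-group assignments against the intended design (only the ISA server on the DMZ, and only the ISA server bridging production and DMZ). The following is an added example, not code from the thread or from VMware; the VM, vSwitch and port group names are hypothetical, and the inventory snapshot is constructed inline where a real run would read it from an export of the environment.

```python
# Added example (not from the thread): audit a constructed snapshot of
# VM NIC -> port group assignments for the accidental DMZ exposure
# pomiwi describes. Names below are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Nic:
    vm: str
    vswitch: str
    portgroup: str


# Intended design: one DMZ port group, and only the ISA server may use it
# or bridge it to production (hypothetical names).
DMZ_PORTGROUP = "DMZ"
PROD_PORTGROUP = "Production"
ALLOWED_DMZ_VMS = frozenset({"isa01"})


def find_dmz_violations(nics):
    """VMs attached to the DMZ port group that are not on the allow-list."""
    return sorted({n.vm for n in nics
                   if n.portgroup == DMZ_PORTGROUP and n.vm not in ALLOWED_DMZ_VMS})


def find_unexpected_bridges(nics):
    """VMs with a NIC on both production and DMZ, other than the allowed ones."""
    groups_by_vm = {}
    for n in nics:
        groups_by_vm.setdefault(n.vm, set()).add(n.portgroup)
    return sorted(vm for vm, groups in groups_by_vm.items()
                  if {PROD_PORTGROUP, DMZ_PORTGROUP} <= groups
                  and vm not in ALLOWED_DMZ_VMS)


# Constructed snapshot: the ISA server is dual-homed by design; app02 has
# been accidentally given a second NIC on the DMZ port group.
SAMPLE_INVENTORY = [
    Nic("isa01", "vSwitch1", "Production"),
    Nic("isa01", "vSwitch2", "DMZ"),
    Nic("web01", "vSwitch1", "Production"),
    Nic("app02", "vSwitch1", "Production"),
    Nic("app02", "vSwitch2", "DMZ"),
]

if __name__ == "__main__":
    print("Unapproved VMs on DMZ:", find_dmz_violations(SAMPLE_INVENTORY))
    print("Unexpected prod/DMZ bridges:", find_unexpected_bridges(SAMPLE_INVENTORY))
```

Run on a schedule and alert on any non-empty result; the check catches both a VM moved onto the DMZ and a VM that quietly bridges the two networks.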

Makes sense to me.. :)

Carl
