VMware Cloud Community
samuk912
Contributor

Service Console Port on production network

Hi everyone,

I have taken over my company's VMware infrastructure and it's a right mess, so this weekend I am rebuilding my ESX hosts due to a number of reasons, but that is not what I'm asking.

In the current config of my hosts the service console port is connected to my production network, which as far as I can remember is a big no-no from VMware.

Can anyone confirm this, and if so, can anyone point me towards some documents to support it?

Accepted Solution

Erik_Zandboer
Expert

Hi,

A best practice is to keep the service console apart from your production environment. You could consider introducing a management segment. If your physical switches support VLAN and trunking (dot1q), I would advise starting to use those. By putting trunks into your ESX hosts, you can separate network segments while maintaining failover with ease. Do not forget you need a router or firewall somewhere if you want the segments to be able to talk to each other.

In a small environment you could consider running everything from one happy LAN segment. It is all about security. In this scenario, users of your production network would have access to the service consoles of the ESX servers. These service consoles are not particularly weak from a security point of view; it is more the "fact of having" this kind of setup that makes it less secure... Ask yourself the question: what security measures and rules does your company have? Do you have iLO/DRAC-like server management consoles inside your production network as well? Because they should be part of an isolated management network as well if you choose to follow that best practice...

Visit my blog at http://www.vmdamentals.com

4 Replies

vmroyale
Immortal

Hello.

"VMware recommends that you isolate the service console" - p.5 of the Security Hardening Best Practices document.

Good Luck!

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
jeremypage
Enthusiast

It's certainly a good security practice to have that (and other administrative ports) on a secured subnet. I'd say that's secondary to making sure you've got your storage and VMotion networks isolated, but with VLAN technology there's not a reason to do all of them. For a large ESX box your network config might look something like this:

NIC 1: VLAN Secure (not routable/or firewalled) - Service Console 1
NIC 2: VLAN Secure (not routable/or firewalled) - Service Console 2 <- You want two SCs if you are going to use HA; put them on different physical NICs.
NIC 3: VLAN IPstorage (Etherchannel with NIC 4) for iSCSI/NFS traffic.
NIC 4: VLAN IPstorage (Etherchannel with NIC 5) for iSCSI/NFS traffic.
NIC 5: VLAN VMotion (not routable) - VMotion only (you may want two of these if you really need VMotion; I don't rely on VMotion to the point where I need it to have redundant connections).
NIC 6: Trunk to production network
NIC 7: Trunk to production network - VM traffic; add as many VLANs as you need for your VMs.
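
As an added check (not VMware tooling and not code from anyone in this thread), a small Python audit of a layout like the one above: it flags a host where the service console, VMotion or IP storage shares a VLAN with VM traffic, and a host whose two service consoles (needed for HA) sit on the same physical NIC. Port-group names, VLAN IDs and vmnic numbers are assumed.

```python
"""Audit an ESX host's port-group layout against the advice in this thread:
service console, vMotion and IP storage each on a VLAN that no VM port group
shares, and two service-console port groups (for HA) on different physical
NICs. Added example, not VMware tooling; all names and IDs are assumptions."""
from collections import defaultdict
from itertools import combinations

MGMT_ROLES = {"sc", "storage", "vmotion"}

# (port group, role, VLAN ID, uplink NICs): the 7-NIC design from the reply
SEGMENTED = [
    ("Service Console",   "sc",      10, ["vmnic0"]),
    ("Service Console 2", "sc",      10, ["vmnic1"]),
    ("IPStorage",         "storage", 20, ["vmnic2", "vmnic3"]),
    ("VMotion",           "vmotion", 30, ["vmnic4"]),
    ("VM Network",        "vm",     100, ["vmnic5", "vmnic6"]),
    ("VM DMZ",            "vm",     101, ["vmnic5", "vmnic6"]),
]

# The original poster's situation: everything on one flat production VLAN
FLAT = [
    ("Service Console", "sc",      1, ["vmnic0"]),
    ("VMotion",         "vmotion", 1, ["vmnic0"]),
    ("VM Network",      "vm",      1, ["vmnic0", "vmnic1"]),
]

def audit(layout):
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    roles_on_vlan = defaultdict(set)
    for _, role, vlan, _ in layout:
        roles_on_vlan[vlan].add(role)
    # Rule 1: a VLAN carrying VM traffic must not also carry management roles
    for vlan, roles in sorted(roles_on_vlan.items()):
        exposed = sorted(roles & MGMT_ROLES)
        if "vm" in roles and exposed:
            findings.append(f"VLAN {vlan}: VM traffic shares the segment with {exposed}")
    # Rule 2: HA needs two service consoles, each on its own physical NIC
    sc_nics = [set(nics) for _, role, _, nics in layout if role == "sc"]
    if len(sc_nics) < 2:
        findings.append("only one service console port group; no redundant HA path")
    for a, b in combinations(sc_nics, 2):
        if a & b:
            findings.append(f"service console port groups share NIC(s) {sorted(a & b)}")
    return findings

if __name__ == "__main__":
    for name, layout in (("segmented", SEGMENTED), ("flat", FLAT)):
        print(name, "->", audit(layout) or "OK")
```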

samuk912
Contributor

Thanks guys, all great help.