samuk912
Contributor
Contributor

Service Console Port on prodution network

Jump to solution

hi everyone

i have taken over my company's VMware infrastructure and its a right mess so this weekend i am rebuilding my esx hosts due to a number of reasons but that is not what I'M asking.

in the current config of my hosts the service console port is connected to my production network which as far as i can remember is a big no no form VMware

can anyone confirm this and if so can anyone point me towards some documents to support it

0 Kudos
1 Solution

Accepted Solutions

Hi,

A best practice is to keep the service console apart from your production environment. You could consider to introduce a management segment. If your physical switches support VLAN and trunking (dot1q) I would advice to start using those. By putting trunks into your ESX hosts, you can spearate network segments while maintaining failover with ease. Do not forget you need a router or firewall somewhere if you want the segments to be able to talk to each other.

In a small environment you could consider to run everything from one happy LAN segment. It is all about security. In this scenario, users of your production network would have access to the service consoles of the ESX servers. These service consoles are not particularly weak from a security point of view, it is more the "fact of having" this kind of setup that makes it less secure... Ask yourself the question: What does your company have for security measures and rules? Do you have ILO/DRAC like server management consoles inside your production network as well? Because they should be part of an isolated management network as well if you choose to follow that best practice...

Visit my blog at http://www.vmdamentals.com

View solution in original post

0 Kudos
4 Replies
vmroyale
Immortal
Immortal

Hello.

"VMware recommends that you isolate the service console" - p.5 of the Security Hardening Best Practices document.

Good Luck!

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
jeremypage
Enthusiast
Enthusiast

It's certainly a good security practice to have that (and other administrative ports) on a secured subnet. I'd say that's secondary to making sure you've got your storage and vmotion networks isolated, but with VLAN technology there's not a reason to do all of them. For a large ESX box your network config might look something like this:

NIC 1 VLAN Secure (not routable/or firewalled Service Console 1)

NIC 2 VLAN Secure (not routable/or firewalled Service Console 2) <- You want two SCs if you are going to use HA, put them on different physical NICs.

NIC 3 VLAN IPstorage (Etherchannel with NIC 4) for iSCSI/NFS traffic.

NIC 4 VLAN IPstorage (Etherchannel with NIC 5) for iSCSI/NFS traffic

NIC 5 VLAN Vmotion (not routable) Vmotion only (you may want two of these if you really need Vmotion, I don't rely on Vmotion to the point where I need it to have redundant connections.

NIC 6 Trunk to production network

NIC 7 Trunk to production network - VM traffic, add as many VLANs as you need for your VMs

Hi,

A best practice is to keep the service console apart from your production environment. You could consider to introduce a management segment. If your physical switches support VLAN and trunking (dot1q) I would advice to start using those. By putting trunks into your ESX hosts, you can spearate network segments while maintaining failover with ease. Do not forget you need a router or firewall somewhere if you want the segments to be able to talk to each other.

In a small environment you could consider to run everything from one happy LAN segment. It is all about security. In this scenario, users of your production network would have access to the service consoles of the ESX servers. These service consoles are not particularly weak from a security point of view, it is more the "fact of having" this kind of setup that makes it less secure... Ask yourself the question: What does your company have for security measures and rules? Do you have ILO/DRAC like server management consoles inside your production network as well? Because they should be part of an isolated management network as well if you choose to follow that best practice...

Visit my blog at http://www.vmdamentals.com
0 Kudos
samuk912
Contributor
Contributor

thanks guys

all great help

0 Kudos