Hi there,
we are using tagged VLANs on our Core Switches (Nortel 8000) (Layer 3) and Nortel 5530 Switches (Layer 2) to which the ESX servers are connected.
In VI3 we configured the virtual switches in VST Mode according to white paper http://www.vmware.com/pdf/esx3_vlan_wp.pdf.
My question is: what happens if I configure a vSwitch with VLAN 101 and create a VM with IP 10.10.1.100 connected to that vSwitch, but this VLAN is not configured on the physical switch?
Thank you in advance
Tidian
PS: We have no problem with that, it's just a question regarding security.
The traffic will not reach the guest, as it is configured only to respond to VLAN 101 tagged traffic. All other tagged and untagged traffic will be dropped.
If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points
Tom Howarth VCP / vExpert
VMware Communities User Moderator
Blog: www.planetvm.net
Contributing author for the upcoming book "VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment" (http://my.safaribooksonline.com/9780136083214). Currently available on Rough Cuts.
Hello Tom,
thank you for your help. Hopefully your answer will satisfy my colleagues from network team.
Best regards
Tino
Check out the section 'Virtual Switch Protection and VLANs' in the ESX 3 Configuration Guide (page 200-201).
http://www.vmware.com/pdf/vi3_35/esx_3/r35u2/vi3_35_25_u2_3_server_config.pdf
This also has some good material to give you some ammo with the security guys.
http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf
With VST, tagged incoming packets are untagged and sent to the appropriate port group. So if an incoming packet for VLAN 101 came to your vSwitch, it would only be able to send traffic to the port group assigned to VLAN 101. If a VM is on that vSwitch but is not assigned to VLAN 101, it cannot see this traffic. It might be possible to sniff tagged traffic on a vSwitch if you had Promiscuous Mode enabled.
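As an added example that is not part of the original thread or of any VMware code, the following Python models the behaviour the two answers above describe: a VST-mode vSwitch that strips the 802.1Q tag on ingress, delivers the frame only to the port group for that VLAN, drops untagged frames and frames for VLANs with no port group, lets a promiscuous port group see unicast traffic for other vNICs in the same port group, and on egress re-tags with the port group VLAN so that the physical trunk drops the frame when that VLAN (101 in the question) is not configured there. The 802.1Q frame layout is real; the class, helper names, MAC addresses and sample frames are constructed for illustration.

```python
# Added example (not from the original thread or VMware): a minimal model of
# an ESX vSwitch in VST (Virtual Switch Tagging) mode. All names, MACs and
# sample frames below are constructed for illustration.
import struct

ETHERTYPE_8021Q = 0x8100
BROADCAST = b"\xff" * 6


def build_frame(dst, src, vlan=None, payload=b"", ethertype=0x0800):
    """Construct an Ethernet frame; insert an 802.1Q tag if vlan is given."""
    frame = dst + src
    if vlan is not None:
        tci = vlan & 0x0FFF                      # PCP=0, DEI=0, VID=vlan
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vlan_id, untagged_frame); vlan_id is None if no tag present."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]          # strip the 4-byte tag


class VSwitchVST:
    """Port groups keyed by VLAN ID, each holding attached vNIC MACs."""

    def __init__(self):
        self.port_groups = {}  # vlan -> {"macs": set(), "promiscuous": bool}

    def add_port_group(self, vlan, promiscuous=False):
        self.port_groups[vlan] = {"macs": set(), "promiscuous": promiscuous}

    def attach(self, vlan, mac):
        self.port_groups[vlan]["macs"].add(mac)

    def deliver_from_uplink(self, frame):
        """Ingress from the physical trunk: untag and deliver only inside the
        matching port group. Untagged frames and unknown VLANs are dropped."""
        vid, untagged = parse_tag(frame)
        if vid is None or vid not in self.port_groups:
            return []
        pg = self.port_groups[vid]
        dst = untagged[:6]
        return [(mac, untagged) for mac in sorted(pg["macs"])
                if mac == dst or dst == BROADCAST or pg["promiscuous"]]

    def send_to_uplink(self, vlan, untagged_frame, trunk_allowed_vlans):
        """Egress: tag with the port group VLAN; the physical switch drops the
        frame if that VLAN is not configured on the trunk (returns None)."""
        if vlan not in trunk_allowed_vlans:
            return None
        return (untagged_frame[:12]
                + struct.pack("!HH", ETHERTYPE_8021Q, vlan)
                + untagged_frame[12:])


def demo():
    """Constructed scenario: VM A on VLAN 101, VM B on VLAN 102, sniffer C on
    a promiscuous port group for VLAN 101. Returns the observed deliveries."""
    a, b, c, ext = (b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b",
                    b"\x02\x00\x00\x00\x00\x0c", b"\x02\x00\x00\x00\x00\xee")
    vsw = VSwitchVST()
    vsw.add_port_group(101)
    vsw.add_port_group(102)
    vsw.add_port_group(201, promiscuous=True)    # sniffer group, also VLAN 101?
    # No: promiscuous only helps inside the SAME port group / VLAN, so put C
    # into VLAN 101's port group and mark that group promiscuous instead.
    del vsw.port_groups[201]
    vsw.port_groups[101]["promiscuous"] = True
    vsw.attach(101, a)
    vsw.attach(101, c)
    vsw.attach(102, b)

    results = {}
    # 1. Unicast to A on VLAN 101: reaches A, and C (promiscuous, same group).
    results["unicast_101"] = [m for m, _ in
                              vsw.deliver_from_uplink(build_frame(a, ext, 101))]
    # 2. Broadcast on VLAN 102: only B sees it, never A or C.
    results["bcast_102"] = [m for m, _ in
                            vsw.deliver_from_uplink(build_frame(BROADCAST, ext, 102))]
    # 3. Untagged frame and a VLAN with no port group: both dropped.
    results["untagged"] = vsw.deliver_from_uplink(build_frame(BROADCAST, ext))
    results["vlan_300"] = vsw.deliver_from_uplink(build_frame(BROADCAST, ext, 300))
    # 4. The question: VLAN 101 is not configured on the physical switch,
    #    so A's outbound frames are dropped at the trunk.
    out = build_frame(ext, a)
    results["egress_101_not_on_trunk"] = vsw.send_to_uplink(101, out, {1, 102})
    results["egress_101_on_trunk_vid"] = parse_tag(
        vsw.send_to_uplink(101, out, {1, 101, 102}))[0]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The promiscuous case is the only one in which a vNIC sees traffic not addressed to it, and even then only for frames already untagged into its own port group; the model never hands a VLAN 102 frame to a VLAN 101 port group, which is the isolation property the answers above rely on.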
Correct, however if it is untagged or differently tagged traffic, it would be dropped or not even passed.
Tom Howarth VCP / vExpert
VMware Communities User Moderator