VMware Cloud Community
phowarth
Contributor

ESXi 3.5 - Management Port Now a Vmkernel Port

I built my first ESXi 3.5 box. Wow, I love the install. Had a complete working server in less than 15 min from start to the time it was in VC 2.5. I noticed after the install, when I went to add a new vSwitch for VMotion, that at the end of the wizard I wasn't able to create a vmkernel port on the same subnet as another vmkernel port. I looked and noticed that vswif (vSwitch0) didn't have a console port. The management port has been merged/rolled into being a vmkernel port. I checked and it has the ability to make this a VMotion port.

My question is... Is it okay or best practice or not a good idea to use the vswitch hosting the management port for passing vmotion traffic using ESXi?

Pete


Accepted Solutions
Texiwill
Leadership

Hello,

Moved to ESXi forum.

My question is... Is it okay or best practice or not a good idea to use the vswitch hosting the management port for passing vmotion traffic using ESXi?

I would treat the management port just like you would treat any management network: keep it separate. However, most people do combine VMotion and Management onto the same vSwitch. In general, from a security perspective, management is separate from VMotion. VMotion is a clear-text protocol, so access to it should be limited to JUST ESX hosts.

If it was me, I would create another vmkernel for VMotion on a different subnet and give it its own pNIC.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

3 Replies
nick_couchman
Immortal

Also, in ESXi, since the Service Console has pretty much been eliminated, there are only Management interfaces - there is no distinction in ESXi between Service Console and VMKernel interfaces. I think it's great - it greatly simplifies iSCSI and NFS configurations and the issues associated with needing both an SC interface and a VMK interface when configuring those items.

EPSIServer
Contributor

I really need help here because I think I'm in way over my head. I have an ESXi 3.5 server and can only access it with the VM Infrastructure Client. I was attempting to add an NFS datastore and was getting the "unable to access NFS" error. So I looked it up and found some posts that suggested deleting and recreating the vmkernel port group. So I went under networking and found my vmkernel port group (Management Port) and deleted it. I immediately got booted out of the VM Infrastructure Client and can no longer access the VM ESXi host via the VI Infrastructure Client! I feel very lost and quite silly. What have I done, and what must I do to regain access to my VM ESXi host??

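An added example, not code from this thread or from VMware, that turns the accepted answer's layout advice (VMotion vmkernel on its own vSwitch, its own subnet and its own pNIC) into an audit, and adds the guard that would have prevented the mistake in the last post (deleting the only management-enabled vmkernel port and losing VI Client access). The inventory dictionaries are a constructed, hand-written model of what a host's vSwitch and vmknic listing contains; their field names are assumptions, not the output format of any esxcfg or vicfg tool.

```python
"""Audit an ESXi VMkernel network layout for management/VMotion separation.

Added example (not from the thread or VMware). The inventory shape is an
assumption: a dict of vSwitches (uplinks, port groups) and a dict of
vmknics (port group, IP/prefix, management and vmotion roles).
"""
import copy
import ipaddress

# Constructed sample 1: management and VMotion share vSwitch0, subnet and vmnic0.
SHARED = {
    "vswitches": {
        "vSwitch0": {"uplinks": ["vmnic0"],
                     "portgroups": ["Management Network", "VMotion"]},
    },
    "vmknics": {
        "vmk0": {"portgroup": "Management Network", "ip": "10.0.1.11/24",
                 "management": True, "vmotion": False},
        "vmk1": {"portgroup": "VMotion", "ip": "10.0.1.12/24",
                 "management": False, "vmotion": True},
    },
}

# Constructed sample 2: the layout the accepted answer recommends.
SEPARATED = {
    "vswitches": {
        "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": ["Management Network"]},
        "vSwitch1": {"uplinks": ["vmnic1"], "portgroups": ["VMotion"]},
    },
    "vmknics": {
        "vmk0": {"portgroup": "Management Network", "ip": "10.0.1.11/24",
                 "management": True, "vmotion": False},
        "vmk1": {"portgroup": "VMotion", "ip": "10.0.2.11/24",
                 "management": False, "vmotion": True},
    },
}


def vswitch_of(inv, portgroup):
    """Return the name of the vSwitch that carries a port group."""
    for name, vs in inv["vswitches"].items():
        if portgroup in vs["portgroups"]:
            return name
    raise KeyError(f"port group {portgroup!r} not on any vSwitch")


def audit(inv):
    """Return a list of 'CODE: detail' findings; an empty list means clean."""
    findings = []
    vmk = inv["vmknics"]
    mgmt = [n for n, k in vmk.items() if k["management"]]
    if not mgmt:
        # The failure mode from the last post: nothing left to manage the host through.
        findings.append("NO_MGMT: no management-enabled vmknic; host is unreachable")
        return findings
    m_name = mgmt[0]
    m = vmk[m_name]
    if m["vmotion"]:
        findings.append(f"MGMT_VMOTION: {m_name} carries both management and VMotion")
    m_vs = vswitch_of(inv, m["portgroup"])
    m_net = ipaddress.ip_interface(m["ip"]).network
    m_uplinks = set(inv["vswitches"][m_vs]["uplinks"])
    for name, k in vmk.items():
        if name == m_name or not k["vmotion"]:
            continue
        vs = vswitch_of(inv, k["portgroup"])
        uplinks = set(inv["vswitches"][vs]["uplinks"])
        if vs == m_vs:
            findings.append(f"SHARED_VSWITCH: {name} shares {vs} with management")
        if ipaddress.ip_interface(k["ip"]).network == m_net:
            findings.append(f"SHARED_SUBNET: {name} is on the management subnet {m_net}")
        if uplinks & m_uplinks:
            findings.append(f"SHARED_PNIC: {name} shares uplink(s) {sorted(uplinks & m_uplinks)}")
        if not uplinks:
            findings.append(f"NO_UPLINK: {vs} carrying {name} has no pNIC")
    return findings


def can_remove(inv, name):
    """False when the vmknic carries management: deleting it cuts VI Client access."""
    return not inv["vmknics"][name]["management"]


def remove_vmknic(inv, name):
    """Return a copy of the inventory without `name`, refusing the management port."""
    if not can_remove(inv, name):
        raise ValueError(f"{name} carries management traffic; deleting it locks you out")
    new = copy.deepcopy(inv)
    del new["vmknics"][name]
    return new


if __name__ == "__main__":
    for label, inv in (("shared", SHARED), ("separated", SEPARATED)):
        print(label, audit(inv) or "clean")
```

Run it against the two constructed inventories: the shared layout produces SHARED_VSWITCH, SHARED_SUBNET and SHARED_PNIC findings, the separated layout is clean, and `remove_vmknic` refuses to delete vmk0 because it is the management port. To use it on a real host you would fill the dictionaries from the host's own vSwitch and vmknic listing.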