VMware Cloud Community
JoJoGabor
Expert

Separate physical network for VMotion?

In my design for ESXi 3.5 on HP blades I have defined 2 pNICs for the management network and 2 pNICs for VMotion. These go to separate Cisco 3120 blade switches. Now I have stipulated an external switch stack to join the switches up for VMotion. The management network switches then go to another management stack. The customer wants to reduce costs by sharing the external stack for management and VMotion traffic, segregating via VLANs and making the VMotion VLAN non-routable. Are there any downfalls to this?

Bear in mind this is a secure environment. I was always told that VLANing should not be used as a security separation due to the possibility of VLAN hopping. What are the risks here? Bear in mind that this is a sensitive defence-biased network, so I'm attempting to segregate the networks as much as possible.

Your thoughts are welcome

Accepted Solutions
NicholasFarmer
Enthusiast

If you have the hardware (switches) to separate out the networking infrastructure then I would do it for pure performance reasons.

We use a physical firewall to block anything and everything from entering our management and VMotion networks.

They are both VLANs behind the firewall, but we can still allow special access from the administrators' workstations or a management server to reduce the footprint. This method allows us to manage the network with special exceptions.

It's pure risk vs. cost. If you think you have a high chance of someone VLAN hopping on your internal network then using physical security is the best bet. If it's low risk, then just segment it off with VLANs and use access-lists and switch ports to reduce the chances of VLAN hopping.

Hope this helps you decide.

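The switch-port hardening the accepted answer alludes to (access-lists and switch-port settings to cut the chance of VLAN hopping), as an added example that is not part of the original thread: a small Python audit that reads a Cisco IOS-style running-config and flags ports where DTP can still negotiate a trunk, trunks whose native VLAN is VLAN 1 or a data VLAN (the 802.1Q double-tagging case), trunks carrying every VLAN, ports left in VLAN 1, and whether the VMotion VLAN has a live SVI (i.e. is routable at all). The two configs embedded below are constructed for the example; the interface names, VLAN numbers and the choice of VLAN 200 for VMotion are assumptions, not taken from the poster's design.

```python
"""Audit a Cisco IOS-style running-config for the port settings that limit VLAN
hopping (DTP negotiation, 802.1Q double tagging, VLAN 1) and list routed VLANs."""
import re
from typing import Dict, List, Set

# Constructed sample, not from the thread: 3750-style defaults left in place.
WEAK_CONFIG = """\
interface Vlan200
 ip address 10.200.0.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport access vlan 200
!
interface GigabitEthernet1/0/2
 switchport mode trunk
!
interface GigabitEthernet1/0/3
!
"""
# Constructed sample: same ports hardened; VLAN 200 (VMotion) has no SVI, so it
# is not routed; the spare port is parked in an unused VLAN and shut down.
HARDENED_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 998
 switchport nonegotiate
 shutdown
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ifaces[current] = []
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())
        elif raw.strip():
            current = None  # '!' or any other global line ends the stanza
    return ifaces

def routed_vlans(config: str) -> Set[int]:
    """VLANs with a live SVI, i.e. reachable via the switch's routing table."""
    return {int(m.group(1)) for name, lines in parse_interfaces(config).items()
            for m in [re.fullmatch(r"Vlan(\d+)", name)] if m and "shutdown" not in lines}

def audit(config: str) -> Dict[str, List[str]]:
    """Return {port: [issues]} for every up switch port that still permits trunk
    negotiation, native-VLAN double tagging, unpruned trunks or VLAN 1 use."""
    ifaces = parse_interfaces(config)
    tag_native = "vlan dot1q tag native" in [l.strip() for l in config.splitlines()]
    # Data VLANs in use on access ports; a trunk's native VLAN must not be one of them.
    access_vlans = {int(m.group(1)) for lines in ifaces.values() for l in lines
                    for m in [re.fullmatch(r"switchport access vlan (\d+)", l)] if m}
    findings: Dict[str, List[str]] = {}
    for name, lines in ifaces.items():
        if name.startswith("Vlan") or "shutdown" in lines:
            continue  # SVIs are not switch ports; admin-down ports carry no frames
        mode, nonegotiate, native, allowed, access_vlan = None, False, 1, None, 1
        for l in lines:
            if l.startswith("switchport mode "):
                mode = l[len("switchport mode "):]
            elif l == "switchport nonegotiate":
                nonegotiate = True
            elif l.startswith("switchport trunk native vlan "):
                native = int(l.rsplit(None, 1)[1])
            elif l.startswith("switchport trunk allowed vlan "):
                allowed = l.split("allowed vlan ", 1)[1]
            elif l.startswith("switchport access vlan "):
                access_vlan = int(l.rsplit(None, 1)[1])
        issues = []
        if mode in (None, "dynamic auto", "dynamic desirable"):
            issues.append("DTP negotiable: a host can talk itself onto a trunk")
        elif not nonegotiate:
            issues.append("DTP frames still sent: add 'switchport nonegotiate'")
        if mode == "trunk":
            if native == 1 or native in access_vlans:
                issues.append(f"native VLAN {native} is the default or a data VLAN: double-tagging risk")
            if allowed is None:
                issues.append("all VLANs allowed: prune with 'switchport trunk allowed vlan'")
            if not tag_native:
                issues.append("native VLAN untagged: add global 'vlan dot1q tag native'")
        elif access_vlan == 1:
            issues.append("port left in VLAN 1 (default VLAN, also carries CDP/VTP)")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit(WEAK_CONFIG)` and the three ports each come back with findings (the bare trunk alone collects four), while `audit(HARDENED_CONFIG)` is empty; `routed_vlans(WEAK_CONFIG)` reports VLAN 200 because of its SVI, which is exactly the "non-routable VMotion VLAN" requirement the question raises. The checks are switch-side only: an ACL on the management SVI, as the accepted answer uses, still has to be reviewed separately, and none of this changes the point that VLANs remain a logical, not physical, boundary.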
4 Replies
mclark
Expert

If your management network is only accessible by a limited number of admins and is segmented from the other networks, my opinion is that it's not a big issue to have VMotion on the same network and VLAN it if you want. It's how I have it set up. If the admins have full access to VMs anyway, having access to VMotion traffic doesn't gain them anything.

rolohm
Enthusiast

I think it's safe what your customer wants to do.

If you haven't found this article yet I recommend it. It tells you how to minimize the target surface for VLAN hopping attacks.

http://blog.scottlowe.org/2008/03/05/vmotion-and-vlan-security/

/R

JoJoGabor
Expert

Thanks all - useful information. I think I'm going to stick to my guns and recommend a physically separate network due to security considerations. They are very paranoid about security; every aspect of this design has been based around security, so for the price of saving on a 3750 stack I don't think it's worth compromising.

Thanks for your feedback
