Hi,
I am trying to set up our DMZ to run on the same box that already hosts domain machines. Here are the steps I took:
Put the 2 ports on our Cisco switch onto the DMZ VLAN
Create a new vSwitch, and assign the 2 NICs
Assign the VMkernel a DMZ IP address
Am I doing this wrong? Now whenever I try to edit anything on the vSwitch, I get this error:
The request failed because of a connection failure.
What am I doing wrong?
Thanks
OK, it looks like when I try to set the default gateway on the 2nd vSwitch, it is also setting it on the 1st, causing the timeouts when I try to connect to it.
How do I set the DG on just the 2nd vSwitch, to what the DMZ machines use, or do I even need to?
How many NICs do you have in the host?
Tom Howarth
VMware Communities User Moderator
No, you don't need to do this at all. If you want a DMZ network all you need to do is make sure that you have a physical network connection to at least one network port on the ESX server, and this network connection (vmnic) is assigned to a port group on a vSwitch.
We have 4 NICs. Currently 2 are assigned to the 1st vSwitch (on the domain), and the other 2 are assigned to vSwitch2 (on the DMZ).
As it stands, I have the 2nd vSwitch set up with a port group with a test machine on there, but cannot ping anything on the DMZ.
Are you using certain VLANs on your DMZ switch ports?
On the physical switches - yes. The 2 DMZ ports have been put on the DMZ VLAN, but I have not set up any logical VLANs within VMware. Do I need to set them up?
Yes, you need to specify the correct VLAN ID on the DMZ port group.
Spot on, thanks, that's working now.
You have been given the correct answer; please award points by the use of the Helpful and Correct buttons and mark your question as answered.
Tom Howarth
VMware Communities User Moderator
Hello,
You should absolutely never place a VMkernel port within the DMZ. If you do this then your systems are under serious threat. For a DMZ network your VM Network (non-VMkernel port) should be in the DMZ and all VMkernel ports should be on the safe side of your network.
The management network, ILO/DRAC/etc network should also be protected and not placed within the DMZ. I would give http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf a read through to understand how to set this up securely.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
Thanks, so will it work if I just have a vSwitch and a port group? There is already a VMkernel port for vSwitch1, so do I need one for the second DMZ one?
Yes, a vSwitch and a VM portgroup is enough.
A VMkernel portgroup is not required and shouldn't be there.
VMkernel portgroups are needed for VMotion or iSCSI / NFS access - which you shouldn't have in a DMZ anyway.
Thanks, I've removed the VMkernel port. That leads me on to VMotion.
We're planning on implementing VMware Infrastructure in the near future, including VMotion. What's the best option for redundancy if we have implemented a DMZ on one of our VM boxes? Will the HA module work without a VMkernel port?
Hello,
The general safe setup is the following:
Management Network <-> Portgroup <-> vSwitch0
VMotion Network <-> VMkernel portgroup <-> vSwitch1
Storage Network <-> VMkernel portgroup <-> vSwitch2, or no vSwitch if using FC-HBA for SAN
VM Network Production <-> Portgroup <-> vSwitch3
DMZ Network <-> Portgroup <-> vSwitch4
By using multiple vSwitches you have separation. Note you should not have Production and DMZ on the same vSwitch using VLANs. This gives you added security. There is quite a bit of discussion on this in the Security and Compliance forum as well.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
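The rules given in this thread (no VMkernel or Service Console port on the DMZ vSwitch, a real VLAN ID on the DMZ port group, and no mixing of networks on one vSwitch) can be checked from the service console listing rather than by clicking through the VI Client. The script below is an added example, not something from this thread or from VMware; the sample listing is constructed and its layout is modelled on `esxcfg-vswitch -l` on ESX 3.x, which is an assumption, as is the set of port groups backing vmknic/vswif interfaces that you would take from `esxcfg-vmknic -l` and `esxcfg-vswif -l`.

```python
import re

# Constructed sample, modelled on `esxcfg-vswitch -l` output (format is an assumption).
# vSwitch1 reproduces the original poster's mistake: a VMkernel port on the DMZ
# switch, and a DMZ port group left on VLAN 0 (untagged).
LISTING = """Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          5           64                1500    vmnic0,vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Service Console       0        1           vmnic0,vmnic1
  VM Network            0        3           vmnic0,vmnic1

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          4           64                1500    vmnic2,vmnic3

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  VMkernel              0        1           vmnic2,vmnic3
  DMZ Network           0        1           vmnic2,vmnic3
"""
# Port groups that back a vmknic or vswif (assumed, from esxcfg-vmknic -l / esxcfg-vswif -l).
VMKERNEL_PORTGROUPS = {"Service Console", "VMkernel"}

# Port group row: "<name with spaces>  <vlan>  <used ports>  [<uplinks>]"
PG_ROW = re.compile(r"(.+?)\s{2,}(\d+)\s+\d+(?:\s+\S+)?$")

def parse_vswitches(listing):
    """Map each vSwitch name to a list of (port group, VLAN ID) tuples."""
    switches, current = {}, None
    for line in listing.splitlines():
        text = line.strip()
        if not text or text.startswith(("Switch Name", "PortGroup Name")):
            continue                        # blank lines and column headers
        if not line.startswith(" "):        # switch rows start in column 0
            current = text.split()[0]
            switches[current] = []
        else:                               # indented rows are port groups
            name, vlan = PG_ROW.match(text).groups()
            switches[current].append((name, int(vlan)))
    return switches

def audit_dmz(listing, dmz_vswitch, vmkernel_portgroups=VMKERNEL_PORTGROUPS):
    """Apply the thread's DMZ rules to one vSwitch; an empty list means clean."""
    switches = parse_vswitches(listing)
    if dmz_vswitch not in switches:
        return [f"{dmz_vswitch}: no such vSwitch"]
    findings = []
    for name, vlan in switches[dmz_vswitch]:
        if name in vmkernel_portgroups:
            findings.append(f"{name}: VMkernel/Service Console port on DMZ vSwitch, move it to the internal side")
        elif vlan == 0:
            findings.append(f"{name}: DMZ port group has no VLAN ID, its traffic leaves untagged")
    vlans = {v for _, v in switches[dmz_vswitch] if v}
    if len(vlans) > 1:                      # production and DMZ sharing one vSwitch via VLANs
        findings.append(f"{dmz_vswitch}: carries {len(vlans)} VLANs, the DMZ should have its own vSwitch")
    return findings

if __name__ == "__main__":
    for finding in audit_dmz(LISTING, "vSwitch1") or ["vSwitch1: clean"]:
        print(finding)
```

On a real host you would feed it the live output of `esxcfg-vswitch -l` instead of the constructed sample.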
You can VMotion your DMZ VMs using a VMotion port group in the internal LAN. No need to put VMotion in the DMZ.