How many NICs do you have in the host?

Tom Howarth

VMware Communities User Moderator

No you don't need to do this at all. If you want a DMZ network all you need to do is make sure that you have a physical network connection to at least one network port on the ESX server - and this network connection (vmnic) is assigned to a port group on a vswitch.

We have 4 NICs. Currently 2 are assigned to the 1st vswitch (on the domain), and the other 2 are assigned to vswitch2 (on the dmz).

As it stands, I have the 2nd vswitch set up with a port group with a test machine on there, but cannot ping anything on the dmz.

Are you using certain vlans on your DMZ switch ports?

On the physical switches - yes. The 2 DMZ ports have been put on the dmz vlan - but have not set up any logical vlans within vmware. Do I need to set them up?

Yes you need to specify the correct vlan id on the DMZ port group.

Spot on, thanks that's working now

you have been given the correct answer, please award points by the use of the Helpful and Correct buttons and mark you question as answered

Tom Howarth

VMware Communities User Moderator

Hello,

You should absolutely never place a vmkernel port within the DMZ. If you do this then your systems are under serious threat.... For a DMZ network your VM Network (non vmkernel port) should be in the DMZ and all vmkernel ports should be on the safe side of your network.

The management network, ILO/DRAC/etc network should also be protected and not placed within the DMZ. I would give http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf a read through to understand how to set this up securely.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Thanks, so will it work if I just have a vswitch and a port group? There is already a vmkernel port for vmswitch1, so I need one for the second dmz one?

Yes, a vSwitch and a VM portgroup is enough.

A VMkernel portgroup is not required and shouldn't be there.

VMkernel portgroups are needed for VMotion or iSCSI / NFS access - which you shouldn't have in a DMZ anyway.

Thanks, i've removed the vmkernel port. That leads me onto vmotion.

We're planning on implementing VMware Infrastructure in the near future, including vmotion. What's the best option for redundancy if we have implemented a DMZ on one of our VM boxes, will the HA module work without a vmkernel port?

Hello,

The general safe setup is for the following:

Management Network <->portgroup <-> vSwitch0
vMotion Network <-> VMkernel portgroup <-> vSwitch1
storage Network <-> VMkernel portgroup <-> vSwitch2 or no vSwitch if using FC-HBA for SAN
VM Network Production <-> Portgroup <-> vSwitch3
DMZ Network <-> Portgroup <-> vSwitch4

By using multiple vSwitches you have separation... Note you should not have Production and DMZ on the same vSwitch using VLANs. This gives you added security. There is quite a bit of discussion on this in the Security and Compliance forum as well.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

You can vMotion your DMZ VMs using a vMmotion portgroup in the internal LAN. No need to put vMotion in the DMZ.