VMware Cloud Community
AthenaL
Contributor

vSwitch Security

Hello everyone

I have a few questions regarding Virtual Switches which I hope somebody can help me with.

1] Why do I need to have a switch port group set to promiscuous in order for an OS-level bridge to function?

2] Virtual Switch Security...

I have just finished setting up a complete DMZ network within ESXi which includes a bridge firewall, web server, mail server, DNS server and a NAT gateway which then leads to my private LAN. The basic setup is as follows:

INTERNET > vSwitch1 > FreeBSD-Bridge/Firewall > vSwitch2

vSwitch2 > HTTP, SMTP, DNS

vSwitch2 > FreeBSD-NAT/GATEWAY > vSwitch3

vSwitch3 > PRIVATE LAN (Physical LAN)

This all works perfectly, but it got me thinking about vSwitch isolation, especially when the switches are in promiscuous mode. Is it impossible or just unlikely that packets could be routed between different vSwitches, and what measures are in place to stop said packets from being routed between switches?

Many thanks for reading

Athena

2 Replies
depping
Leadership

AFAIK there are no packets routed to another vSwitch unless you specifically send them from a VM on vSwitch1 to a VM on vSwitch2; there's no code in the vSwitch to have it talking to another vSwitch....

Duncan

My virtualisation blog:

If you find this information useful, please award points for "correct" or "helpful".

threeRd
Contributor

I haven't found out why this is so, but I know it is. I've spent hours trying to work out a problem transferring a mock network I had on my laptop with VirtualBox to ESXi. I kept thinking it was an issue with the guests. I'd tried bridging several different ways and nothing was working. Finally, a search on 'one way arp' brought up a website (on cable design! http://forums.cabling-design.com/cisco/One-way-arp-41247-.htm) that nudged me toward the answer.

This really doesn't have anything to do with the original question, but I just wanted to post it somewhere: bridging will not work properly unless vSwitches are set to promiscuous. I would have posted it on the cable design forum since it provided the inspiration, but they have a 15-day wait period for posting!

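An added example, not code from the thread or from VMware, covering both the original question 1] and the bridging note above. A standard vSwitch delivers a frame only to the port whose vNIC MAC matches the destination, so a VM acting as a transparent bridge needs Allow Promiscuous on its port groups to receive frames addressed to hosts behind it (without it ARP replies never reach the bridge, which is the "one way ARP" symptom), and Allow Forged Transmits so that forwarded frames, which keep their original source MAC, are not dropped on the way out. Both settings should be scoped to the bridge's own port groups: enabled on a server port group, promiscuous mode lets every VM on it capture all frames on that vSwitch that the port group's VLAN setting admits. The script below parses the text layout of `esxcli network vswitch standard portgroup policy security get -p <pg>` and flags port groups whose policy does not match that layout. The port-group names and the esxcli output are constructed for the example; the thread does not name its port groups, and nothing here was captured from a real host.

```python
"""Audit ESXi standard port-group security policy for a transparent-bridge DMZ.

Added example, not from the forum thread. The port-group names and the sample
esxcli output are assumptions constructed for illustration.
"""
import re

# Port groups that the bridge/firewall VM's two vNICs are attached to (assumed
# names; one on the Internet-facing vSwitch1, one on the DMZ vSwitch2).
BRIDGE_PORTGROUPS = {"DMZ-Outside", "DMZ-Inside"}

# Constructed sample of what
#   esxcli network vswitch standard portgroup policy security get -p <pg>
# prints for each port group. Not captured from a host.
SAMPLE_ESXCLI_OUTPUT = {
    "DMZ-Outside": (  # correct: both flags on for a bridge leg
        "   Allow Promiscuous: true\n"
        "   Allow MAC Address Change: true\n"
        "   Allow Forged Transmits: true\n"
        "   Override Vswitch Allow Promiscuous: true\n"
        "   Override Vswitch Allow MAC Address Change: false\n"
        "   Override Vswitch Allow Forged Transmits: true\n"
    ),
    "DMZ-Inside": (  # promiscuous missing on a bridge leg: one-way ARP
        "   Allow Promiscuous: false\n"
        "   Allow MAC Address Change: true\n"
        "   Allow Forged Transmits: true\n"
        "   Override Vswitch Allow Promiscuous: false\n"
        "   Override Vswitch Allow MAC Address Change: false\n"
        "   Override Vswitch Allow Forged Transmits: true\n"
    ),
    "DMZ-Servers": (  # promiscuous on the HTTP/SMTP/DNS port group: sniffable
        "   Allow Promiscuous: true\n"
        "   Allow MAC Address Change: true\n"
        "   Allow Forged Transmits: false\n"
        "   Override Vswitch Allow Promiscuous: true\n"
        "   Override Vswitch Allow MAC Address Change: false\n"
        "   Override Vswitch Allow Forged Transmits: false\n"
    ),
    "Private-LAN": (  # hardened: nothing overridden, everything off
        "   Allow Promiscuous: false\n"
        "   Allow MAC Address Change: false\n"
        "   Allow Forged Transmits: false\n"
        "   Override Vswitch Allow Promiscuous: false\n"
        "   Override Vswitch Allow MAC Address Change: false\n"
        "   Override Vswitch Allow Forged Transmits: false\n"
    ),
}

# One "   Key Name: true|false" line of the esxcli text formatter.
_POLICY_LINE = re.compile(r"^\s*([A-Za-z ]+?):\s*(true|false)\s*$", re.IGNORECASE)


def parse_security_policy(text):
    """Turn one esxcli security-policy listing into {key: bool}."""
    policy = {}
    for line in text.splitlines():
        m = _POLICY_LINE.match(line)
        if m:
            policy[m.group(1).strip()] = m.group(2).lower() == "true"
    return policy


def audit_portgroups(outputs, bridge_portgroups):
    """Return (portgroup, finding) pairs for every policy that is wrong for
    its role: bridge legs must allow promiscuous + forged transmits, every
    other port group must allow neither."""
    findings = []
    for pg, text in outputs.items():
        pol = parse_security_policy(text)
        promisc = pol.get("Allow Promiscuous", False)
        forged = pol.get("Allow Forged Transmits", False)
        if pg in bridge_portgroups:
            if not promisc:
                findings.append((pg, "bridge leg without Allow Promiscuous: the "
                                     "bridge only sees frames for its own vNIC MAC"))
            if not forged:
                findings.append((pg, "bridge leg without Allow Forged Transmits: "
                                     "forwarded frames keep the original source "
                                     "MAC and are dropped"))
        else:
            if promisc:
                findings.append((pg, "Allow Promiscuous on a non-bridge port "
                                     "group: any VM on it can capture the "
                                     "vSwitch's traffic"))
            if forged:
                findings.append((pg, "Allow Forged Transmits on a non-bridge "
                                     "port group: a VM can spoof another "
                                     "VM's source MAC"))
    return findings


def remediation_command(pg, bridge_portgroups):
    """esxcli command that sets the expected policy for a port group."""
    flag = "true" if pg in bridge_portgroups else "false"
    return ("esxcli network vswitch standard portgroup policy security set "
            f"-p {pg} --allow-promiscuous={flag} --allow-forged-transmits={flag}")


if __name__ == "__main__":
    for pg, finding in audit_portgroups(SAMPLE_ESXCLI_OUTPUT, BRIDGE_PORTGROUPS):
        print(f"{pg}: {finding}")
        print("    fix: " + remediation_command(pg, BRIDGE_PORTGROUPS))
```

On a live host, replace the constructed dictionary with the output of the `esxcli ... security get -p` command for each port group (`esxcli network vswitch standard portgroup list` enumerates them). Regarding question 2]: promiscuous mode widens what a port receives on its own vSwitch, but it does not create a path between vSwitches; a standard vSwitch forwards frames only to its own ports and physical uplinks, so the only ways traffic crosses from vSwitch1 to vSwitch2 in the layout above are the bridge VM itself and any external cabling between their uplinks.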