Guys,
Just trying to understand something better...
If I have a VM running on ESX and I want to run, for example, telnet within that VM, does it actually make a connection through ESX's firewall or protocol, or does it simply go through the established vSwitches for virtual networking and that request gets "wrapped" into that? In other words, does ESX even "see" that telnet request?
Thank you in advance for your help!
ESX does not "see" virtual machine traffic. VM traffic flows from the guest OS to the vNIC to a port group on a vSwitch, through the vSwitch, to a pNIC, and then out into the external network. The service console IS NOT involved in virtual machine networking. The vmkernel is responsible for managing the flow of data through the vSwitch, but all it sees is a bunch of buffers - it does not inspect the buffers (in fact, it is a separate, dedicated process that manages virtual networking). There is no chance of "cross contamination" of traffic between various VMs or between VMs and service console/vmkernel functions.
HTH,
KLC
Ken Cline
Technical Director, Virtualization
TVAR Solutions, A Wells Landers Group Company
VMware Communities User Moderator
By ESX, if you mean the vSwitch that is set up inside ESX, then I believe it does see those data packets. The "promiscuous mode" setting in the vSwitch wouldn't work if this were not the case. Secondly, the ESX firewall affects Service Console connectivity only.
Cheers.
Thank you for the reply.
Yes, of course, ESX firewall only deals with Service Console. Is there a way on vSwitch to configure it to NOT allow that kind of traffic or to allow this traffic only for certain users?
If "promiscuous mode" is set to reject, then that traffic is safe from eavesdropping. On the contrary, if you are running a packet sniffer inside a VM and want to look at a certain VM's data flow, set the vSwitch to accept promiscuous mode and then connect the packet-sniffing VM to that vSwitch. Now it will be able to see all the traffic flowing through this vSwitch. Basically, promiscuous mode makes the vSwitch act like a hub.
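Since the reply above makes the promiscuous-mode policy the thing that decides whether one VM can observe another's traffic, here is an added audit script (not from this thread or from VMware) that lists every standard vSwitch and port group whose policy is set to Accept and optionally resets it to Reject. It assumes VMware PowerCLI with an existing Connect-VIServer session; the `-Remediate` switch and the `$findings` variable are this example's own names.

```powershell
# Added example: audit standard vSwitches and port groups for a promiscuous
# mode policy of Accept (the "hub" behaviour described in the thread).
# Assumes PowerCLI and an active Connect-VIServer session.
param([switch]$Remediate)   # hypothetical switch: when set, change Accept to Reject

$findings = @()

# vSwitch-level policy: inherited by every port group that does not override it.
foreach ($vs in Get-VirtualSwitch -Standard) {
    $pol = Get-SecurityPolicy -VirtualSwitch $vs
    if ($pol.AllowPromiscuous) {
        $findings += [pscustomobject]@{
            VMHost = $vs.VMHost.Name; Object = $vs.Name; Level = 'vSwitch'
        }
        if ($Remediate) {
            Set-SecurityPolicy -VirtualSwitchPolicy $pol -AllowPromiscuous $false | Out-Null
        }
    }
}

# Port-group level: a port group can override the parent vSwitch, so an
# explicit Accept here matters even when the vSwitch itself rejects it.
foreach ($pg in Get-VirtualPortGroup -Standard) {
    $pol = Get-SecurityPolicy -VirtualPortGroup $pg
    if ($pol.AllowPromiscuous -and -not $pol.AllowPromiscuousInherited) {
        $findings += [pscustomobject]@{
            VMHost = $pg.VirtualSwitch.VMHost.Name; Object = $pg.Name; Level = 'PortGroup'
        }
        if ($Remediate) {
            Set-SecurityPolicy -VirtualPortGroupPolicy $pol -AllowPromiscuous $false | Out-Null
        }
    }
}

# Every row is a switch or port group on which a sniffer VM would see
# other VMs' frames; an empty table means all policies are Reject.
$findings | Format-Table -AutoSize
```

Run it without `-Remediate` first to review the findings, since a dedicated monitoring port group may legitimately need Accept.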