VMware Cloud Community
Vitaly91
VMware Employee

Reality check please...

Guys,

Just trying to understand something better...

If I have a VM running on ESX and I want to run, for example, telnet within that VM, does it actually make a connection through ESX's firewall or protocol, or does it simply go through the established vSwitches for virtual networking so that the request gets "wrapped" into that? In other words, does ESX even "see" that telnet request?

Thank you in advance for your help!


Accepted Solutions
Ken_Cline
Champion

ESX does not "see" virtual machine traffic. VM traffic flows from the guest OS to the vNIC to a port group on a vSwitch, through the vSwitch, to a pNIC, and then out into the external network. The service console IS NOT involved in virtual machine networking. The vmkernel is responsible for managing the flow of data through the vSwitch, but all it sees is a bunch of buffers - it does not inspect the buffers (in fact, it is a separate, dedicated process that manages virtual networking). There is no chance of "cross contamination" of traffic between various VMs or between VMs and service console/vmkernel functions.

HTH,

KLC

Ken Cline

Technical Director, Virtualization

Wells Landers

TVAR Solutions, A Wells Landers Group Company

VMware Communities User Moderator

Ken Cline VMware vExpert 2009 VMware Communities User Moderator Blogging at: http://KensVirtualReality.wordpress.com/

5 Replies
VMWave
Contributor

If by ESX you mean the vSwitch that is set up inside ESX, then I believe it does see those data packets. The "Promiscuous Mode" setting in the vSwitch wouldn't work if this were not the case. Secondly, the ESX firewall affects Service Console connectivity only.

Cheers.

KKeezer
Contributor

I am not sure if this is going to be helpful, but here goes...

Kyle

PS: I will keep looking to see if I can find a true answer to your question.

If you found this information useful, please consider awarding points for "Correct" or "Helpful" answers/replies. Thanks!!
Vitaly91
VMware Employee

Thank you for the reply.

Yes, of course, the ESX firewall only deals with the Service Console. Is there a way to configure the vSwitch to NOT allow that kind of traffic, or to allow this traffic only for certain users?

VMWave
Contributor

If "Promiscuous Mode" is set to reject, then that traffic is safe from eavesdropping. On the contrary, if you are running a packet sniffer inside a VM and want to look at a certain VM's data flow, set the vSwitch to accept Promiscuous Mode and then connect the packet-sniffing VM to that vSwitch. Now it will be able to see all the traffic flowing through this vSwitch. Basically, Promiscuous Mode makes the vSwitch act like a hub.
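
A simplified model of the forwarding behaviour discussed in this thread, added here as an illustration; it is not VMware code and not part of any post. The class names, MAC addresses and VLAN handling are assumptions made for the sketch, and it only models frames sent by a VM, not frames arriving from the physical uplink.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
VM_B_MAC = "00:50:56:00:00:0b"  # constructed sample address

@dataclass
class Port:
    name: str
    mac: str
    vlan: int = 0
    guest_promisc: bool = False  # guest OS put its vNIC into promiscuous mode

class VSwitch:
    def __init__(self, allow_promiscuous=False):
        # Models the vSwitch "Promiscuous Mode" policy: Accept (True) / Reject (False)
        self.allow_promiscuous = allow_promiscuous
        self.ports = []

    def connect(self, port):
        self.ports.append(port)
        return port

    def deliver(self, src, dst_mac):
        """Return (names of local ports that get a copy, frame also leaves via uplink)."""
        receivers, known_locally = [], False
        for p in self.ports:
            if p is src or p.vlan != src.vlan:
                continue  # never echoed to the sender, never across VLANs
            if p.mac == dst_mac:
                known_locally = True
            # A guest asking for promiscuous mode only gets copies if policy accepts it
            sniffing = self.allow_promiscuous and p.guest_promisc
            if p.mac == dst_mac or dst_mac == BROADCAST or sniffing:
                receivers.append(p.name)
        return receivers, (dst_mac == BROADCAST or not known_locally)

def demo(allow_promiscuous, dst_mac=VM_B_MAC):
    """vm-a sends one frame (e.g. a telnet packet) towards dst_mac."""
    sw = VSwitch(allow_promiscuous)
    vm_a = sw.connect(Port("vm-a", "00:50:56:00:00:0a"))
    sw.connect(Port("vm-b", VM_B_MAC))
    sw.connect(Port("sniffer", "00:50:56:00:00:0c", guest_promisc=True))
    sw.connect(Port("other-vlan", "00:50:56:00:00:0d", vlan=20, guest_promisc=True))
    return sw.deliver(vm_a, dst_mac)

if __name__ == "__main__":
    print("Reject:", demo(False))  # only the addressed VM receives the frame
    print("Accept:", demo(True))   # the sniffing VM on the same VLAN also gets a copy
```

With the policy set to reject, a guest that enables promiscuous mode on its own vNIC still receives only frames addressed to it, which is why reject is the setting to verify on any port group carrying cleartext protocols such as telnet.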
