How do I separate networks (DMZ for mail server) o...

Jaikudo · ‎02-08-2012

Hi guys,

I am trying to plan and get our Mail server on a separate network and i am kind of stuck as I am no expert in ESXi or vSphere.

To give you guys a quick walkthrough: At the moment our mail server isn't accessible from outside. The company wants the email server on the Internet for many reasons so now I have to do something like having it in DMZ.

Our setup:

We have 2 HP DL380 G6 hosts with ESXi 5 (Essential plus)

1 HP SAN (No redundancy, but might add one in future if can)

2 physical switches for the hosts and SAN

Draytek 3200 Firewall/VPN

All servers are virtual including proxy (Squid)

No Vlan setup anywhere

--

On ESXi configuration there are two standard vSwitches - vsw0 and vsw1 (we only have 4 physical nics each, which are using for reduduncy as well. See screenshots)

My plan:

is to have the mail server on a different subnet than our LAN and have it on the Internet using our current Draytek Firewall Router or a separate one.

Our mail server will then only be allowed few ports from the internet and will not allow to access LAN, but LAN will be able to pull emails server.

What I would like:

is to create another vswitch or vlan so I can have mail server on that vswitch and rest of LAN on the one we have currently.

Is this possible? I know it is with distributed but we dont have enterprise plus.

I have attached the screenshots of config to give you guys an idea.

I am having a feeling i would require additional physical NICs on both ESXi hosts.. but does that mean need some additional expansion card for DL380 g6?

Thanks.

Screenshots:

Network Adapters:

Networking:

vSwitch0 Properties:

vSwitch0 Network Adpt:

vSwitch1 Properties:

vSwitch1 Network Adpt:

vSwitch 1 iSCSI 1 Properties:

vSwitch1 iSCSI 2 Properties:

I would appreciate if someone can point me to the right direction so I dont have to have the mail server out as a physical server.

Thanks,

weinstein5 · ‎02-08-2012

What you are planning is definitely doable - with standard vswitches you can apply vlan tags to the entire switch or to the individual virtual machine port groups - so I would create a virtual machine port group for your Exchange servers assign its own vlan id - Remember you will have to configure he ports on the physical switch as a trunk port identifying all the vlans that will be coming across that port

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

Jaikudo · ‎02-08-2012

Thanks Weinstein,

Sorry I forgot to mention, the Physical switch we have our ESXi hosts and SAN on are not manageable.

Does that mean is not doable until we replace the switches (ProCurve 1400 G8) with the ones we can identify vlans on?

weinstein5 · ‎02-08-2012

It is still possible you just would not use vlan tags but completely seperate networks - for example 192.168.1.x/24 and 192.168.2.x/24

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

Jaikudo · ‎02-08-2012

Ahh i see. So then will have to create another Standard vSwitch and map it to a physical NIC? Which brings me to another hurdle - no spare physical NICs on the Hosts :s... I may need to add extra on the Host then.

weinstein5 · ‎02-08-2012

You do not have to create another virtual switch - the traffic from the two VMs can share the same physical port even though they are on different network segments - remember switches are layer two device and use the MAC address of machine and do not care about IP addresses which are layer three -

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

AnthonyChow · ‎02-08-2012

Interesting. I am planning to do something like this at work.

thanks for the information.

Jaikudo · ‎02-13-2012

Hi Weinstein5,

Sorry for the late reply, i was testing and then also searching for some managed switch so I can test it.

I had tried creating DMZ machine on a same vSwitch, but because the network adaptor of that switch has our LAN IPs, the DMZ is picking up LANs IP from DHCP.

I can exclude the IP from DHCP Server and also exclude the MAC address of it (Win 2k3 hack), but it's not a proper DMZ.

Can I use one of the network card from the vSwitch 1 pic below (for iSCSI) and assign it for DMZ network, leaving one for iSCSI?

Now while i am writing this, i am having a feeling this might not be a good idea for iscsi hmm..

will it be just easier to add another physical adaptor to hosts and have that assigned a different network? I think i am getting more confused now.

Jaikudo · ‎02-13-2012

I am thinking to replace the main switch with the manageable swtich http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/12883-12883-4172267-4172281-4172281-3963985-3963987.ht...

The plan is to then set vlans and have LAN on, lets say, vlan ID 50, and DMZ on vlan ID 60. vlan ID 50 will be given to the LAN network on esxi hosts, and i will create a new v network with the ID 50 and that would be for DMZ.

Do you think it will work?

iSCSI will keep the current switches which are unmanaged.

Jaikudo · ‎02-17-2012

Ok I have bought HP Procurve v1810G-24 and I am testing the vLAN setup on testing environment.

I will then try it on VMware and see if it works.

I will keep you guys updated.

rickardnobel · ‎02-17-2012

Jaikudo wrote:
Ok I have bought HP Procurve v1810G-24 and I am testing the vLAN setup on testing environment

The 1810 line is a good, but somewhat simple, switch. It does have VLAN support and link aggregation and while lacking command line interface for management still performs very well. Getting 24 gigabit port for such low cost is good value for money.

My VMware blog: www.rickardnobel.se

All

How do I separate networks (DMZ for mail server) on vSphere/Esxi5?