VMware Cloud Community
Sly
Contributor

Isolating VMotion traffic

I cannot find any other reason to isolate VMotion traffic, other than keeping the unsecured information from being exposed to the rest of the network. Is a VLAN for VMotion only a security precaution?


Accepted Solutions
Texiwill
Leadership

Hello,

It is not required to dedicate a vSwitch for VMotion; setting the right NIC usage policy is enough.

Not sure I agree with this but that is because of Layer 2 issues more than anything else. This is correct if you TRUST VLANs. If you do not trust VLANs because of possible layer 2 attacks within your physical network then this is not acceptable.

There are two reasons to segregate VMotion traffic:

1) Performance. When you need VMotion you want it as quick as possible; you do not want it contending with disk IO or any other network IO. In general it has been acceptable to share VMotion and SC networks, as SC is generally low utilization unless you are cold migrating VMs from node to node, etc.

2) Security. You absolutely want VMotion to be segregated. Think what you are doing: you are transferring the VM's memory image across a wire in CLEAR TEXT. That is unless you flip the bit that says to use SSL to secure this. Even so, SSL MiTM may be possible (have not tested this yet). Memory images contain credential information. Hackers love that type of data.

So yes, Security is the primary reason... Are VLANs enough? That depends on your levels of TRUST in VLANs as well as your Security Policy.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

8 Replies
AntonVZhbankov
Immortal

VMotion process also produces a heavy network load.

It's not a requirement to separate VMotion onto another VLAN, just a security recommendation. But at least dedicate a NIC for VMotion.


---

VMware vExpert '2009

http://blog.vadmin.ru

EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
http://t.me/beerpanda
joshp
Enthusiast

I question the benefits of having a separate network for vMotion. It's always possible for a Man in the Middle attack to sniff raw memory frames during a vMotion, but that same issue is present even when the vMotion network is separate/dedicated. It makes sense to separate the vMotion network if you can physically separate the vMotion network from the VM networks by a firewall. That way the vMotion (and hopefully service console) networks only allow specific access (i.e. vCenter to ESX, ESX to ESX) via carefully crafted ACLs. I also don't see the benefit from a bandwidth perspective. Say I have four NICs in a server. At minimum I would have to dedicate two of the NICs to service console and vmkernel (vMotion) for redundancy. I would only be left with two NICs for all my VM traffic. Why not just combine all four NICs on one vSwitch for service console, vMotion and VM network traffic? It seems one could see better throughput in this configuration over four NICs (trunked or untrunked). How many vMotions do you have in a 24 hour period anyway (maybe 2 per hour per ESX host)?

VCP 3, 4 www.vstable.com
howie
Enthusiast

The primary reason we advocated dedicated NICs for vMotion in the past is for performance and security isolation. But you are right that you may get the same isolation from using a VLAN; you are also right that some people do not feel it is the right tradeoff to dedicate a vSwitch to vMotion.

All I'm going to say here is that someone's best practice may not be the best in others' environments. Today we do NOT require you to have a dedicated vSwitch for vMotion anyway.

Also, you indeed may put all pNICs in one vSwitch, but you want to make sure all of them are on the same broadcast domain. After that, you can tweak your teaming policy so that you "dedicate" one of them to vMotion, but it is then also available for other clients (VMs etc.) during failover, etc.

-howie
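The checks Texiwill and howie describe (vMotion kept off the VM broadcast domain, and a teaming policy that "dedicates" one pNIC with a standby) as an added PowerCLI audit script; this is not code from the thread, it assumes an open Connect-VIServer session and standard vSwitches, and the 9000-byte MTU threshold is an assumption.

```powershell
# Added example (not from the thread): audit each ESX/ESXi host's vMotion
# network placement with VMware PowerCLI. Assumes an existing Connect-VIServer
# session and standard vSwitches; the MTU threshold is an assumption.

function Test-VMotionIsolation {
    param([Parameter(Mandatory)] [string] $HostName)

    $esx = Get-VMHost -Name $HostName
    $findings = @()

    # All vmkernel adapters on this host that carry vMotion
    $vmks = Get-VMHostNetworkAdapter -VMHost $esx -VMKernel |
            Where-Object { $_.VMotionEnabled }
    if (-not $vmks) { return @("$HostName : no vMotion-enabled vmkernel adapter") }

    # VLAN IDs used by port groups that are not vmkernel ports (i.e. VM traffic)
    $vmkPgNames = $vmks | ForEach-Object { $_.PortGroupName }
    $allPgs = Get-VirtualPortGroup -VMHost $esx -Standard
    $vmVlans = $allPgs | Where-Object { $vmkPgNames -notcontains $_.Name } |
               ForEach-Object { $_.VLanId }

    foreach ($vmk in $vmks) {
        $pg = $allPgs | Where-Object { $_.Name -eq $vmk.PortGroupName }

        # Texiwill's point: vMotion must not share a broadcast domain with VMs.
        # VLAN 0 means untagged, so it shares the native VLAN with untagged VM ports.
        if ($pg.VLanId -eq 0 -or $vmVlans -contains $pg.VLanId) {
            $findings += "$HostName : $($vmk.Name) on '$($pg.Name)' shares VLAN $($pg.VLanId) with VM port groups"
        }

        # howie's point: one explicit active uplink plus a standby "dedicates" a pNIC
        # to vMotion while still failing over to the shared uplinks.
        $team = Get-NicTeamingPolicy -VirtualPortGroup $pg
        if ($team.ActiveNic.Count -ne 1 -or $team.StandbyNic.Count -lt 1) {
            $findings += "$HostName : '$($pg.Name)' teaming is not 1 active + standby (active=$($team.ActiveNic -join ','))"
        }

        # Performance check: jumbo frames only help if the whole path carries them
        if ($vmk.Mtu -lt 9000) {
            $findings += "$HostName : $($vmk.Name) MTU is $($vmk.Mtu) (no jumbo frames)"
        }
    }
    return $findings
}

# Run the audit across every connected host and print the findings
Get-VMHost | ForEach-Object { Test-VMotionIsolation -HostName $_.Name }
```

An empty result for a host means its vMotion vmkernel port is on its own VLAN with a dedicated active uplink; the findings list what to revisit, not what to change automatically.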

AntonVZhbankov
Immortal

It is not required to dedicate a vSwitch for VMotion; setting the right NIC usage policy is enough.


howie
Enthusiast

Texiwill summed it pretty well. There is also a 10G consolidation of everything as well ...

Sly
Contributor

Thank you to everyone for your input. This was very good feedback. I tried to split up the points as I felt appropriate.

I did have a follow up question about VLAN security and I will post it as a new thread.

Sly
Contributor

As a follow-up to this older post, I learned of another good reason to separate VMotion traffic onto its own switch rather than a VLAN, and I wanted to pass on this learning experience for others to consider: some switches, such as the Cisco 3750 that we are using, do not support enabling Jumbo Frames on individual ports or VLANs, and this must be enabled for the entire switch. Since the majority of the traffic on this switch is LAN traffic, it would not be wise for us to turn on Jumbo Frames for the entire switch. As a result our VMotion performance is not as good as it could be.
