Management Traffic Dedicated VLAN

tomtom1 · ‎07-29-2014

Hi,, could someone please tell me if you need to have dedicated VLAN for Management traiffc? I know for vMotion it makes sense but should we also have dedicated VLAN for Management traffic? If yes, then please point me to VMware documentation, networking guys won't take my word :smileyshocked:

Thanks

Texiwill · ‎07-29-2014

Hello,

This is more of a security issue btw, you need to segregate ALL management traffic from everything else, sources for this include:

* vSphere Hardening Guide

* VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers

* VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment'

* Every security guide ever written for VMware ESX, ESXi, vSphere from CIS through DISA

* Countless posts on the subject from myself, Mike Foley, and other security professionals

If your networking team really would like to know why this should be, I would be more than happy to talk with them. Segregating management traffic either on its own VLAN or physical network is the best practice. Some even use different subnets but also firewall off management traffic. This truly depends on your network and means to segregate traffic.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

schepp · ‎07-29-2014

Hi,

although I don't think the VLAN usage is explicit recommendet in the documentation, I would, like Edward, consider it a best practice to seperate your management traffic from the rest of your network.

This doesn't only apply for vSphere, but also the rest of your infrastructure.

Tim

tomtom1 · ‎07-29-2014

Texiwill, thanks a lot for your detailed response. Apart from Hardening Guide, (excel sheet). I don't see any other document from VMware. I cannot give them a link to the book. Do you know any official publication from VMware stating about dedicated VLAN for Mgt. VLAN

Thanks

Texiwill · ‎07-29-2014

Hello,

The Hardening Guide IS the official Security document for vSphere and should be more than sufficient.

If it is not, then I suggest your networking team spend sometime with the security team or researching why this is so very important to do.

Use of a VLAN is just one way to segregate your traffic, there are other ways, employ one of them. If they feel they have sufficient segregation without a VLAN, then that is fine as well. Just have them prove it in some fashion. For example, I use subnets and place a firewall (vCNS Edge) between my management network and my other workloads.

BTW, every book on vSphere says to segregate management. We all have written the same 90 or so pages on networking that say the same thing. So I would give them a link to any of the books and ask them to read the networking chapters. Mine just happen to be more security focused than others and go into why you want it this way. So I would use this as a method to educate your networking team about virtualization security and network segregation requirements. There are 7 or so networks within vSphere and 4 of them should be segregated from VMs not within those networks: Management, vMotion, Fault Tolerance, and Storage.

Also check out Security of the VMware Hypervisor - A Whitepaper | VMware vSphere Blog - VMware Blogs

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

mikefoley · ‎07-29-2014

Edward and Tim have done a great job of Why. As the Hardening Guide author, I recognize the lack of further "official" documentation on how/why to set up a separate management LAN and I'm working to change that. (No timeframe)

Until then, what Edward and Tim have posted around best practices and such are valid.

Not sure why you would NOT want to isolate your management LAN from other traffic, especially VM traffic. The management interfaces, after all, are the keys to the kingdom. To not take a defense in depth approach to securing these management interfaces is kind of odd.

mike

chriswahl · ‎08-10-2014

If your network team is playing the technicality game, then it's true - there are no specific technical requirement for VLANs for anything. You could run the entire network untagged on VLAN 1 and that would work to a certain point of scale.

If you already have a VLAN for secure management traffic, that may be a secondary option - or using a VLAN on each "pod" of hosts if you don't want to scale out layer 2 across the data center and route between them (this is supported). The rest of the reasons are security related and in the documentation provided by other replies.

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators

All

Management Traffic Dedicated VLAN