VMware Cloud Community
valteresjunior1
Contributor

Mgmt VMKernel Interface

Hi All. 

In a lab environment, I have an ESXi host with VMkernel interfaces in the same subnet, but only one with the management service enabled. So, with both addresses I can manage this server (access the VMware Host Client, add the host to vCenter, open an SSH session). Is this the expected behavior? Which kind of traffic is exclusive to the management service? I thought that only a VMkernel interface with the management service enabled could be used to manage ESXi.

Regards. 

Valter Junior

4 Replies
alantz
Enthusiast

I'm a newbie, but I believe that checkbox refers to host-to-vCenter communications, not workstation-to-vCenter for your access to manage your environment via the browser.

--Alan--

IRIX201110141
Champion

This "management" label is misleading, because its only purpose is to tell ESXi where to place the default HA network, and in the old days this is where the one and only gateway was located.

The standard services are bound to all interfaces and are reachable from outside on all of them.

Regards,
Joerg

valteresjunior1
Contributor

Hi Joerg. Thank you for your answer. I have 2 questions:

1. In my case, why does this behavior happen, since my ESXi host is not in a vSphere HA cluster and so the FDM agent is not installed yet?

2. Isn't the ESXi host being reachable on all interfaces considered a security vulnerability?

Regards. 

Valter Junior

IRIX201110141
Champion

1. Maybe there are some more bits and pieces you tell ESXi when ticking the "management" checkbox, but for sure it's not how YOU, and I would say all others too, interpret this setting. It will not tell ESXi where to listen for connections to the Host Client, SSH and so on.

2. Well... the reason for more VMKs is normally the special function for FT, vMotion, iSCSI and so on. In the old days all of these were non-routable, and when placed in a separate subnet and a different VLAN you can't reach them from the outside.

If you like, you can add IP addresses or subnets from which the ESXi firewall lets you connect to SSH, the Host Client, and every other service you want to add protection to.

Btw.... best practice is to leave SSH and the ESXi Shell disabled until you have a need for them.

Regards,
Joerg

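The firewall restriction and the SSH/ESXi Shell advice from Joerg's last reply, as an added example that is not part of the thread. It assumes it runs in the ESXi shell (esxcli and vim-cmd present) and otherwise only prints the commands; sshServer and vSphereClient are the standard ESXi ruleset ids, while 10.10.0.0/24 is a constructed placeholder for the admin subnet.

```shell
#!/bin/sh
# Added example, not from the thread: lock the ESXi firewall rulesets for SSH
# and the Host Client to an admin subnet and turn SSH / ESXi Shell off.
# Constructed placeholder: the subnet admins are allowed to connect from.
MGMT_NETS="10.10.0.0/24"

# Print the esxcli commands that stop RULESET from accepting every source
# ("allowed-all false") and then allow only the given CIDRs.
# Usage: restrict_ruleset_cmds <ruleset-id> <cidr>...
restrict_ruleset_cmds() {
    ruleset=$1
    shift
    echo "esxcli network firewall ruleset set --ruleset-id $ruleset --allowed-all false"
    for cidr in "$@"; do
        echo "esxcli network firewall ruleset allowedip add --ruleset-id $ruleset --ip-address $cidr"
    done
}

# Print the commands that stop the SSH and ESXi Shell services.
disable_shells_cmds() {
    echo "vim-cmd hostsvc/disable_ssh"
    echo "vim-cmd hostsvc/disable_esx_shell"
}

# Execute each command read from stdin on a real host; elsewhere dry-run.
run_cmds() {
    while IFS= read -r cmd; do
        if command -v esxcli >/dev/null 2>&1; then
            eval "$cmd"
        else
            echo "DRY-RUN: $cmd"
        fi
    done
}

# Show the SSH and HTTPS listeners bound to 0.0.0.0, which is why the host
# answers on every VMkernel address regardless of the "management" tag.
# Only meaningful on the host itself.
show_wildcard_listeners() {
    esxcli network ip connection list | grep -iE 'tcp.*0\.0\.0\.0:(22|443) '
}

main() {
    for rs in sshServer vSphereClient; do
        restrict_ruleset_cmds "$rs" $MGMT_NETS   # unquoted: one CIDR per word
    done | run_cmds
    disable_shells_cmds | run_cmds
}

main "$@"
```

Run it once per host after confirming the admin subnet is right, because a wrong CIDR in the allowed list locks you out of SSH and the Host Client until you fix it from the DCUI.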