9 Replies Latest reply on Jul 8, 2014 12:01 PM by VirtualRay

    DMZ question

    VirtualRay Hot Shot



      I would like to ask about DMZ VMs.

      1- VMs in the DMZ network can talk/ping to each other with the current network settings of the vSwitch. Is there any way to stop them from accessing/pinging each other through the vSwitch?

      2- If I use a vDS and put them into an isolated VLAN, will these VMs not communicate with each other but still be able to talk to my other physical servers outside (DNS/monitoring) and to the VMs in the normal network, even if those VMs are on a vSwitch?


      Thanks in advance

        • 1. Re: DMZ question
          JPM300 Expert

          Hey VirtualRay,


          Typically people accomplish DMZs in a few ways.


          1.)  They dedicate 2+ NICs to all the port groups that you wish to be in the DMZ and then have those run to a switch/firewall to keep them isolated.  The firewall typically does most of the work here, as you will set up access rules for what ports are allowed in and out of the DMZ port groups.  All VMs in these port groups will be able to talk to each other unless you want different DMZ silos with different VLANs / broadcast ranges, i.e. DMZ1 - 10.0.1.x /24 VLAN 100, DMZ2 - 10.0.2.x /24 VLAN 200; then when traffic routes to the switches/routers you can control what can talk to what.

          quick picture dmzsetup.PNG



          2.)  They use Private VLANs.  Private VLANs are really handy, as they allow you to create a Primary Private VLAN and then have secondary VLANs inside of it.  The secondary VLANs inside the primary are broken down into 2 different groups: Community and Isolated.  Community can talk to the private VLAN and anything else in its own community.  Isolated can only talk to anything inside the Isolated and the Private VLAN.  Your firewall will typically be sitting on the Private VLAN, which will do the routing between the traffic.

          So in this picture Community VLAN 123 can talk to anything inside VLAN 123 and the Primary VLAN 111, while Community VLAN 345 can talk to anything inside its community and Primary VLAN 111; however, the communities are unable to communicate with each other.  The Isolated VLAN 222 can only talk to other systems in the Isolated VLAN and of course the Primary VLAN 111, as that's its route out to the external world.


          3.)  You can use a virtual router and/or vShield to create a virtual firewall on your DMZ port groups and control what can go in and out that way.


          Most people opt for option 1, as option 2 requires some more advanced switch setup and your hardware switches need the ability to do PVLANs.


          I hope this has helped.

          • 2. Re: DMZ question
            rh5592 Expert
            VMware Employees

            Nice detailed post there JPM300!!

            • 3. Re: DMZ question
              JPM300 Expert

              Thanks Rommel Humarang


              Looking back on the original question, 1.) VMs in the DMZ network can talk/ping to each other with the current network settings of the vSwitch; is there any way to stop them from accessing/pinging each other through the vSwitch?


              If you don't want to use PVLANs you can create two port groups for two different VLANs like I mentioned before, so for example: DMZ1 - 10.0.1.x /24 VLAN 100, DMZ2 - 10.0.2.x /24 VLAN.  Now since these port groups are on different VLANs and different networks they will need to go to the gateway to route to each other, meaning inside the Standard vSwitch or VDS they will not be able to ping each other.  Also, here is a quick blog on the vCloud Networking and Security Manager (formerly known as vShield Manager) if you want to know more about it: vCloud Networking and Security 5.1 App Firewall - Part 1 | VMware vSphere Blog - VMware Blogs



              If you have any questions, let us know.


              Hope this has helped,

              • 4. Re: DMZ question
                vfk Expert

                JPM300 is a legend, that is a top response.

                • 5. Re: DMZ question
                  VirtualRay Hot Shot

                  Thanks a lot JPM300, you are always helping me. Thanks again.


                  Actually, I already have DMZ port groups and VLANs in place, but VMs in one network can ping each other.


                  For instance, if I take your example, my VMs in DMZ1 - 10.0.1.x /24 VLAN 100 can ping/access each other within DMZ1, which is dangerous for my environment.

                  So in this scenario, where I am running 4.1, which solution is good for me: vDS private VLANs or vShield (vShield for 4.1 may be available)?

                  • 6. Re: DMZ question
                    JPM300 Expert

                    If you have VMs in DMZ 10.0.1.X /24 VLAN 100 and other VMs in DMZ1 10.0.2.x /24 VLAN 200 and they can ping each other, my guess is they are leaving your vSwitch, going to your layer 3 switch/router/firewall and routing back into the other network.  On the vSwitch, whether it is a VSS or a VDS, if they are on different VLANs / networks they can't talk, as the vSwitches don't have any routing.


                    Try this:

                    Create a new VSS.
                    Create two new port groups, DMZ2 (VLAN 400) and DMZ3 (VLAN 500), and put no external uplinks into this vSwitch. Then put 1 VM in each DMZ. If they cannot talk to each other, it is your physical switching that is routing the networks for you and you will need to look into that.  If they can talk together, do a route print on the VMs, as that shouldn't be possible.


                    If you have a VDS already, just create a 2nd one with no UPLINK ports, create 2 port groups in the same manner and test in the same fashion.


                    I have a very good feeling your VMs are sending traffic out of the vSwitch up to your physical switches and coming back.


                    When it comes down to PVLANs and vShield, I like to keep things on my physical network if I have already put the investment in for the hardware, as I see it as using that investment.  I typically use vShield Manager when this solution means I don't have to spend extra capital to get the solution working, or if I need some kind of automation with Orchestrator.  Either way is fine; I find the physical stuff easier to use, as vShield Manager has a lot of stuff in it, which means a lot of extra material to learn / test prior to production deployment.


                    Np, anytime.

                    • 7. Re: DMZ question
                      VirtualRay Hot Shot

                      Sorry, English is not my first language and I used the wrong words, so I was not able to put it clearly. Let me try one more time.


                      In my DMZ environment, VMs of one port group are able to ping each other within the same port group; they are not able to ping the other port group.

                      So I want to stop this access within the same port group.

                      For example: VMs in my DMZ 10.0.1.X /24 VLAN 100 network and port group are able to access each other within the same VLAN 100. How can I stop it?

                      What do you suggest?


                      • 8. Re: DMZ question
                        JPM300 Expert

                        Ahhhhh okay,


                        Well, if the VMs have to stay in the same port group and you can't split them out, your best bet is Private VLANs, assuming your physical switches have the capability.


                        Here is a pic that better explains PVLANs again:



                        Here is another with what you probably want to do:

                        As you can see, you would put a set of your VMs that you want to be able to communicate with each other in a community, say VLAN 17 as in this picture, then put the other VMs that you don't want to talk to anything in the Isolated PVLAN 155, as in the picture.


                        Now once you have your VMs in the proper groups you can either put a software firewall on the Promiscuous group or have it just route out to your physical switches, assuming they can do PVLANs, and have them route the traffic accordingly.
                        If you want to test this out in your VMware environment prior to production, you can test everything out with test VMs on a test VDS and everything will work as long as all the VMs you are testing stay on the same host / VDS.


                        To quickly go over PVLANs again here is how it breaks down:


                        • Promiscuous – A node attached to a port in a promiscuous secondary PVLAN may send and receive packets to any node in any other secondary VLAN associated with the same primary. Routers are typically attached to promiscuous ports.
                        • Isolated – A node attached to a port in an isolated secondary PVLAN may only send to and receive packets from the promiscuous PVLAN.
                        • Community – A node attached to a port in a community secondary PVLAN may send to and receive packets from other ports in the same secondary PVLAN, as well as send to and receive packets from the promiscuous PVLAN.



                        Here is some more information on the topic as well to help you along:


                        vSphere Private VLANs - Dev Environment Use Case


                        There is a free online lab / course for Distributed Switches in 5.5, but I don't remember if they do PVLANs or not:

                        VMware - NEE


                        Hope this helped clear things up,
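The three PVLAN rules above, written out as a small reachability model so a DMZ design can be checked before it is configured on the VDS. This is an added example, not code from the thread or from VMware; the VLAN numbers (primary 111, communities 123/345, isolated 222) follow the picture described earlier, and the VM names are constructed.

```python
# Added example: model of PVLAN layer-2 reachability (promiscuous / isolated / community).
# Not VMware code; VLAN ids follow the thread's picture, VM names are constructed.
from dataclasses import dataclass
from enum import Enum


class PvlanType(Enum):
    PROMISCUOUS = "promiscuous"   # firewall/router port: reaches every secondary of its primary
    ISOLATED = "isolated"         # reaches only the promiscuous port
    COMMUNITY = "community"       # reaches its own community plus the promiscuous port


@dataclass(frozen=True)
class Port:
    """One VM vNIC and the PVLAN its port group is assigned to."""
    name: str
    primary: int     # primary PVLAN, e.g. 111
    secondary: int   # secondary PVLAN; equals the primary for a promiscuous port
    ptype: PvlanType


def can_reach(a: Port, b: Port) -> bool:
    """Can frames from port a reach port b inside the same vSwitch/VDS?"""
    if a.primary != b.primary:
        return False  # different primaries: no path without a router
    if PvlanType.PROMISCUOUS in (a.ptype, b.ptype):
        return True   # promiscuous talks to every secondary of its primary
    if a.ptype is PvlanType.COMMUNITY and b.ptype is PvlanType.COMMUNITY:
        return a.secondary == b.secondary  # same community only
    return False      # isolated<->anything non-promiscuous, or two different communities


def isolation_violations(ports, gateway: str):
    """Return (vm_pairs_that_can_still_talk, vms_that_cannot_reach_the_gateway).
    Both lists are empty when the design meets this thread's requirement: VMs in the
    DMZ port group cannot ping each other but all of them can reach the firewall."""
    gw = next(p for p in ports if p.name == gateway)
    vms = [p for p in ports if p.name != gateway]
    talking = [(a.name, b.name) for a in vms for b in vms if a.name < b.name and can_reach(a, b)]
    cut_off = [p.name for p in vms if not can_reach(p, gw)]
    return talking, cut_off


# Constructed sample design: firewall on the primary, two web VMs in community 123,
# one app VM in community 345, two VMs that must never see each other in isolated 222.
FW = Port("fw", 111, 111, PvlanType.PROMISCUOUS)
WEB1, WEB2 = Port("web1", 111, 123, PvlanType.COMMUNITY), Port("web2", 111, 123, PvlanType.COMMUNITY)
APP1 = Port("app1", 111, 345, PvlanType.COMMUNITY)
JUMP1, JUMP2 = Port("jump1", 111, 222, PvlanType.ISOLATED), Port("jump2", 111, 222, PvlanType.ISOLATED)
DESIGN = [FW, WEB1, WEB2, APP1, JUMP1, JUMP2]

if __name__ == "__main__":
    print(isolation_violations(DESIGN, "fw"))   # web1/web2 still talk: they share a community
```

Running it on DESIGN reports the web1/web2 pair as still able to talk (same community), which is exactly why VMs that must not reach each other belong in the isolated secondary rather than a community.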

                        • 9. Re: DMZ question
                          VirtualRay Hot Shot

                          Thanks JPM300.