VMware Cloud Community
LetsGetESXi
Contributor

Disable management of ESXi from multiple VMkernel NICs - standalone ESXi 6.5 host

Hello,

I recently configured a second VMkernel NIC to be used for iSCSI traffic, which is on a separate VLAN and subnet from the Management Network (vmk0) of the ESXi host. The host can connect successfully to the iSCSI target; however, I discovered that I am able to access the vSphere web client and SSH to the host using the IP of the new VMkernel NIC (vmk1). The management service is disabled on the NIC; however, it can still be used to manage the host.

Both vmk0 and vmk1 connect to different vSwitches, each of which has a single physical uplink.


I may have missed something obvious but is there a way to disable management of the host (vSphere web, SSH etc.) from this new NIC (10.0.4.46)? I only want to be able to connect to the host on 10.0.3.100.

Any help would be greatly appreciated!

1 Reply
daphnissov
Immortal

Normally storage traffic is not (and should not be) routed. In your case, it seems like it is.

You can create a new, custom TCP/IP stack so that the vmkernel port does not share the routing table and buffers with the default TCP/IP stack. From an ESXi shell or SSH session on your host, run esxcli network ip netstack add -N=<my_name> and refresh your host client to see the new custom stack show up. You will need to delete and recreate the vmkernel port for IP storage. Upon recreation, assign it to this new stack. After a vmkernel interface has been assigned at least once to a stack, you can then edit the stack. Either leave the default gateway of 0.0.0.0 (ensuring return traffic is dropped) or select a custom one.


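The procedure from the reply above, written out as an added example that is not part of the thread and not VMware's own tooling: an ESXi-shell script that creates the custom stack, drops and recreates the storage vmkernel port on it, reapplies its static address, and then checks the result by parsing `esxcli network ip interface list`. The stack name `iscsi`, the portgroup name `iSCSI`, the /24 mask and the sample listing are assumptions for illustration; only vmk0, vmk1 and 10.0.4.46 come from the question. Two checks a practitioner would want are built in: the script refuses to run if the SSH session it is running in arrived on the vmk1 address (deleting vmk1 would cut that session off), and the verification step gates anything that follows. Note that because the custom stack gets no default route, only replies to sources off the 10.0.4.0/24 subnet are discarded; a machine on that subnet still gets answered by whatever services listen on vmk1. It runs in dry-run mode by default and prints the esxcli commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds the storage vmkernel port
# on a custom TCP/IP stack (the approach daphnissov describes) and checks the
# result. Written for the ESXi shell (busybox ash); names below are assumptions
# taken from the question. DRY_RUN=1 (default) only prints the commands.

STACK="${STACK:-iscsi}"                 # custom netstack name (assumed)
VMK="${VMK:-vmk1}"                      # storage vmkernel port from the question
PORTGROUP="${PORTGROUP:-iSCSI}"         # assumed portgroup name for vmk1
VMK_IP="${VMK_IP:-10.0.4.46}"           # address from the question
VMK_MASK="${VMK_MASK:-255.255.255.0}"   # assumed /24
DRY_RUN="${DRY_RUN:-1}"                 # 1 = echo commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Refuse to proceed if this SSH session arrived on the interface we are about
# to delete. $1 is sshd's SSH_CONNECTION ("client_ip client_port server_ip server_port");
# it is empty on the DCUI/console, which counts as safe.
session_is_safe() {
    case " $1 " in
        *" $VMK_IP "*)
            echo "session came in via $VMK_IP; reconnect via vmk0 or the DCUI" >&2
            return 1 ;;
    esac
    return 0
}

# The steps from the reply: add the stack, remove the vmkernel port, recreate it
# on the new stack, reapply its static address. No default route is added to the
# custom stack, so replies to off-subnet sources have nowhere to go. Removing the
# port tears down iSCSI sessions that use it: do this with no VMs running from
# that storage (and unbind it from the software iSCSI adapter first if port
# binding is configured).
rebuild_storage_vmk() {
    session_is_safe "${SSH_CONNECTION:-}" || return 1
    run esxcli network ip netstack add -N "$STACK"
    run esxcli network ip interface remove -i "$VMK"
    run esxcli network ip interface add -i "$VMK" -p "$PORTGROUP" -N "$STACK"
    run esxcli network ip interface ipv4 set -i "$VMK" -t static -I "$VMK_IP" -N "$VMK_MASK"
}

# Post-change check: parse `esxcli network ip interface list` output ($1) and
# confirm each "vmkN=stack" pair given in the remaining arguments. Returns 1 on
# any mismatch so it can gate a follow-up step.
check_stacks() {
    listing="$1"; shift
    rc=0
    for pair in "$@"; do
        vmk="${pair%%=*}"; want="${pair#*=}"
        got=$(printf '%s\n' "$listing" | awk -v v="$vmk" '
            $1 ~ /^vmk[0-9]+$/ { cur = $1; next }
            cur == v && $1 == "Netstack" && $2 == "Instance:" { print $3; exit }')
        if [ "$got" = "$want" ]; then
            echo "ok: $vmk on $want"
        else
            echo "MISMATCH: $vmk on '${got:-?}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `esxcli network ip interface list` after the rebuild,
# trimmed to the fields that matter (not captured from a real host).
SAMPLE_LISTING='vmk0
   Name: vmk0
   Enabled: true
   Portset: vSwitch0
   Portgroup: Management Network
   Netstack Instance: defaultTcpipStack
   MTU: 1500
vmk1
   Name: vmk1
   Enabled: true
   Portset: vSwitch1
   Portgroup: iSCSI
   Netstack Instance: iscsi
   MTU: 1500'

# Stand-alone run: print the command sequence, then verify the sample listing.
# On a real host: DRY_RUN=0 sh this_script.sh, followed by
#   check_stacks "$(esxcli network ip interface list)" vmk0=defaultTcpipStack vmk1=iscsi
rebuild_storage_vmk
check_stacks "$SAMPLE_LISTING" vmk0=defaultTcpipStack "$VMK=$STACK"
```

After the rebuild, `esxcli network ip netstack list` should show the new stack alongside defaultTcpipStack, and the Netstack Instance line for vmk1 in the interface listing is the field the check above reads. If you later decide the stack does need a gateway, that is the point where a route would be added to the custom stack rather than to the default one.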