2 Replies Latest reply on Dec 16, 2019 2:14 AM by Amin Masoudifard

    DMZ Setup - Separate vSwitch or Port Group Better?

    jondehen Lurker

      Please see attached images.  Example A is a single port group, and example B is using two separate vSwitches. Are there any advantages to creating a separate vSwitch just for DMZ traffic over just placing DMZ traffic in a separate port group and using overrides to assign specific pNICs to each port group?


      We can assume that proper redundancy will be present everywhere, and that the same ESXi host will serve both production and DMZ traffic.  Also assume that the DMZ traffic will be plugged into a physical firewall.  Each port group is a separate VLAN.  Again, if a single vSwitch would be used, we would dedicate specific pNICs to each port group appropriately via overrides so that the DMZ port group could not share the pNICs of the others.


      I suppose I don't see any real difference between having a separate vSwitch and doing port group overrides.  I don't believe one is any more secure than the other, but I am happy to learn otherwise!  Perhaps this is just preference and whatever is easier to manage?  I can imagine that if I had 10 different DMZ VLANs, extra configuration would be required if the same vSwitch were used, versus just sticking those port groups on the separate switch and not worrying about where each pNIC was connected.  Any articles specific to security would be appreciated!


      Thanks!
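The two layouts from the question (single vSwitch with per-port-group failover overrides versus a dedicated DMZ vSwitch), plus the check a practitioner would want on either of them, as an added PowerCLI example that is not part of the original thread and not the poster's configuration. The host name, vCenter name, vmnic numbers, VLAN IDs and port group names are assumptions; it requires the VMware.PowerCLI module and an existing vCenter connection.

```powershell
# Added example, not from the original thread. Assumed (hypothetical) values:
# host esx01.lab.local behind vcenter.lab.local, vmnic0/vmnic1 cabled to the
# production switches, vmnic2/vmnic3 cabled to the physical firewall,
# VLAN 10 = Prod, VLAN 100 = DMZ.

function New-DmzLayoutA {
    # Example A from the question: one vSwitch carries every uplink and each
    # port group's failover override decides which uplinks it may use.
    param($VMHost, [string[]]$ProdNics, [string[]]$DmzNics)
    $vs   = New-VirtualSwitch -VMHost $VMHost -Name 'vSwitchA' -Nic ($ProdNics + $DmzNics)
    $prod = New-VirtualPortGroup -VirtualSwitch $vs -Name 'Prod' -VLanId 10
    $dmz  = New-VirtualPortGroup -VirtualSwitch $vs -Name 'DMZ'  -VLanId 100
    # Mark the other side's uplinks Unused, not Standby: a standby uplink is
    # still a legitimate failover target, so Standby would let DMZ frames fail
    # over onto the production switches the moment a DMZ link drops.
    $prod | Get-NicTeamingPolicy | Set-NicTeamingPolicy -InheritFailoverOrder $false `
        -MakeNicActive $ProdNics -MakeNicUnused $DmzNics | Out-Null
    $dmz  | Get-NicTeamingPolicy | Set-NicTeamingPolicy -InheritFailoverOrder $false `
        -MakeNicActive $DmzNics -MakeNicUnused $ProdNics | Out-Null
}

function New-DmzLayoutB {
    # Example B: the DMZ vSwitch owns only the firewall-facing uplinks, so no
    # override is needed and nothing can fall back to a wrong default.
    param($VMHost, [string[]]$ProdNics, [string[]]$DmzNics)
    $vsProd = New-VirtualSwitch -VMHost $VMHost -Name 'vSwitchProd' -Nic $ProdNics
    $vsDmz  = New-VirtualSwitch -VMHost $VMHost -Name 'vSwitchDMZ'  -Nic $DmzNics
    New-VirtualPortGroup -VirtualSwitch $vsProd -Name 'Prod' -VLanId 10  | Out-Null
    New-VirtualPortGroup -VirtualSwitch $vsDmz  -Name 'DMZ'  -VLanId 100 | Out-Null
}

function Test-DmzUplinkIsolation {
    # Audit: for every standard port group on the host, work out the uplinks it
    # can actually use (its override if one is set, otherwise the vSwitch
    # default) and flag any DMZ port group that can reach a production uplink,
    # or any non-DMZ port group that can reach a DMZ uplink.
    param($VMHost, [string[]]$DmzNics, [string]$DmzPattern = '^DMZ')
    foreach ($vs in Get-VirtualSwitch -VMHost $VMHost -Standard) {
        $vsPolicy = Get-NicTeamingPolicy -VirtualSwitch $vs
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vs) {
            $p = Get-NicTeamingPolicy -VirtualPortGroup $pg
            if ($p.IsFailoverOrderInherited) {
                $active = $vsPolicy.ActiveNic; $standby = $vsPolicy.StandbyNic
            } else {
                $active = $p.ActiveNic; $standby = $p.StandbyNic
            }
            # Standby counts as usable; only Unused uplinks are truly off limits.
            $usable = @(@($active) + @($standby) | Where-Object { $_ })
            $isDmz  = $pg.Name -match $DmzPattern
            $leak   = @($usable | Where-Object { ($_ -in $DmzNics) -ne $isDmz })
            [pscustomobject]@{
                vSwitch   = $vs.Name
                PortGroup = $pg.Name
                Inherited = $p.IsFailoverOrderInherited
                Uplinks   = ($usable -join ',')
                Violation = ($leak.Count -gt 0)
            }
        }
    }
}

Connect-VIServer -Server vcenter.lab.local | Out-Null
$vmhost = Get-VMHost -Name esx01.lab.local
# Pick one layout; a vmnic can only belong to a single vSwitch.
New-DmzLayoutB -VMHost $vmhost -ProdNics vmnic0,vmnic1 -DmzNics vmnic2,vmnic3
# Re-run the audit after every host reboot or config change. With layout A, a
# DMZ row showing Inherited=True and vmnic0/vmnic1 in Uplinks means the
# override is gone and isolation now rests on nothing but the VLAN tag.
Test-DmzUplinkIsolation -VMHost $vmhost -DmzNics vmnic2,vmnic3 | Format-Table -AutoSize
```

The audit is the point of the example: with layout A the isolation is a property of each port group's override, so it has to be verified per port group and re-verified whenever the host's configuration could have changed; with layout B it is a property of which cables terminate on which vSwitch, and the audit can only pass.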

        • 1. Re: DMZ Setup - Separate vSwitch or Port Group Better?
          a.p. Guru
          Community Warriors, User Moderators, vExpert

          You can indeed configure this in both ways.

          However, since - from what I understand - the DMZ vmnics are plugged into the physical firewall, i.e. not into the same physical switches as the other vmnics, I'd create a separate vSwitch.


          André

          • 2. Re: DMZ Setup - Separate vSwitch or Port Group Better?
            Amin Masoudifard Expert

            I configured both models in vSphere 5.1, but I had a bad experience with using the same vSwitch: we configured the failover order for the LAN & DMZ port groups (as in your attachment) and everything was fine and worked correctly until the host rebooted! When the host came back online, the firewall VM lost connectivity to the DMZ network. This problem happened unexpectedly and without any interval, so I decided to separate their vSwitches, and then the problem was gone for good.

            Please mark my comment as the Correct Answer if this solution resolved your problem.