khaliqamar
Enthusiast

DMZ question


hello,

I would like to ask about DMZ VMs.

1- VMs in the DMZ network can talk to/ping each other with the current network settings of the vSwitch. Is there any way to stop them from accessing/pinging each other through the vSwitch?

2- If I use a vDS and put them into an isolated VLAN, will these VMs not communicate with each other but still be able to talk to my other physical servers outside (DNS/monitoring) and to the VMs in the normal network, even though those VMs are on a vSwitch?

Thanks in advance

JPM300
Commander

Hey VirtualRay,

Typically people accomplish DMZs in a few ways.

1.)  They dedicate 2+ NICs to all the port groups that you wish to be in the DMZ and then have those run to a switch/firewall to keep them isolated.  The firewall typically does most of the work here, as you will set up access rules as to what ports are allowed in and out of the DMZ port groups.  All VMs in these port groups will be able to talk to each other unless you want different DMZ silos with different VLANs / broadcast ranges, i.e. DMZ1 - 10.0.1.x /24 VLAN 100, DMZ2 - 10.0.2.x /24 VLAN 200; then when stuff routes to the switch/routers you can control what can talk to what.

Quick picture: (Image: dmzsetup.PNG)

2.)  They use Private VLANs.  Private VLANs are really handy, as they allow you to create a Primary Private VLAN, then have secondary VLANs inside of it.  The secondary VLANs inside the primary are broken down into 2 different groups: Community and Isolated.  Community can talk to the private VLAN and anything else in its own community.  Isolated can only talk to anything inside the Isolated and the Private VLAN.  Your firewall will typically be sitting on the Private VLAN, which will do the routing between the traffic.
(Image: pvlan.PNG)

So in this picture Community VLAN 123 can talk to anything inside VLAN 123 and the Primary VLAN 111, while Community VLAN 345 can talk to anything inside its community and Primary VLAN 111; however, the communities are unable to communicate with each other.  The isolated VLAN 222 can only talk to other systems in the Isolated VLAN and of course the Primary VLAN 111, as that's its route out to the external world.

3.)  You can use a virtual router and/or vShield to create a virtual firewall on your DMZ port groups and control what can go in and out that way.

Most people opt for option 1, as option 2 requires some more advanced switch setup and your hardware switches need the ability to do PVLANs.

I hope this has helped.

rh5592
Hot Shot

Nice detailed post there JPM300!!

JPM300
Commander

Thanks Rommel Humarang :)

Looking back on the original question, 1.) "VMs in the DMZ network can talk to/ping each other with the current network settings of the vSwitch. Is there any way to stop them from accessing/pinging each other through the vSwitch?"

If you don't want to use PVLANs you can create two port groups for two different VLANs like I mentioned before, so for example: DMZ1 - 10.0.1.x /24 VLAN 100, DMZ2 - 10.0.2.x /24 VLAN.  Now since these port groups are on different VLANs and different networks they will need to go to the gateway to route to each other, meaning inside the Standard vSwitch or VDS they will not be able to ping each other.  Also, here is a quick blog on the vCloud Networking and Security Manager (formerly known as vShield Manager) if you want to know more about it: vCloud Networking and Security 5.1 App Firewall - Part 1 | VMware vSphere Blog - VMware Blogs

http://www.vmware.com/pdf/vshield_55_install.pdf

If you have any questions let us know,

Hope this has helped,

vfk
Expert

JPM300 is a legend, that is a top response.

khaliqamar
Enthusiast

Thanks a lot JPM300, you are always helping me. Thanks again.

Actually I already have a DMZ port group and VLANs in place, but VMs in one network can ping each other.

For instance, if I take your example, my VMs in DMZ1 - 10.0.1.x /24 VLAN 100 can ping/access each other within DMZ1, which is dangerous for my environment.

So in this scenario, where I am running 4.1, which solution is good for me: vDS private VLANs or vShield (vShield for 4.1 may be available)?

JPM300
Commander

If you have VMs in DMZ 10.0.1.X /24 VLAN 100 and other VMs in DMZ1 10.0.2.x /24 VLAN 200 and they can ping each other, my guess is they are leaving your vSwitch, going to your layer 3 switch/router/firewall and routing back into the other network.  On the vSwitch, whether it is a VSS or a VDS, if they are on different VLANs / networks they can't talk, as the vSwitches don't have any routing.

Try this:

Create a new VSS.
Create two new port groups, DMZ2 (VLAN 400) and DMZ3 (VLAN 500), put no external uplinks into this vSwitch, then put 1 VM in each DMZ. If they cannot talk to each other it is your physical switching that is routing the networks for you and you will need to look into that.  If they can talk together, do a route print on the VMs, as that shouldn't be possible :P

If you have a VDS already, just create a 2nd one with no uplink ports, create 2 port groups in the same manner and test in the same fashion.

I have a very good feeling your VM's are sending traffic out of the vSwitch up to your physical switches and coming back.

When it comes down to PVLANs and vShield, I like to keep things on my physical network if I have already put the investment in for the hardware, as I see it as using that investment.  I typically use vShield Manager when this solution means I don't have to spend extra capital to get the solution working, or if I need some kind of automation with Orchestrator.  Either way is fine; I find the physical stuff easier to use, as vShield Manager has a lot of stuff in it, which means a lot of extra material to learn / test prior to production deployment :P

Np, anytime :)

khaliqamar
Enthusiast

Sorry, English is not my first language and I used the wrong words, so I was not able to put it here clearly. Let me try one more time.

In my DMZ environment, VMs of one port group are able to ping each other within the same port group; they are not able to ping the other port group.

So I want to stop this access within the same port group.

For example: VMs in my DMZ 10.0.1.X /24 VLAN 100 network and port group are capable of accessing each other within the same VLAN 100. How can I stop it?

What do you suggest on it?

JPM300
Commander

Ahhhhh okay,

Well, if the VMs have to stay in the same port group and you can't split them out, your best bet is Private VLANs, assuming your physical switches have the capabilities.

Here is a pic that better explains PVLANs again:

(Image: pvlans.gif)

Here is another with what you probably want to do:

(Image: pvlans2.jpg)

As you can see, you would put the set of your VMs that you want to be able to communicate with each other in a community, say VLAN 17 as in this picture, then put the other VMs that you don't want to talk to anything in the Isolated PVLAN 155 as in the picture.

Now, once you have your VMs in the proper groups, you can either put a software firewall on the Promiscuous group or have it just route out to your physical switches, assuming they can do PVLANs, and have them route the traffic accordingly.
If you want to test this out in your VMware environment prior to production, you can test everything out with test VMs on a test VDS and everything will work as long as all the VMs you are testing stay on the same host / VDS.

To quickly go over PVLANs again here is how it breaks down:

  • Promiscuous – A node attached to a port in a promiscuous secondary PVLAN may send and receive packets to any node in any other secondary VLAN associated to the same primary. Routers are typically attached to promiscuous ports.
  • Isolated – A node attached to a port in an isolated secondary PVLAN may only send to and receive packets from the promiscuous PVLAN.
  • Community – A node attached to a port in a community secondary PVLAN may send to and receive packets from other ports in the same secondary PVLAN, as well as send to and receive packets from the promiscuous PVLAN.

Here is some more information on the topic as well to help you along:

kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010691

vSphere Private VLANs - Dev Environment Use Case

There is a free online lab / course for Distributed Switches in 5.5, but I don't remember if they do PVLANs or not:

VMware - NEE

Hope this helped clear things up,

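Added example (not from the thread or from VMware): a small reachability model that encodes the two rules discussed in this thread, that a VSS/VDS never forwards between different VLANs without an external gateway, and the promiscuous/isolated/community rules from the PVLAN bullet list above. It uses the VLAN numbers from the replies (100/200, primary 111 with 123/345/222); the `Port` class, hostnames and function names are invented for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    """One VM vNIC as the virtual switch sees it (hypothetical model, not a vSphere API)."""
    name: str
    vlan: int                          # port group VLAN; for PVLAN ports, the primary VLAN
    pvlan_type: Optional[str] = None   # None (plain port group), "promiscuous", "isolated" or "community"
    secondary: Optional[int] = None    # secondary PVLAN id for isolated/community ports


def l2_reachable(a: Port, b: Port) -> bool:
    """True if frames from port a are delivered to port b inside the vSwitch/vDS."""
    # A VSS/VDS does no routing: different VLANs only meet via an external gateway.
    if a.vlan != b.vlan:
        return False
    if (a.pvlan_type is None) != (b.pvlan_type is None):
        raise ValueError("a VLAN is either a plain port group or a PVLAN primary, not both")
    if a.pvlan_type is None:
        return True   # same plain VLAN = same broadcast domain (the original poster's problem)
    # Private VLAN rules from the bullet list in the accepted answer
    if "promiscuous" in (a.pvlan_type, b.pvlan_type):
        return True   # promiscuous reaches every secondary of its primary (and vice versa)
    if "isolated" in (a.pvlan_type, b.pvlan_type):
        return False  # isolated ports reach only the promiscuous PVLAN, not even each other
    return a.secondary == b.secondary   # community: only peers in the same community


def needs_gateway(a: Port, b: Port) -> bool:
    """Traffic between a and b must leave the vSwitch and be routed (where a firewall can filter it)."""
    return a.vlan != b.vlan


def reachability(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Pairwise L2 reachability for every ordered pair of distinct ports."""
    return {(a.name, b.name): l2_reachable(a, b)
            for a in ports for b in ports if a.name != b.name}


# Constructed sample topology using the VLAN numbers from the thread; hostnames are invented.
PLAIN_DMZ = [Port("web1", 100), Port("web2", 100), Port("app1", 200)]
PVLAN_DMZ = [
    Port("fw", 111, "promiscuous"),          # firewall/router sits on the promiscuous PVLAN
    Port("c1", 111, "community", 123), Port("c2", 111, "community", 123),
    Port("c3", 111, "community", 345),
    Port("i1", 111, "isolated", 222), Port("i2", 111, "isolated", 222),
]

if __name__ == "__main__":
    for (src, dst), ok in reachability(PVLAN_DMZ).items():
        print(f"{src} -> {dst}: {'reachable' if ok else 'blocked'}")
```

Running it shows the case the thread is about: two VMs in the same plain VLAN 100 port group always reach each other, while two VMs in isolated PVLAN 222 cannot, even though both still reach the firewall on the promiscuous PVLAN.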
khaliqamar
Enthusiast

Thanks JPM300.
