VMware Cloud Community
Steff
Contributor

Private VLan

Hello.

In our datacenter every traditional physical server is connected to a VLAN for administration purposes. The Ethernet ports are configured on the Cisco as PRIVATE VLAN, so machines cannot communicate with each other through this VLAN, for security reasons.

How can we replicate this configuration on a VMware VI3 farm (with VMotion, HA and DRS)?

Virtual switches do not support private VLANs, so I am searching for something that can give us the same benefits.

13 Replies
azn2kew
Champion

You can read all the ESX documentation, and the ESX networking documentation specifically, at for details. You may check out http://communities.vmware.com/message/340422 for VLAN discussions.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems LLC.

VMware, Citrix, Microsoft Consultant

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!! Regards, Stefan Nguyen VMware vExpert 2009 iGeek Systems Inc. VMware vExpert, VCP 3 & 4, VSP, VTSP, CCA, CCEA, CCNA, MCSA, EMCSE, EMCISA
Bill_Morton
Contributor

Steff - You should read the suggested network setup documents; however, I'll give you a quick overview of how I usually set up the networking.

First, VMotion should have its own independent VLAN, with nothing else connected to it, and a dedicated NIC on each ESX box. In my environment, we have a pair of dedicated switches that carry VMware-related traffic only (iSCSI, Management, VMotion, etc.).

Then for the console / management network, you have a lot of flexibility in how to do things. I put all VM management in a separate subnet and VLAN from the rest of the network and then have an ACL set up to allow the appropriate management hosts. So our production network is in the 192.168.x.x range, and the ESX servers are in the 172.17.0.x range.

Lastly, if you run iSCSI, you again want a completely isolated VLAN from the rest of your network.

Texiwill
Leadership

Hello,

VI3/ESX has 4 basic networks attached to it.

Service Console or Administrative Network... This is in effect your only means to administer the VI3/ESX server. It is used by VirtualCenter, Virtual Infrastructure Client, many backup tools, and HA.

vMotion Network ... Private between all VI3/ESX servers. Nothing else on this.

VM Network ... The network used by the VMs.

Storage Network ... Private to ESX servers and storage devices; iSCSI, however, is an exception: it requires participation by the Service Console.

Given that the Service Console is the Administrative network, you achieve your Private VLAN by not placing ANY VMs on the portgroup/vSwitch assigned for this purpose.

Generally you are looking at a minimum of 3 pNICs (if you have no iSCSI/NFS storage), 4 with iSCSI/NFS storage, or 6 - 8 pNICs for full redundancy, performance, and security. VLANs can be used to reduce this amount, but either redundancy, security, or performance suffers.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Ken_Cline
Champion

I think what the OP is asking about is Cisco's Private VLAN Feature. I'm not aware of any way to implement this in VI-3 other than by policy. There is no equivalent feature once you enter the virtual world.

Ken Cline

Technical Director, Virtualization

Wells Landers

VMware Communities User Moderator

Ken Cline VMware vExpert 2009 VMware Communities User Moderator Blogging at: http://KensVirtualReality.wordpress.com/
Texiwill
Leadership

Hello,

I agree with Ken. It all boils down to your Security Policy, Trust, and Auditing capabilities and of course Enforcement. With no Cisco Private VLAN functionality your auditing capability will be the best resource to determine if anything bad has happened on the Administrative network.


Best regards,

Edward L. Haletky

azn2kew
Champion

I'm curious whether the Cisco 3rd-party virtual switch for ESX 3.x would implement all the security features we're talking about.

Steff
Contributor

Yes... I manage a VI3 farm with more than 30 ESX hosts, each one with 16 CPUs. We have really... a lot of VMs.

Since we are going to deploy VMotion (and HA/DRS), we have problems with the backup network.

I'll try to explain better: today VMotion is not deployed, so each ESX host has a static configuration, which means the VMs on a specific ESX host are well known and their distribution is manually optimized. Since the VMs are very numerous and we manage almost 50+ different customers, each one with 10+ different VLANs... and since we need an easy way to back up every VM, we defined 3 or 4 years ago two BACKUP_VLANs (VLAN IDs 698 and 699) on the Cisco Catalyst. Each port on the Cisco belonging to these VLANs is defined as PRIVATE and connected to an ESX NIC.

So... if on an ESX host we have 4 security zones (according to the number of customers and their VLANs), we use 4 Ethernet cables and 4 vSwitches for the BACKUP_VLAN.

Such a configuration allows us to use just 2 VLANs to back up a very large number of VMs and guarantees to us that each VM cannot communicate with another VM in a different security zone.

You know now better than me that this config cannot be used if we deploy VMotion, since every ESX box MUST have the very same config.

So... any idea? Is it possible to use IP filtering on the ESX box? (please, no firewall on the VMs...)

Texiwill
Leadership

Hello,

The only network that has IP filtering by default is the Service Console. It is not even within the vSwitch, so no, IP filtering will not solve your problem unless you place it within every VM.

Since vMotion was not considered from the beginning, you have quite a bit of work to do to solve the problem. One thing you could do is create smaller 'clusters' of systems so that 2 systems are identical at the moment. Remember that HA has a limitation based on the physical limit and the remote storage you are using. I am assuming it is a high-end SAN of some sort, which implies it is the physical limit of HA. Then slowly migrate other systems into the cluster, fixing up their networks. I would start a new network design for the clusters, as I do not see a way to fix this problem without first changing all your networking labels to allow vMotion to work.

Depending on how you do backups, I would either merge those VLANs into the SC (full VMDK backups using vRanger, esXpress, or VCB) or the VM network (any other type of backup agent), implementing Virtual Switch Tagging as appropriate. Either that, or start from scratch and redesign the networking.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
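One way to audit for the two constraints raised in this thread: every host must present identical portgroup labels and VLAN IDs for VMotion to work, and the administrative and VMotion portgroups must stay free of VMs (and the VMotion vSwitch free of other portgroups), since policy plus auditing is the only substitute for Cisco PVLANs in VI3. This is an added example, not code from the thread or from VMware; the inventory below is constructed, and the host, portgroup and VLAN values are hypothetical.

```python
from collections import defaultdict

# Constructed VI3 inventory (hypothetical values, for illustration only):
# host -> list of (vSwitch, portgroup label, VLAN ID)
HOSTS = {
    "esx01": [("vSwitch0", "Service Console", 10), ("vSwitch1", "VMotion", 20),
              ("vSwitch2", "BACKUP_VLAN_698", 698), ("vSwitch3", "CUST_A", 101)],
    "esx02": [("vSwitch0", "Service Console", 10), ("vSwitch1", "VMotion", 20),
              ("vSwitch1", "CUST_B", 102),            # shares the VMotion vSwitch
              ("vSwitch2", "BACKUP_VLAN_699", 699), ("vSwitch3", "CUST_A", 101)],
}
# Constructed VM vNIC attachments: (vm, host, portgroup label)
VM_NICS = [("vm-a", "esx01", "CUST_A"), ("vm-b", "esx01", "Service Console"),
           ("vm-c", "esx02", "CUST_A")]
# Portgroups no VM may touch: admin network + VMotion (hypothetical labels)
ADMIN_PORTGROUPS = {"Service Console", "VMotion"}


def portgroup_mismatches(hosts):
    """(label, VLAN) pairs not defined identically on every host.
    VMotion needs the same labels everywhere, so each of these blocks it."""
    seen = defaultdict(set)
    for host, pgs in hosts.items():
        for _, label, vlan in pgs:
            seen[(label, vlan)].add(host)
    return sorted(key for key, hs in seen.items() if hs != set(hosts))


def vms_on_admin_portgroups(vm_nics, admin=ADMIN_PORTGROUPS):
    """VMs attached to administrative portgroups. Policy-based isolation of
    the admin network only holds while this list is empty."""
    return sorted((vm, host, pg) for vm, host, pg in vm_nics if pg in admin)


def vmotion_vswitch_sharing(hosts, label="VMotion"):
    """(host, portgroup) pairs sharing a vSwitch with the VMotion portgroup."""
    found = []
    for host, pgs in hosts.items():
        vmotion_switches = {vs for vs, lbl, _ in pgs if lbl == label}
        found += [(host, lbl) for vs, lbl, _ in pgs
                  if vs in vmotion_switches and lbl != label]
    return sorted(found)


if __name__ == "__main__":
    print("portgroups missing on some host:", portgroup_mismatches(HOSTS))
    print("VMs on admin portgroups:", vms_on_admin_portgroups(VM_NICS))
    print("portgroups sharing VMotion vSwitch:", vmotion_vswitch_sharing(HOSTS))
```

In practice the inventory would be exported from VirtualCenter; the checks are what an auditor runs before enabling VMotion on such a cluster.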
admin
Immortal

My 2 cents/pence!

For previous customers who used Cisco:

- Customer 1 tagged native VLANs at the Cisco switches depending on the service, i.e. VMotion VLAN 10 and so on, so no tagging was required for each ESX host (fat servers) (just had to make sure the correct cable goes to the correct port!)

- Customer 2: the VLANs were trunked to the back of an IBM Blade chassis, the internal switches then trunked, and the ESX host vSwitches were then tagged via VirtualCenter.

Job's a good one.

Does this help you? VMware should fit your infrastructure, currently.

Texiwill
Leadership

Hello,

I meant 'redesign your Virtual Network'. I do not see the physical network needing to change at all. Basically you may need to relabel portgroups/vSwitches within ESX as well as implement VST.

As for adding in vMotion, use a private VLAN with External Switch tagging and another pair of pNICs per host.


Best regards,

Edward L. Haletky

TomasK91
Contributor

Hello! Does anybody know whether VMware is planning an implementation of any equivalent to Cisco's Private VLAN Feature? (What about the announced "Virtual Catalyst"? :-)

Texiwill
Leadership

Hello,

VMware does not state its plans to people before they are ready. So no, we do not have an idea of when or even if Cisco's Private VLAN Feature will ever be supported.

You should open a Feature Request with your VMware Sales or Support representative. That is the best way to get this feature possibly implemented. They look at all the requests and judge what is needed by the volume of the requests for each feature.


Best regards,

Edward L. Haletky

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
TomHowarth
Leadership

Ken is correct: currently there is no support for Cisco PVLAN on the virtual switch; this may or may not change when the VMware/Cisco virtual switch collaboration sees the light of day.

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410