VMware Cloud Community
one3cap
Contributor

DMZ Question

I have a virtual switch with 2 NICs. I have 4 VMs hanging off this vSwitch. I am about to put a 4th VM on the switch, but this VM needs two vNICs: 1 NIC going to the LAN and the other NIC going to the DMZ. Any articles or best practices?

This vNIC that is in the DMZ is going to be on its own separate network. Does this need its own pNIC?

6 Replies
mcowger
Immortal

Yes, unless you are using VLAN and VST, you will need a new vswitch+pNIC and a second vNIC in the VM.

--Matt VCDX #52 blog.cowger.us
one3cap
Contributor

I can create a VLAN for this DMZ'd network. What is VST?

If I do use the same vSwitch, how can I make the pNIC in a separate VLAN?

So if I do not use the VLAN, I would have to "waste" 2 pNICs for redundancy on 1 VM running in a DMZ?

dkfbp
Expert

Hi,

You have two options:

1. Create a new vSwitch, move a pNIC to that vSwitch and connect it to your physical switch.

2. Make your DMZ a VLAN and create port groups on your vSwitch, one for the DMZ and one for the "Internal" network. This way you can keep redundancy on the pNICs.

Best regards

Frank Brix Pedersen
blog: http://www.vfrank.org
gdragats
Contributor

Hi,

1. Either have the VM on a separate vSwitch uplinked to a pNIC (or two). These interfaces will then need to be connected to a physical switch that is used for DMZ connectivity.

OR

2. Use Virtual Switch Tagging (VST) on the vSwitch and set up port groups (assuming you know the VLAN IDs of each network). You will also need to configure trunk ports on the physical switch (802.1Q) and trunk your VLANs.

Hope that helps

gd

TomHowarth
Leadership

I would not consider 2 NICs for your virtual DMZ a waste; it would increase the security of the environment.

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on vSphere 4 Study Guide: Exam VCP-410
Texiwill
Leadership

Hello,

Moved to Security and Compliance forum.

Please read through http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf as well as http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf to understand how vSwitches fit into your security.

You should assign minimally 2 pNICs to your DMZ that are not part of any other security zone. Note, VLANs do NOT offer security, so use of them as a security tool is not recommended. Many people do use this, but what happens when you leave the virtual network? Those same attacks the vSwitch prevents can still possibly happen within the physical layer. But that is another subject.

The DMZ vSwitch should be segregated from all other vSwitch and port group traffic. So segregated DMZ-only pNICs and pSwitches are the recommended way. This is an ongoing discussion within the Security and Compliance forum. You may also wish to peruse some of the threads on this subject.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

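Added example, not code from anyone in this thread: a small audit that reads a vSwitch listing and flags the designs the replies disagree about, a DMZ port group sharing a vSwitch with internal port groups (option 2, VLAN-only), a DMZ vSwitch with fewer than two pNICs, or a pNIC that also uplinks another vSwitch. The sample listing is constructed in the shape of `esxcfg-vswitch -l` output; the switch, port group and vmnic names are assumptions.

```python
"""Audit an ESX vSwitch listing for DMZ segregation (added example, not from the thread):
DMZ port groups belong on a vSwitch carrying nothing else, with >= 2 pNICs no other vSwitch uses."""
import re
# Constructed text in the shape of `esxcfg-vswitch -l` output, not a real capture.
SEGREGATED = """\
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         64          4           64                1500    vmnic0,vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  VM Network            0        3           vmnic0,vmnic1

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitchDMZ       64          3           64                1500    vmnic2,vmnic3

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  DMZ                   20       1           vmnic2,vmnic3
"""
# VLAN-only variant (the thread's option 2): drop vSwitchDMZ, put the DMZ port group on vSwitch0.
VLAN_ONLY = SEGREGATED.split("\nSwitch Name", 1)[0] + "  DMZ        20   1   vmnic0,vmnic1\n"

def parse_vswitches(text):  # -> {switch: {"uplinks": set, "portgroups": {name: vlan_id}}}
    switches, current, in_pg = {}, None, False
    for line in text.splitlines():
        if not line.strip() or line.startswith("Switch Name"):
            in_pg = False              # blank line or header: a vSwitch row follows
        elif line.startswith("  PortGroup Name"):
            in_pg = True               # the rows that follow belong to `current`
        elif in_pg:
            m = re.match(r"\s+(.+?)\s{2,}(\d+)\s+\d+", line)   # name, VLAN ID, used ports
            switches[current]["portgroups"][m.group(1)] = int(m.group(2))
        else:
            f = line.split()           # name, ports..., MTU, comma-separated uplinks
            current, uplinks = f[0], (set(f[5].split(",")) if len(f) > 5 else set())
            switches[current] = {"uplinks": uplinks, "portgroups": {}}
    return switches

def audit_dmz(switches, dmz_portgroups, min_uplinks=2):  # -> list of findings, [] = pass
    findings = []
    carrying = {n: s for n, s in switches.items() if dmz_portgroups & set(s["portgroups"])}
    for name, sw in carrying.items():
        mixed = sorted(set(sw["portgroups"]) - dmz_portgroups)
        if mixed:                      # the VLAN-only design Texiwill's reply warns about
            findings.append(f"{name}: DMZ separated only by VLAN from {', '.join(mixed)}")
        if len(sw["uplinks"]) < min_uplinks:
            findings.append(f"{name}: {len(sw['uplinks'])} uplink(s), need {min_uplinks}")
        for other, osw in switches.items():
            shared = sorted(sw["uplinks"] & osw["uplinks"]) if other != name else []
            if shared:                 # one pNIC bridging the DMZ and another zone
                findings.append(f"{name}: shares {', '.join(shared)} with {other}")
    return findings
```

Feed it the real `esxcfg-vswitch -l` output from a host and the DMZ port group names; an empty list means the layout matches the dedicated-pNIC recommendation in the thread.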