Re: Advice for network design with only 4 pNIC for...

NicolaB · ‎01-14-2009

Hi all,

I'm preparing a VI3 environment with 2 IBM x3650 both with 4 pNIC (2 onboard + 2 with expansion card).

I'll have 6 VM (actually) and one of them is a mail server which has to be on DMZ.

What configuration do you suggest? I've read a lot of docz and posts here and there and I'm ended with this possibility (due to the low pNIC availability in this setup):

VSWITCH0 (2 pNIC - vmnic0 & vmnic2):

Port Group1: Service Console (vmnic0 Active - vmnic2 Standby)

Port Group2: VMotion Network (vmnic2 Active - vmnic0 Standby)

VSWITCH1 (2 pNIC - vmnic1 & vmnic3):

Port Group1: VM Production Network (tagged with a specific VLAN ID)

Port Group2: VM DMZ Network (tagged with a specific VLAN ID)

I will then be able to offer Service Console redundancy through a standby pNIC used actually by the VMotion Network and vice-versa.

Having only 2 spare pNICs and needing some fault-tolerance (and trunking) for VM Networks I'll have to put Production and DMZ VMs on the same VSWITCH separating them on 2 different Port Groups and using different subnets or VLANs (which is better?).

Is this safe? I know that a single pNIC only for DMZ would be a better solution but this will gave me no pNIC redundancy for both VM Networks.

Please give me any advice or suggestions on better design.

dmn0211 · ‎01-14-2009

You could put a firewall up on the host side of the vswitch with in internal only vswitch for all the vms on the host. This will be benifical in the DMZ case and the failover pnic situation. The best situation would be to add an nic card and seprate them phyiscally.

NicolaB · ‎01-14-2009

hi, assuming I could not put the fw and could not add additional pNICs (actually), would my proposed solution work? or is there any different configurations to apply?

NicolaB · ‎01-14-2009

any other hints?

TomHowarth · ‎01-15-2009

You proposed design is the best you can get with 4 nics, I am a little concerned by the lack of resiliance on the production network and would strongly suggest if you can to get an additional 2 NIC ports on the server.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth

VMware Communities User Moderator

Blog: www.planetvm.net

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410

vvghost · ‎01-15-2009

I've seen and heard many different opinions on this kind of thing. While I don't do this in my environment, I would if I'd have created it after hearing other people's recommendations and going to some VMware classes. I would use all four NICs in one VSwitch. That gives you the best redundancy and performance. Since you're using VLANs, the separation of the mail server into a DMZ is simple with trunk ports.

Joe

Texiwill · ‎01-15-2009

Hello,

COmbining your DMZ onto the same vSwitch of your other networks is not a very good way to go. This will cause issues and perhaps data leakage if your pSwitch has issues (this often happens). You may be able to get away with things using:

1 pNIC for SC backup for VMotion

1 pNIC for VMotion backup for SC

1 pNIC for VMNetwork

1 pNIC for DMZ

Your DMZ pNIC should go to an entirely different pSwitch, and be 100% segregated from the rest of your networks.

You loose redundancy but gain security.

I would add at least 2 more pNIC to make this redundant. Your DMZ should be separate to alleviate VLAN issues.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

TomHowarth · ‎01-15-2009

Acutally having reread your post, I missed the bit about DMZ (doh)

I would say if you cannot get any additional NICs the have a three vSwitch configuration and forget about the portgroups on vSwitch 2. and make sure that your pNICs are patched into seperate switches. there is no known vunerability for the vSwitch regarding VLANs but plenty for phyiscal Switches.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth

VMware Communities User Moderator

Blog: www.planetvm.net

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410

NicolaB · ‎01-16-2009

ok but I will then loose redundancy...how if the pNIC for Production VM network or DMZ VM network breaks?

I will have either the mail server or all VM servers without connectivity...I can't accept this situation...

boni635csi · ‎01-16-2009

Hi,

I guess it all depends on your performance/security/reliability requirements. You could do something like this:

pNic1 + pNic2: VM Network, VMotion, SC

pNic3 + pNic4: DMZ

With only 2 hosts and <10 VMs your environment is not that big, so you probably won't be VMotioning VMs back and forth all day. And if you trust your internal network/users, having a SC together with VM Network is not such a big deal (someone correct me if I'm wrong). Then again, a dual Intel NIC is what, 150$?. If you want redundancy, performance and "best practices", you just have to buy them.

Jacek Bonicki

paulmack · ‎01-16-2009

I'd go with Jacek on this one. combining DMZ and internal VLAN's on a vSwitch is a massive no no. Like Jacek says your virtual environment described here is quite small and while it's not good to mix VM traffic with SC and vmotion traffic on the same vswitch it's much for preferable to mixing DMZ and internal traffic on the same vSwitch.

Cheers

Paul

Texiwill · ‎01-16-2009

Hello,

I'd go with Jacek on this one. combining DMZ and internal VLAN's on a vSwitch is a massive no no. Like Jacek says your virtual environment described here is quite small and while it's not good to mix VM traffic with SC and vmotion traffic on the same vswitch it's much for preferable to mixing DMZ and internal traffic on the same vSwitch.

You have three security zones to be concerned with....

1) SC/VMotion

2) VMNetwork

3) DMZ

Neither of these should collide, comingle, or coincide. Each should have redundancy, so you really need to either use 6 pNIC, or have ESX hosts that are just for DMZ or just for VMNetwork. Not both.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

boni635csi · ‎01-19-2009

Hi,

one more thing came to my mind. If you split SC/VMotion an VM netowrk, wouldn't that require a separate management network? Because as far as security goes, I don't see any difference if you connect one or two vSwitches to the same physical switch. And honestly, I haven't seen many small businesses (say up to 30-50 PC) that could (and want to) afford separate management network.

Best regards

Jacek Bonicki

All

Advice for network design with only 4 pNIC for SC, VMotion, Prod VMs and DMZ VM Networks