VMware vSphere

  • 1.  DMZ Configuration

    Posted Mar 22, 2012 08:20 PM

    Hi,

    I have been using VMware for quite some time now and have never needed to configure a DMZ.  I read the VMware whitepaper on the DMZ already, sort of useful but sort of not for me. 

    Basically I have a series of webservers that I need to stick in a DMZ.  These webservers will be spread across all of our hosts. 

    I just bought an extra dual port NIC to pop into all of my ESX hosts with the plan of having 2 pnics for the DMZ on each host.  Is this the most recommended approach or do people add a DMZ port group to their normal virtual machine vswitch?

    So once I get the DMZ vSwitch I know I need to configure my physical switch for the DMZ, and then set up the DMZ on my firewall.  Any gotchas?  How are people protecting which servers go in the Virtual Machine vSwitch and the DMZ vSwitch?  Please be specific if possible.



  • 2.  RE: DMZ Configuration

    Posted Mar 22, 2012 08:43 PM

    If you are using VLANs and a shared physical network then you just need to add DMZ portgroups to your existing VM Networking vSS.

    If you plan on going with a separate physical switch for your DMZ network, then adding two extra NICs per host and attaching them to the DMZ switch makes sense. Add the two new NICs to a separate vSS and create a DMZ VM Network portgroup. I would still use VLANs for your DMZ as well, as this will add an extra layer of security without too much effort.

    Regards,

    Paul



  • 3.  RE: DMZ Configuration

    Posted Mar 22, 2012 08:48 PM

    Alright, any security or traffic shaping settings I should be setting on that port group?  I am using VLANs, which I have set.  For some reason I thought I would need to get new physical NICs to segregate. Wishing I didn't buy those cards, oh well, more NICs are always good I guess.

    On the physical switches do I need to configure each port to be part of the DMZ?  Or just set up VLAN tagging so the physical switch can read the tag?  I guess I am confused on how the physical port on the physical switch can have the Virtual Machine group and DMZ.  You can tell I am not a networking guy.  The switches I am using are Juniper.  Any guidance on how to configure it in this scenario would be helpful.



  • 4.  RE: DMZ Configuration
    Best Answer

    Posted Mar 22, 2012 09:03 PM

    The method for having several VM Networking portgroups on the same vSwitch is called Port Trunking. This is where a physical switch is configured to allow several VLANs to use the same port for communications. Then on the vSS portgroup you define the VLAN, so you can now build several individual portgroups and each has its own VLAN assigned. For example, on vSwitch1 you could have all of the following:

    Portgroup Name: VM Network Prod 1    VLAN assigned: 113
    Portgroup Name: VM Network Prod 2    VLAN assigned: 114
    Portgroup Name: VM Network Test 1    VLAN assigned: 213
    Portgroup Name: VM Network Dev 1     VLAN assigned: 214
    Portgroup Name: VM Network DMZ 1     VLAN assigned: 888
    Portgroup Name: VM Network DMZ 2     VLAN assigned: 999

    Check out my blog for ESXi host network designs. If you need more input let me know.

    http://vrif.blogspot.co.nz/2011/10/vmware-vsphere-5-host-network-designs.html

    I would personally have no issues putting DMZ servers on the same hosts and same physical network as Production systems. But I am confident that VMware technology can be used to secure the environment in an acceptable way. Not everyone has that confidence, especially government organizations.

    Regards,

    Paul
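The design Paul describes in replies 2 and 4 (one trunked vSwitch, one portgroup per VLAN, DMZ portgroups tagged 888 and 999) can be built and then audited with PowerCLI. The script below is an added example written for this thread, not code from the original posts or from VMware; the vCenter and host names, the vSwitch name and the uplink vmnics are assumptions, while the portgroup names and VLAN IDs are the ones listed in reply 4. It also answers the question in the first post about keeping servers on the right side of the DMZ: the two check functions flag portgroups whose VLAN tag does not match the design and VMs that have a NIC in a DMZ portgroup and another NIC outside it, since a dual-homed guest bridges the DMZ straight into the production VLANs regardless of how the physical switch is trunked.

```powershell
# Added example for this thread (not from the original posts). Assumes PowerCLI and a
# vCenter session. Names marked "assumed" are placeholders; VLAN IDs come from reply 4.
# Connect-VIServer -Server 'vcenter.example.invalid'   # assumed vCenter name

$vmHost = Get-VMHost -Name 'esx01.example.invalid'     # assumed ESXi host name

# Port groups and VLAN IDs exactly as listed in reply 4
$portGroups = @(
    @{ Name = 'VM Network Prod 1'; VlanId = 113 }
    @{ Name = 'VM Network Prod 2'; VlanId = 114 }
    @{ Name = 'VM Network Test 1'; VlanId = 213 }
    @{ Name = 'VM Network Dev 1';  VlanId = 214 }
    @{ Name = 'VM Network DMZ 1';  VlanId = 888 }
    @{ Name = 'VM Network DMZ 2';  VlanId = 999 }
)
$dmzNames = ($portGroups | Where-Object { $_.Name -like '*DMZ*' }).Name

# One vSwitch carrying every VLAN over the uplinks vmnic2/vmnic3 (assumed names). The physical
# switch ports those uplinks plug into must be 802.1Q trunks that allow exactly these VLAN IDs.
$vSwitch = Get-VirtualSwitch -VMHost $vmHost -Name 'vSwitch1' -ErrorAction SilentlyContinue
if (-not $vSwitch) {
    $vSwitch = New-VirtualSwitch -VMHost $vmHost -Name 'vSwitch1' -Nic 'vmnic2', 'vmnic3'
}

foreach ($pg in $portGroups) {
    $vpg = Get-VirtualPortGroup -VirtualSwitch $vSwitch -Name $pg.Name -ErrorAction SilentlyContinue
    if (-not $vpg) {
        $vpg = New-VirtualPortGroup -VirtualSwitch $vSwitch -Name $pg.Name -VLanId $pg.VlanId
    }
    # Separation between portgroups on a shared vSwitch relies on guests not being able to
    # sniff the segment or spoof MAC addresses, so reject all three on every portgroup.
    $vpg | Get-SecurityPolicy |
        Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
        Out-Null
}

# Check 1: each portgroup carries the VLAN the design calls for. VLAN 0 (untagged) or
# 4095 (all VLANs passed to the guest) on a DMZ portgroup would undo the separation.
function Test-DmzPortGroups {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [hashtable[]] $Expected
    )
    $findings = @()
    foreach ($pg in $Expected) {
        $actual = Get-VirtualPortGroup -VMHost $VMHost -Name $pg.Name -ErrorAction SilentlyContinue
        if (-not $actual) { $findings += "missing portgroup '$($pg.Name)'"; continue }
        if ($actual.VLanId -ne $pg.VlanId) {
            $findings += "'$($pg.Name)' has VLAN $($actual.VLanId), expected $($pg.VlanId)"
        }
        if ($actual.VLanId -in 0, 4095) {
            $findings += "'$($pg.Name)' is untagged or passes all VLANs to the guest"
        }
    }
    $findings
}

# Check 2: no VM on the host is attached to both a DMZ portgroup and a non-DMZ portgroup.
function Test-DualHomedVMs {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string[]] $DmzNames
    )
    foreach ($vm in Get-VM -Location $VMHost) {
        $nets    = ($vm | Get-NetworkAdapter).NetworkName | Sort-Object -Unique
        $inDmz   = @($nets | Where-Object { $_ -in $DmzNames })
        $outside = @($nets | Where-Object { $_ -notin $DmzNames })
        if ($inDmz.Count -gt 0 -and $outside.Count -gt 0) {
            [pscustomobject]@{
                VM            = $vm.Name
                DmzNetworks   = ($inDmz -join ', ')
                OtherNetworks = ($outside -join ', ')
            }
        }
    }
}

Test-DmzPortGroups -VMHost $vmHost -Expected $portGroups   # empty output means the tags match
Test-DualHomedVMs  -VMHost $vmHost -DmzNames $dmzNames     # each row is a VM bridging the DMZ
```

Running the two checks on a schedule, rather than once at build time, is what keeps the answer to "which servers go in the DMZ vSwitch" honest: anyone with permission to edit a VM's network adapter can move it between portgroups, and a VLAN mismatch on the physical trunk is silent until something audits for it.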



  • 5.  RE: DMZ Configuration

    Posted Mar 22, 2012 09:08 PM

    Thank you very much this has been extremely helpful.