View Only
  • 1.  DMZ question

    Posted Jul 04, 2014 03:02 PM


    I would like ask about DMZ VMs.

    1- VMs in DMZ network can talk /ping to each other in current network settings of vswtich is there any way stop them to access/ping each other through vswitch.

    2- If i use vDS and put them into the isolated vlan will these VMs not communicate with each other but will be able to talk to my other physical server outside DNS/monitoring and VMs in normal network.even those VMs are on vswitch.

    Thanks in advance

  • 2.  RE: DMZ question

    Posted Jul 04, 2014 03:12 PM

    Hey VirtualRay,

    Typically people accomplish DMZ's in a few ways.

    1.)  They dedicate 2+ nics to all the port groups that you wish to be in the DMZ and then have those run to a switch/firewall to keep them isolated.  The firewall typically does most of the work here as you will setup access rules as to what ports are allowed in and out of the DMZ port groups.  All Vm's in these port groups will be able to talk to each other unless you want different DMZ silo's with different VLAN's / broadcast ranges.  IE.)  DMZ1 - 10.0.1.x /24 VLAN 100,  DMZ2 - 10.0.2.x /24 VLAN 200, then when stuff routes to the switch/routers you can control what can talk to what.

    quick picture

    2.)  They use Private VLAN's.  Private VLANs are really handly as they allow you to create a Primary Privat VLAN, then have secondary VLAN's inside of it.  The secondary VLAN's inside the primary are broken down into 2 different groups.  Community and Isolated.  Community can talk to the private VLAN and anythign else in its own community.  Isolated can only talk to anything inside the Isolated and the Private VLAN.  Your firewall will typically be sitting on the Private VLAN which will do the routing between the traffic. 

    So in this picture Community VLAN 123 can talk to anything inside VLAN 123 and the Primary VLAN 111, while Community VLAN 345 can talk to anything inside its community and Primary VLAN 111, however each community is unable to communicate with each other.  The isolated VLAN 222 can only talk to other systems in the Isolated vlan and of course the Primary VLAN 111 as thats its route out to the external world.

    3.)  You can use a virtual router and or vShield to create a virtual Firewall on your DMZ port groups and control what can go in and out that way.

    Most people opt for option 1 as option 2 requires some more advanced switch setup and your hardware switches need the abiltity to do PVLANS

    I hope this has helped.

  • 3.  RE: DMZ question

    Posted Jul 05, 2014 03:06 AM

    Nice detailed post there JPM300!!

  • 4.  RE: DMZ question

    Posted Jul 05, 2014 04:10 AM

    Thanks Rommel Humarang :smileyhappy:

    Looking back on the original question, 1.) VMs in DMZ network can talk /ping to each other in current network settings of vswtich is there any way stop them to access/ping each other through vswitch.

    If you don't want to use PVLAN's you can create two port groups for two different VLAN's like I mentioned before, so for example: DMZ1 - 10.0.1.x /24 VLAN 100,  DMZ2 - 10.0.2.x /24 VLAN.  Now since these port groups are on different VLANs and different networks they will need to go to the gateway to route to each other, meaning inside the Standard vSwitch or VDS they will not be able to ping each other.  Also here is a quick blog on the vCloud Networking and Security Manager (formerly known as vShield Manager) if you want to know more about it: vCloud Networking and Security 5.1 App Firewall - Part 1 | VMware vSphere Blog - VMware Blogs

    If you have any questions let us know,

    Hope this has helped,

  • 5.  RE: DMZ question

    Posted Jul 05, 2014 10:49 AM

    JPM300 is a legend, that is a top response.

  • 6.  RE: DMZ question

    Posted Jul 05, 2014 09:07 PM

    Thanks a lot JPM300, You are always helping me. thanks again.

    Actually I have already DMZ portgroup , VLANS in placed, but VMs in one network can ping each other.

    for instance If i take your example my VMs in DMZ1 - 10.0.1.x /24 VLAN 100 can ping/access each other  with in a DMZ1 which is dangerous for my environment.

    So in this scenario where i am running 4.1 which solution is good for me vDS private VLANS or vShield (vshield for 4.1 may be available )?

  • 7.  RE: DMZ question

    Posted Jul 05, 2014 09:27 PM

    If you have VM's in DMZ 10.0.1.X /24 VLAN 100 and other VM's in DMZ1 10.0.2.x /24 VLAN 200 and they can ping each other my guess is they are leaving out your vSwitch going to your layer 3 switch/router/firewall and routing back into the other network.  On the vSwitch weather it is a VSS or a VDS if they are on different VLAN's / networks they can't talk as the vswitches don't have any routing.

    Try this:

    Create a new VSS
    Create two new port groups DMZ2(VLAN 400) DMZ3(VLAN 500) put no external uplinks into this vswitch then put 1 vm in each DMZ if they cannot talk to each other it is your pshyical switching that is routing the networks for you and you will need to look into that.  If they can talk together do a route print on the VM's as that shouldn't be possible :smileysilly:

    If you have a VDS already just create a 2nd one with no UPLINK ports and create 2 port groups in the same manor and test in the same fashion.

    I have a very good feeling your VM's are sending traffic out of the vSwitch up to your physical switches and coming back.

    When it comes down to PVLANS and vShield I like to keep things on my psyhical network if I have already put the investment in for the hardware as I see it as using that investment.  I typically use vShield Manager when this solutions means I don't have to spend extra capital to get the solution working.  That or if I need some kind of automation with Orchestrator.  Either way is fine, I find the physical stuff easier to use as vShield manager has a lot of stuff in it which means a lot of extra material to learn / test prior to production deployment :smileysilly:

    Np anytime :smileyhappy:

  • 8.  RE: DMZ question

    Posted Jul 06, 2014 10:58 AM

    sorry , English is not my first language and i used wrong words .. so was not able to put here clearly .. let me try one more time.

    in my DMZ  environment VMs of one port group  are able to ping each other with in a same port group they are not able to ping to other port group.

    so i want to stop this access with in a same port group.

    For example : VMs in my DMZ 10.0.1.X /24 VLAN 100  network and port group  are capable to access each other within a same VLAN100. how i can stop it.

    what you suggest on it ...

  • 9.  RE: DMZ question
    Best Answer

    Posted Jul 06, 2014 03:18 PM

    Ahhhhh okay,

    Well if the VM's have to stay in the same port group and you can't split them out your best bet is Private VLANS assuming your physical switches have the capabilities.

    Here is a pic that better explains PVLANs again:

    Here is another with what you probably want to do:

    As you can see you would put a set of your VM's in a community that you want to be able to communicate with each other say VLAN 17 as in this picture, then put another the VM's that you don't want to talk to anything in the Isolated PVLAN 155 as in the picture.

    Now once you have your VM's in the proper groups you can either put a software firewall on the Promicuous group or have it just route out to your physical switches assuming they can do PVLAN's and have them route the traffic accordingly.
    If you want to test this out in your VMware environment prior to production you can test everything out with test VM's on a test VDS and everything will work as long as all the VM's you are testing stay on the same host / VDS

    To quickly go over PVLANs again here is how it breaks down:

    • Promiscuous – A node attached to a port in a promiscuous secondary PVLAN may send and receive packets to any node in any others secondary VLAN associated to the same primary. Routers are typically attached to promiscuous ports.

    • Isolated – A node attached to a port in an isolated secondary PVLAN may only send to and receive packets from the promiscuous PVLAN.
    • Community – A node attached to a port in a community secondary PVLAN may send to and receive packets from other ports in the same secondary PVLAN, as well as send to and receive packets from the promiscuous PVLAN.

    Here is some more information on the topic as well to help you along:

    vSphere Private VLANs - Dev Environment Use Case

    There is a free online lab / course for Distributed Switches in 5.5 but I don't remember if they do PVLANS or not:

    VMware - NEE

    Hope this helped clear things up,

  • 10.  RE: DMZ question

    Posted Jul 08, 2014 07:02 PM

    Thanks JPM300.