VMware vDefend

  • 1.  Extended Switch across multiple ESX hosts

    Posted Aug 14, 2023 09:43 PM

    Hello,


    I am new to VMware and I would like to know if a vSwitch can be extended across multiple ESXs.

    My goal is to deploy a Virtual Firewall that has two interfaces, an outside and an inside interface.

    The outside interface is connected to a virtual switch with connections to uplinks to external connectivity.

    The inside interface is connected to an internal isolated protected vSwitch with no uplinks.

    I have the need to extend the internal switch residing on ESX1, for example, to another ESX2 server where I can deploy other servers to be protected over the same virtual firewall.

    Thanks



  • 2.  RE: Extended Switch across multiple ESX hosts

    Posted Aug 14, 2023 10:36 PM

    Good afternoon, hope you are fine.

    What you will have is a DVS; this DVS (Distributed Virtual Switch) will be used by all the hosts that you define. My question is, is the DFW going to be used for north-south traffic only, or is it going to be used for east-west traffic as well? If this is the scenario, you will need to use NSX.

    Best Regards.

    SG



  • 3.  RE: Extended Switch across multiple ESX hosts

    Posted Aug 14, 2023 11:11 PM

    It is only for North/South traffic.


    So the DVS will behave as one single switch across multiple ESX servers?



  • 4.  RE: Extended Switch across multiple ESX hosts

    Posted Aug 15, 2023 07:16 AM

    Yes, all hosts can be connected to a distributed switch for central management and administration. However, you will require the Enterprise Plus licence for all hosts' CPUs to use that distributed switch (or, if you have vSAN, the distributed switch feature is included).



  • 5.  RE: Extended Switch across multiple ESX hosts

    Broadcom Employee
    Posted Aug 15, 2023 07:59 AM

    And just because you have the distributed switch working on all your hosts, that doesn't have an effect on traffic flow.

    In other words, if your virtual firewall is a VM and you build it on one host, connecting that VM to a port group on your distributed switch doesn't also "distribute" copies of the virtual firewall VM to all your other hosts.
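As an added example (not from any of the posts above), a PowerCLI check for the setup the replies describe: it confirms that every host in the cluster is attached to the distributed switch, and shows that the firewall VM itself runs on exactly one host with its two NICs on the outside and inside port groups. The vCenter address, cluster, switch, port group and VM names are assumed placeholders.

```powershell
# Added example: audit a two-leg virtual firewall on a distributed switch.
# All names below are assumed placeholders; replace them for your environment.
Connect-VIServer -Server "vcenter.example.com" | Out-Null

$clusterName = "Cluster-01"        # assumed
$dvsName     = "dvs-firewall"      # assumed
$outsidePg   = "pg-outside"        # assumed: port group with uplinks to the outside
$insidePg    = "pg-inside"         # assumed: protected port group behind the firewall
$fwVmName    = "vfw-01"            # assumed: the virtual firewall VM

$dvs = Get-VDSwitch -Name $dvsName

# Reply 4: every host in the cluster should be a member of the DVS.
$clusterHosts = Get-Cluster -Name $clusterName | Get-VMHost
$dvsHosts     = Get-VMHost -DistributedSwitch $dvs
$missing = $clusterHosts | Where-Object { $dvsHosts.Name -notcontains $_.Name }
if ($missing) {
    Write-Warning ("Hosts not attached to {0}: {1}" -f $dvsName, ($missing.Name -join ", "))
} else {
    Write-Output ("All {0} cluster hosts are attached to {1}" -f $clusterHosts.Count, $dvsName)
}

# Reply 5: the port group spans every host, but the firewall VM runs on one host only.
$fw = Get-VM -Name $fwVmName
Write-Output ("{0} currently runs on host {1}" -f $fw.Name, $fw.VMHost.Name)

# The firewall must have one NIC on each leg, and nothing else; a NIC on an
# unexpected port group means the segmentation design is not what was intended.
$nics = Get-NetworkAdapter -VM $fw
foreach ($nic in $nics) {
    $leg = switch ($nic.NetworkName) {
        $outsidePg { "outside" }
        $insidePg  { "inside" }
        default    { "UNEXPECTED" }
    }
    Write-Output ("  {0} -> {1} ({2})" -f $nic.Name, $nic.NetworkName, $leg)
}
if ($nics.Count -ne 2) { Write-Warning "Expected exactly two NICs on the firewall VM" }

# Show the VLAN settings of both port groups so that inside and outside can be
# confirmed as separate segments on the shared switch.
foreach ($pgName in @($outsidePg, $insidePg)) {
    $pg = Get-VDPortgroup -VDSwitch $dvs -Name $pgName
    Write-Output ("{0}: VLAN config = {1}" -f $pg.Name, $pg.VlanConfiguration)
}
```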