VMware vSphere

 View Only

  • 1.  Is it possible to have more than one management network?

    Posted Jun 28, 2015 04:42 PM

    I noticed on the vSphere client under Host -> Configuration -> Network, I'm able to add a new Management Network.  So is it possible for me to add another Management Network if need to?

    The background is I'm trying to add a VM based firewall and have it sit between everything (ie both VMs and ESXi Management) and the Internet.

    At the moment it looks like this:
    Internet -> Firewall -> vmnic0 -> Management Network
    Internet -> Firewall -> vmnic1 -> VMs

    And I want to do this:
    Internet -> vmnic0 -> VM Based Firewall -> Management Network and VMs

    To be safe, can I do this so I can still reach the Management Network via vmnic0 in case I screw up the VM Based Firewall during the initial configuration?
    Internet -> Firewall -> vmnic0 -> Management Network
    Internet -> vmnic1 -> VM Based Firewall -> Management Network



  • 2.  RE: Is it possible to have more than one management network?

    Posted Jun 28, 2015 04:45 PM

    So is it possible for me to add another Management Network if need to?

    Yes, it's possible to mark multiple VMKernel Ports for management.

    To be safe, can I do this so I can still reach the Management Network via vmnic0 in case I screw up the VM Based Firewall during the initial configuration?

    Internet -> Firewall -> vmnic0 -> Management Network

    Internet -> vmnic1 -> VM Based Firewall -> Management Network

    now if you look at your current ESXi host networking configuration, you will find that vSwitch0 has a VMKernel Port called vmk0(holding management IP) with network label Management Network, this is using your vmnic0 as uplink adapter.

    As you are planning to have another VMkernel Port with management capabilities, let's say you are creating this on vSwitch1, configured with vmnic1 as uplink and having Management Network1 on this with vmk1(different management IP).

    And I want to do this:

    Internet -> vmnic0 -> VM Based Firewall -> Management Network and VMs

    why do you want VM Based firewall between internet and VMkernel, it has it's own firewall.

    if you are planning to configure firewall between Internet and your VMs, for that you don't really need VMKernel Port for management, you can simply live with Virtual Machines Portgroups and connect your VM with Firewall vNICs with those port groups.

    Please remember, VMKernel Port is not going to let you connect VM's vNIC with it.



  • 3.  RE: Is it possible to have more than one management network?

    Posted Jul 04, 2015 02:00 PM

    Hi, thanks for the reply.  What I'm trying to do is to test the feasibility of using a software firewall.  I understand the ESXi has its built in firewall but I prefer to use a proper firewall with its associated set of management features and other features such as one time password.  So in the end it'd look like the following:

    Internet -> vmnic0 -> vSwitch0 -> Firewall VM -> vSwitch Private -> VMkernal Port vmk0

    I'm trying to do this in a two phase approach:

    Phase 1 - Setup an additional VMkerel Port via vmnic1

    This is done so in case I mis-configure the firewall I'd still somehow be able to control ESXi from vSphere via the vmnic1 connection.  I just tried configuring the second connection for vmk1 and it looks like this.  Port vmk0 is still connected directly to the Internet via vmnic0 at the moment.  Note I haven't setup the Firewall VM here yet as you can see vmk0 is still connected directly to vmnic0 via vSwitch0.

    However I'm not able to ping the second IP for vmk1.  Not sure if it's a routing issue or ESXi just don't support having two management port both accessible via 2 NICs.  Any ideas?

    Phase 2 - Assign vmk0 to vmnic1 via DCUI

    This is the end goal with vmk0 be the only management port (ie vmk1 will be removed by this time) with the following connection, which is what I stated above.

    Internet -> vmnic0 -> vSwitch0 -> Firewall VM -> vSwitch Private -> VMkernal Port vmk0

    Then if the Firewall VM screws up due to firmware upgrade or configuration issues I and VPN in to manage the host via IPMI and use console redirect to access DCUI.  From within the DCUI, I'll then assign the management port vmk0 to vmnic1 resulting in this, bypassing the firewall.

    Internet -> vmnic1 -> vSwitch1 -> VMkernal Port vmk0

    I have yet to test this but do you see any issues with this?



  • 4.  RE: Is it possible to have more than one management network?

    Posted Jul 05, 2015 08:29 AM

    Hi I have downloaded ESXi6 and installed it onto my Workstation 10 to do the tests and I can confirm the following.

    Multiple management network can be setup and used simultaneously

    Following screen shots show this actually does work.

    DCUI can indeed be used to assign Management Network to specific NIC

    So with the three Management Networks setup as shown above, this is what I did to test that this does work.

    1) Remove vmnic0 from vSwitch0.  This caused vmk0 and vmk1 to be not accessible.

    2) Logon to DCUI, press F2, enter root's credentials, press F2 again.

    3) Press down arrow key to select Configure Management Network, press Enter.

    4) Select Network Adapters, press Enter.  Note no vmnic is shown on the right at the moment.

    5) DCUI will provide the list of available NICs to choose from.  Note none is selected at the moment.  Select either one (I'm selecting vmnic0) with the space bar, press Enter.

    6) DCUI now displays Management Network is assigned to vmnic0.  Press Esc to Exit.

    7) DCUI will ask you to confirm to save changes and restart.  Press Y.

    8) Now if you try to connect to ESXi again via the IP shown from Step 3 above.  It'd connect!