VMware vSphere

I currently have a test ESX4i server. A nice HP DL380G5. It has 6 nics. I'd like to provision a VM for a consultant to use and segment it from the rest of our VM's.

Interface 0 has the existing managment network setup on it. It is behind a firewall and NAT'd

Interface0

10.0.4.10 / 255.255.255.0

Gateway 10.0.4.254

What I would like to do is take Interface 5 and attach physically to another firewall that is on a different public IP.

Interface5

192.168.1.1 /255.255.255.0

Gateway 192.168.1.254

I'd like the management network to be able to be associated with this IP (vsphere client access). I've added the management network inside of ESX to interface 5 but when it gets to the default gateway I can't modify it from the existing vaule of 10.0.4.254. Could this be done via CLI?

The vmkernel can only have one default gateway. If the user only needs to access the VM (and not manage the ESXi host) then you don't have to worry about putting a vmkernel port on the new vSwitch. You would just create the new vSwitch with the NIC port, add a virtual machine port group and then add the VM's NIC to that port group.

Dave

VMware Communities User Moderator

New book in town - vSphere Quick Start Guide -http://www.yellow-bricks.com/2009/08/12/new-book-in-town-vsphere-quick-start-guide/.

Do you have a system or PCI card working with VMDirectPath? Submit your specs to the Unofficial VMDirectPath HCL - http://www.vm-help.com/forum/viewforum.php?f=21.

The user would like access to manage the Esxi host. Especially for console access via Vsphere client. (Power on, Power Off's etc)

I've set security so he can't change the VM's properties or see or change any other VM's just his one. I'd just like to keep him out of our 10.0.4.x network.

You could try a static route on the 2nd vmkernel port if you know the consultants source IP, but I would avoid putting a vmkernel port on the Internet. Instead, you could create a vswitch with no physical NIC port, then add a NIC from the VM to it as well as a vmkernel IP so that the host can be managed on that isolated network only from the VM. I would also review the permissions granted to the consultant for the VM. I'm not saying they would be malicious, but if they can edit the vNIC settings for the VM then they could place the 2nd vNIC onto your LAN.

Dave

VMware Communities User Moderator

New book in town - vSphere Quick Start Guide -http://www.yellow-bricks.com/2009/08/12/new-book-in-town-vsphere-quick-start-guide/.

Do you have a system or PCI card working with VMDirectPath? Submit your specs to the Unofficial VMDirectPath HCL - http://www.vm-help.com/forum/viewforum.php?f=21.

+You could try a static

route on the 2nd vmkernel port if you know the consultants source IP,

but I would avoid putting a vmkernel port on the Internet+

192.168.1.x Network is behind a firewall with a Point to Point VPN tunnel to the consultants office. So would I just add the routers internal IP of 192.168.1.254? I'm a newbie on CLI any help on how to add it?

+Instead, you could

create a vswitch with no physical NIC port, then add a NIC from the VM

to it as well as a vmkernel IP so that the host can be managed on that

isolated network only from the VM.+

If the VM isn't ON and functioning then he couldn't manage it. Or am I mssing something? Case in point, he needs to load server 2008. I'd like him to do that. I've already mounted the ISO for 2008 in his VM config.

+I would also review the

permissions granted to the consultant for the VM. I'm not saying they

would be malicious, but if they can edit the vNIC settings for the VM

then they could place the 2nd vNIC onto your LAN.+

I've logged in as him, verified that he cannot edit his own VM, nor can he see any others. He also can't modify any host settings. I'd have to assume other people are having similair situations with shared hosted VM's. The security is very granular under ESX I was very supprised to see the level of control you can grant.