
Network World

Edward Haletky

Blue Gears - DMZ w/2 Physical NICs with VMware ESX

By Texiwill on Fri, 01/16/09 - 3:55pm.

Virtualization hosts running on commodity boxes present a challenge for the administrator, namely the number of physical NICs available for use. Often there are only two NICs available.

Within these 2 pNICs, some administrators wish to add a DMZ to the network mix of management, VMotion, storage, and a regular VM Network. This is NOT recommended with only 2 pNICs.

Setting up virtual networking in this situation is a challenge of trade-offs between performance, redundancy, and security.

The best way to use these pNICs is as follows:

pNIC0 -> vSwitch0 -> Portgroup0 (service console)
                  -> Portgroup1 (VMotion)
                  -> Portgroup2 (Storage Network)
pNIC1 -> vSwitch0 -> Portgroup3 (VM Network OR DMZ, not both)

Then assign pNIC1 as the backup pNIC for Portgroup0, Portgroup1, and Portgroup2. Lastly, assign pNIC0 as the backup pNIC for Portgroup3. This works best, however, when VLANs are enabled. You want to explicitly set up each portgroup to use strict failover mode and not to use any form of load balancing.

When adding a DMZ to a 2 pNIC configuration, you want either a DMZ or a VM Network on this system; you do NOT want both. The reason is that there are 3 security zones when you add a DMZ, not two. Since there are only 2 pNICs, you can only handle 2 security zones safely, so you need to pick either the DMZ or the VM Network.

The split described will give the best performance, redundancy, and security when only two pNICs are available. This setup works better when VLANs are in use, as the vSwitch has built-in security against all currently known VLAN attacks. Security will suffer if you just use subnets instead of VLANs. When using VLANs, all VLANs in use must be trunked through each pNIC in order for redundancy to come into play on a pNIC or path failure. Even so, this configuration is not a secure implementation: sharing networks between your hostile virtual machines or DMZ and your service console, VMotion, or storage networks is not secure.
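The layout above expressed as a VMware PowerCLI (VI Toolkit) script is given here as an added example; it is not the author's code. The host name, vmnic names and VLAN IDs are placeholders, the session is assumed to already be connected with Connect-VIServer, and the service console and VMkernel interfaces (IP addressing) are left to the administrator.

```powershell
# Added example (not from the original post): builds the 2-pNIC layout
# described above with VMware PowerCLI. Host name, vmnic names and VLAN IDs
# are placeholders; adjust them for your environment.
# Assumes Connect-VIServer has already been run against the host or vCenter.

$esx     = Get-VMHost -Name "esx01.example.local"   # placeholder host
$mgmtNic = "vmnic0"   # pNIC0: active for service console / VMotion / storage
$vmNic   = "vmnic1"   # pNIC1: active for the single VM Network OR DMZ

# One vSwitch carrying both uplinks. Every port group is VLAN-tagged, and
# both pNICs must be trunked for all of these VLANs on the physical switch,
# otherwise failover to the backup pNIC silently breaks connectivity.
$vs = New-VirtualSwitch -VMHost $esx -Name "vSwitch0" -Nic $mgmtNic,$vmNic

# Port group definitions: name, VLAN ID (placeholder), active and standby pNIC
$portGroups = @(
    @{ Name = "Service Console"; VLan = 10; Active = $mgmtNic; Standby = $vmNic },
    @{ Name = "VMotion";         VLan = 20; Active = $mgmtNic; Standby = $vmNic },
    @{ Name = "Storage Network"; VLan = 30; Active = $mgmtNic; Standby = $vmNic },
    # Portgroup3: a DMZ or a VM Network, never both on a 2-pNIC host.
    @{ Name = "DMZ";             VLan = 40; Active = $vmNic;   Standby = $mgmtNic }
)

foreach ($pgDef in $portGroups) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $pgDef.Name -VLanId $pgDef.VLan

    # Strict failover per port group: explicit active/standby order, no load
    # balancing, no automatic failback, and no inheritance of the vSwitch policy.
    Get-NicTeamingPolicy -VirtualPortGroup $pg |
        Set-NicTeamingPolicy -InheritFailoverOrder $false `
                             -InheritLoadBalancingPolicy $false `
                             -InheritFailback $false `
                             -LoadBalancingPolicy ExplicitFailover `
                             -MakeNicActive $pgDef.Active `
                             -MakeNicStandby $pgDef.Standby `
                             -FailbackEnabled $false
}

# Check: every port group should list exactly one active and one standby NIC,
# with the DMZ group the only one whose active NIC is $vmNic.
Get-VirtualPortGroup -VirtualSwitch $vs |
    Get-NicTeamingPolicy |
    Select-Object VirtualPortGroup, LoadBalancingPolicy, ActiveNic, StandbyNic
```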

The 2 pNIC limit further increases the number of choices an administrator must make, and there are serious trade-offs when it comes to security. If you must add a DMZ, add more pNICs.

About Virtualization Expert: Edward Haletky

Virtualization expert Edward L. Haletky is the author of VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers. He recently left HP, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a Guru and moderator for the VMware discussion forums, providing answers to security and configuration questions.
