Network World

Edward Haletky

Blue Gears - DMZ w/3 Physical NICs with VMware ESX

By Texiwill on Tue, 01/20/09 - 2:07pm.
Virtualization hosts with only 3 pNICs present a challenge to the administrator. With only these 3 pNICs, some administrators wish to add a DMZ to the existing network mix of management, VMotion, storage, and a regular VM network. This is NOT recommended with only 3 pNICs: redundancy suffers greatly, and so does performance.

How to set up virtual networking in this situation is a question of trade-offs between performance, redundancy, and security. Specifically, since there are 3 security zones (Management/Storage, VM Network, and DMZ), there is a need to dedicate 1 pNIC to each zone, which removes a certain amount of redundancy and possibly performance.

The best way to use these pNICs is as follows:

pNIC0 -> vSwitch0 -> Portgroup0 (service console)
..................-> Portgroup1 (VMotion)
..................-> Portgroup2 (Storage Network)
pNIC1 -> vSwitch0 -> Portgroup3 (VM Network)
pNIC2 -> vSwitch0 -> Portgroup4 (DMZ Network)

Then assign pNIC1 and pNIC2 as the backup pNICs for Portgroup0, Portgroup1, and Portgroup2. Also, assign pNIC0 and pNIC2 as the backup pNICs for Portgroup3. Lastly, assign pNIC0 and pNIC1 as the backup pNICs for Portgroup4. This works best, however, when VLANs are enabled. You want to explicitly set up each portgroup to use strict failover mode (an explicit failover order) and not to use any form of load balancing.

The split described will give the best performance, redundancy, and security when only three pNICs are available. This setup works better when VLANs are in use, as the vSwitch has built-in security against all currently known VLAN attacks. Security will suffer if you just use subnets instead of VLANs. When using VLANs, every VLAN in use must be trunked through each pNIC in order for redundancy to come into play on a pNIC or path failure. This configuration is not a secure implementation. Sharing networks between your hostile virtual machines or DMZ and your service console, VMotion, or storage networks is not secure.
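The failover layout and the VLAN-trunk caveat above, as an added example that is not part of the original post: a small Python checker for a modelled vSwitch0 with three uplinks. It flags portgroups that use load balancing, failover orders that do not cover every pNIC, VLANs missing from an uplink's trunk, and two security zones active on one pNIC, and it shows which zones end up sharing a physical path after a pNIC failure. The vmnic names, VLAN ids and trunk table are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class PortGroup:
    name: str
    zone: str          # security zone the post separates: mgmt, vm or dmz
    vlan: int
    active: list       # active uplinks; the post wants exactly one per zone
    standby: list      # failover order for the remaining uplinks
    load_balancing: str = "explicit"   # explicit failover order, no load balancing

UPLINKS = ["vmnic0", "vmnic1", "vmnic2"]  # assumed vmnic names for pNIC0..pNIC2 (constructed)
LAYOUT = [
    PortGroup("Service Console", "mgmt", 10, ["vmnic0"], ["vmnic1", "vmnic2"]),
    PortGroup("VMotion",         "mgmt", 11, ["vmnic0"], ["vmnic1", "vmnic2"]),
    PortGroup("Storage Network", "mgmt", 12, ["vmnic0"], ["vmnic1", "vmnic2"]),
    PortGroup("VM Network",      "vm",   20, ["vmnic1"], ["vmnic0", "vmnic2"]),
    PortGroup("DMZ Network",     "dmz",  30, ["vmnic2"], ["vmnic0", "vmnic1"]),
]
# Constructed switch-side trunk table: VLAN ids carried on each uplink's switch port.
TRUNKS = {u: {10, 11, 12, 20, 30} for u in UPLINKS}

def check_layout(pgs, uplinks, trunks):
    """Return a list of violations of the post's rules (empty list = layout as described)."""
    problems, owner = [], {}
    for pg in pgs:
        if pg.load_balancing != "explicit":
            problems.append(f"{pg.name}: must use explicit failover order, not load balancing")
        if len(pg.active) != 1:
            problems.append(f"{pg.name}: exactly one active uplink expected")
        if set(pg.active) | set(pg.standby) != set(uplinks):
            problems.append(f"{pg.name}: failover order does not cover every uplink")
        for up in uplinks:
            if pg.vlan not in trunks.get(up, set()):
                problems.append(f"{pg.name}: VLAN {pg.vlan} not trunked on {up}, failover would black-hole it")
        for up in pg.active:
            zone = owner.setdefault(up, pg.zone)
            if zone != pg.zone:   # two security zones active on the same pNIC
                problems.append(f"{up}: shared by zones {zone} and {pg.zone} in normal operation")
    return problems

def zones_sharing_after_failure(pgs, failed):
    """Map each surviving uplink to the zones that land on it once `failed` goes down."""
    placement = {}
    for pg in pgs:
        order = [u for u in pg.active + pg.standby if u != failed]
        if order:
            placement.setdefault(order[0], set()).add(pg.zone)
    return placement
```

Running `zones_sharing_after_failure(LAYOUT, "vmnic2")` shows the DMZ landing on the same pNIC as the management traffic, which is the shared-path risk the post warns about.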

The use of 3 pNICs increases the number of choices an administrator must make, and there are serious trade-offs when it comes to security. If you must add a DMZ, add more pNICs.

About Virtualization Expert: Edward Haletky

Virtualization expert Edward L. Haletky is the author of VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers. He recently left HP, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a Guru and moderator for the VMware discussion forums, providing answers to security and configuration questions.

We have 15 copies of Haletky's book up for grabs. Go here for entry details (competition will open Nov. 1) and go here for a sneak peek of the book.