Network World

Edward Haletky

Blue Gears - DMZ w/4 Physical NICs with VMware ESX

By Texiwill on Fri, 01/30/09 - 8:42am.

Virtualization hosts with only 4 pNICs whose administrators want to include a DMZ alongside all the other networks present a challenge. Across these 4 pNICs the following networks would have to coexist: DMZ, VMotion, Storage, and a regular VM Network. This is NOT recommended with only 4 pNICs, as both redundancy and security suffer greatly.

How to set up virtual networking in this situation is a challenge of trade-offs between performance, redundancy, and security. Specifically, since there are 3 security zones (Management/Storage, VM Network, and DMZ), there is a need to use 1 pNIC for each zone. Yet for performance you also want the Storage network on its own pNIC, which removes a certain amount of redundancy and limits security, as data is still commingled.

The best way to use 4 pNICs is as follows:

pNIC0 -> vSwitch0 -> Portgroup0 (service console)
..................-> Portgroup1 (VMotion)
pNIC1 -> vSwitch0 -> Portgroup2 (Storage Network)
pNIC2 -> vSwitch0 -> Portgroup3 (VM Network)
pNIC3 -> vSwitch0 -> Portgroup4 (DMZ Network)

Since the key is to segregate traffic while maintaining redundancy, there is really no good way to implement redundancy: any method puts the DMZ on the wire of another network during a failure event. Some would simply implement load balancing in this mode by teaming all pNICs together, but I think it would be better to do explicit failover; however you set up failover, though, you have possible security issues. There is no best practice for this.

A better solution is to make a conscious choice to use either a DMZ on the virtualization host or a VM Network, not both. That gives you something like the following:

pNIC0 -> vSwitch0 -> Portgroup0 (service console)
..................-> Portgroup1 (VMotion)
pNIC1 -> vSwitch0 -> Portgroup2 (Storage Network)
pNIC2 -> vSwitch1 -> Portgroup3 (VM or DMZ Network not both!)
pNIC3 -> vSwitch1 -> Portgroup3

In this fashion you can leave NIC teaming alone for Portgroup3, and make pNIC0 the backup for pNIC1 and pNIC1 the backup for Portgroup0 and Portgroup1.
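To make the trade-off concrete, here is an added example (not from the original post) that models the two layouts above and audits them against the two rules the post relies on: one pNIC per security zone, counting failover paths and not just active uplinks, and at least two pNICs behind every portgroup. The Portgroup/VSwitch data model, the zone mapping, and the failover pairing chosen for the first layout are assumptions.

```python
from dataclasses import dataclass, field

# The three security zones named in the post, keyed by portgroup name (assumed mapping).
ZONE = {"service console": "mgmt", "VMotion": "mgmt", "Storage Network": "mgmt",
        "VM Network": "vm", "DMZ Network": "dmz"}

@dataclass
class Portgroup:
    name: str
    active: list                                   # pNICs normally carrying traffic
    standby: list = field(default_factory=list)    # pNICs taken over on pNIC/path failure

@dataclass
class VSwitch:
    name: str
    portgroups: list

def audit(vswitches):
    """Return findings as strings; an empty list means both rules hold."""
    findings = []
    wire_zones = {}          # pNIC -> zones whose frames may ride on that wire
    for vs in vswitches:
        for pg in vs.portgroups:
            # Rule 1: a portgroup needs a second pNIC to survive a failure.
            if len(pg.active) + len(pg.standby) < 2:
                findings.append(f"{vs.name}/{pg.name}: single pNIC, no redundancy")
            for nic in pg.active + pg.standby:
                wire_zones.setdefault(nic, set()).add(ZONE[pg.name])
    # Rule 2: one pNIC per zone, including the wire a zone falls back to on failover.
    for nic, zones in sorted(wire_zones.items()):
        if len(zones) > 1:
            findings.append(f"{nic}: zones {sorted(zones)} share one wire")
    return findings

# Layout 1 from the post with the explicit failover it discusses (assumed pairing):
# pNIC2 and pNIC3 back each other up, so the DMZ lands on the VM Network wire on failure.
FOUR_ZONE = [VSwitch("vSwitch0", [
    Portgroup("service console", ["pNIC0"], ["pNIC1"]),
    Portgroup("VMotion", ["pNIC0"], ["pNIC1"]),
    Portgroup("Storage Network", ["pNIC1"], ["pNIC0"]),
    Portgroup("VM Network", ["pNIC2"], ["pNIC3"]),
    Portgroup("DMZ Network", ["pNIC3"], ["pNIC2"])])]

# Layout 2 from the post: a DMZ instead of a VM Network, pNIC2/pNIC3 teamed on vSwitch1.
DMZ_ONLY = [
    VSwitch("vSwitch0", [Portgroup("service console", ["pNIC0"], ["pNIC1"]),
                         Portgroup("VMotion", ["pNIC0"], ["pNIC1"]),
                         Portgroup("Storage Network", ["pNIC1"], ["pNIC0"])]),
    VSwitch("vSwitch1", [Portgroup("DMZ Network", ["pNIC2", "pNIC3"])])]
```

Running `audit(FOUR_ZONE)` flags pNIC2 and pNIC3 as carrying both the vm and dmz zones once failover is counted, while `audit(DMZ_ONLY)` returns no findings.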

The setup described gives the best performance, redundancy, and security when only three pNICs are available. It works better when VLANs are in use, since the vSwitch has built-in protection against all currently known VLAN attacks; security suffers if you just use subnets instead of VLANs. When using VLANs, every VLAN in use must be trunked through each pNIC for redundancy to take effect on a pNIC or path failure. Even so, this configuration is not a secure implementation: sharing networks between your hostile virtual machines or DMZ and your service console, VMotion, or storage networks is not secure.

Using 4 pNICs increases the choices an administrator must make, and there are serious trade-offs when it comes to security. If you must add a DMZ, add more pNICs.

About Virtualization Expert: Edward Haletky

Virtualization expert Edward L. Haletky is the author of VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers. He recently left HP, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a Guru and moderator for the VMware discussion forums, providing answers to security and configuration questions.
