Blue Gears - DMZ w/2 Physical NICs with VMware ESX

Virtualization hosts running on commodity boxes present a challenge for the administrator, namely the number of physical NICs available for use. Often there are only two. With these 2 pNICs, some administrators wish to add a DMZ to the network mix of management, VMotion, storage, and a regular VM Network. This is NOT recommended with only 2 pNICs. How to set up virtual networking in this situation is a challenge of trade-offs between performance, redundancy, and security. The best way to use these pNICs is as follows:

pNIC0 -> vSwitch0 -> Portgroup0 (service console)
                  -> Portgroup1 (VMotion)
                  -> Portgroup2 (Storage Network)
pNIC1 -> vSwitch0 -> Portgroup3 (VM Network OR DMZ, not both)

Then assign pNIC1 as the backup pNIC for Portgroup0, Portgroup1, and Portgroup2. Lastly, assign pNIC0 as the backup pNIC for Portgroup3. This works best, however, when VLANs are enabled. You want to explicitly set up each portgroup to use strict failover mode and not to use any form of load balancing.

When adding a DMZ to a 2 pNIC configuration, you want either a DMZ or a VM Network on this system; you do NOT want both. The reason is that adding a DMZ gives you 3 security zones, not two, and with only 2 pNICs you can only handle 2 security zones safely. So you need to pick whether you want the DMZ or the VM Network. The split described will give the best performance, redundancy, and security when only two pNICs are available.

This setup works better when VLANs are in use, as the vSwitch has built-in security against all currently known VLAN attacks. Security will suffer if you just use subnets instead of VLANs. When using VLANs, all VLANs in use must be trunked through each pNIC in order for redundancy to come into play on a pNIC or path failure.

Even so, this configuration is not a secure implementation. Sharing networks between your hostile virtual machines or DMZ and your service console, VMotion, or storage networks is not secure. The 2 pNIC limit further increases the number of hard choices an administrator must make, and there are serious trade-offs when it comes to security. If you must add a DMZ, add more pNICs.
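As an added example (not code from the original column or from VMware), the following Python models the two-pNIC split described above, checks a proposed design against the column's rules (one active and one standby pNIC per portgroup, explicit failover with no load balancing, infrastructure and guest traffic never active on the same pNIC, never DMZ and VM Network together, VLANs rather than bare subnets), and renders the matching esxcli commands. Portgroup names, zone labels and VLAN IDs are constructed for illustration; the esxcli syntax is an assumption, since it is the ESXi 5.x and later CLI while the column describes classic ESX with a service console.

```python
# Added example: model, checker and esxcli renderer for the two-pNIC design.
# Names, zones and VLAN IDs below are constructed; the esxcli syntax assumes
# ESXi 5.x or later (the column itself covers classic ESX).
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

INFRA_ZONE = "infrastructure"          # service console, VMotion, storage traffic
GUEST_ZONES = ("vm-network", "dmz")    # a 2-pNIC host can carry only one of these


@dataclass
class PortGroup:
    name: str
    zone: str                          # INFRA_ZONE or one of GUEST_ZONES
    active: str                        # the single active pNIC for this portgroup
    standby: str                       # the single standby (failover) pNIC
    vlan: Optional[int] = None         # None means a plain subnet, no 802.1Q tag
    load_balancing: str = "explicit"   # explicit failover order, no load balancing


def recommended_design(dmz: bool = False, use_vlans: bool = True) -> List[PortGroup]:
    """The split from the column: infrastructure active on vmnic0, guests active
    on vmnic1, each pNIC standing by for the other. Pick DMZ or VM Network."""
    tag = (lambda v: v) if use_vlans else (lambda v: None)
    if dmz:
        guest = PortGroup("DMZ", "dmz", "vmnic1", "vmnic0", tag(50))
    else:
        guest = PortGroup("VM Network", "vm-network", "vmnic1", "vmnic0", tag(40))
    return [
        PortGroup("Service Console", INFRA_ZONE, "vmnic0", "vmnic1", tag(10)),
        PortGroup("VMotion", INFRA_ZONE, "vmnic0", "vmnic1", tag(20)),
        PortGroup("Storage Network", INFRA_ZONE, "vmnic0", "vmnic1", tag(30)),
        guest,
    ]


def check_design(pgs: List[PortGroup],
                 pnics: Tuple[str, str] = ("vmnic0", "vmnic1")) -> List[str]:
    """Return findings ("ERROR: ..." or "WARN: ..."); an empty list means the
    design follows the column's rules for a two-pNIC host."""
    findings: List[str] = []
    guests_present = {pg.zone for pg in pgs if pg.zone in GUEST_ZONES}
    if len(guests_present) > 1:
        findings.append("ERROR: DMZ and VM Network on the same host make three "
                        "security zones, and two pNICs can only isolate two")
    active_for: Dict[str, Set[str]] = {}
    for pg in pgs:
        if pg.load_balancing != "explicit":
            findings.append(f"ERROR: {pg.name}: load balancing '{pg.load_balancing}' "
                            "in use; each portgroup must use explicit failover only")
        if {pg.active, pg.standby} != set(pnics):
            findings.append(f"ERROR: {pg.name}: active/standby must be the two "
                            "distinct pNICs, one active and the other on standby")
        side = INFRA_ZONE if pg.zone == INFRA_ZONE else "guest"
        active_for.setdefault(pg.active, set()).add(side)
    for nic, sides in sorted(active_for.items()):
        if len(sides) > 1:
            findings.append(f"ERROR: {nic} is the active uplink for both "
                            "infrastructure and guest traffic; split them")
    if any(pg.vlan is None for pg in pgs):
        findings.append("WARN: some portgroups are separated by subnet only; "
                        "security suffers without VLANs trunked through each pNIC")
    return findings


def render_esxcli(pgs: List[PortGroup], vswitch: str = "vSwitch0",
                  pnics: Tuple[str, str] = ("vmnic0", "vmnic1")) -> List[str]:
    """Render the design as esxcli commands (assumed ESXi 5.x+ syntax):
    one vSwitch with both uplinks, then per-portgroup VLAN and failover order."""
    cmds = [f"esxcli network vswitch standard add -v {vswitch}"]
    cmds += [f"esxcli network vswitch standard uplink add -u {n} -v {vswitch}" for n in pnics]
    for pg in pgs:
        cmds.append(f'esxcli network vswitch standard portgroup add -p "{pg.name}" -v {vswitch}')
        if pg.vlan is not None:
            cmds.append(f'esxcli network vswitch standard portgroup set -p "{pg.name}" -v {pg.vlan}')
        # -a active list, -s standby list, -l explicit = use explicit failover order
        cmds.append('esxcli network vswitch standard portgroup policy failover set '
                    f'-p "{pg.name}" -a {pg.active} -s {pg.standby} -l {pg.load_balancing}')
    return cmds


if __name__ == "__main__":
    design = recommended_design(dmz=True)
    print("findings:", check_design(design) or "none")
    print("\n".join(render_esxcli(design)))
```

Running the script prints the command list for the DMZ variant of the split; feeding it a design that adds a DMZ next to an existing VM Network, or one that puts a guest portgroup active on the infrastructure pNIC, produces the corresponding ERROR findings before anything is applied to a host.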


Copyright © 2009 IDG Communications, Inc.
