Blue Gears - DMZ w/3 Physical NICs with VMware ESX

Virtualization hosts with only three pNICs present a challenge to the administrator. Into these three pNICs some administrators wish to add a DMZ alongside the usual mix of management, VMotion, storage, and a regular VM network. This is NOT recommended with only three pNICs: redundancy suffers greatly, and so does performance. Setting up virtual networking in this situation is a trade-off between performance, redundancy, and security. Because there are three security zones (management/storage, VM network, and DMZ), one pNIC is needed for each zone, which removes a certain amount of redundancy and possibly performance. The best way to use these pNICs is as follows:


pNIC0 -> vSwitch0 -> Portgroup0 (service console)
                  -> Portgroup1 (VMotion)
                  -> Portgroup2 (Storage Network)
pNIC1 -> vSwitch0 -> Portgroup3 (VM Network)
pNIC2 -> vSwitch0 -> Portgroup4 (DMZ Network)

All three pNICs are uplinks of the same vSwitch0, so the separation is done per portgroup by overriding the NIC teaming policy: assign pNIC1 and pNIC2 as the standby pNICs for Portgroup0, Portgroup1, and Portgroup2; assign pNIC0 and pNIC2 as the standby pNICs for Portgroup3; and assign pNIC0 and pNIC1 as the standby pNICs for Portgroup4. Set each portgroup explicitly to strict (explicit) failover order and not to any form of load balancing, so that in normal operation each zone's traffic stays on its own pNIC and only crosses onto another zone's pNIC when that link fails. This works best when VLANs are enabled.

The split described gives the best performance, redundancy, and security achievable when only three pNICs are available, but it is a compromise, not a secure implementation. It works better when VLANs are in use, as the vSwitch has built-in protection against the currently known VLAN attacks. Security will suffer if you rely on subnets alone instead of VLANs, because after a failover the DMZ and the service console, VMotion, or storage traffic share one pNIC and one broadcast domain with nothing but IP addressing keeping them apart. When VLANs are used, every VLAN in use must be trunked through each pNIC, or redundancy will not come into play on a pNIC or path failure. Even with VLANs, sharing physical links between your hostile virtual machines or DMZ and your service console, VMotion, or storage networks is not secure; VMotion and IP storage traffic are not encrypted, so anything that reaches that link can read them.
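The layout and failover order above, as an added worked example that is not from the original post: a POSIX shell script that emits (or, with DRY_RUN=0 on the host, applies) the esxcli commands for one vSwitch0 with all three pNICs as uplinks and a per-portgroup override to explicit failover order, one pNIC active per security zone and the other two standby. The uplink names vmnic0..vmnic2, the portgroup names, the VLAN IDs, the failback setting and the esxcli syntax itself (ESXi 5.x and later; the ESX 3.x/4.0 hosts of 2009 used esxcfg-vswitch and vimsh for the same settings) are assumptions.

```shell
#!/bin/sh
# Added example, not from the Blue Gears post: build the one-vSwitch /
# three-uplink layout described above with a per-portgroup explicit
# failover order. Assumptions: uplinks are vmnic0..vmnic2, VLAN IDs are
# placeholders, the portgroup names are ours, and the esxcli syntax is
# that of ESXi 5.x and later. DRY_RUN=1 (the default) prints the
# commands instead of running them, so the plan can be reviewed off-host.

DRY_RUN=${DRY_RUN:-1}
VSWITCH=vSwitch0
UPLINKS="vmnic0 vmnic1 vmnic2"   # pNIC0, pNIC1, pNIC2 in the post's terms

# run CMD ARGS...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# standby_uplinks PRIMARY: the other two uplinks, comma separated. This is
# the post's rule: a zone's traffic stays on its own pNIC and only falls
# back onto another zone's pNIC when that link fails.
standby_uplinks() {
    sb=""
    for u in $UPLINKS; do
        [ "$u" = "$1" ] && continue
        sb="${sb:+$sb,}$u"
    done
    printf '%s' "$sb"
}

# failover_cmd PORTGROUP PRIMARY: the esxcli command that pins PORTGROUP to
# explicit failover order (no load balancing), PRIMARY active, rest standby.
# Failback is disabled (our assumption, not the post's) so a flapping link
# does not drag DMZ traffic back and forth across zone uplinks.
failover_cmd() {
    printf 'esxcli network vswitch standard portgroup policy failover set --portgroup-name=%s --load-balancing=explicit --active-uplinks=%s --standby-uplinks=%s --failback=false' \
        "$1" "$2" "$(standby_uplinks "$2")"
}

# configure_portgroup NAME VLAN PRIMARY: create the portgroup on the shared
# vSwitch, tag it, and apply the zone's failover order.
configure_portgroup() {
    run esxcli network vswitch standard portgroup add \
        --portgroup-name="$1" --vswitch-name="$VSWITCH"
    run esxcli network vswitch standard portgroup set \
        --portgroup-name="$1" --vlan-id="$2"
    # word splitting is safe here: names and uplinks contain no whitespace
    run $(failover_cmd "$1" "$3")
}

# build_plan: the whole layout from the post, one pNIC per security zone.
build_plan() {
    run esxcli network vswitch standard add --vswitch-name="$VSWITCH"
    for u in $UPLINKS; do
        run esxcli network vswitch standard uplink add \
            --uplink-name="$u" --vswitch-name="$VSWITCH"
    done
    # Hostile VMs share this vSwitch: refuse promiscuous mode, MAC changes
    # and forged transmits at the switch level (portgroups inherit it).
    run esxcli network vswitch standard policy security set \
        --vswitch-name="$VSWITCH" --allow-promiscuous=false \
        --allow-mac-change=false --allow-forged-transmits=false

    # zone 1: management/storage on pNIC0       (VLAN IDs are placeholders)
    configure_portgroup ServiceConsole 10  vmnic0
    configure_portgroup VMotion        20  vmnic0
    configure_portgroup Storage        30  vmnic0
    # zone 2: regular VM network on pNIC1
    configure_portgroup VMNetwork      100 vmnic1
    # zone 3: DMZ on pNIC2
    configure_portgroup DMZ            200 vmnic2
}

build_plan
```

Run it once with the default DRY_RUN=1 and read the output: every portgroup should show exactly one active uplink and the other two as standby, and the load-balancing mode should be explicit everywhere. Two things the script cannot do for you: the VMkernel interfaces for management, VMotion and storage still have to be bound to their portgroups (esxcli network ip interface add), and the physical switch ports behind all three pNICs must trunk all five VLANs, or the standby uplinks carry nothing when a link fails.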

The use of three pNICs increases the choices an administrator must make, and there are serious trade-offs when it comes to security. If you must add a DMZ, add more pNICs.

Copyright © 2009 IDG Communications, Inc.
