Blue Gears - DMZ w/6 Physical NICs with VMware ESX

Virtualization hosts with only 6 pNICs that need to carry a DMZ as well as all the other networks present less of a challenge to the administrator than those with fewer pNICs. Across these 6 pNICs the following networks would exist: DMZ, VMotion, Storage, and a regular VM Network. How to set up virtual networking in this situation is a matter of trade-offs between performance, redundancy, and security. Specifically, since there are 3 security zones (Management/Storage, VM Network, and DMZ), there is a need to use 1 pNIC for each zone, yet for performance you also want the Storage network on its own pNIC. That removes a certain amount of redundancy and limits security, as data is still co-mingled between the non-DMZ networks. If you must have both a DMZ and a regular VM network on a single host, the best way to use 6 pNICs is as follows.


pNIC0 -> vSwitch0 -> Portgroup0 (service console)
pNIC1 -> vSwitch0 -> Portgroup1 (VMotion)
pNIC2 -> vSwitch0 -> Portgroup2 (Storage Network)
pNIC3 -> vSwitch0 -> Portgroup3 (VM Network)
pNIC4 -> vSwitch1 -> Portgroup4 (DMZ Network)
pNIC5 -> vSwitch1 -> Portgroup4 (DMZ Network)

Since the key is to segregate traffic but maintain redundancy, this layout at least segregates the DMZ traffic, but it leaves the hostile VM traffic co-mingled with the other necessary networks. While VM traffic is not as hostile as DMZ traffic, there are still some weaknesses in this configuration. However, if there were no Storage Network involved, you could attain the desired security requirements with the following configuration:


pNIC0 -> vSwitch0 -> Portgroup0 (service console)
pNIC1 -> vSwitch0 -> Portgroup1 (VMotion)
pNIC2 -> vSwitch1 -> Portgroup2 (VM Network)
pNIC3 -> vSwitch1 -> Portgroup2 (VM Network)
pNIC4 -> vSwitch2 -> Portgroup3 (DMZ Network)
pNIC5 -> vSwitch2 -> Portgroup3 (DMZ Network)


The above is premised on your not having a storage network, or on using FC-HBAs for storage; in this case you can achieve a much better level of security, redundancy, and performance.

If a Storage Network is required, however, a better solution is to make a conscious choice to use either a DMZ or a VM Network on the virtualization host, and not both. That gives you something like the following:

pNIC0 -> vSwitch0 -> Portgroup0 (service console)
pNIC1 -> vSwitch0 -> Portgroup1 (VMotion)
pNIC2 -> vSwitch1 -> Portgroup2 (Storage Network)
pNIC3 -> vSwitch1 -> Portgroup2
pNIC4 -> vSwitch2 -> Portgroup3 (VM or DMZ Network not both!)
pNIC5 -> vSwitch2 -> Portgroup3

In this fashion you can leave NIC teaming alone for Portgroup2 and Portgroup3 while making pNIC0 the backup for Portgroup1 and pNIC1 the backup for Portgroup0.

This setup will give the best performance, redundancy, and security when only six pNICs are available. It works better when VLANs are in use, as the vSwitch has built-in security against all currently known VLAN attacks; security will suffer if you just use subnets instead of VLANs. When using VLANs, all VLANs in use must be trunked through each pNIC in order for redundancy to come into play on a pNIC or path failure. This configuration is secure because your hostile virtual machines or DMZ do not share networks with your service console, VMotion, or storage networks; sharing them is not secure.
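As an added example (not code from the original column or from VMware), the following Python script encodes the three layouts above as (pNIC, vSwitch, portgroup) rows and audits them for the three properties the column trades off: one security zone per vSwitch, at least two uplinks per vSwitch, and, when VLANs are in use, every VLAN trunked on every uplink of its vSwitch. The zone mapping (service console, VMotion and Storage grouped as one management zone) and the VLAN IDs are assumptions constructed for the example; the real host would be configured with esxcfg-vswitch or the VI Client, which this script does not touch.

```python
"""Audit an ESX-style virtual-network layout (pNIC -> vSwitch -> portgroup)
for zone separation, uplink redundancy and VLAN trunking consistency.
Added example; ZONE_OF and the sample VLAN IDs are assumptions."""
from collections import defaultdict

# Assumed zone mapping: management/storage, VM and DMZ, as the column groups them.
ZONE_OF = {
    "service console": "management",
    "VMotion": "management",
    "Storage Network": "management",
    "VM Network": "vm",
    "DMZ Network": "dmz",
}

# Rows are (pNIC, vSwitch, portgroup), transcribed from the column's three layouts.
WITH_STORAGE_AND_VM = [
    ("pNIC0", "vSwitch0", "service console"),
    ("pNIC1", "vSwitch0", "VMotion"),
    ("pNIC2", "vSwitch0", "Storage Network"),
    ("pNIC3", "vSwitch0", "VM Network"),
    ("pNIC4", "vSwitch1", "DMZ Network"),
    ("pNIC5", "vSwitch1", "DMZ Network"),
]
NO_STORAGE = [
    ("pNIC0", "vSwitch0", "service console"),
    ("pNIC1", "vSwitch0", "VMotion"),
    ("pNIC2", "vSwitch1", "VM Network"),
    ("pNIC3", "vSwitch1", "VM Network"),
    ("pNIC4", "vSwitch2", "DMZ Network"),
    ("pNIC5", "vSwitch2", "DMZ Network"),
]
STORAGE_AND_DMZ_ONLY = [
    ("pNIC0", "vSwitch0", "service console"),
    ("pNIC1", "vSwitch0", "VMotion"),
    ("pNIC2", "vSwitch1", "Storage Network"),
    ("pNIC3", "vSwitch1", "Storage Network"),
    ("pNIC4", "vSwitch2", "DMZ Network"),
    ("pNIC5", "vSwitch2", "DMZ Network"),
]


def audit(rows, portgroup_vlan=None, trunk=None):
    """Return a list of findings; an empty list means the layout passes.

    portgroup_vlan: optional {portgroup: vlan_id} when VLANs are in use.
    trunk: optional {pNIC: set(vlan_ids)} describing what the physical
           switch port trunks to that uplink.
    """
    findings = []
    switches_of_pnic = defaultdict(set)
    uplinks = defaultdict(set)
    zones = defaultdict(set)
    portgroups = defaultdict(set)
    for pnic, vswitch, portgroup in rows:
        switches_of_pnic[pnic].add(vswitch)
        uplinks[vswitch].add(pnic)
        zones[vswitch].add(ZONE_OF[portgroup])
        portgroups[vswitch].add(portgroup)

    # 1. A pNIC can be an uplink of only one vSwitch.
    for pnic, switches in sorted(switches_of_pnic.items()):
        if len(switches) > 1:
            findings.append(f"{pnic} is attached to several vSwitches: {sorted(switches)}")

    for vswitch in sorted(uplinks):
        # 2. Segregation: one security zone per vSwitch.
        if len(zones[vswitch]) > 1:
            findings.append(f"{vswitch} co-mingles zones {sorted(zones[vswitch])}")
        # 3. Redundancy: a single uplink is a single point of failure.
        if len(uplinks[vswitch]) < 2:
            findings.append(f"{vswitch} has a single uplink, no redundancy")
        # 4. With VLANs, every VLAN on the vSwitch must be trunked on every
        #    uplink, or failover to the surviving pNIC silently drops that VLAN.
        if portgroup_vlan and trunk:
            needed = {portgroup_vlan[pg] for pg in portgroups[vswitch]}
            for pnic in sorted(uplinks[vswitch]):
                missing = needed - trunk.get(pnic, set())
                if missing:
                    findings.append(
                        f"{pnic} on {vswitch} does not trunk VLAN(s) {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for name, rows in [("with storage and VM", WITH_STORAGE_AND_VM),
                       ("no storage", NO_STORAGE),
                       ("storage and DMZ only", STORAGE_AND_DMZ_ONLY)]:
        print(name, "->", audit(rows) or "OK")
    # Constructed VLAN plan: pNIC1's switch port is missing the service console VLAN.
    vlans = {"service console": 10, "VMotion": 20, "Storage Network": 30, "DMZ Network": 100}
    trunks = {"pNIC0": {10, 20}, "pNIC1": {20}, "pNIC2": {30},
              "pNIC3": {30}, "pNIC4": {100}, "pNIC5": {100}}
    print("VLAN check ->", audit(STORAGE_AND_DMZ_ONLY, vlans, trunks) or "OK")
```

Run as-is, the first layout is flagged because vSwitch0 carries both the management/storage zone and the VM zone, which is exactly the weakness the column describes, while the other two layouts pass. The VLAN check then shows why the trunking rule matters: with VLAN 10 missing from pNIC1's switch port, a failure of pNIC0 would leave the service console portgroup with a live uplink that cannot carry its traffic.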

The use of 6 pNICs is the first topology that will support a DMZ within the virtual network securely on a single host alongside the other required networks.

Copyright © 2009 IDG Communications, Inc.