1

We've a Windows Server 2008 host on VMware ESXi 4 and want to isolate it from the rest of the network. That is, I want no traffic from the Windows Server 2008 to be allowed on the normal network. I was thinking a VLAN would do this if set up properly.

Involved in this is granting access over a VPN from an Endian (Linux) firewall to this host.

Also, between the firewall and the VMware host are two Cisco (LinkSys rebranded!) SG 200-26 switches. The VMware host is using dual network cards in a failover configuration.

As I see it, there's several problems that crop up:

  • How is the VLAN recognized by VMware? How do I set up VMware?
  • How does the Windows Server host recognize the VLAN?
  • What switch configuration is necessary?
  • How is the VLAN isolated properly? (I was thinking that the proper firewall rules would do this.)
  • How do I set up the firewall without affecting other traffic?
  • How do I set up the Windows Server without affecting other guest traffic?

My initial investigation suggests that Endian supports VLANs and VLAN interfaces, though I've not yet tried it out. The Cisco switch supports VLANs but I don't know how it would work with multiple VLANs on the same port. VMware ESXi appears to support VLANs but only at the host level; I don't see where a single guest can be put on a separate VLAN.

UPDATE: From my reading, it sounds like I need to have tagged VLAN frames from the Endian firewall to the connected switch, then to the other switch, and on both NICs used by VMware. I'm not sure all of these will support tagged VLAN frames. If I've tagged VLAN frames, then they should be able to travel over the same wires between the VMware ESXi host and the Endian firewall. The trick, then, is getting the Windows Server 2008 guest onto one VLAN only.

I found another question with an answer that explains VLANs beautifully, as well as another answer that explains when to use VLANs.

I also found some discussion that suggests its not possible for Endian to support tagged and untagged VLAN frames on the same port at the same time. This configuration just sounds like it is asking for trouble.

I suspect that all of my traffic is currently untagged, but I don't know for sure.

Community
  • 1
Mei
  • 4,560
  • 8
  • 44
  • 53

1 Answers1

4

There's a lot of ways to do this, it depends on how paranoid you want to be about it.

If you're already trunking VLANs up to one or more Port Groups on a VM vSwitch and are happy to live with the security of VLAN separation then you can use the simplest method. This is just to create a new Port Group, assign it the appropriate VLAN ID and add the W2K8 VM's vNIC to that Port Group - that's all, told you it was easy.

If you already have a 'VLAN-gnostic' vSwitch/Port Group that everything else uses then simply enter the appropriate 'default' VLAN ID in that Port Group's VLAN setting, this shouldn't impact the existing VMs. Then just create a new Port Group for the W2K8 VM, assign it the right VLAN ID and point the W2K8 VM's vNIC at that new Port Group.

If you want physical cable separate just link a spare ESXi host NIC to the switch, set the switch to trunk the W2K8 VM's new VLAN, then create a new vSwitch linked to that NIC, then create a new Port Group with the new VLAN ID set as that Port Group's VLAN and point the W2K8 VM's vNIC at that new Port Group and its underlying new vSwitch.

If you want a something else you'll need to let us know more.

Oh and the W2K8 VM is a 'guest' not a 'host, ESXi is the host.

Chopper3
  • 100,240
  • 9
  • 106
  • 238
  • When I try adding a network (using vSphere Clients _Add Network Wizard_) I get the possibility to select a VLAN ID - but only _None (0)_ and _All (4095)_. How do I set a specific VLAN ID? – Mei Apr 27 '12 at 17:22
  • 2
    Once the Port Group exists just go select the ESXi server, then Configuration tab, Network option, then edit the vSwitch, a config box appears, select the Port Group and Edit, look for 'VLAN'. Though to be honest is slightly worries me that you're able to create this stuff but haven't been on any training, it's quite easy to kill the box if you do this wrong. – Chopper3 Apr 27 '12 at 17:33
  • I already tried that (without changing things). Only None and All are available. – Mei Apr 27 '12 at 17:38
  • 1
    @Chopper3 It's entirely possible to kill the box if you've had the training/know what you're doing and just don't pay attention. Not that anything like that has ever happened to me. No. no. never. *well maybe that one time* – voretaq7 Apr 27 '12 at 17:38
  • David - have a look at this screenshot I found it might help; http://cmdcloud.com/wp-content/uploads/2011/10/vSwitch-Creation-and-Configuration-using-the-vSphere-Client-17.png – Chopper3 Apr 27 '12 at 18:06