Nexus 1000V through a firewall

Smith1 · ‎08-09-2011

We have a small DR site that comprises an ESX host on the internal LAN hosting a number of guests and another ESX host hosting several DMZ hosts on the far side of a firewall.

We want to deploy a Nexus 1000v on the DMZ ESX host in order to gain the security benefits around our DMZs, however there is some confusion on the placement of the VSM.

Should the VSM be installed with the VCentre, which is located on the internal ESX host and communicate with the VEM on the DMZ ESX host across the firewall, or should we deploy the VSM on the DMZ ESX host, which will require communication to teh VCentre to transit the firewall?

Thanks

Robert Burns · ‎08-09-2011

This depends on your vSphere design and security recuirements.

Do your DMZ ESX hosts belong to the same vCenter as your internal ESX hosts?

For the VSM to manage all your hosts, they need to belong to the same VC. To some organizations this presents a security concern, as they want their ESX hosts in the DMZ completely segemented from their internal LAN.

If your DMZ hosts are standalone (not connected to vCenter) you would need to deploy a new VC specifically for your DMZ hosts and then run your VSM in the DMZ VC & Hosts.

If you are comfortable with managing all your hosts from your internal VC, then you can pipe the necessary ports between your Internal & DMZ zones through the firewall to allow operation. Likely your DMZ and internal LANs are based on different IP subnets, in which case you would need to utilize Layer3 mode for VSM operation (versus the default layer 2 - which requires your hosts on the same subnet/vlan as the VSM).

Here's a couple highly recommended whitepapers and the config guide for Layer 3 AIPC.

DMZ Virtualization Using VMware vSphere 4 and the Cisco Nexus 1000V Virtual Switch

Securing the Virtualized DMZ

Configuring Layer 3 Control

Regards,

Robert

Smith1 · ‎08-11-2011

Many thanks for the quick response