
VMware on the DMZ

j44mistry
Level 1

Hello,

We are planning to have VMware ESXi in the DMZ.

Our DMZ sits between an external and internal firewall.

Is it possible to use a single /24 network and have VMware segment the vSwitch with VLANs for each service (i.e. email, SharePoint, web, etc.), or do I have to create separate networks for each service?

I just need some help and guidelines on best practices for having VMware on the DMZ.

We are also looking at having a Checkpoint Blade installed. If we don't configure VLANs and segment services, will the firewall be enough to take care of this?

13 Replies

Bilal Nawaz
VIP Alumni

Hello,

For every segment you create, i.e. a VLAN, you should have a different network to go with it. Instead, it might mean that you carve up your /24 into smaller subnets per service.

For every different VLAN you create, say it has the same subnet for all VLANs: what would the gateway device have? Multiple interfaces with the same IP?

My opinion: use the same vSwitch, different VLANs, and have the Checkpoint FW as gateway with a leg into all of these VLANs, acting as gateway/FW for your DMZ.

hth,

Bilal - CCIE #45032

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

Thanks for your reply.

I have attached an image of the test environment and the current connection using a single network.

The Cisco switch is a layer 2 switch with VLAN 255 configured on the ports.

The firewall connections are already using the 192.168.255.0/24 network.

The internal firewall is a Checkpoint and has been configured with an aggregated link to stacked Cisco switches on the DMZ.

The connection to the external firewall is just an active/backup link.

By default all traffic goes to 192.168.255.101 for the internet. Anything for the LAN is statically routed.

The VM hosts have static persistent routes defining the default gateway and access to the 10 network on the LAN.

How can I change this so that Host 1 and Host 2 can access the internet and LAN but cannot communicate with or ping each other, using separate networks but keeping the existing IP addressing 192.168.255.0/24 for the uplinks to the firewalls?

Regards,

Jay

Hi Jay, OK, I think I understand the requirement here. Seems like you need a "transparent firewall" in the ESXi environment (if possible, an active/active transparent firewall, or two different transparent firewalls with the same or similar policy, which is overhead).

Essentially the transparent mode will bridge the different segments together, possibly different VLANs; on most occasions it is the same VLAN (all keeping the same IP addressing). All that is different is defining zones per interface.

From here you can define zones. Since they are all part of the same bridge domain it doesn't matter about addressing; they can all be the same network. Think of it as still one VLAN, one network.

Separating these out will allow you to create policies per entry point and per exit point; you have more granularity this way.

You can either split these out to different vSwitches, or keep it on the same vSwitch with different VLAN assignments. But as I said, this ideally needs to be at the join points (e.g. in place of your Cisco switches; a transparent FW would be perfect for this scenario).

Hope I understood the requirement.

Bilal - CCIE 45032

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

What transparent firewall do you recommend?

What about using vShield with PVLANs? Have you used this, and does vShield act as a firewall?

Alternatively, the Checkpoint VE firewall for VMware; again, not sure if that is enough to help segment the vSwitch and how it will work.

Jay

Hi Jay, to be really frank, I know about vShield but I don't know enough about it to tell you if it will meet the requirement. From my personal experience, I would use Juniper vSRX (aka Firefly). I would deploy it in transparent mode, and you can be as granular as you like.

I would have, from host 1, two vSwitches: the physical link from outside coming in to the vSRX, and then another vSwitch where your VMs connect. Both these vSwitches will be connected to the vSRX, and you can put the appropriate policies on ingress and egress. Same with host 2.

If you want something at hypervisor level, maybe take a look at the N1Kv; I've heard you can achieve what you need with that, but I'm not 100% sure.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Can I get away with just using PVLANs on the Cisco physical switch, without having to do these PVLANs on VMware, and just use the Checkpoint VE firewall?

Also, to do distributed switching with PVLANs I need to have vSphere on the DMZ. Is it better to have the vSphere instance on the DMZ, or is it better to access it via the LAN and open up ports?

Hi Jay, actually private VLANs will do the trick, so long as your firewall is OK with two interfaces in the same subnet. Or carve your subnet in two.

You don't really need a security VM appliance, as long as your VMs are in separate VLANs.

The way we have vSphere deployed is completely separate from the internal network.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

The private VLANs have been configured; I have two community VLANs, an isolated VLAN and a promiscuous VLAN.

All VLANs are working as expected, but I can't ping the default gateway 192.168.255.101, which is the firewall that allows Internet access.

The guest hosts ping fine when not in the private VLAN configuration.

Any ideas what is missing?

Also, I need to route hosts to the production LAN, whose gateway is 192.168.255.100 (the firewall to internal). I have a static route to the LAN on the hosts but can't ping that either.

Hello Jay, could you kindly shed more light on the traffic flows, e.g.

VLAN 1 needs access to VLAN 10

VLAN 2 needs access to VLAN 10

This way we can tell which VLAN type we require for each VLAN.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

We have the following configured on VMware:

Each distributed vSwitch has two NICs associated, going to the layer 2 physical Cisco switch, which are trunked.

Management vSwitch – vmnic4, vmnic12 (trunked to allow VLAN 255 only)
VLAN 10 – DSwitch – Community 1 – vmnic5, vmnic13 (trunked to allow VLANs 10, 255 only)
VLAN 20 – DSwitch – Community 2 – vmnic6, vmnic14 (trunked to allow VLANs 20, 255 only)
VLAN 30 – DSwitch – Isolated – vmnic7, vmnic15 (trunked to allow VLANs 30, 255 only)

VLAN 255 – Primary (Promiscuous) – access to the internet.

We created a separate port group called Router and associated a secondary NIC on the guest hosts to Router on VLAN 255.

The firewalls are connected to the Cisco switch with layer 2 VLAN 255.

The diagram hopefully shows the layout.

Not sure if anything is missed.

Sorry, forgot to ask: do I need private VLANs configured on the physical Cisco switch as well, to match ESXi, or just normal layer 2 VLANs?

Hi Jay, sorry for the late reply. You may have accomplished this by now. I would only do the private VLAN config on the physical Cisco switch. The dvSwitch should not be switching frames between VLANs inside the host, only providing L2 connectivity to your VMs.

Make the access VLANs for your VMs isolated mode, and make the VLAN (ports) between your firewalls promiscuous. I think two promiscuous ports will be able to talk to each other, but I haven't tested this.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
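
The private VLAN rules the two replies above rely on (isolated VMs reach only the promiscuous firewall ports, community VMs also reach their own community, promiscuous ports reach everything in the primary VLAN) can be checked before touching a switch. The script below is an added example written for this thread, not Cisco's, VMware's or either poster's code: it encodes the standard Cisco PVLAN port-type semantics, builds a constructed port list that mirrors Jay's layout (primary VLAN 255, community VLANs 10 and 20, isolated VLAN 30, both firewalls on promiscuous ports), and reports any pair that breaks the stated goal of "every VM reaches the gateways, hosts on different VLANs cannot reach each other". Port names and the VM-to-port assignments are constructed for the example. One caveat the model makes visible: PVLAN isolation is layer 2 only, so the firewall that sits on the promiscuous port can still route between isolated hosts at layer 3 unless its policy denies that.

```python
"""Private VLAN layer-2 reachability model (added example for this thread).

Encodes Cisco PVLAN port-type rules and checks a constructed DMZ layout
against the requirement discussed above. Not vendor code; all port names
and VLAN assignments below are made up for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # firewall / router ports in the primary VLAN
    COMMUNITY = "community"      # VMs that may talk within their own community
    ISOLATED = "isolated"        # VMs that may only talk to promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    primary_vlan: int
    secondary_vlan: Optional[int] = None  # None for promiscuous ports


def can_forward(src: Port, dst: Port) -> bool:
    """Layer-2 reachability between two ports under PVLAN semantics.

    Promiscuous ports reach every port in the primary VLAN, including other
    promiscuous ports. Community ports reach their own community plus the
    promiscuous ports. Isolated ports reach only promiscuous ports. Ports in
    different primary VLANs never exchange frames.
    """
    if src is dst:
        return True
    if src.primary_vlan != dst.primary_vlan:
        return False
    if PortType.PROMISCUOUS in (src.kind, dst.kind):
        return True
    if src.kind is PortType.COMMUNITY and dst.kind is PortType.COMMUNITY:
        return src.secondary_vlan == dst.secondary_vlan
    return False  # isolated<->isolated or isolated<->community


def reachability(ports):
    """Map (src name, dst name) -> whether the switch forwards between them."""
    return {(a.name, b.name): can_forward(a, b)
            for a in ports for b in ports if a is not b}


def policy_violations(ports):
    """Pairs that break the DMZ goal: every VM port must reach every
    promiscuous (gateway) port, and no two VM ports in different secondary
    VLANs may have a layer-2 path to each other."""
    violations = []
    for a in ports:
        for b in ports:
            if a is b:
                continue
            forwards = can_forward(a, b)
            a_vm = a.kind is not PortType.PROMISCUOUS
            b_vm = b.kind is not PortType.PROMISCUOUS
            if a_vm and not b_vm and not forwards:
                violations.append((a.name, b.name, "VM cannot reach gateway"))
            if a_vm and b_vm and a.secondary_vlan != b.secondary_vlan and forwards:
                violations.append((a.name, b.name, "cross-VLAN L2 path"))
    return violations


# Constructed layout mirroring the thread: primary 255, communities 10/20, isolated 30.
DMZ_PORTS = [
    Port("fw-external", PortType.PROMISCUOUS, 255),
    Port("fw-internal", PortType.PROMISCUOUS, 255),
    Port("host1-vm", PortType.COMMUNITY, 255, 10),
    Port("host1-vm2", PortType.COMMUNITY, 255, 10),
    Port("host2-vm", PortType.COMMUNITY, 255, 20),
    Port("iso-vm-a", PortType.ISOLATED, 255, 30),
    Port("iso-vm-b", PortType.ISOLATED, 255, 30),
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability(DMZ_PORTS).items()):
        print(f"{src:12} -> {dst:12} {'allowed' if ok else 'blocked'}")
    print("violations:", policy_violations(DMZ_PORTS))
```

Running it prints the full port-to-port matrix and an empty violation list for the layout above; placing a VM port in a different primary VLAN (a likely cause of "can't ping the gateway") shows up immediately as a "VM cannot reach gateway" entry.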

Hi Bilal,

Yes, looks like we may just need to configure on the physical switch only, as it's not working with both ESXi and Cisco configured with PVLANs. Have been struggling to find an answer.

Just wondering if it's a compatibility issue with Cisco 3750 switches and VMware ESXi. I guess I will never find that person who has successfully configured this.