Virtualization
Fitrager, 2018-11-28 20:53:52

Moving ESXi hosts to a separate VLAN: is it necessary?

Good afternoon. There was a dispute at work: "is it necessary to move the ESXi hosts into a separate software VLAN on the switches?" The VLAN is not physical and, accordingly, all VLANs are limited by the port speed of 1 Gb/s. There is virtually no optics.
My colleague believes that it is necessary, since "ESXi will send service packets and clog the network, and the service traffic can be 'read'. Plus, a software VLAN is safe." The quote is almost verbatim.
I believe that you can leave them on the public network, protecting them with the built-in ESXi firewall, by adding a separate list of "white" IP addresses that can access the ESXi hosts directly. Plus 10-character unique passwords for each host, with an attacker banned for an hour after two wrong attempts if he still gets through the firewall. Everything is managed by vCenter with separation of rights, all traffic goes over HTTPS and, in my opinion, does not clog the channel.
The VLANs are created on a Mikrotik, and it seems to me that it is easier to break it than to hack all the ESXi hosts in a short period of time.
Thanks in advance for your replies.
P.S. Perhaps I do not understand something in network administration, but I have only just started to learn it.


3 answer(s)
athacker, 2018-11-29
@athacker

Firstly, a VLAN is not physical by definition :-) As you understand, the name "VIRTUAL LAN" seems to hint at this :-) The physical channel is still divided equally between clients, regardless of whether you have a division into VLANs or not.
Secondly, your colleague is partly right. But only in part. Network segmentation really gives you more control, and yes, it's worth dividing the network into VLANs. And not only move the hypervisors to a separate VLAN, but separate the networks in general. vSphere management goes in one VLAN, storage traffic in another, virtual machine traffic in separate VLANs. Do you have virtual machines that deal not with one task, but with different ones? Accordingly, they need to be grouped and placed in VLANs. Web servers in one network, accounting servers with 1C in another network, domain controllers in a third. And control on the router, so that from web servers accessible via the Internet it is impossible to access the accounting server, and vice versa.
Clients are also divided into groups / departments, and each department is assigned to its own VLAN. With access rights distributed: who may go where, and where they may not.
Ideally, the network should be segmented as much as possible, and any access between hosts other than what is explicitly allowed should be denied. There is even a term for this: microsegmentation. There, hosts, even within the same VLAN, can only communicate with each other using explicitly allowed protocols and ports, and all other communication between them is prohibited. But microsegmentation is not your story; it is all implemented by solutions like VMware NSX or Cisco ACI, that is, this is already for the big guys.
Yes, the ESXi firewall can be configured too, but it is better to use a more suitable tool for this: firewalls on routers. That is, we divide the network into subnets using VLANs and routing, and set up the rules for traffic between subnets with a firewall on the router.
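
The segmentation described in the answer above, modelled as an added example (not part of the original thread): an allow-list of inter-VLAN flows with default deny on the router, audited against the stated requirements. The subnets, host addresses, ports and all names (`VLANS`, `ALLOW`, `decide`, `audit`) are constructed assumptions.

```python
import ipaddress

# Assumed addressing: one constructed subnet per VLAN named in the answer.
VLANS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "mgmt": "10.0.10.0/24",        # ESXi / vCenter management
    "storage": "10.0.20.0/24",     # storage traffic
    "web": "10.0.30.0/24",         # internet-facing web servers
    "accounting": "10.0.40.0/24",  # accounting servers
    "dc": "10.0.50.0/24",          # domain controllers
    "admins": "10.0.99.0/24",      # administrator workstations
}.items()}

# Constructed router allow-list: (src VLAN, dst VLAN, proto, port).
# Anything not listed is dropped, so only explicitly allowed access exists.
ALLOW = [
    ("admins", "mgmt", "tcp", 443),   # HTTPS to ESXi / vCenter
    ("web", "dc", "udp", 53),         # DNS lookups
    ("accounting", "dc", "udp", 53),
]

def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None if outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in net), None)

def decide(src_ip, dst_ip, proto, port, allow=ALLOW):
    """Router verdict for one flow: 'accept', 'drop' or 'switched'."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is not None and src == dst:
        return "switched"  # same VLAN: never crosses the router, so no rule applies
    return "accept" if (src, dst, proto, port) in allow else "drop"

# Requirements derived from the thread, as (description, constructed flow, expected).
REQUIREMENTS = [
    ("admins manage ESXi over HTTPS", ("10.0.99.5", "10.0.10.11", "tcp", 443), "accept"),
    ("web cannot reach ESXi management", ("10.0.30.7", "10.0.10.11", "tcp", 443), "drop"),
    ("web cannot reach accounting", ("10.0.30.7", "10.0.40.3", "tcp", 445), "drop"),
    ("accounting cannot reach web", ("10.0.40.3", "10.0.30.7", "tcp", 443), "drop"),
    ("VMs cannot reach storage network", ("10.0.30.7", "10.0.20.2", "tcp", 3260), "drop"),
]

def audit(allow=ALLOW):
    """Return the descriptions of requirements the rule set violates."""
    return [d for d, flow, want in REQUIREMENTS if decide(*flow, allow=allow) != want]

if __name__ == "__main__":
    print("violations:", audit())
```

The `switched` verdict marks traffic the router firewall never sees, which is the gap microsegmentation covers.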

Sanes, 2018-11-28
@Sanes

If you trust the administrators of the guest machines, you can keep them on the same network. They can shit on the network if the network is not isolated.

Diman89, 2018-11-29
@Diman89

At least move the ESXi host management traffic to a separate VLAN.
