NSX and DMZ

I currently have the NSX distributed firewall controlling East-West traffic and use security groups to define where traffic can and cannot flow.  I currently have a physical firewall which is used to set up my DMZ.  If I want to move my DMZ so that it is defined by NSX, how is traffic between internal VMs not in the DMZ and internal VMs in the DMZ isolated?  Will it flow through the perimeter firewall, or is it only separated by the distributed firewall and security groups?

As a general rule, the edge device serves as the North/South gateway and firewall.  There are many approaches that can be taken:

While the physical world is often based on physical separation, NSX allows building an environment without a separate DMZ, using micro-segmentation services and advanced firewalling to limit and control the flow of traffic, accomplishing the same goals achieved by the traditional approach of physical separation with a physical firewall.

Of course, security administrators can take time to adapt to this new cloud model of the collapsed DMZ and may still require a certain level of separation.  It is not uncommon to create a DMZ off interfaces connected directly to the North-South edge device for that traffic.

NSX components can be configured in many ways to facilitate physical and logical isolation.  Transport zones can be used to ensure that VXLAN-protected networks reside only on specific hosts.  Logical switches can be created according to the application profile, with rules set up to secure each logical switch.  It is even possible to place all virtual machines on the same logical switch and apply rules at the virtual machine or group level.  Whatever the approach, the rules will result in the same level of security.
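To illustrate the last point of the answer above, here is an added example (not VMware's code and not from the original thread): a small model of a distributed-firewall section in which rules are matched on security-group membership derived from VM tags, so a DMZ VM and an internal VM are kept apart at the vNIC even when they share a logical switch. The VM inventory, tags and rule names are constructed for the example.

```python
# Added example, not VMware NSX code: first-match evaluation of a
# distributed-firewall section keyed on security-group membership.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str      # VM name, or "internet" for an external source
    dst: str
    proto: str    # "tcp", "udp" or "any"
    dport: int    # 0 means any port

@dataclass
class Rule:
    name: str
    src: str      # security-group name or "any"
    dst: str
    proto: str
    dport: int    # 0 = any
    action: str   # "allow" or "block"

# Constructed inventory: security groups are populated from VM tags,
# independent of which logical switch a VM is attached to.
VM_TAGS = {
    "web01": {"DMZ"}, "web02": {"DMZ"},
    "db01": {"Internal"}, "app01": {"Internal"},
    "jump01": {"Internal", "Admin"},
}

def in_group(vm: str, group: str) -> bool:
    if group == "any":
        return True
    return group in VM_TAGS.get(vm, set())

# Rules are evaluated top-down, first match wins, like a DFW section.
POLICY = [
    Rule("Admin SSH to DMZ", "Admin", "DMZ", "tcp", 22, "allow"),
    Rule("Block Internal to DMZ", "Internal", "DMZ", "any", 0, "block"),
    Rule("Block DMZ to Internal", "DMZ", "Internal", "any", 0, "block"),
    Rule("Internet to DMZ web", "any", "DMZ", "tcp", 443, "allow"),
    Rule("Default deny", "any", "any", "any", 0, "block"),
]

def evaluate(flow: Flow, policy=POLICY) -> tuple:
    """Return (action, name of the matching rule) for a flow."""
    for r in policy:
        if not (in_group(flow.src, r.src) and in_group(flow.dst, r.dst)):
            continue
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.dport and r.dport != flow.dport:
            continue
        return r.action, r.name
    return "block", "implicit"

if __name__ == "__main__":
    for f in [Flow("internet", "web01", "tcp", 443), Flow("web01", "db01", "tcp", 3306),
              Flow("jump01", "web01", "tcp", 22), Flow("app01", "web01", "tcp", 443)]:
        print(f, "->", evaluate(f))
```

Note that the two block rules sit above the public web rule: with "any" as its source, that rule alone would also let internal VMs reach the DMZ on tcp/443.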

Tags: VMware

Similar Questions

  • Just curious... Prod and DMZ?

    How many of you have a UCS with production systems and DMZ on it (same blade as well)?

    The question has come up at work several times. I, being more focused on security, about had a cow. But I want to know what others are doing and how you make sure one side cannot see the other, before I fly off the handle ;)

    We do not currently have vASA or NSX.

    Thank you!

    Hi Chad

    Yes, I have clients who do. Disjoint VLANs is the design they use.

    A (better) alternative would be to use a UCS domain dedicated to the DMZ. UCS Mini is a nice solution, and with 3.1 a second chassis is supported, so a total of 16 blades.

    Walter.

  • Using VLANs for LAN and DMZ

    Hello

    For the moment, I have assigned my LAN and DMZ networks to two separate network cards (so no VLAN tagging),

    for example vmnic0 = LAN, vmnic1 = DMZ.

    It works well, but I would like to change it so that I still use two separate physical network adapters but use both NICs for both LAN and DMZ, now using VLANs.

    So think of this configuration:

    For each network I create a vSwitch, so I get vSwitches named VsLAN and VsDMZ.

    To the vSwitch I assign two NICs, one of which will be standby, e.g. vmnic0 (active), vmnic2 (standby).

    On this vSwitch I create a port group and assign the correct VLAN number, e.g. 10 for LAN and 20 for DMZ.

    Then I create the other vSwitch with the same NICs, but now vmnic0 will be the standby one.

    Probably all fine so far, I think, or not?

    Questions related to this:

    - Is this the right concept, one vSwitch per port group, or one vSwitch with multiple port groups?

    In the case of one vSwitch with multiple port groups, I would assign the active and standby NICs at the port group level.

    - If I create a port group and assign a VLAN, will the IP packets received by the virtual machine itself also be tagged or not?

    In other words, do I need to configure the network adapter in the virtual machine with the same VLAN ID or not?

    Thanks for your comments.

    Hello

    Changing to VLANs is a pretty good idea to get failover and performance for both the LAN and DMZ networks. You have somewhat confused the concepts, however.

    A vmnic can only be used in one vSwitch. So what you want to do is the following:

    Create a vSwitch

    On the vSwitch create two port groups: LAN (vlan10), DMZ (vlan20)

    If vmnic0 and vmnic1 have access to VLANs 10 and 20, then simply add both vmnics to the vSwitch. By default they will both be active and that's fine. If you do not want that, edit the LAN port group, go to the "failover" tab and put vmnic0 as active and vmnic1 as standby. Then do the reverse on the DMZ port group.

    Best regards

    Frank Brix Pedersen

    blog: http://www.vfrank.org

  • HA and dmz

    Hi all

    I'm in charge of implementing a 3-server virtualization environment to replace our current non-virtualized servers. I decided vSphere is the best approach for this. Our current non-virtualized environment contains a normal network segment and a DMZ, which must be converted to a vSphere environment, some of it with HA. I think I understand most of the requirements of vSphere, but to have all the information I need, I need clarification on two topics:

    - From what I've read, I'm able to force a specific virtual host to connect through a specific physical NIC. This way I'm able to use a managed switch and firewall to correctly isolate the internal networks and the DMZ. Some of these machines in the DMZ will require HA. Is it possible to have a working HA environment in this scenario with vSphere Essentials Plus and a managed switch? If not, what version of vSphere do I need?

    - One of the reasons why I opted for vSphere was its HA capability. Some current physical servers run a Windows OS, and since it is a 3-server HA cluster deployment, all physical Windows machines will require 3 operating system licenses in the virtualized environment. However, some of these physical machines will not require HA. Is it possible to select HA on a per-virtual-machine basis?

    Thanks in advance for your help on this issue,

    Rui Santos

    Welcome to the forums-

    • From what I've read, I'm able to force a specific virtual host to connect through a specific physical network adapter. This way I'm able to use a managed switch and firewall to correctly isolate the internal networks and the DMZ. Some of these machines in the DMZ will require HA. Is it possible to have a working HA environment in this scenario with vSphere Essentials Plus and a managed switch? If not, what version of vSphere do I need?

    Yes, as long as the other nodes in the cluster have identical network setups, so that when there is a failover the virtual machine can connect to the correct network.

    • One of the reasons why I opted for vSphere was its HA capability. Some current physical servers run a Windows OS, and since it is a 3-server HA cluster deployment, all physical Windows machines will require 3 operating system licenses in the virtualized environment. However, some of these physical machines will not require HA. Is it possible to select HA on a per-virtual-machine basis?

    Yes - one of the options when you set the VM restart priority is Disabled, which will disable the HA function for that virtual machine.

    If you find this or any other answer useful, please consider awarding points by marking the answer correct or useful.

  • VPN and DMZ

    Dear Sir

    I want to reach the DMZ from remote locations via a VPN tunnel on the ASA. Please see the diagram and give me your comments.

    Thanks in advance.

    If the R1 tunnels to the other routers work, then I think these are the things you need to do:

    - Make sure that each of the remote routers has a route to the DMZ subnet that points through the tunnel.

    - Don't forget that R1 also needs a route to the DMZ subnet.

    - Configure the ASA security policy to allow traffic from all the router networks to access the DMZ.

    - Set up routes on the ASA for all the router networks.

    HTH

    Rick

  • Client to PIX, inside and DMZ networks

    Are there any problems that prevent a client to the unit from initiating connections to hosts on the PIX DMZ and PIX inside networks at the same time?

    Can you provide a link that describes the PIX-side configuration for access to both networks, not only the inside network?

    Oops, yes, sorry, brain fade on my part, disregard my first email. Your configuration would look like this:

    ip address inside 10.1.1.1 255.255.255.0
    ip address dmz 172.16.1.1 255.255.255.0
    ip local pool vpnpool 192.168.1.1-192.168.1.254
    nat (inside) 0 access-list nonatinside
    nat (dmz) 0 access-list nonatdmz
    access-list nonatinside permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonatdmz permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

    Hope that helps.

  • Access to resources on the inside and DMZ problem

    Hi Techies,

    I have a PIX 515 doing remote access VPN. People are able to VPN into the box successfully but are not able to access resources on the DMZ or the inside. The DMZ is directly connected to the PIX and the inside is behind a CSS.

    Could you people point me in the right direction, please.

    Thank you

    Abdul, is your problem solved? Have you tried the suggested missing statements in your config... Let us know if you have any questions.

    Regards

  • Connection interface ASA inside and DMZ

    Hello

    I'm moving my current Internet/VPN link to a dual link on different ASAs and ISP providers.

    I want to create an INSIDE interface on my ASA 5545-X that will connect directly to my Nexus 7K distribution or core.

    The inside interface of the ASA5520 is currently a VLAN that was created on the Nexus 7K.

    It seems simple enough to follow this same design, but using different VLANs and IP scheme.

    I also need to create a DMZ interface on the ASA to my Nexus 7K distribution device.

    Currently the ASA5520 DMZ interface comes from a VLAN that was created on the ASA and then to shared resources.

    It seems simple enough to follow this same design, but using different VLANs and IP scheme.

    Is there a best practice approach document or advice that someone could pass along?

    The Cisco Secure Data Center reference models do not address the DMZ. However, it is a very common configuration for ASAs.

    The real wrinkles come in on the switch side. You have the option to use physically separate switches (which you have already decided not to do); with a Nexus 7K core, the next question is how to separate the DMZ and inside security zones. The most secure option, with a standard 7K core, would be to create a second VDC for the DMZ with no layer 3 services and have the ASA DMZ interface be the default gateway for hosts. A second option on the 7K would be to stick with one VDC but put the DMZ VLANs either in their own VRF or, simply, once again make them L2 only, with the ASA being the L3 gateway.

    There are several other approaches you could take, but those I have just described are the most commonly used.

  • VPN and DMZ problem

    I have an ASA 5510 with the remote access VPN service active. Users can log in and access inside resources without problem. The issue is the servers in the DMZ, such as the web server, which they cannot access. Is there an easy way to allow access for VPN users?

    Thank you

    That will allow you to reach your DMZ servers. For example, if the DMZ is 192.168.1.0, you can reach the servers at their DMZ address 192.168.1.x etc.

    Your other option is to use split tunneling, which would allow you to access the servers through their public IP addresses that are translated on the ASA.

  • NSX and "Activity Monitoring"

    Hey all,

    I'm currently busy testing the NSX "Activity Monitoring" feature.

    I activated "vShield Endpoint / Guest Introspection" on a specific cluster.

    I also enabled "Data collection" on each of the different guest VMs, and VMware Tools is installed.

    All my machines in the cluster are running on Linux (Ubuntu).

    Now when I do all this and try to see any output in the (NSX) Activity Monitoring section, absolutely nothing is shown.

    What am I doing wrong here?

    Only Windows VMs can use Guest Introspection for the moment. It does not work / is not supported for Linux (yet).

  • NSX and physical switches

    I'll be setting up NSX in a test lab with old switches.  Other than implementing 1600 MTU on the physical network, what else do I need to do on the physical network to ensure that it is compatible with NSX?  Does a Cisco 2900 switch have the VTEP and other capabilities that I need, and what are those features?

    Basically, you would only need 1600 MTU support on the physical switch VLAN.

    The switches don't need to have VXLAN support.

    From the physical switches' point of view it's just a layer 2 frame.

    If you want to build a complex topology things can change.

    Cheers,

  • NSX and subnets

    If I'm deploying NSX, which subnets should be placed on the physical layer, and which should be in the network virtualization layer?

    For example, I am building a new environment with the following networks:

    • ESXi vmkernel management traffic network
    • NFS traffic network
    • Virtual machine traffic network
    • vMotion network

    Other networks?  I'm trying to map out everything I might need to define on the physical network vs what would be preferable to define in NSX.

    Thank you!

    If I understand the question, then I don't think any of these networks should be covered by NSX, with the potential exception of the VM network. NSX-managed networks would usually be just for the virtual machine workloads / demand, so if you had an n-tier vCenter model where the management components (vCenter/NSX Manager) were kept in a different pod, then you could potentially drop the VM network dvPortgroups and just use logical switches under a secondary resource vCenter. Otherwise, you would normally have physical VLAN-backed networks for your management components in a single-vCenter model. In summary, the NSX networks would serve just for hosting virtual machines, either in combination with or as a replacement for VLAN-backed VM networks.

    The exception would be if you want to bridge or route to physical workloads using the DLR or ESG with VXLANs. In that case, you would need the VLANs created at the physical layer too.

  • ESXi hypervisor and DMZ

    I'm helping my church with a new ESXi Hypervisor configuration.    They would like to implement a DMZ so that their web server will be confined there.  However, given that the budget is limited, they cannot afford more than the free hypervisor edition for now. It will be converted to a full version of ESXi 4 next year.    Next year they will have the budget to get Essentials Plus and another host for a second ESXi setup.

    For now, it's a single ESXi hypervisor, but they need to protect their network and place their web server in a DMZ.   The server they use has 2 physical NICs, 4 GB of RAM and a 1 TB hard drive.

    I'm looking for some advice on the best way to configure their DMZ.

    I guess that would mean that the DMZ vSwitch would have one NIC and the other network adapter would be shared with the management and VM port groups?   I know that doesn't sound very secure... I probably need a 3rd NIC to separate the management side off onto its own vSwitch, but I don't have that luxury right now.

    You're right, but given the size of the environment I don't think that should be a problem.

    I see that in this arrangement 2 physical switches would be needed to connect to the host's uplinks.  We don't have that right now... that is the problem with non-profit organizations.

    Yes, except if the switches support VLAN tags - then you separate the traffic via VLAN tagging.

  • ASA, Anyconnect and DMZ

    Hello

    I have a little problem with my ASA config.

    The ASA is set up to allow AnyConnect with local users,

    but after I added the following NAT statement and ACL on the outside, I can no longer connect with AnyConnect.

    nat (DMZ,OUTSIDE) source static HOST_DMZ-NAS-FTP interface

    access-list OUTSIDE_access_in extended permit tcp any object HOST_DMZ-NAS-FTP eq ftp

    How do I make it work again?

    Hello

    You have a NAT configuration that is taking precedence.

    We should see an UN-NAT phase at the beginning, before any ACCESS-LIST phase.

    You probably have a dynamic PAT configuration for the DMZ in Section 1 Manual NAT, which is the origin of the problems.

    Because you cannot share the configuration, I can't really do anything other than try to give an alternative configuration, which should make it work, but it is not the ideal configuration, as your dynamic PAT rule shouldn't have such priority anyway. That is, if I'm not wrong in my guess about the problem above.

    Remove the Auto NAT / Network Object NAT as I suggested:

    object network HOST_DMZ-NAS-FTP
     no nat (DMZ,OUTSIDE) static interface service tcp 21 21

    Note that we still leave the 'host' statement under the 'object'. We only remove the "nat" command.

    Then you must add these:

    object service FTP
     service tcp source eq 21

    nat (DMZ,OUTSIDE) 1 source static HOST_DMZ-NAS-FTP interface service FTP FTP

    Then try again.

    -Jouni
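    The difference between the poster's unrestricted static NAT to the outside interface address and the service-restricted rule suggested above can be shown with a toy model of inbound un-NAT lookup. This is an added example, not Cisco code or anything from the thread; the outside address, the DMZ host address and the single-section rule table are constructed, and the model only captures "first matching translation wins, in section order".

```python
# Added example, not Cisco ASA code: a toy model of how an inbound packet
# to the outside interface address is matched against NAT rules, showing why
# a static NAT to "interface" must be limited to the FTP service so that the
# ASA's own AnyConnect listener is not un-NATted to the DMZ host.
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IF = "203.0.113.10"   # constructed outside interface address
DMZ_NAS = "172.16.1.20"       # constructed real address of HOST_DMZ-NAS-FTP
ANYCONNECT_PORT = 443         # SSL VPN listener on the ASA itself

@dataclass
class NatRule:
    section: int                  # 1 = manual NAT, 2 = object NAT, 3 = after-auto
    mapped_ip: str                # mapped (outside) address
    real_ip: str                  # real (DMZ) address
    proto: Optional[str] = None   # service restriction; None = every port
    mapped_port: Optional[int] = None

def un_nat(dst_ip: str, proto: str, dport: int, rules) -> Optional[str]:
    """Return the real destination for an inbound packet, or None when no
    translation applies and the packet can reach the ASA's own listeners."""
    # Section order first; sorted() is stable, so rule order within a
    # section is preserved and the first match wins.
    for r in sorted(rules, key=lambda rule: rule.section):
        if r.mapped_ip != dst_ip:
            continue
        if r.proto is not None and (r.proto != proto or r.mapped_port != dport):
            continue
        return r.real_ip
    return None

# As posted: whole host mapped to the interface address, all ports.
BROKEN = [NatRule(1, OUTSIDE_IF, DMZ_NAS)]
# As suggested: same mapping, but only for tcp/21 (object service FTP).
FIXED = [NatRule(1, OUTSIDE_IF, DMZ_NAS, proto="tcp", mapped_port=21)]

def anyconnect_reachable(rules) -> bool:
    """True when a TLS connection to the outside interface stays on the ASA."""
    return un_nat(OUTSIDE_IF, "tcp", ANYCONNECT_PORT, rules) is None

def ftp_forwarded(rules) -> bool:
    """True when an FTP control connection is translated to the DMZ host."""
    return un_nat(OUTSIDE_IF, "tcp", 21, rules) == DMZ_NAS

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "anyconnect:", anyconnect_reachable(rules),
              "ftp:", ftp_forwarded(rules))
```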

  • NSX logical switches and VGT mode

    Hello

    I think that the answer is "", but just to play it safe: can I assume that VGT is not supported for virtualwire port groups?

    The configuration does allow defining VLAN trunking, but my thought is that we need a one-to-one relationship between VLAN ID and VXLAN VNI (if a VLAN ID is used at all, e.g. for L2GW purposes).

    Issues occurred while testing in a nested environment...

    cheers

    / Rik

    We do not support passing through the DLR with guest VLAN tagging. It must be L2 only... VM to VM (in a VXLAN) or VM-to-VM (software L2 bridging).
