This could go in Software and Apps, but I think this is the place for a VCenter Q.

Post #399,822 by mmoffitt 3/9/15 10:10:26 AM Reply	This could go in Software and Apps, but I think this is the place for a VCenter Q. We run VCenter 5.1. All servers except a handful of production database servers are virtualized on the LAN. Our DMZ has non-virtualized hosts. I was looking to virtualize the stuff outside the firewall this year. Initially, I was going to build a separate VCenter stack to host those servers. I'm being encouraged not to do that because "almost no one does that anymore." The reason I wanted two stacks is alluded to in the following Hyper-V post (the last case scenario and yeah, I know it is dated and not about VMware, but I hold the issues exist without regard to vendor): http://www.aidanfinn.com/?p=11847 I'm fully aware that a lot of places don't go to the expense and trouble of having two separate stacks on two separate networks, but am I wrong that this is the most secure/least likely to have your LAN compromised configuration?
Post #399,832 by boxley 3/9/15 3:04:53 PM Reply	separate stacks can be on the same hardware just cabled differently Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 59 years. meep
Post #399,854 by mmoffitt 3/10/15 8:28:49 AM Reply	So, you'd say ... Having the two networks hosting inside fw/outside fw vm's physically separated by a hw firewall is no longer necessary? It still seems to me that is the safest configuration.
Post #399,866 by boxley 3/10/15 1:31:18 PM Reply	what is a hardware firewall? a piece of software connecting 2 wires Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 59 years. meep
Post #399,867 by mmoffitt 3/10/15 1:38:22 PM Reply	Understood. Do I understand you to say that physical isolation doesn't buy you much? If I've got edge/dmz vm's running on the same esx host as lan vm's and one of the edge/dmz vm's is compromised through a ddos attack or similar, are you saying that this scenario does not present a significantly worse problem than if the edge/dmz vm's were on a completely different host, wired into a different switch/san etc. than the lan vm's?
Post #399,873 by boxley 3/10/15 2:52:00 PM Reply	you can flood the edge vm's until the network stack is plugged depending on how your backplane is configured without causing any lan traffic to be impacted. Depends on whether the backplane can be isolated. On the unisphere gear (now jupiter I think) we could completely isolate the bandwidth on the backplane by allocating max thruput. That was in the late 1990's. Once that value was hit that's all it could use. If your gear can do that, it simplifies matters. Also note your edge gear on a shared box should be wired to different san and switches than your lan gear. Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 59 years. meep
Post #399,877 by mmoffitt 3/10/15 4:07:55 PM Reply	Thanks.

Welcome to IWETHEY!