• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 661

ESXi management lock

I've got a remote server at a data center. It has 1 physical NIC with 2 external IPs:
1st IP is for host management (ESXi 3.5)
2nd IP is for the virtual machines' network

The trouble is ESXi has no iptables, just nothing to define a required set of IPs. It even has no option to disable its "welcome page" at port 80.

There is no option of a hardware firewall at this data center, so I'm stuck. The only option I see is to rent another 1U slot and put some hardware firewall there myself. But it's expensive.

Is there any other option to solve the issue?
If not, then what kind of hardware would be less expensive?

Keep in mind I've got only 1 physical cable from provider.
Asked by: kamoranesi
2 Solutions
 
kumarnirmalCommented:
When you take the security aspect into consideration, it's not a good practice to use a single NIC for ESXi Management and VM Traffic.
VMware specifically disagrees with this option when it comes to Production Environments (using them in testing environments is OK).

Please update your Host Hardware Specifications.
 
kamoranesiAuthor Commented:
Actually I do know it's not recommended, but it's all about money. Now we have only 1 cable from the provider, so we don't have options. As we want to try ESXi, we don't want to go back to ESX just to have these iptables. Maybe there is a hardware solution around, but I need to figure out if it's expensive or not.
 
kamoranesiAuthor Commented:
It's an HP ProLiant DL160.
 
kumarnirmalCommented:
If I am not wrong, are you looking to allow specific TCP/UDP port traffic using iptables/firewall to the ESXi host?
 
kumarnirmalCommented:
The best way I can suggest is to add an Intel VT Quad Port Adapter (NIC) - http://www.intel.com/support/network/adapter/1000vtquad/sb/CS-029502.htm

Procure a second cable from the provider to the ESXi Host and then create a separate vSwitch so that you can isolate VM and Service Console traffic.

In this way, you can install a Linux VM which can act as your Software Firewall, thereby providing you with the solution you need.
 
kamoranesiAuthor Commented:
kumarnirmal, this is actually the same as having an ESX installation instead of ESXi.
I am looking more for some hardware solutions...

 
kumarnirmalCommented:
I suggest you take a look at these options then:

Juniper NetScreen Series - http://www.juniper.net/us/en/products-services/security/netscreen/

Microsoft ISA Server 2006 should also be a viable alternative, since it's a relatively cost-effective solution.

 
markzzCommented:
I'd suggest a Juniper or Cisco PIX firewall would be an option.
Of course doing this may not be any cheaper than using ESX 3.5, so maybe just go the ESX route.
Maybe you could look at running a Vyatta instance on the host and routing all data via it.
You could have to set up vSwitches with no physical NIC associated.
In theory this would work, but if Vyatta failed your server would be isolated.
Oh, does the DL160 have iLO?
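Putting the two suggestions in this thread together (an internal-only vSwitch carrying the ESXi management port group, fronted by a Linux firewall VM with one vNIC on the uplinked vSwitch and one on the internal one), here is an added example of the filtering such a VM would apply; it is not from the thread or from any of the products named, and every interface name and address is a constructed placeholder. Because the VM becomes the only path to management, it assumes out-of-band access such as iLO is available as a fallback, as markzz's caveat implies.

```shell
#!/bin/sh
# Firewall VM with two vNICs: eth0 sits on the uplinked vSwitch and owns the
# public management IP; eth1 sits on an internal-only vSwitch (no physical
# NIC) together with the ESXi management port group. Only traffic matching a
# rule below is forwarded to the host, so the port-80 welcome page is never
# reachable from outside. All names and addresses are constructed.
WAN_IF=eth0
LAN_IF=eth1
PUBLIC_MGMT_IP=203.0.113.10      # public IP, now bound to the firewall VM's eth0
MGMT_IP=192.168.100.10           # ESXi management IP on the internal vSwitch
ADMIN_NETS="198.51.100.0/24 203.0.113.200"   # the only sources allowed to manage
MGMT_PORTS="443 902"             # 443 (HTTPS / VI Client) and 902 (host agent)

# Print the iptables commands; apply them with: build_rules | sh (as root).
build_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -t nat -F PREROUTING"
  echo "iptables -F FORWARD"
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for net in $ADMIN_NETS; do
    for port in $MGMT_PORTS; do
      # 1) rewrite the public management address to the internal one
      echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $net -d $PUBLIC_MGMT_IP -p tcp --dport $port -j DNAT --to-destination $MGMT_IP"
      # 2) let exactly that flow through to the internal vSwitch
      echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -s $net -d $MGMT_IP -p tcp --dport $port -j ACCEPT"
    done
  done
  # Connections to the public management IP that matched no DNAT rule (the
  # port-80 welcome page included) land on the VM itself: log, then drop.
  echo "iptables -A INPUT -i $WAN_IF -d $PUBLIC_MGMT_IP -m state --state NEW -j LOG --log-prefix 'esxi-mgmt-drop: '"
  echo "iptables -A INPUT -i $WAN_IF -d $PUBLIC_MGMT_IP -m state --state NEW -j DROP"
}

# Helpers to sanity-check the generated ruleset without applying it.
count_forward_accepts() { build_rules | grep -c -- '-A FORWARD.*-j ACCEPT'; }
count_dnat_rules()      { build_rules | grep -c -- '-j DNAT'; }
allows_port()           { build_rules | grep -q -- "--dport $1 -j ACCEPT"; }

if [ "${1:-}" = "--apply" ]; then build_rules | sh; else build_rules; fi
```

Run without arguments to review the generated rules; `--apply` executes them on the firewall VM.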
