
Considerations for DMZ, iSCSI and Private vDS on same ESXi/Cluster

Before we start on this topic, a disclaimer: this is not the only vDS configuration that can be used to connect ESXi hosts to DMZ, iSCSI and public networks. It is one configuration that can be considered; it has its merits, and that is why it is described here. The scenario is a client that uses iSCSI storage through the software initiator, has a DMZ environment and also needs a private network (referred to below as the Public vDS), all on the same ESXi hosts and cluster infrastructure, in a layout that can be reused across multiple clusters. Also refer to this blog on vDS and vSwitch security.

Configuration of ESXi Hardware and vCenter :

  • For this configuration we will use 3 vDSs.
  • 6 pNICs will be used (2 per vDS).
  • Permissions will be given at vDS level and at port group level.

DMZ vDS configuration and settings

Permissions for creating and deleting a vDS can only be applied at Datacenter level, so make sure that only the right people have the rights to create, delete or modify vDS settings. The following roles can be created and assigned to the administrators of the DMZ vDS network configuration:

Port Group Admin : dvPort group / Create, Delete, Modify, Policy operation, Scope operation
  > Assign at Port Group level

vDS Admin        : vNetwork Distributed Switch / Create, Delete, Host operation, Modify, Move, NIOC, Policy operation, Port configuration, Port settings operation, VSPAN operation
  > Assign at Datacenter level

Care should be taken not to allow users to change their VM network settings: once a VM has been provisioned into a DMZ network, its owner should not have permissions to move its vNICs to another port group. Consider removing the following privileges from the roles those users hold:

Network / Assign network, Configure, Move network, Remove
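The role and permission layout described above, as an added PowerCLI example that is not part of the original post. The vCenter name (vcsa.example.local), datacenter (DC01), port group (DMZ-Web), VM folder (DMZ) and AD group names are hypothetical; the privilege IDs are the vSphere identifiers I map to the labels used in the post, so confirm them with Get-VIPrivilege on your vCenter version before running this.

```powershell
# Added example (PowerCLI), not from the original post. Hypothetical names: vCenter
# vcsa.example.local, datacenter DC01, port group DMZ-Web, VM folder DMZ, AD groups under EXAMPLE\.
Connect-VIServer -Server 'vcsa.example.local' | Out-Null

# vSphere privilege IDs behind the labels used above; verify them with Get-VIPrivilege on your version
$pgPrivs  = 'DVPortgroup.Create', 'DVPortgroup.Delete', 'DVPortgroup.Modify',
            'DVPortgroup.PolicyOp', 'DVPortgroup.ScopeOp'
$vdsPrivs = 'DVSwitch.Create', 'DVSwitch.Delete', 'DVSwitch.HostOp', 'DVSwitch.Modify',
            'DVSwitch.Move', 'DVSwitch.ResourceManagement', 'DVSwitch.PolicyOp',
            'DVSwitch.PortConfig', 'DVSwitch.PortSetting', 'DVSwitch.Vspan'

$pgAdmin  = New-VIRole -Name 'DMZ Port Group Admin' -Privilege (Get-VIPrivilege -Id $pgPrivs)
$vdsAdmin = New-VIRole -Name 'DMZ vDS Admin'        -Privilege (Get-VIPrivilege -Id $vdsPrivs)

# vDS create/delete can only be granted at the datacenter. Port group admin is scoped to the
# DMZ port group itself (no propagation), so the same team cannot touch iSCSI or MGMT port groups.
New-VIPermission -Entity (Get-Datacenter -Name 'DC01') -Principal 'EXAMPLE\dmz-net-admins' `
    -Role $vdsAdmin -Propagate:$false | Out-Null
New-VIPermission -Entity (Get-VDPortgroup -Name 'DMZ-Web') -Principal 'EXAMPLE\dmz-net-admins' `
    -Role $pgAdmin -Propagate:$false | Out-Null

# VM owners get console/power privileges only: no Network.* privilege anywhere in the role,
# so a vNIC cannot be re-homed to another port group once the VM has been provisioned.
$vmPrivs = Get-VIPrivilege | Where-Object { $_.Id -like 'VirtualMachine.Interact.*' }
$vmUser  = New-VIRole -Name 'DMZ VM User' -Privilege $vmPrivs
New-VIPermission -Entity (Get-Folder -Name 'DMZ') -Principal 'EXAMPLE\dmz-vm-owners' `
    -Role $vmUser -Propagate:$true | Out-Null

# Audit: report any permission on the DMZ folder whose role still carries a Network privilege
foreach ($perm in Get-VIPermission -Entity (Get-Folder -Name 'DMZ')) {
    $net = (Get-VIRole -Name $perm.Role).PrivilegeList | Where-Object { $_ -like 'Network.*' }
    if ($net) {
        Write-Warning ("{0} on {1} still has: {2}" -f $perm.Principal, $perm.Entity.Name, ($net -join ', '))
    }
}
```

The audit loop at the end is the part worth scheduling: a role that is later "temporarily" widened with Network / Assign network is exactly how a DMZ VM ends up on a private port group.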

For the DMZ vDS port group security policies, ensure that Promiscuous mode, MAC address changes and Forged transmits are all set to "Reject". Note that "Reject" on MAC address changes and forged transmits breaks guests that legitimately send from a MAC other than the one vSphere assigned (for example Microsoft NLB in unicast mode or a nested hypervisor); put such workloads on a dedicated port group rather than relaxing the policy for the whole vDS. Teaming and failover can be set to use LBT with all pNICs active. Also consider enabling NIOC.
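An added PowerCLI example (not from the original post) that first audits every distributed port group in the inventory for the three settings above and then remediates the DMZ vDS. The same three "Reject" settings apply to the Public vDS port groups later in the post, so the audit covers both. The vCenter name (vcsa.example.local), the vDS name (DMZ-vDS) and the uplink port names ("Uplink 1", "Uplink 2") are assumptions.

```powershell
# Added example (PowerCLI), not from the original post. Hypothetical names: vCenter
# vcsa.example.local, vDS DMZ-vDS with uplink ports named "Uplink 1" and "Uplink 2".
Connect-VIServer -Server 'vcsa.example.local' | Out-Null

# 1. Audit: every non-uplink distributed port group, on any vDS, that still accepts
#    promiscuous mode, MAC address changes or forged transmits.
$findings = Get-VDSwitch | Get-VDPortgroup |
    Where-Object { -not $_.ExtensionData.Config.Uplink } |
    ForEach-Object {
        $sec = $_ | Get-VDSecurityPolicy
        [pscustomobject]@{
            VDSwitch         = $_.VDSwitch.Name
            PortGroup        = $_.Name
            AllowPromiscuous = $sec.AllowPromiscuous
            MacChanges       = $sec.MacChanges
            ForgedTransmits  = $sec.ForgedTransmits
        }
    } | Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits }
$findings | Format-Table -AutoSize

# 2. Remediate the DMZ vDS: reject all three, and use LBT with both uplinks active.
$dmz = Get-VDSwitch -Name 'DMZ-vDS'
foreach ($pg in Get-VDPortgroup -VDSwitch $dmz | Where-Object { -not $_.ExtensionData.Config.Uplink }) {
    $pg | Get-VDSecurityPolicy |
        Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
    $pg | Get-VDUplinkTeamingPolicy |
        Set-VDUplinkTeamingPolicy -LoadBalancingPolicy LoadBalanceLoadBased `
            -ActiveUplinkPort 'Uplink 1', 'Uplink 2' | Out-Null
}
```

Run the audit on its own first: anything it lists on a port group you did not expect (a nested-ESXi lab port group, an NLB cluster) needs an owner and a justification, not a blanket fix.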

iSCSI vDS configuration and settings

One of the main reasons to have a separate vDS for the iSCSI network is to be able to enable jumbo frames (MTU 9000). The MTU is set at vDS level, not per port group, so a dedicated vDS keeps the DMZ and Public switches at their default MTU. Remember that the vDS MTU is only a ceiling: each iSCSI VMkernel adapter and every physical switch port on the path must also be set to 9000. The following role can be created and assigned to the administrators of the iSCSI configuration on the iSCSI vDS:

Port Group Admin : dvPort group / Create, Delete, Modify, Policy operation, Scope operation
  > Assign at Port Group level of the iSCSI vDS

It is recommended to use a separate Layer 2 switch for the iSCSI traffic, and to ensure that no Layer 3 routing takes place on any of the iSCSI VLANs. Depending on the iSCSI hardware and configuration you will have to create multiple VMkernel ports to get multiple paths to the storage unit. Where those paths are separate subnets without port binding, the VMkernel ports' traffic can be balanced across the pNICs with LBT, so consider enabling LBT on those iSCSI port groups. With software iSCSI port binding, however, each VMkernel port group must have exactly one active uplink and the other uplinks set to Unused (vCenter's port binding compliance check fails otherwise); path selection and load sharing are then handled by the storage multipathing policy (for example Round Robin), not by the teaming policy.
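The iSCSI vDS setup above, as an added PowerCLI example that is not part of the original post. It takes the port-binding case: one port group per path, each pinned to a single active uplink, MTU 9000 on the switch, and a compliance pass over the cluster. The vCenter name (vcsa.example.local), vDS name (iSCSI-vDS), uplink names ("Uplink 1", "Uplink 2"), port group names, VLAN IDs and cluster name (Cluster01) are assumptions.

```powershell
# Added example (PowerCLI), not from the original post. Hypothetical names: vCenter
# vcsa.example.local, vDS iSCSI-vDS with uplinks "Uplink 1"/"Uplink 2", cluster Cluster01.
Connect-VIServer -Server 'vcsa.example.local' | Out-Null
$vds = Get-VDSwitch -Name 'iSCSI-vDS'

# Jumbo frames are a switch-wide setting on a vDS, not a port group setting
Set-VDSwitch -VDSwitch $vds -Mtu 9000 | Out-Null

# One port group per path. With software-iSCSI port binding each VMkernel port group must
# map to exactly one active uplink with the other unused; path failover and load sharing
# then come from the storage multipathing policy (e.g. Round Robin), not from teaming.
$paths = @(
    @{ Name = 'iSCSI-A'; Vlan = 101; Active = 'Uplink 1'; Unused = 'Uplink 2' },
    @{ Name = 'iSCSI-B'; Vlan = 102; Active = 'Uplink 2'; Unused = 'Uplink 1' }
)
foreach ($p in $paths) {
    $pg = Get-VDPortgroup -VDSwitch $vds -Name $p.Name -ErrorAction SilentlyContinue
    if (-not $pg) { $pg = New-VDPortgroup -VDSwitch $vds -Name $p.Name -VlanId $p.Vlan }
    $pg | Get-VDUplinkTeamingPolicy |
        Set-VDUplinkTeamingPolicy -LoadBalancingPolicy ExplicitFailover `
            -ActiveUplinkPort $p.Active -UnusedUplinkPort $p.Unused | Out-Null
    # Storage traffic never needs promiscuous mode, MAC changes or forged transmits either
    $pg | Get-VDSecurityPolicy |
        Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
}

# Compliance check 1: any iSCSI port group with more than one active uplink, or any standby
# uplink, would fail the port binding requirement.
foreach ($pg in Get-VDPortgroup -VDSwitch $vds | Where-Object { -not $_.ExtensionData.Config.Uplink }) {
    $t = $pg | Get-VDUplinkTeamingPolicy
    if (@($t.ActiveUplinkPort).Count -ne 1 -or @($t.StandbyUplinkPort).Count -gt 0) {
        Write-Warning ("{0}: {1} active / {2} standby uplinks, not valid for iSCSI port binding" -f
            $pg.Name, @($t.ActiveUplinkPort).Count, @($t.StandbyUplinkPort).Count)
    }
}

# Compliance check 2: the vDS MTU is only a ceiling; every VMkernel adapter in an iSCSI
# port group must be at 9000 as well, on every host in the cluster.
foreach ($h in Get-Cluster -Name 'Cluster01' | Get-VMHost) {
    Get-VMHostNetworkAdapter -VMHost $h -VMKernel |
        Where-Object { $_.PortGroupName -in $paths.Name -and $_.Mtu -ne 9000 } |
        ForEach-Object {
            Write-Warning ("{0}: {1} in {2} has MTU {3}, expected 9000" -f
                $h.Name, $_.Name, $_.PortGroupName, $_.Mtu)
        }
}
```

If your array presents targets on distinct subnets and you are not using port binding, swap the ExplicitFailover policy for LoadBalanceLoadBased with both uplinks active, as the post suggests, and drop compliance check 1.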

Public vDS configuration and settings

Since the vMotion and VMkernel (management traffic) port groups are located on this vDS, consider setting a "No access" permission on these port groups for users that do not need them. This prevents accidental or intentional placement of VMs into the management port groups.

To enhance security, set the vDS port group security policies so that Promiscuous mode, MAC address changes and Forged transmits are all set to "Reject". There are only 2 pNICs attached to this vDS, so for optimal pNIC load balancing with traffic prioritization enable Network I/O Control on this vDS and LBT on each port group.
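The Public vDS controls above, as an added PowerCLI example that is not part of the original post: an explicit "No access" permission on the MGMT and vMotion port groups, NIOC enabled on the switch, LBT on the port groups, and a detection pass for VMs already sitting in an infrastructure port group. The vCenter name (vcsa.example.local), vDS name (Public-vDS), uplink names, port group names and AD group names are assumptions; NoAccess is the built-in vCenter role.

```powershell
# Added example (PowerCLI), not from the original post. Hypothetical names: vCenter
# vcsa.example.local, vDS Public-vDS with uplinks "Uplink 1"/"Uplink 2", port groups MGMT
# and vMotion, AD groups under EXAMPLE\.
Connect-VIServer -Server 'vcsa.example.local' | Out-Null
$vds   = Get-VDSwitch -Name 'Public-vDS'
$infra = Get-VDPortgroup -VDSwitch $vds -Name 'MGMT', 'vMotion'

# Explicit "No access" on the infrastructure port groups for everyone who owns or manages
# DMZ VMs. vCenter applies the most specific permission, so this overrides anything the
# principal inherits from the datacenter or a folder above.
$noAccess = Get-VIRole -Name 'NoAccess'
foreach ($pg in $infra) {
    foreach ($principal in 'EXAMPLE\dmz-vm-owners', 'EXAMPLE\dmz-net-admins') {
        New-VIPermission -Entity $pg -Principal $principal -Role $noAccess -Propagate:$false | Out-Null
    }
}

# Network I/O Control is a switch-wide flag; PowerCLI exposes it through the vSphere API object.
$vds.ExtensionData.EnableNetworkResourceManagement($true)

# Only two uplinks: LBT with both active on every non-uplink port group
foreach ($pg in Get-VDPortgroup -VDSwitch $vds | Where-Object { -not $_.ExtensionData.Config.Uplink }) {
    $pg | Get-VDUplinkTeamingPolicy |
        Set-VDUplinkTeamingPolicy -LoadBalancingPolicy LoadBalanceLoadBased `
            -ActiveUplinkPort 'Uplink 1', 'Uplink 2' | Out-Null
}

# Detection: a VM vNIC connected to MGMT or vMotion is a misplacement to investigate,
# whether it happened by accident or on purpose.
Get-VM | Get-NetworkAdapter |
    Where-Object { $_.NetworkName -in $infra.Name } |
    Select-Object @{ n = 'VM'; e = { $_.Parent.Name } }, Name, NetworkName, MacAddress
```

The "No access" permissions are belt and braces: a role without Network / Assign network already cannot attach a vNIC to these port groups, but the explicit deny survives a later change to that role.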

Conclusion

The above are general guidelines that can be used to set up a vDS environment connected to DMZ, iSCSI and Public networks. In addition, host profiles can be used to create a consistent ESXi network configuration across all ESXi hosts in a cluster and to check the hosts for compliance against it.