SOT - VMware hosts on different subnets.

Randy Grein randygrein at comcast.net
Sun Dec 7 19:01:59 GMT 2008


Randy Grein, Master CNE, CCNA

On Dec 7, 2008, at 9:29 AM, joea at j4computers.com wrote:

> On 12/7/2008 at 11:30 AM, jrd <jrd at netlab1.oucs.ox.ac.uk> wrote:
>> joea at j4computers.com wrote:
>>> I want to virtualize an additional server (OES1 Linux), on a
>>> VMware server (1.0.6) that currently hosts two guests (windows servers).
>>>
>>> The proposed guest is on a different subnet.  I believe the host
>>> has only one NIC.
>>>
>>> The subnets are separated by a router.  The existing guests and
>>> host, are on what is considered a DMZ.  The proposed guest is in a
>>> "safe" area.
>>>
>>> Suggestions as to how this can be accomplished and maintain some
>>> reasonable margin of security?
>>>
>>> joe a.
>>>
>> ---------
>> On nomenclature, subnets are connected by routers, as a matter of
>> definition. That's the purpose in life of routers: to connect networks
>> together.
>>
>> The VMware Server can provide a bridged connection to the world. That
>> enables guests to use whatever IP number they wish to the wire.
>> Protection is then to be done by each guest. Guest IP traffic is
>> diverted to guests without entering the host's TCP/IP stack. Thus each
>> guest has its own TCP/IP stack and address(es) and deals with traffic
>> as if it were a separate box on the same wire as the host and other
>> bridged guests. Yes, it is legal to have traffic for different IP
>> networks travel along the same wire (else the Internet would have long
>> ago consumed the remaining copper in the world).
>>
>> I hope this helps resolve the question you have.
>> Joe D.
>
> It helps.
>
> Since I would rather keep the subnets physically separate, I see a  
> second NIC in the VMware box and a cable to the appropriate switch  
> as the likely beginning of a solution.
>
> joe a.

While I can embrace this solution, keep in mind that router separation
is not a security solution. It does, as I have tried unsuccessfully to
point out to my manager, make security rules easier to implement and
enforce correctly. It also makes troubleshooting easier.
Virtualization is a fine thing in moderation - but immoderately used
creates just as many problems as it solves.
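The thread's practical question is which physical wire each bridged guest actually lands on once a second NIC is added. The following is an added example, not code from the thread or from VMware: a small audit script that reads VMware Server 1.x `.vmx` fragments and checks that each guest's bridged adapter is attached to the vmnet (and therefore the physical NIC and zone) it is supposed to be in. It assumes the `ethernetN.connectionType` and `ethernetN.vnet` keys, that plain `"bridged"` maps to `/dev/vmnet0` on a Linux host, and a hand-maintained `VMNET_MAP` of vmnet devices to NICs and zones; the `.vmx` contents and inventory are constructed.

```python
"""Audit which physical wire each VMware Server guest is bridged to.

Added example (not from the mailing-list thread or from VMware). It
assumes the VMware Server 1.x .vmx keys ethernetN.connectionType and
ethernetN.vnet, and a host-side mapping of vmnet devices to physical NICs
and zones that you would take from how vmware-config.pl bridged each
vmnet on the real host. All sample data below is constructed.
"""
import re

# Assumed host-side mapping: vmnet device -> (physical NIC, zone).
VMNET_MAP = {
    "/dev/vmnet0": ("eth0", "dmz"),       # first NIC, on the DMZ wire
    "/dev/vmnet2": ("eth1", "internal"),  # second NIC, on the "safe" wire
}

# Constructed .vmx fragments: guest name -> file text.
SAMPLE_VMX = {
    "win-dmz-1": 'ethernet0.present = "TRUE"\n'
                 'ethernet0.connectionType = "bridged"\n',
    "win-dmz-2": 'ethernet0.present = "TRUE"\n'
                 'ethernet0.connectionType = "bridged"\n',
    "oes1-internal": 'ethernet0.present = "TRUE"\n'
                     'ethernet0.connectionType = "custom"\n'
                     'ethernet0.vnet = "/dev/vmnet2"\n',
    # Deliberately wrong: an internal-zone guest left on the default bridge.
    "misplaced": 'ethernet0.present = "TRUE"\n'
                 'ethernet0.connectionType = "bridged"\n',
}

# Which zone each guest is meant to live in (constructed inventory).
INTENDED_ZONE = {
    "win-dmz-1": "dmz",
    "win-dmz-2": "dmz",
    "oes1-internal": "internal",
    "misplaced": "internal",
}

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def guest_nics(cfg):
    """Return (adapter, connection type, vmnet device) per present adapter."""
    out = []
    for key, val in cfg.items():
        m = re.match(r"ethernet(\d+)\.present$", key)
        if not m or val.upper() != "TRUE":
            continue
        n = m.group(1)
        ctype = cfg.get(f"ethernet{n}.connectiontype", "bridged").lower()
        if ctype == "bridged":
            vnet = "/dev/vmnet0"          # assumed default bridge on Linux hosts
        elif ctype == "custom":
            vnet = cfg.get(f"ethernet{n}.vnet", "")
        elif ctype == "nat":
            vnet = "/dev/vmnet8"          # assumed default NAT network
        elif ctype == "hostonly":
            vnet = "/dev/vmnet1"          # assumed default host-only network
        else:
            vnet = ""
        out.append((f"ethernet{n}", ctype, vnet))
    return out


def audit(vmx_files, intended, vmnet_map):
    """Return (guest, adapter, problem) for every adapter on the wrong wire."""
    findings = []
    for guest, text in vmx_files.items():
        for adapter, ctype, vnet in guest_nics(parse_vmx(text)):
            if ctype not in ("bridged", "custom"):
                continue                  # NAT/host-only never reach the wire directly
            if vnet not in vmnet_map:
                findings.append((guest, adapter, f"unknown vmnet {vnet!r}"))
                continue
            nic, zone = vmnet_map[vnet]
            want = intended.get(guest)
            if want and zone != want:
                findings.append((guest, adapter,
                                 f"bridged to {nic} ({zone}) but guest belongs in {want}"))
    return findings


if __name__ == "__main__":
    for guest, adapter, problem in audit(SAMPLE_VMX, INTENDED_ZONE, VMNET_MAP):
        print(f"{guest}/{adapter}: {problem}")
```

Run against real hosts, point `SAMPLE_VMX` at the actual `.vmx` files and fill `VMNET_MAP` from the bridging choices you made in `vmware-config.pl`; the check is only as good as that mapping, which is exactly the point Randy makes above about separation helping you enforce rules correctly rather than being a control by itself.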