Virtual Network for Management Traffic – Cisco Deployment of Secure Firewall Virtual

Virtual Network for Management Traffic

A management center virtual appliance needs only one interface, which carries its management communication. A threat defense virtual appliance needs at least four: one interface for management communication and three interfaces for traffic inspection. These virtual network interfaces are predefined in the ESXi and VI templates. Before you deploy an OVF template, however, you need to build the virtual network on your VMware ESXi host out of virtual switches and port groups (virtual ports); later you associate those port groups with the predefined virtual network interfaces. Each virtual switch is in turn uplinked to one or more of the physical network interface cards (vmnics) installed in the ESXi host.

Figure 2-6 shows the default virtual switch, vSwitch0, which an ESXi host creates during installation. Its uplink is the physical adapter vmnic0, and it carries two default port groups: Management Network and VM Network. The Management Network port group holds the VMkernel port, which is the management interface of the ESXi host itself. The VM Network port group is created for guest virtual machines, and you can use it as the management network for both the management center virtual appliance and the threat defense virtual appliance. Note that in this default layout both port groups share vmnic0 and, unless you tag them with different VLAN IDs, the same Layer 2 segment, so the firewall's management traffic lands on the same network as ESXi host management. If your design keeps the two apart, give the firewall management interface its own port group and VLAN.

Figure 2-6 Mapping of Default Virtual Switch with ESXi Management Network

Virtual Network for Data Traffic

When you deploy Secure Firewall on a virtual platform, the data interfaces need special consideration. For a threat defense virtual appliance, you must set Promiscuous Mode to Accept on the virtual switch, or on every port group to which the firewall's data interfaces connect. By default a virtual switch delivers to a virtual NIC only the frames addressed to that NIC's own MAC address; promiscuous mode lets the firewall's virtual NIC receive every frame on the segment, which it needs in order to inspect traffic that is not addressed to it.

Figure 2-7 shows promiscuous mode being enabled while a virtual switch for the inside network is added. Select Accept for Promiscuous Mode, and also for the other two security options, MAC Address Changes and Forged Transmits. These two allow the firewall to send frames whose source MAC address differs from the one assigned to its virtual NIC, which it does, for example, when a high-availability pair fails over. Because an Accept policy set on the vSwitch applies to every port group on that switch, and any VM in a promiscuous port group can see all of that port group's traffic, keep the firewall's data port groups dedicated to the firewall (or set the policy per port group) rather than relaxing it on a switch that also hosts ordinary guest VMs.

Figure 2-7 Configuration Window to Add a Standard Virtual Switch

A threat defense virtual appliance can support up to 10 interfaces in total. Although its default template ships with all 10, you may not need every one of them. For the appliance to power on at its first bootup, however, at least four interfaces must be enabled.

Table 2-5 shows a typical mapping of the virtual ports with physical network adapters.

Table 2-5 Mapping of Virtual Ports with Physical Adapters

Virtual Port       Physical Adapter   Purpose
VM Network         vmnic0             For management traffic
Inside Network     vmnic1             For internal network
Outside Network    vmnic2             Toward the outside world
DMZ Network        vmnic3             For server farm

Figure 2-8 shows some port groups and their associations with individual virtual switches in VMware ESXi.

Figure 2-8 Mapping of Virtual Port Groups with Separate Virtual Switches
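The following script is added here as an illustration; it is not taken from the book or from Cisco. It builds the three data segments of Table 2-5 with esxcli in the ESXi shell and applies the security policy shown in Figure 2-7, with one deliberate difference: Promiscuous Mode, MAC Address Changes and Forged Transmits are set to Accept on each firewall port group rather than on the whole vSwitch, so VM Network on vSwitch0 (and the ESXi management VMkernel port) keep the default Reject policy. The vSwitch names, the VLAN IDs and the sample esxcli output used by the check are assumptions; the vmnic assignments follow the table. It prints the commands by default and only executes them when run with APPLY=1 on the host.

```shell
#!/bin/sh
# Added example, not from the book or Cisco. Creates the firewall data
# segments of Table 2-5 on an ESXi host with esxcli and opens the vSwitch
# security policy on the firewall port groups only. Dry-run by default;
# APPLY=1 runs the commands for real.
#
#   sh fw-net.sh                 # print the esxcli commands (dry run)
#   APPLY=1 sh fw-net.sh         # execute them in the ESXi shell
#   APPLY=1 sh fw-net.sh check   # verify the policy on each port group

# Execute a command, or just print it when not applying.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Create one standard vSwitch with one uplink and one port group, tag the
# port group with a VLAN, and accept promiscuous mode, MAC address changes
# and forged transmits on that port group. The vSwitch itself keeps the
# default Reject policy, so any other port group added to it later stays
# isolated from the firewall's traffic.
add_fw_segment() {  # args: vswitch vmnic portgroup vlan_id
    vs=$1; nic=$2; pg=$3; vlan=$4
    run esxcli network vswitch standard add --vswitch-name="$vs"
    run esxcli network vswitch standard uplink add --vswitch-name="$vs" --uplink-name="$nic"
    run esxcli network vswitch standard portgroup add --vswitch-name="$vs" --portgroup-name="$pg"
    run esxcli network vswitch standard portgroup set --portgroup-name="$pg" --vlan-id="$vlan"
    run esxcli network vswitch standard portgroup policy security set --portgroup-name="$pg" \
        --allow-promiscuous=true --allow-mac-change=true --allow-forged-transmits=true
}

# Table 2-5 mapping. vSwitch names and VLAN IDs are assumed for illustration;
# vmnic0 / VM Network on vSwitch0 is left untouched for management traffic.
build_all() {
    add_fw_segment vSwitch1 vmnic1 "Inside Network"  10
    add_fw_segment vSwitch2 vmnic2 "Outside Network" 20
    add_fw_segment vSwitch3 vmnic3 "DMZ Network"     30
}

# Read the output of `esxcli network vswitch standard portgroup policy
# security get` on stdin and succeed only when all three settings are
# Accept (true). The "Override Vswitch ..." lines are deliberately not
# counted. The line format is assumed from the esxcli text output.
policy_ok() {
    n=$(grep -cE '^ *Allow (Promiscuous|MAC Address Change|Forged Transmits): true' || true)
    [ "$n" -eq 3 ]
}

# Query the live policy of each firewall port group (needs the ESXi shell).
check_all() {
    rc=0
    for pg in "Inside Network" "Outside Network" "DMZ Network"; do
        if esxcli network vswitch standard portgroup policy security get --portgroup-name="$pg" | policy_ok; then
            echo "OK   $pg"
        else
            echo "FAIL $pg: promiscuous / MAC change / forged transmits are not all Accept"
            rc=1
        fi
    done
    return $rc
}

case "${1:-build}" in
    build) build_all ;;
    check) check_all ;;
esac
```

In dry-run mode the printed commands are unquoted, so a port group name containing a space must be quoted again if you paste a line by hand. If you prefer the vSwitch-wide setting of Figure 2-7, `esxcli network vswitch standard policy security set --vswitch-name=vSwitch1 --allow-promiscuous=true --allow-mac-change=true --allow-forged-transmits=true` applies it to every port group on that switch; do that only on switches dedicated to the firewall's data interfaces.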
