Virtual Network for Management Traffic – Cisco Deployment of Secure Firewall Virtual
Virtual Network for Management Traffic
A management center virtual appliance requires only one interface for management communication, whereas a threat defense virtual appliance requires at least four interfaces—one interface for management communication and three interfaces for traffic inspection. The virtual network interfaces are predefined in the ESXi and VI templates. However, before you attempt to deploy an OVF template, you need to configure a virtual network in your VMware ESXi server using virtual switches and virtual ports. Later, you associate them with the predefined virtual network interfaces. The virtual switches are actually mapped with the hardware network interface cards that are physically connected to your ESXi server.
Figure 2-6 shows the default virtual switch vSwitch0 that an ESXi host creates. A physical adapter, vmnic0, is connected to the two default virtual port groups, Management Network and VM Network. The Management Network is automatically mapped to the VMkernel port, which is the management interface of the ESXi host. The VM Network is created automatically for guest virtual machines; you can use it as the management network for your management center virtual appliance and your threat defense virtual appliance.
Figure 2-6 Mapping of Default Virtual Switch with ESXi Management Network
Virtual Network for Data Traffic
When you deploy Secure Firewall on a virtual platform, there are some special considerations for data interface configurations. For instance, when deploying a threat defense virtual appliance, you must enable promiscuous mode on all the connected virtual ports of a virtual switch. This allows the virtual switch to pass every frame that traverses the threat defense virtual appliance, not only frames addressed to the appliance's own interfaces.
Figure 2-7 shows how to enable promiscuous mode when adding a virtual switch for the inside network: select Accept for Promiscuous Mode and for the other security options in this configuration window.
Figure 2-7 Configuration Window to Add a Standard Virtual Switch
A threat defense virtual appliance can support up to 10 interfaces in total. Although the default template of a threat defense virtual appliance comes with 10 interfaces, you may not need all of them. To power on a threat defense virtual appliance during its first bootup, at least four interfaces need to be enabled.
Table 2-5 shows a typical mapping of the virtual ports with physical network adapters.
Table 2-5 Mapping of Virtual Ports with Physical Adapters
| Virtual Port | Physical Adapter | Purpose |
|---|---|---|
| VM Network | vmnic0 | For management traffic |
| Inside Network | vmnic1 | For internal network |
| Outside Network | vmnic2 | Toward the outside world |
| DMZ Network | vmnic3 | For server farm |
Figure 2-8 shows some port groups and their associations with individual virtual switches in VMware ESXi.
Figure 2-8 Mapping of Virtual Port Groups with Separate Virtual Switches
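The vSphere Client steps in Figures 2-7 and 2-8 can also be carried out from the ESXi shell. The script below is an added example, not from the book or from Cisco: it builds the three data-network virtual switches from Table 2-5 with `esxcli`, sets the security policy to Accept (true) for promiscuous mode, MAC address changes and forged transmits as Figure 2-7 shows, and includes a small check that reads back the policy. The virtual switch names vSwitch1 through vSwitch3 are assumptions (the table gives only port group names and vmnics); the VM Network on vSwitch0 already exists and is left untouched. The sample `policy security get` output used by the check is constructed to match the format `esxcli` prints and should be compared against your own host. Without `APPLY=1` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: ESXi standard vSwitch layout for the threat defense virtual
# data interfaces (Table 2-5). Not part of the book; vSwitch1..vSwitch3 and the
# sample esxcli output below are assumptions/constructed values.
# Usage on the ESXi shell:  APPLY=1 ./ftdv-vswitches.sh   (omit APPLY=1 for a dry run)

APPLY="${APPLY:-0}"

# run: execute the command when APPLY=1, otherwise print it for review.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s ' "$@"
        echo
    fi
}

# data_switch <vswitch> <vmnic> <portgroup>
# Creates a standard vSwitch, attaches the physical uplink, adds the port group
# and sets the three security options to Accept (true). Promiscuous mode is
# enabled only on these dedicated data switches, never on the management
# switch, because every VM on a promiscuous port group can see all of its frames.
data_switch() {
    vs=$1; nic=$2; pg=$3
    run esxcli network vswitch standard add --vswitch-name="$vs"
    run esxcli network vswitch standard uplink add --vswitch-name="$vs" --uplink-name="$nic"
    run esxcli network vswitch standard portgroup add --vswitch-name="$vs" --portgroup-name="$pg"
    run esxcli network vswitch standard policy security set --vswitch-name="$vs" \
        --allow-promiscuous=true --allow-mac-change=true --allow-forged-transmits=true
}

# check_promiscuous <policy-output>
# Returns 0 when the "Allow Promiscuous" line of
#   esxcli network vswitch standard policy security get --vswitch-name=<vs>
# reads true. Use it after APPLY=1 to confirm the data switches, and to confirm
# the management switch (vSwitch0) still reports false.
check_promiscuous() {
    printf '%s\n' "$1" | grep -qi 'Allow Promiscuous: *true'
}

# Constructed sample output (assumed esxcli format) for the two cases.
SAMPLE_INSIDE='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'
SAMPLE_MGMT='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# Table 2-5 layout: one dedicated vSwitch per data network, one vmnic each.
data_switch vSwitch1 vmnic1 "Inside Network"
data_switch vSwitch2 vmnic2 "Outside Network"
data_switch vSwitch3 vmnic3 "DMZ Network"
```

Keeping each data port group on its own vSwitch with its own uplink, as in Figure 2-8, means promiscuous mode exposes only the traffic that the firewall is meant to inspect; the VM Network used for management stays on vSwitch0 with promiscuous mode rejected.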