Isolating DMZ guests on ESXi

[idea]

Let's say I have a DMZ vSwitch with 3 hosts: WWW, FTP, and Mail. I want each of the three hosts to be isolated from one another even though they live on the same broadcast network and even the same subnet. How would I accomplish this in my ESXi home lab?

 

[D-EJ915]

You don't ?

 

[/usr/home]

Vlan them out to a router if you NIC supports vlans.

Give them each a nic and deal with it externally.

 

[TCM]

You need vCenter and the distributed switch which supports private VLANs.

 

[idea]

You need vCenter and the distributed switch which supports private VLANs.

That seems like the correct answer. Thanks very much. Unfortunately my request is too advanced for ESXi to deal with.

I'm thinking of creating one vSwitch per DMZ guest. This will result in many NICs on my virtual router but that's not the worst thing in the world. EDIT**** This would result in a different subnet for each host so it can't work

 

[NetJunkie]

You need vCenter and the distributed switch which supports private VLANs.

Yep. Private VLANs is what you want.

 

[NetJunkie]

You could also do this with vShield Zones or vShield App and just put firewalls between the VMs.

 

[/usr/home]

Use the os builtin firewall on each server?

 

[idea]

Use the os builtin firewall on each server?

That's actually a great idea

 

[NetJunkie]

Use the os builtin firewall on each server?

If this is a "real" DMZ that's not a great idea. Exploit that guest and you can then change the firewall rules which may or may not be used as leverage for the next one.

 

[/usr/home]

If this is a "real" DMZ that's not a great idea. Exploit that guest and you can then change the firewall rules which may or may not be used as leverage for the next one.

If you have matching blocking rules on each guest, there should be no issue, but yes, I agree with you. If this were production, it'd be a different story and different setup.