Physical connections to vSphere cluster for VM-200

markdean — Thu, 14 Apr 2016 04:21:22 GMT

Hey folks,

Can someone point me to a "best practice" design guide or white paper for making the physical connections to a vSphere cluster that will run a VM-200 virtual appliance? I'm only seeing configuration guides on deploying and setting up the VM on a vSphere host but nothing on how best to make the physical connections to the hosts-especially a VM farm cluster. We have a 50Mb Internet connection at a remote location that we are replacing a low end SOHO type firewall with a VM-200. We are setting it up in a 2 node vSphere cluster that will only house externally facing VMs (VMs also are available for internal users so). So one vmnic will connect to the ISP's connection, another will be the DMZ and the third will be the LAN side. The question is how best to physically connect everything so in the event one of the ESXi hosts goes down, vSphere HA can power the VM-200 up on the other host and all the connections be there.

My initial "design" is use three physical switches and to bring the ISP's connection to a switch and make two vSphere vmnic connections to that switch, place security on the ports so that only those ports can communicate with each other. Then make a second vmnic connection from both hosts to a DMZ switch which will have DMZ VMs on it (web servers and so on) and then finally a third switch which will be on the LAN side. Is this a good way to do it? Overkill?

Or I suppose by using VLANs and port ACLs, I could use a single switch but is that a "best practice"?

IIUC, traffic inbound would then flow from ISP >> WAN switch >> host1 or host2 >> PA-200 >> DMZ switch >> DMZ target and then for internal access to DMZ resources it will flow from LAN >> host1 or host2 >> PA-200 >> DMZ switch >> DMZ target. In all cases, traffic does not get to DMZ without going through the PA-200 and traffic leaving the DMZ returning to WAN or LAN also goes through the PA-200.

PA-200 will have the following vNICs:

vNIC1 = WAN

vNIC2 = DMZ

vNIC3 = LAN

vNIC4 = Management

Each vSphere host will have the following physical NICs:

vmnic0 = Host management network

vmnic1 = WAN

vmnic2 = DMZ

vmnic3 = Internal LAN

Each vSphere host will have the following vSwitches:

vSwitch0 = Management

vSwitch1 = WAN

vSwitch2 = DMZ

vSwitch3 = LAN

I'm new to Palo Alto and may not be understanding a lot so any pointers to documentation or diagrams on connectivity as described above would be helpful. I also realize that this is heavy on the vSphere side but I'd hate to make a bone headed mistake and expose our network to risk by not asking the question. I also hope I have complicated a simple deal!

Thanks in advance!

Re: Physical connections to vSphere cluster for VM-200

geewiss — Fri, 26 Nov 2021 21:52:13 GMT

I'm curious, did you ever get this sorted out. I have a similar requirement and can't seem to get it working.

topic Physical connections to vSphere cluster for VM-200 in General Topics

Physical connections to vSphere cluster for VM-200

Re: Physical connections to vSphere cluster for VM-200