Physical connections to vSphere cluster for VM-200

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Physical connections to vSphere cluster for VM-200

L0 Member

Hey folks,

 

Can someone point me to a "best practice" design guide or white paper for making the physical connections to a vSphere cluster that will run a VM-200 virtual appliance? I'm only seeing configuration guides on deploying and setting up the VM on a vSphere host but nothing on how best to  make the physical connections to the hosts-especially a VM farm cluster. We have a 50Mb Internet connection at a remote location that we are replacing a low end SOHO type firewall with a VM-200. We are setting it up in a 2 node vSphere cluster that will only house externally facing VMs (VMs also are available for internal users so). So one vmnic will connect to the ISP's connection, another will be the DMZ and the third will be the LAN side.  The question is how best to physically connect everything so in the event one of the ESXi hosts goes down, vSphere HA can power the VM-200 up on the other host and all the connections be there. 

 

My initial "design" is use three physical switches and to bring the ISP's connection to a switch and make two vSphere vmnic connections to that switch, place security on the ports so that only those ports can communicate with each other. Then make a second vmnic connection from both hosts to a DMZ switch which will have DMZ VMs on it (web servers and so on) and then finally a third switch which will be on the LAN side. Is this a good way to do it? Overkill?

 

Or I suppose by using VLANs and port ACLs, I could use a single switch but is that a "best practice"? 

 

IIUC, traffic inbound would then flow from ISP >> WAN switch >> host1 or host2 >> PA-200 >> DMZ switch >> DMZ target and then for internal access to DMZ resources it will flow from LAN >> host1 or host2 >> PA-200 >> DMZ switch >> DMZ target. In all cases, traffic does not get to DMZ without going through the PA-200 and traffic leaving the DMZ returning to WAN or LAN also goes through the PA-200.

 

PA-200 will have the following vNICs:

vNIC1 = WAN

vNIC2 = DMZ

vNIC3 = LAN 

vNIC4 = Management

 

Each vSphere host will have the following physical NICs:

vmnic0 = Host management network

vmnic1 = WAN

vmnic2 = DMZ

vmnic3 = Internal  LAN

 

Each vSphere host will have the following vSwitches:

vSwitch0 = Management

vSwitch1 = WAN

vSwitch2 = DMZ

vSwitch3 = LAN

 

I'm new to Palo Alto and may not be understanding a lot so any pointers to documentation or diagrams on connectivity as described above would be helpful. I also realize that this is heavy on the vSphere side but I'd hate to make a bone headed mistake and expose our network to risk by not asking the question. I also hope I have complicated a simple deal!

 

Thanks in advance!

1 REPLY 1

L2 Linker

I'm curious, did you ever get this sorted out.  I have a similar requirement and can't seem to get it working.

  • 1564 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!