Nexus 1000v and DMZ

stheriault99
Level 1

Hi,

We currently have Nexus 1000v and some ESX hosts deployed on our internal private network.

We currently have a single ESX host deployed in our DMZ.  Is it possible to manage the ESX Host in the DMZ with the Nexus implementation in our internal private network?

I can’t seem to find any good documentation on how this can be accomplished.  Can someone guide me in the right direction, or refer any good documentation on the subject?

Thanks

3 Replies

Joe LeBlanc
Cisco Employee

Hi,

I don't think you can achieve this config. 

The ESXi host can have a Host Mgmt VMkernel in the DMZ which would allow for Host to vCenter communication. This is how you would be accessing the host.

The ESXi host can have a Nexus 1000v L3 Control VMkernel in the Internal Private Network. This would allow the host to talk to VSM that resides on the internal network.

However, VSM requires a connection to vCenter to push port-profiles and other information. That information is then pushed from the vCenter to the host.

Because the VSM is in the private network, it can't talk to the vCenter in the DMZ network. Hence, it won't work without routing between DMZ network and Private network in place. 

Additionally, a host can only be managed by one vCenter. So you can't spin up a new vCenter in the private network and have it connected to both.

I drew up a quick diagram, maybe it helps.

HTH,

Joe

Joe,

Thanks for your reply. To elaborate on the setup I want to accomplish: presently I have vCenter and VSM in my private network. I have a single ESX host in my DMZ. I want to manage this single ESX host from my VSM/vCenter, which are in my private network. And I'm currently using L2 for my VSM to VEM communication.

So do you think I could manage my ESX host in my DMZ, with my current vCenter/VSM setup in my private network, without too much risk?

Hi,

If the host IP is on the DMZ network but the vCenter IP is on the private network, the two won't be able to communicate, given that the private network and DMZ network can't talk to each other.

HTH,

Joe
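To make Joe's reasoning checkable, here is an added example (not from the thread or from Cisco) that models the three dependencies he lists, host mgmt vmk to vCenter, VSM to vCenter, and VEM control to VSM, as flows between zones and reports which ones a DMZ boundary with no crossing would block; the OP's L2 control mode is modelled as a flow that needs the same broadcast domain. Endpoint names, the zone policy and the port numbers are assumptions of this example (the ports are the commonly documented ones; check your release's port list).

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Flow:
    src: str                  # logical endpoint name (assumed labels)
    dst: str
    proto_port: str
    purpose: str
    l2_adjacent: bool = False  # needs the same broadcast domain; no firewall rule helps

def required_flows(control_mode: str) -> List[Flow]:
    """Flows the vCenter / VSM / VEM design depends on (ports are an assumption here)."""
    flows = [
        Flow("vcenter", "esx_mgmt", "tcp/443", "vCenter manages the host via its mgmt vmk"),
        Flow("esx_mgmt", "vcenter", "udp/902", "host heartbeat to vCenter"),
        Flow("vsm", "vcenter", "tcp/443", "VSM pushes port-profiles through the vCenter API"),
    ]
    if control_mode == "l3":
        flows.append(Flow("vem_ctrl", "vsm", "udp/4785", "VEM to VSM L3 control"))
    else:
        flows.append(Flow("vem_ctrl", "vsm", "l2", "VEM to VSM L2 control", l2_adjacent=True))
    return flows

def blocked_flows(placement: Dict[str, str], allowed: Set[Tuple[str, str]],
                  control_mode: str = "l3") -> List[Flow]:
    """Return the required flows the zone policy would block. Same-zone traffic is
    always allowed; crossing zones needs an explicit (src_zone, dst_zone) entry."""
    out = []
    for f in required_flows(control_mode):
        s, d = placement[f.src], placement[f.dst]
        if s == d:
            continue
        if f.l2_adjacent or (s, d) not in allowed:
            out.append(f)
    return out

def openings_needed(placement, allowed, control_mode="l3") -> List[Tuple[str, str]]:
    """Zone pairs a firewall would have to open (L2-only flows cannot be fixed this way)."""
    return sorted({(placement[f.src], placement[f.dst])
                   for f in blocked_flows(placement, allowed, control_mode) if not f.l2_adjacent})

# Constructed scenario from the thread: vCenter and VSM private, the DMZ host's
# mgmt vmk in the DMZ, and (per Joe's reply) an L3 control vmk in the private network.
THREAD_PLACEMENT = {"vcenter": "private", "vsm": "private",
                    "esx_mgmt": "dmz", "vem_ctrl": "private"}
NO_CROSSING: Set[Tuple[str, str]] = set()   # nothing crosses the DMZ boundary

if __name__ == "__main__":
    for f in blocked_flows(THREAD_PLACEMENT, NO_CROSSING):
        print(f"BLOCKED {f.src}->{f.dst} {f.proto_port}: {f.purpose}")
    print("openings needed:", openings_needed(THREAD_PLACEMENT, NO_CROSSING))
```

With the thread's placement only the two host-to-vCenter flows are blocked, which is exactly the routing between DMZ and private that Joe says would be required; in L2 control mode a DMZ-side VEM stays blocked no matter which zone pairs are opened.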
