Hi all,
I'm in the process of migrating my bare metal systems (mostly Unix) to free ESXi.
Over the last weeks I've read lots of documentation regarding network setup and
there's one thing I'm still not 100% sure about...with respect to security and best
practice.
I need to enable Promiscuous mode for a few guests (application servers which use the
CARP protocol for service failover). According to the documents it should be the most
secure way if I use a separate portgroup (VLAN) for every machine that uses CARP.
So in the end...3 guests with CARP = 3 portgroups (VLANs) and promiscuous mode only
for these 3 portgroups (disabled for the global vSwitches).
Advantages:
- no overhead, as there is no additional traffic reaching this machine (alone in this
portgroup or VLAN)
- if the guest gets compromised you'll see no additional traffic, as you're alone
in this portgroup (VLAN).
I'm fairly new to ESXi, so:
- am I right with this assumption?
- can you trust ESXi to handle it correctly, or are there serious drawbacks so that running
Promiscuous mode is never an option and - regardless of what you do - increases the attack
surface?
Tia
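The layout described in the post (promiscuous mode rejected on the vSwitch, accepted only on one isolated VLAN-tagged portgroup per CARP guest), written out as an added example in the ESXi shell; this is not code from the original post or from VMware. The vSwitch name vSwitch0, the portgroup names CARP-app1..3 and the VLAN IDs 101..103 are placeholders, the `SAMPLE_*` policy dumps are constructed to mirror the layout of `esxcli ... policy security get` so the audit half runs off-box, and the Forged Transmits line is an assumption that the guests send from the CARP shared MAC (00:00:5e:00:01:<vhid>) rather than their vNIC address.

```shell
#!/bin/sh
# Added example, not code from the original post or from VMware. Placeholders:
# vSwitch0, portgroup names CARP-app1..3, VLAN IDs 101..103. SAMPLE_* below is
# constructed esxcli output so the audit functions can be exercised off-box.
ESXCLI="${ESXCLI:-esxcli}"
VSWITCH="${VSWITCH:-vSwitch0}"
CARP_PORTGROUPS="${CARP_PORTGROUPS:-CARP-app1 CARP-app2 CARP-app3}"

# 1. Lock the vSwitch: every portgroup inherits Reject unless it overrides.
lockdown_vswitch() {
  $ESXCLI network vswitch standard policy security set --vswitch-name="$VSWITCH" \
    --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false
}

# 2. One isolated portgroup per CARP guest: own VLAN tag, promiscuous accepted only
# here. Forged transmits are opened too on the assumption that the guest sends from
# the CARP shared MAC (00:00:5e:00:01:<vhid>) instead of its vNIC address.
add_carp_portgroup() {  # $1 = portgroup name, $2 = VLAN id
  $ESXCLI network vswitch standard portgroup add --vswitch-name="$VSWITCH" --portgroup-name="$1"
  $ESXCLI network vswitch standard portgroup set --portgroup-name="$1" --vlan-id="$2"
  $ESXCLI network vswitch standard portgroup policy security set --portgroup-name="$1" \
    --allow-promiscuous=true --allow-forged-transmits=true
}

# 3. Audit helpers: pull the "Allow Promiscuous" value out of a policy dump on stdin.
promisc_value() {
  awk -F': *' '$1 ~ /^ *Allow Promiscuous$/ { print tolower($2) }'
}

pg_promisc_allowed() {  # returns 0 if $1 is one of the CARP portgroups
  for p in $CARP_PORTGROUPS; do [ "$p" = "$1" ] && return 0; done
  return 1
}

# Switch-level check: promiscuous must be Reject (false) on the vSwitch itself.
audit_vswitch() {  # feed "esxcli network vswitch standard policy security get -v $VSWITCH"
  [ "$(promisc_value)" = "false" ]
}

# Portgroup check: Accept is a finding unless the portgroup is on the CARP list.
audit_portgroup() {  # $1 = name; feed "... portgroup policy security get -p $1" on stdin
  v=$(promisc_value)
  if [ "$v" = "true" ] && ! pg_promisc_allowed "$1"; then
    echo "FINDING: $1 accepts promiscuous mode but is not a CARP portgroup"
    return 1
  fi
  echo "ok: $1 promiscuous=${v:-unknown}"
}

# Constructed sample dumps (layout mirrors the real esxcli output) for an off-box run.
SAMPLE_VSWITCH='   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false'
SAMPLE_CARP_PG='   Allow Promiscuous: true
   Allow Promiscuous Override: true
   Allow MAC Address Change: false
   Allow MAC Address Change Override: false
   Allow Forged Transmits: true
   Allow Forged Transmits Override: true'
SAMPLE_PLAIN_PG='   Allow Promiscuous: true
   Allow Promiscuous Override: true
   Allow MAC Address Change: false
   Allow MAC Address Change Override: false
   Allow Forged Transmits: false
   Allow Forged Transmits Override: false'

# Stand-alone run: "ok" for the CARP portgroup, a FINDING for a plain VM portgroup
# that someone has quietly switched to Accept.
printf '%s\n' "$SAMPLE_CARP_PG"  | audit_portgroup CARP-app1
printf '%s\n' "$SAMPLE_PLAIN_PG" | audit_portgroup "VM Network" || true
```

To apply the configuration, source the file on the ESXi shell and call `lockdown_vswitch` followed by `add_carp_portgroup CARP-app1 101` (and so on for the other guests); run it with `ESXCLI=echo` first to see the exact command lines without changing anything. To audit a live host, pipe the real dumps through the same functions, e.g. `esxcli network vswitch standard portgroup policy security get -p "VM Network" | audit_portgroup "VM Network"`; the switch-level check matters because a portgroup that does not override simply inherits whatever the vSwitch says.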