Vista - Hyper-V Setup - Networking Question

06-16-2008

Hi,

I was wondering whether there are any best practice guidelines for the
initial setup of the current Hyper-V RC? My main question is regarding
network connectivity - can the Hyper-V parent partition be connected to the
internal network and be a domain member (for management and VM backup
purposes), even if the child partitions it hosts were connected to a
less-secure network such as a DMZ? I'm assuming this is not a recommended
configuration unless the VMs can be configured to have no access whatsoever
to the parent partition?

Thanks!

06-16-2008

Best practice is to have nothing at all running in the parent partition
of a server running Hyper-V. That is the recommended configuration.

"NJC1" <NJC1@xxxxxx> wrote in message
news:524230FC-A448-49CF-832E-2F3DDC476E6A@xxxxxx

Quote:

> Hi,
>
> I was wondering whether there are any best practice guidelines for the
> initial setup of the current Hyper-V RC? My main question is regarding
> network connectivity - can the Hyper-V parent partition be connected to
> the
> internal network and be a domain member (for management and VM backup
> purposes), even if the child partitions it hosts were connected to a
> less-secure network such as a DMZ? I'm assuming this is not a recommended
> configuration unless the VMs can be configured to have no access
> whatsoever
> to the parent partition?
>
> Thanks!

06-16-2008

Hi Bill,

Many thanks for the speedy response - I wasn't planning on running anything
apart from the Management Consoles for Hyper-V plus some agents for VM backup
and parent partition OS monitoring purposes (nothing too resource intensive).

"NJC1" wrote:

Quote:

> Hi,
>
> I was wondering whether there are any best practice guidelines for the
> initial setup of the current Hyper-V RC? My main question is regarding
> network connectivity - can the Hyper-V parent partition be connected to the
> internal network and be a domain member (for management and VM backup
> purposes), even if the child partitions it hosts were connected to a
> less-secure network such as a DMZ? I'm assuming this is not a recommended
> configuration unless the VMs can be configured to have no access whatsoever
> to the parent partition?
>
> Thanks!

06-17-2008

Questions about DMZ operations can get tricky. The real point is that a
vm can only access a physical network through a physical NIC on the host. If
you have a vm connected to a DMZ you must have a NIC in the host connected
to that DMZ somehow. If you also have another NIC in the host connected to
some other network there is always a possibility of a leak from one network
to the other, no matter how slight the risk may be.

"NJC1" <NJC1@xxxxxx> wrote in message
news:01910F92-5A1B-4CBA-AF39-70B8EF70D062@xxxxxx

Quote:

> Hi Bill,
>
> Many thanks for the speedy response - I wasn't planning on running
> anything
> apart from the Management Consoles for Hyper-V plus some agents for VM
> backup
> and parent partition OS monitoring purposes (nothing too resource
> intensive).
>
> "NJC1" wrote:
>

Quote:

>> Hi,
>>
>> I was wondering whether there are any best practice guidelines for the
>> initial setup of the current Hyper-V RC? My main question is regarding
>> network connectivity - can the Hyper-V parent partition be connected to
>> the
>> internal network and be a domain member (for management and VM backup
>> purposes), even if the child partitions it hosts were connected to a
>> less-secure network such as a DMZ? I'm assuming this is not a recommended
>> configuration unless the VMs can be configured to have no access
>> whatsoever
>> to the parent partition?
>>
>> Thanks!

06-18-2008

NJC1,

If you have _any_ device with two NICs with one connected to each zone (such
as a firewall), then there is also a possibility of a leak from one network
to the other, no matter how slight the risk may be.

So in your case, if TCP/IP is not actually bound to the host adaptor, then
your risk is fairly small.

--
Dave Harry

"Bill Grant" <not.available@xxxxxx> wrote in message
news:%23qLLInG0IHA.4848@xxxxxx

Quote:

> Questions about DMZ operations can get tricky. The real point is that a
> vm can only access a physical network through a physical NIC on the host.
> If you have a vm connected to a DMZ you must have a NIC in the host
> connected to that DMZ somehow. If you also have another NIC in the host
> connected to some other network there is always a possibility of a leak
> from one network to the other, no matter how slight the risk may be.
>
> "NJC1" <NJC1@xxxxxx> wrote in message
> news:01910F92-5A1B-4CBA-AF39-70B8EF70D062@xxxxxx

Quote:

>> Hi Bill,
>>
>> Many thanks for the speedy response - I wasn't planning on running
>> anything
>> apart from the Management Consoles for Hyper-V plus some agents for VM
>> backup
>> and parent partition OS monitoring purposes (nothing too resource
>> intensive).
>>
>> "NJC1" wrote:
>>

Quote:

>>> Hi,
>>>
>>> I was wondering whether there are any best practice guidelines for the
>>> initial setup of the current Hyper-V RC? My main question is regarding
>>> network connectivity - can the Hyper-V parent partition be connected to
>>> the
>>> internal network and be a domain member (for management and VM backup
>>> purposes), even if the child partitions it hosts were connected to a
>>> less-secure network such as a DMZ? I'm assuming this is not a
>>> recommended
>>> configuration unless the VMs can be configured to have no access
>>> whatsoever
>>> to the parent partition?
>>>
>>> Thanks!

>

06-18-2008

Yes, I agree. There is no real reason to know or care whether the
machines and networks are virtual or physical. If a network design is
basically sound, it really doesn't matter. A network is a network!

"Dave Harry" <DaveHarry@xxxxxx> wrote in
message news:OevGuCQ0IHA.3464@xxxxxx

Quote:

> NJC1,
>
> If you have _any_ device with two NICs with one connected to each zone
> (such as a firewall), then there is also a possibility of a leak from one
> network to the other, no matter how slight the risk may be.
>
> So in your case, if TCP/IP is not actually bound to the host adaptor, then
> your risk is fairly small.
>
> --
> Dave Harry
>
> "Bill Grant" <not.available@xxxxxx> wrote in message
> news:%23qLLInG0IHA.4848@xxxxxx

Quote:

>> Questions about DMZ operations can get tricky. The real point is that
>> a vm can only access a physical network through a physical NIC on the
>> host. If you have a vm connected to a DMZ you must have a NIC in the host
>> connected to that DMZ somehow. If you also have another NIC in the host
>> connected to some other network there is always a possibility of a leak
>> from one network to the other, no matter how slight the risk may be.
>>
>> "NJC1" <NJC1@xxxxxx> wrote in message
>> news:01910F92-5A1B-4CBA-AF39-70B8EF70D062@xxxxxx

Quote:

>>> Hi Bill,
>>>
>>> Many thanks for the speedy response - I wasn't planning on running
>>> anything
>>> apart from the Management Consoles for Hyper-V plus some agents for VM
>>> backup
>>> and parent partition OS monitoring purposes (nothing too resource
>>> intensive).
>>>
>>> "NJC1" wrote:
>>>
>>>> Hi,
>>>>
>>>> I was wondering whether there are any best practice guidelines for the
>>>> initial setup of the current Hyper-V RC? My main question is regarding
>>>> network connectivity - can the Hyper-V parent partition be connected to
>>>> the
>>>> internal network and be a domain member (for management and VM backup
>>>> purposes), even if the child partitions it hosts were connected to a
>>>> less-secure network such as a DMZ? I'm assuming this is not a
>>>> recommended
>>>> configuration unless the VMs can be configured to have no access
>>>> whatsoever
>>>> to the parent partition?
>>>>
>>>> Thanks!

>>

>

06-16-2008	#1 (permalink)
NJC1 n/a posts	Hyper-V Setup - Networking Question Hi, I was wondering whether there are any best practice guidelines for the initial setup of the current Hyper-V RC? My main question is regarding network connectivity - can the Hyper-V parent partition be connected to the internal network and be a domain member (for management and VM backup purposes), even if the child partitions it hosts were connected to a less-secure network such as a DMZ? I'm assuming this is not a recommended configuration unless the VMs can be configured to have no access whatsoever to the parent partition? Thanks!
My System Specs

06-16-2008	#2 (permalink)
Bill Grant n/a posts	Re: Hyper-V Setup - Networking Question Best practice is to have nothing at all running in the parent partition of a server running Hyper-V. That is the recommended configuration. "NJC1" <NJC1@xxxxxx> wrote in message news:524230FC-A448-49CF-832E-2F3DDC476E6A@xxxxxx Quote: > Hi, > > I was wondering whether there are any best practice guidelines for the > initial setup of the current Hyper-V RC? My main question is regarding > network connectivity - can the Hyper-V parent partition be connected to > the > internal network and be a domain member (for management and VM backup > purposes), even if the child partitions it hosts were connected to a > less-secure network such as a DMZ? I'm assuming this is not a recommended > configuration unless the VMs can be configured to have no access > whatsoever > to the parent partition? > > Thanks!
My System Specs

06-16-2008	#3 (permalink)
NJC1 n/a posts	RE: Hyper-V Setup - Networking Question Hi Bill, Many thanks for the speedy response - I wasn't planning on running anything apart from the Management Consoles for Hyper-V plus some agents for VM backup and parent partition OS monitoring purposes (nothing too resource intensive). "NJC1" wrote: Quote: > Hi, > > I was wondering whether there are any best practice guidelines for the > initial setup of the current Hyper-V RC? My main question is regarding > network connectivity - can the Hyper-V parent partition be connected to the > internal network and be a domain member (for management and VM backup > purposes), even if the child partitions it hosts were connected to a > less-secure network such as a DMZ? I'm assuming this is not a recommended > configuration unless the VMs can be configured to have no access whatsoever > to the parent partition? > > Thanks!
My System Specs

06-17-2008	#4 (permalink)
Bill Grant n/a posts	Re: Hyper-V Setup - Networking Question Questions about DMZ operations can get tricky. The real point is that a vm can only access a physical network through a physical NIC on the host. If you have a vm connected to a DMZ you must have a NIC in the host connected to that DMZ somehow. If you also have another NIC in the host connected to some other network there is always a possibility of a leak from one network to the other, no matter how slight the risk may be. "NJC1" <NJC1@xxxxxx> wrote in message news:01910F92-5A1B-4CBA-AF39-70B8EF70D062@xxxxxx Quote: > Hi Bill, > > Many thanks for the speedy response - I wasn't planning on running > anything > apart from the Management Consoles for Hyper-V plus some agents for VM > backup > and parent partition OS monitoring purposes (nothing too resource > intensive). > > "NJC1" wrote: > Quote: >> Hi, >> >> I was wondering whether there are any best practice guidelines for the >> initial setup of the current Hyper-V RC? My main question is regarding >> network connectivity - can the Hyper-V parent partition be connected to >> the >> internal network and be a domain member (for management and VM backup >> purposes), even if the child partitions it hosts were connected to a >> less-secure network such as a DMZ? I'm assuming this is not a recommended >> configuration unless the VMs can be configured to have no access >> whatsoever >> to the parent partition? >> >> Thanks!
My System Specs

06-18-2008	#5 (permalink)
Dave Harry n/a posts	Re: Hyper-V Setup - Networking Question NJC1, If you have _any_ device with two NICs with one connected to each zone (such as a firewall), then there is also a possibility of a leak from one network to the other, no matter how slight the risk may be. So in your case, if TCP/IP is not actually bound to the host adaptor, then your risk is fairly small. -- Dave Harry "Bill Grant" <not.available@xxxxxx> wrote in message news:%23qLLInG0IHA.4848@xxxxxx Quote: > Questions about DMZ operations can get tricky. The real point is that a > vm can only access a physical network through a physical NIC on the host. > If you have a vm connected to a DMZ you must have a NIC in the host > connected to that DMZ somehow. If you also have another NIC in the host > connected to some other network there is always a possibility of a leak > from one network to the other, no matter how slight the risk may be. > > "NJC1" <NJC1@xxxxxx> wrote in message > news:01910F92-5A1B-4CBA-AF39-70B8EF70D062@xxxxxx Quote: >> Hi Bill, >> >> Many thanks for the speedy response - I wasn't planning on running >> anything >> apart from the Management Consoles for Hyper-V plus some agents for VM >> backup >> and parent partition OS monitoring purposes (nothing too resource >> intensive). >> >> "NJC1" wrote: >> Quote: >>> Hi, >>> >>> I was wondering whether there are any best practice guidelines for the >>> initial setup of the current Hyper-V RC? My main question is regarding >>> network connectivity - can the Hyper-V parent partition be connected to >>> the >>> internal network and be a domain member (for management and VM backup >>> purposes), even if the child partitions it hosts were connected to a >>> less-secure network such as a DMZ? I'm assuming this is not a >>> recommended >>> configuration unless the VMs can be configured to have no access >>> whatsoever >>> to the parent partition? >>> >>> Thanks! >
My System Specs

06-18-2008	#6 (permalink)
Bill Grant n/a posts	Re: Hyper-V Setup - Networking Question Yes, I agree. There is no real reason to know or care whether the machines and networks are virtual or physical. If a network design is basically sound, it really doesn't matter. A network is a network! "Dave Harry" <DaveHarry@xxxxxx> wrote in message news:OevGuCQ0IHA.3464@xxxxxx Quote: > NJC1, > > If you have _any_ device with two NICs with one connected to each zone > (such as a firewall), then there is also a possibility of a leak from one > network to the other, no matter how slight the risk may be. > > So in your case, if TCP/IP is not actually bound to the host adaptor, then > your risk is fairly small. > > -- > Dave Harry > > "Bill Grant" <not.available@xxxxxx> wrote in message > news:%23qLLInG0IHA.4848@xxxxxx Quote: >> Questions about DMZ operations can get tricky. The real point is that >> a vm can only access a physical network through a physical NIC on the >> host. If you have a vm connected to a DMZ you must have a NIC in the host >> connected to that DMZ somehow. If you also have another NIC in the host >> connected to some other network there is always a possibility of a leak >> from one network to the other, no matter how slight the risk may be. >> >> "NJC1" <NJC1@xxxxxx> wrote in message >> news:01910F92-5A1B-4CBA-AF39-70B8EF70D062@xxxxxx Quote: >>> Hi Bill, >>> >>> Many thanks for the speedy response - I wasn't planning on running >>> anything >>> apart from the Management Consoles for Hyper-V plus some agents for VM >>> backup >>> and parent partition OS monitoring purposes (nothing too resource >>> intensive). >>> >>> "NJC1" wrote: >>> >>>> Hi, >>>> >>>> I was wondering whether there are any best practice guidelines for the >>>> initial setup of the current Hyper-V RC? My main question is regarding >>>> network connectivity - can the Hyper-V parent partition be connected to >>>> the >>>> internal network and be a domain member (for management and VM backup >>>> purposes), even if the child partitions it hosts were connected to a >>>> less-secure network such as a DMZ? I'm assuming this is not a >>>> recommended >>>> configuration unless the VMs can be configured to have no access >>>> whatsoever >>>> to the parent partition? >>>> >>>> Thanks! >> >
My System Specs

Similar Threads
Thread	Forum
Hyper-V question	Virtual Server
Hyper-V networking	Virtual Server
Hyper-v and wireless networking	Virtual Server
Re: hyper-v networking	Virtual Server
Hyper-V question	Virtual Server