New VMware VI network port diagram request for comments

December 12th, 2008 by jason

Quick update I’ve been meaning to post for a few weeks now – sorry for the delay.  I received a new network diagram that reader Shlomo Rivkin has been working on and he would like some community input on it.  Here’s the new version being submitted for discussion:

[Image: new VMware VI network port diagram by Shlomo Rivkin]

The high res version of the above diagram is here.

Feel free to compare and contrast it to the version below which is posted on my blog as well as the VMware VMTN communities:

[Image: existing VMware network ports diagram (vmware_network_ports)]

The high res version of the above diagram is here.

Sorry for the shortness of this post – heading to a parade with my family.

Update 6/28/13: VMware has added VMware KB 2054806 Network port diagram for vSphere 5.x which provides an updated port diagram and detailed port information pertaining to vSphere 5.x.


23 comments

  1. Angela says:

    What do the different colored arrows mean?

    That looks pretty nice.

  2. This is beautiful. Can we include this in the CIS VI Benchmark soon to be released?

    http://groups.google.com/group/vmsec

    Let me know… thanks!

    I b e n

  3. matt says:

    This is very nice! Any chance to get a higher res diagram or the original Visio file?

  4. jason says:

    I want to clarify the new diagram is the work of Shlomo Rivkin, not me. Shlomo sent me only the .PDF version of the diagram and at the time, he had asked that the accuracy be checked before this document was made gospel because he had some doubts. Any changes that need to be made to the original will need to be made by Shlomo. I’ve pointed Shlomo to this post so hopefully he can jump in here and we can continue the discussion. For the record, I’m not opposed to the version I have posted on the blog and VMTN. Shlomo’s contains information on additional components such as Syslog, AD, etc. which is nice. It’s a step in the direction I’d like to go. Eventually I want to see all the VDC-OS components on a single sheet including SRM, Lab Manager, Lifecycle Manager, Stage Manager, Converter, etc. The usefulness of this document is knowing what ports in the firewall need to be open as well as how all of the VDC-OS components communicate with each other.

    @Angela, I believe the lines are multicolor to differentiate and follow them better since there are several lines going many directions.

  5. Cody Bunch says:

    NICE.

    In RE all the ports, a bit of elbow grease and it could be done.

    -Cody

  6. Vasilli says:

    Hi All!

    @Angela,
    Different colored arrows mean the kind of traffic:
    green – between ESX servers,
    red – incoming,
    blue – outgoing,
    black – non-ESX traffic.

    @Iben Rodriguez,
    Feel free to share this document, but this is an initial draft only. Now, I’m working on the final release that will include all the VDC-OS components (SRM, Stage Manager, etc), some management agents (HP Insight Manager, CA Access Control, etc), ports needed for COS management (SSH, FastSCP) and a legend (especially for Angela :-] ).

    @matt,
    Drop me an e-mail (shlomo.rivkin at google mail) for the Visio file.

    The original PDF file can be downloaded from here:
    http://shlomo.rivkin.googlepages.com/VMwareNetwork.pdf

    Shlomo Rivkin

  7. matt says:

    You guys rock! I’ll drop you a line. And the linked PDF looks great as well. Thank you!

  8. Roger Lund says:

    Looks nice, but I would love to see it with a full network diagram with full Network Production / iSCSI / NFS / FC network configuration.

    Roger L

    http://rogerlunditblog.blogspot.com/

  9. Joaquin Avellan says:

    I believe a VI Client/Web connecting through vCenter only needs tcp 903 to the ESX 3.5 server for console, if a VI Client connects directly to an ESX 3.5 server it would need tcp 443+903. Can anyone show me which documentation tcp 902 to the ESX 3.5 servers for Remote Console access is being pulled from? Thanks!
    -Joaquin

  10. Adil Laari says:

    This is a great post. Very, very useful, and helps quite a lot in troubleshooting.

    Thanks Shlomo

  11. Brandon says:

    This is awesome!
    Since the service console and vmkernel port groups have different requirements, how about separating them on the ESX server then moving the lines to the appropriate port groups. It would also be nice to see ssh, dns, and snmp on the diagram.

  12. Joaquin Avellan says:

    I take my comment back, after a quick wireshark in my environments I’ve confirmed you do need tcp 902,903 to the ESX server regardless if you’re using the vCenter. However you can place an additional setting on the ESX host to proxy the Remote Console data session to 902 instead of using 903.
    http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=749640&sliceId=2&docTypeID=DT_KB_1_1&dialogID=18254837&stateId=0%200%2018256101

  13. Chris Chapman says:

    Point of order – I don’t think VC uses port 443 to talk to esx.

  14. Ravinder says:

    This diagram is very good but it looks pretty old as compared to VMware vSphere 5.0.

    Can you print the VMware vSphere 5.0/4.1 diagram?

    thanks
