VMware Cloud Community
CSIEnvironments
Enthusiast

vApp Fencing VLANID issues...

I have 2 hosts.

Each host has 4 nics.

Nic0 and Nic1 are trunked to our management network, Nic2 and Nic3 are trunked to our only VLAN, VLAN400.

Now I've created a Distributed Virtual Switch and added Nic2 and Nic3 from both hosts (for redundancy).

Then I created a portgroup on the dVS called dvPortGroup400 and set the tagging type to VLAN and gave it a value of 400. (This is used as my external network in vCD.)

http://i40.tinypic.com/30vf0p0.png

Now in vCloud Director I can create the external network and it's all good.

http://i39.tinypic.com/3a1hi.png

But now when I create the Network-Isolation Backed Netpool and I tag that with a VLAN ID of 400 I get an error stating that the ID 400 is already in use on the same dVS.

http://i39.tinypic.com/5lcgmt.png

Now my question is why does it matter that VLAN400 is already in use? The only thing using the ID 400 is the External Network in vCD and that's a different port group! Correct me if I'm wrong, but all the VLAN ID in the Netpool does is tag the dvPortGroup it creates when powering on the vApp? (e.g.: dvs.VCDVSvApp_Network-b83c0f23-a4d3-4d8a-9582-14fb4a840ca0)

It works if I don't give the NetPool an ID, until I vMotion VMs to a host other than the one the VSE device is on. If I do this I lose connectivity.

Thanks!

7 Replies
_morpheus_
Expert

VCD doesn't let you have two things using the same VLAN (two external nets, two network pools, or a network pool and an external net).

I don't advise it, but if you want to override the restriction, there's a setting in the database, config.IsSecure, which you can set to 0 and then restart VCD.

* This is not a good idea *

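The rule _morpheus_ describes (one VLAN ID may be claimed by only one vCD object per dVS) and the VCDNI failure condition discussed further down the thread (same MAC, same host, same VLAN tag) can both be checked before a deployment is attempted. This is an added example, not vCD's own code or database schema; the object names, dVS names and MACs in the sample data are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VlanUser:
    """A vCD object (external network or network pool) backed by a dVS VLAN."""
    name: str
    kind: str   # "external_network" or "network_pool"
    dvs: str
    vlan: int


def find_vlan_conflicts(users):
    """Return (dvs, vlan, [names]) for each VLAN claimed more than once on one dVS.

    vCD rejects these regardless of object kind; the same VLAN on a different
    dVS is not a conflict, which is why each claim is keyed on (dvs, vlan).
    """
    claims = defaultdict(list)
    for u in users:
        claims[(u.dvs, u.vlan)].append(u.name)
    return [(dvs, vlan, sorted(names))
            for (dvs, vlan), names in sorted(claims.items()) if len(names) > 1]


@dataclass(frozen=True)
class VmNic:
    """A powered-on VM NIC as seen on an ESX host."""
    vm: str
    host: str
    mac: str
    portgroup: str
    vlan: int


def find_vcdni_hazards(nics):
    """Return groups of VM names whose NICs share host, MAC and VLAN tag.

    Separate port groups do not help: VCDNI keys on the tagged frame's MAC,
    so two clones with identical MACs on one host collide once fenced.
    """
    groups = defaultdict(list)
    for n in nics:
        groups[(n.host, n.mac.lower(), n.vlan)].append(n.vm)
    return [sorted(g) for g in groups.values() if len(g) > 1]


# Constructed sample modelled on the thread: external network and NI pool on VLAN 400 of one dVS.
EXAMPLE_USERS = [
    VlanUser("dvPortGroup400-ext", "external_network", "dvSwitch-A", 400),
    VlanUser("NI-NetPool", "network_pool", "dvSwitch-A", 400),
    VlanUser("NI-NetPool-other-dvs", "network_pool", "dvSwitch-B", 400),  # allowed: different dVS
]
EXAMPLE_NICS = [  # constructed: a vApp and its clone, same MAC, same host, own port groups
    VmNic("app-vm", "esx01", "00:50:56:01:00:01", "VCDVSvApp_Network-1", 400),
    VmNic("app-vm-clone", "esx01", "00:50:56:01:00:01", "VCDVSvApp_Network-2", 400),
    VmNic("app-vm-clone2", "esx02", "00:50:56:01:00:01", "VCDVSvApp_Network-3", 400),  # other host
]
```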
CSIEnvironments
Enthusiast

Thanks _morpheus_.

Any particular reason why VMware deems this to be insecure? How else would you recommend I do the setup with only 1 VLAN?

_morpheus_
Expert

The database row name is misleading. It's not really insecure. This is the only way to do an environment with 1 VLAN. If you try to clone a vApp and deploy the original and the clone (fenced) at the same time, and the VMs all happen to be on the same host, then in a single-VLAN environment with issecure=0 it won't work.

CSIEnvironments
Enthusiast

Can you help me to understand what breaks? Won't it deploy at all, and does it throw an error? Is it the edge device that errors? Each time you deploy a vCIApp it creates a port group for that configuration and a new VSE machine, so I don't know where the cloning breaks it?

Thanks!

_morpheus_
Expert

The VCDNI module on ESX will not function correctly when two identical VMs (same MAC) are on the same host and on port groups with the same VLAN tag.

CSIEnvironments
Enthusiast

Thanks. I'm trying to reproduce the issue posted above. I created a vCIApp with 1 VM, cloned it and powered both on at the same time.

The VMs are both on the same host, have the same MAC address, and are on the same dVS, but they are each on their own port group.

http://i39.tinypic.com/2mo3zb6.png

This is how I'm doing my fencing/NATting:

http://i42.tinypic.com/213f5ud.png

Unless the situation you're explaining is if you use that checkbox "Fence vApp".

Thanks!

CSIEnvironments
Enthusiast

Any update _morpheus_?

Thanks!
