VMware Cloud Community
AngryRobot
Contributor

Block vMotion between datacenters in the same vCenter

I have configured a VMware vSphere 6.5 environment which consists of 2 x sites - production and DR. Each site contains 2 x datacenters which each contain a cluster. One of the clusters is for production data and the other cluster is for a DMZ environment. If I choose the migrate option, it will only permit me to move a VM to another ESX host in the same cluster. If however I choose the 'Move To' option, it will allow me to move the VM to another cluster including the clusters at the DR site.

How do I restrict or block this so I can only move a VM to another ESXi host in the same cluster?

4 Replies
daphnissov
Immortal

You can configure the networking of your vMotion vmkernel interfaces so they can't connect to the other site, effectively blocking those types of migrations.

AngryRobot
Contributor

Hi daphnissov,

Thanks for the reply. Can you advise where I would actually apply these settings?

I am using DV switches on all clusters and have had a look at the settings on the vMotion vmkernel interfaces. Under 'Traffic filtering and marking' I have the option to 'drop' the traffic with the type of direction. However, if I choose 'system traffic qualifies', it allows me to select the type of traffic, but does not allow me to define the source and destination IP address range.

The 'new IP qualifier' option allows me to apply filtering to protocol, source and destination port, and source and destination IP address. Is this the section where I would need to apply the rules? At the moment the production and DMZ clusters are using the same subnet for vMotion. Would these need to be separated into different subnets so that the rule can be applied to the entire subnets?

Finikiez
Champion

As daphnissov wrote, it's much easier to make two independent, unroutable vMotion networks.

For example, you have Cluster 1. Each host will have a vmkernel interface for vMotion, for example vmk1. It will have an IP from subnet 192.168.0.0/24 without a gateway.

Cluster 2 will have hosts with vmk1 interfaces and IPs from subnet 192.168.1.0/24 without a gateway.

In this configuration the ESXi hosts in the two clusters won't have network connectivity to each other via the vMotion network.

daphnissov
Immortal

What I'm referring to is the TCP/IP stack and dedicating one to vMotion.

[attached screenshot: pastedImage_0.png]

When you do so, you can configure a separate default gateway and routing table for the vmkernel port that's bound there. I have 0 in my example above, but I could have easily put my vMotion on the vMotion stack. You cannot move a vmkernel interface to a different TCP/IP stack, so you must recreate it if it already exists. By setting a default gateway of 0.0.0.0, you effectively block vMotion traffic from leaving the L2 while permitting vMotions to occur to your DMZ cluster.

Another option, if you're using vSphere 6.5, is to just override the gateway directly using a new feature.

[attached screenshot: pastedImage_1.png]

Check the box and put in a similar default gateway. Either will have the same effect.
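Both answers above (separate unroutable vMotion subnets per cluster, and a vMotion vmkernel on the dedicated TCP/IP stack with no gateway) can be verified from the host side. The script below is an added audit example, not code from this thread or from VMware; the inventory records are constructed sample data, assumed to have been gathered per host from `esxcli network ip interface ipv4 get` and `esxcli network ip route ipv4 list -N vmotion`, and the host/cluster names are hypothetical.

```python
"""Audit vMotion vmkernel isolation across clusters (added example)."""
import ipaddress
from collections import defaultdict

# Constructed inventory: one vMotion vmkernel per host. PROD and DMZ mirror the
# 192.168.0.0/24 vs 192.168.1.0/24, no-gateway layout from the thread; the DR host
# is deliberately misconfigured (shared subnet, default stack, routed gateway).
VMK_INVENTORY = [
    {"host": "esx-prod-01", "cluster": "PROD", "vmk": "vmk1", "ip": "192.168.0.11/24", "netstack": "vmotion", "gateway": None},
    {"host": "esx-prod-02", "cluster": "PROD", "vmk": "vmk1", "ip": "192.168.0.12/24", "netstack": "vmotion", "gateway": None},
    {"host": "esx-dmz-01", "cluster": "DMZ", "vmk": "vmk1", "ip": "192.168.1.11/24", "netstack": "vmotion", "gateway": None},
    {"host": "esx-dmz-02", "cluster": "DMZ", "vmk": "vmk1", "ip": "192.168.1.12/24", "netstack": "vmotion", "gateway": None},
    {"host": "esx-dr-01", "cluster": "DR-PROD", "vmk": "vmk1", "ip": "192.168.0.21/24", "netstack": "defaultTcpipStack", "gateway": "192.168.0.1"},
]


def audit_vmotion_isolation(inventory):
    """Return (subject, issue) tuples for every way a vMotion interface could
    reach another cluster: shared default stack, routed gateway, or a vMotion
    subnet that overlaps with another cluster's."""
    findings = []
    subnets_by_cluster = defaultdict(set)
    for rec in inventory:
        net = ipaddress.ip_interface(rec["ip"]).network
        subnets_by_cluster[rec["cluster"]].add(net)
        if rec["netstack"] != "vmotion":
            findings.append((rec["host"], f"{rec['vmk']} is on {rec['netstack']}, not the dedicated vmotion stack"))
        if rec["gateway"] not in (None, "0.0.0.0"):
            findings.append((rec["host"], f"{rec['vmk']} has gateway {rec['gateway']}; vMotion traffic can leave the L2"))
    # Any two clusters whose vMotion subnets overlap are mutually reachable at L2.
    clusters = sorted(subnets_by_cluster)
    for i, a in enumerate(clusters):
        for b in clusters[i + 1:]:
            for net_a in subnets_by_cluster[a]:
                for net_b in subnets_by_cluster[b]:
                    if net_a.overlaps(net_b):
                        findings.append((f"{a}/{b}", f"vMotion subnets {net_a} and {net_b} overlap; hosts are L2-reachable"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit_vmotion_isolation(VMK_INVENTORY):
        print(f"{subject}: {issue}")
```

An empty result means every cluster's vMotion network is on the dedicated stack, has no gateway, and shares no subnet with any other cluster.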