VMware Cloud Community
David_Adams
Contributor

P2V Impossible given my network setup?

I'm pretty sure I know the answer to this question, but I must exhaust all resources before petitioning the Telecom Gods for a waiver, so here goes!

Basic VI3 installation:

1) ESXi hosts reside on private network (for management and vmotion)

2) VC Server has 2 NICs - one attached to public network, one attached to same private network as ESXi hosts

3) VI Client resides on VC Server

So to manage my VI, I start a remote desktop connection to the VC server, and then run the client on the VC Server. Nice and secure, and everyone is happy.

Now I'm asked to start prepping for 250+ P2V conversions. All the candidates for P2V are on public network, with no connection possible to private network.

I've tried cold clone from boot CD, converter plugin within VI Client, stand alone enterprise converter, you name it. The problem is that the P2V candidate can't talk directly to the target ESXi Host, or more importantly, the target ESXi host's storage... This is made more confusing by the fact that during the setup of the P2V process, you're able to specify a connection to the VC Server.... which would make one think that you can funnel data through the VC server.... But after 3 days of testing and beating my head, I've come to the conclusion that the connection to the VC server only serves to provide you a list of available hosts, should you not know what hosts you have on your network.

I'm a little surprised to find that this setup (hosts on private network for management) is rather rare. I'm happily accepting all suggestions!

Thanks,

0 Kudos
2 Replies
acsulli
Contributor

The server that is the p2v target has to be able to contact the ESX host it is destined for. We worked around this by assigning one of our ESX servers as a provisioning server. The provisioning server is where we deploy VMs from templates as well. The only time an SA can access the console MKS for the VM is when it's on the provisioning server, so when they are setting up the network and things of that nature, they have to have access.

I'm not sure how isolated you have the traffic of your servers, but ours have a minimum of four networks connected: management (COS), Storage (iSCSI/NFS), VMotion, and "public" which consists of all the production VLANs. This keeps all of the different traffic types separate, and also adds security to the unencrypted NFS, iSCSI and VMotion traffic.

The provisioning server is connected to the private management and storage networks (it is connected to a single "provisioning" datastore, and does not access the production stores at all), however since it is standalone we don't connect it to the VMotion network. The provisioning server is also connected to a public network. This allows the target physical server to contact an ESX host and be p2v'd. After a server is p2v'd it gets cleaned up and we make sure everything is working, then we move it to the production environment. This is done one of two ways: manually copy the VM's files from the provisioning datastore to a production datastore, or attach the provisioning datastore to a production machine (temporarily) and SVMotion the files.

0 Kudos
IamTHEvilONE
Immortal

David,

Welcome to the VMware Community Forums.

P2V Impossible given my network setup?

Given your setup, every P2V will fail. This is because you will need to have at least 2 ports open between public and private networks (443 & 902).

Despite running converter from the VCenter, it doesn't act as a tunnel point for data to go through. It's more like a traffic cop telling people where to go, but the traffic needs to find its own way.

You can use the aforementioned solution, or this is also an option. Convert a system to a stand-alone virtual machine on the VC system temporarily, then use converter again to send it directly into your ESX environment.

There are a number of people that have attempted what you are doing for a setup; it's not that it's "uncommon". It's very common after all your conversions are done.

I have seen people run firewall rules to block any <-> any, and then add a superseding rule to allow access to the private LAN 1 IP at a time. Or specifically allow 443 & 902 between networks.

Hope this helps,

EvilOne

1 - Check the documents

2 - Search the forums

3 - Post Question

And remember to award points to those who assist you.

0 Kudos
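
An added example, not part of any post in this thread: a pre-flight check, run from a P2V candidate, that confirms the two ports named above (443 and 902) are reachable on the target ESX host and, optionally, that ports the firewall exception is not meant to cover stay blocked. The host name and the `must_be_closed` list are assumptions chosen for illustration.

```python
import socket

REQUIRED_PORTS = (443, 902)  # the two ports the thread says P2V needs


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, or name not resolved
        return False


def check_p2v_path(host, required=REQUIRED_PORTS, must_be_closed=(), timeout=2.0):
    """Probe one ESX host from the machine that is going to be converted.

    required       -- ports that must accept connections for the conversion.
    must_be_closed -- ports the firewall rule is expected to keep blocked
                      (an operator-chosen list, assumed here), so a rule that
                      is wider than "443 & 902 only" shows up as a leak.
    """
    missing = [p for p in required if not tcp_open(host, p, timeout)]
    leaking = [p for p in must_be_closed if tcp_open(host, p, timeout)]
    return {
        "host": host,
        "ready": not missing,    # every required port answered
        "missing": missing,
        "tight": not leaking,    # nothing outside the exception answered
        "leaking": leaking,
    }


def format_result(result):
    """One line per host, suitable for collecting from many candidates."""
    state = "READY" if result["ready"] else "BLOCKED"
    scope = "tight" if result["tight"] else "too-wide"
    return "{host}: {state} missing={missing} rule={scope} leaking={leaking}".format(
        state=state, scope=scope, **result)


if __name__ == "__main__":
    # Hypothetical host name; replace with the ESX host the conversion targets.
    print(format_result(check_p2v_path("esx01.example.internal",
                                       must_be_closed=(22, 80))))
```

Run it on a candidate before starting a conversion; a `BLOCKED` line names the port the firewall still drops, and `too-wide` means the exception admits more than the two ports.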