Contributor
Contributor

ESXi 4.1 network setup questions

Hi there,

I'm new to virtualisation and ESXi.

We have an Dell PowerEdge R610 with ESXi 4.1 Embedded Update 1 on it.

The machine has 4 NIC's and I have no access to other machines to place in front of this setup nor do I have access to a dedicated Firewall appliance.

Within ESXi we want to run about 4 VM's:

1) Firewall

2) PDC

3) Sharepoint server

4) Exchange server

The PowerEdge server with ESXi running on it will reside in a datacenter and directly connected to the Internet.

My questions are

1) ESXi uses port 443 to allow management through the vSphere Client. But inside the virtual machines there is a server (Exchange in this case) that uses port 443 as well (ActiveSync, OWA, etc). Doesn't this conflict with each other?

2) On the first virtual machine we want to have a firewall that all the other servers use as a 'gateway' so that this is a layer to 'talk through'. Is this possible? And is it possible for the firewall VM to manage access to ESXi as well?

Somehow thinking about this setup generates conflicts in my head 🙂 Especialy the port 443 part, I can't see how this is going to work, managing ESXi through port 443 with vSphere Client and simultaniously allowing the Exchange server to use port 443 as well.

If somebody could enlighten me and show me how to make this happen than that would be really nice and appreciated.

Cheers,
Steven

0 Kudos
11 Replies
Immortal
Immortal

Welcome to the Community -

1) No problems - port 443 is a standard port used by many applications in addition to Exchange and VMware - it is used for HTTPS - and to keep in mind VM traffic is independent of the management traffic

2)  Most definitely you can use a VM to host the firewall and have it protect the other VMs on the ESXi host - You will want to create a an 'Internal Only' virtual switch that all the VMs will connect to and communicate to - the Firewall VM will be configured with 2 virtual NICs - one connected to the internal only switch and one to a virtual switch that is configured with physical NICs -

Hope this helps -

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
Contributor
Contributor

1) ESXi uses port 443 to allow management through the vSphere Client.  But inside the virtual machines there is a server (Exchange in this  case) that uses port 443 as well (ActiveSync, OWA, etc). Doesn't this  conflict with each other?

No you place management on a different vlan on a different ip (this will be your internal management for initial setup and incase your firewall breaks)

2)  On the first virtual machine we want to have a firewall that all the  other servers use as a 'gateway' so that this is a layer to 'talk  through'. Is this possible? And is it possible for the firewall VM to  manage access to ESXi as well?

Yes create another vmkernel interface in another vlan for management as well. Use Vyatta as your virtual firewall Smiley Happy

Somehow  thinking about this setup generates conflicts in my head 🙂 Especialy  the port 443 part, I can't see how this is going to work, managing ESXi  through port 443 with vSphere Client and simultaniously allowing the  Exchange server to use port 443 as well.

Contributor
Contributor

Hi weinstein5,

Thanks for the welcome!

1) I didn't know that ESXi management traffic is seperated from the normal tcp traffic.

2) I see, so I should create 2 switches in ESXi, one for the WAN and one for the LAN, correct?

So assuming that the ESXi layer is the first one receiving a TCP packet, how is the flow from there on. I can immagine that ESXi analyses the packet and if not for management purposes it gives the packet to the default VM switch (having defined none so far in ESXi)? What if I define 5 virtual switches, each with it's own network (I'm guessing that's what they represent), how does ESXi know wwhich virtual switch should receive the packet?

And I read somewhere that in a virtual switch you can define port groups. Would that allow to define the same port on different switches?

Can I check my setup with you, just to make sure I understood you correctly?

1) Hosting Company Switch (this will be the device giving us the static IP address and direct Internet access)

2) ESXi is connected to Host Switch so NIC #1 on the Dell gets that IP address

3) ESXi is capable of determening if a TCP packet on port 443 is for itself or pushes it further up in the hierachy

4) vSwitch #1 that has access to the physical NIC's

4) Firewall with 2 NIC's, one pointing towards vSwitch #1 and another pointing towards vSwitch #2

5) vSwitch #2

6) All other virtual machines will use virtual switch #2 and therefore will use the Firewall (incoming and outgoing)

Is this setup correct?

Cheers,

Steven

0 Kudos
Contributor
Contributor

Hi Roggy,

Thanks for the reply.

This vlan you mention, is that a virtual switch in ESXi? And if I read you correctly I should have 2 IP static addresses?

I'm affraid I'm lost, how does one create a vmkernel and is this something easily done? Not looking for a no brainer sollution but creating a 'kernel' sounds difficult.

Vyatta look quite ok. Is this a new VM that I would deploy on ESXi? Is it reasonably managable (i.e. a GUI that I can use Smiley Happy)

Cheers,

Steven

0 Kudos
Immortal
Immortal

Here are some links that should belp you set up your environment -

http://download3.vmware.com/vmworld/2006/tac9689-b.pdf and http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esxi_server_config.pdf

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
0 Kudos
Contributor
Contributor

Hi weinstein5,

Thanks for that wonderfull documentation!

I have some reading to do Smiley Happy

Cheers,

Steven

0 Kudos
Contributor
Contributor

You should configure to allow different vlans in your switch in case you would want to set differents segments.

You can take 2 Nics for management and vmotion if you have this features, and 2 for the virtual switch for your firewall. then create a new virtual switch for internal only.

Each server need to be configured with a network card directed to Internal only at Network label settings. Then your firewall would have one more NIC directed to the virtual switch with internet connection.

Remember you should configure nic teaming in virtual siwtch setting to stay up in case of network card failover.

I hope you find this information helpful to solve your question.

good luck!

0 Kudos
Immortal
Immortal

No problem - having taught for VMware in the past and knowing the networking takes about a day and a half to deliver I figured it would be easier to give you some reading material so you have a beeter understanding on how networking is done in vSphere - 

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
0 Kudos
Enthusiast
Enthusiast

I strongly agree with weinstein5: You really should read before anything else.  Read the installation and configuration guide.

1) The 'port' is binded with an ip address.  Each server having it's own IP, it don't matter if it's going through one NIC.

furthermore, you need to read the installation guide to understand how to configure the networking on the server: One or more nic is to be assigned to the management console, the others nics to your vm's networks.

2) You can create virtual switches that are not binded to a physical nic and assign them to your vm's this way, only the server you want will access the 'public' network.

I insist, RTFM, you just can't put the cd in the server and think you can install-as-you-go.  You really have to understand what you're doing.

0 Kudos
Contributor
Contributor

Hi Francois,

And I agree with David as well. I have some reading to, as I stated. And asking for help led me to this conclusion so all is well I think. And in no way do I expect this to be a 'pop in the dvd and we're good to go...' situation here, hence my request for help.

Thanks for the response and tips!

Off to RTM, sans the F if you don't mind Smiley Happy

Cheers,

Steven

0 Kudos
Enthusiast
Enthusiast

Smiley Happy I was meaning: Read the Friendly Manual...

:smileysilly:

0 Kudos