Solved: Re: Isolated vSwitch that spans multiple host

fajarpri · ‎01-31-2012

Hi all, pls pardon the handmade drawing

I have few ESXi 4.1 hosts with vCenter.

The case is in the current LAN, there is already a DHCP server. I don't want the VM in the hosts to be affected by the DHCP server.

So, I thought of putting the VM in isolated vSwitch (vSwitchB). And creating a VM (VM GW) as gateway for the VM to talk to LAN.

Is there any better approach? Can I create a distributed switch that acts like isolated vSwitch?

Thank you.

Walfordr · ‎02-01-2012

fajarpri wrote:
Thanks Robert.
VLAN sounds a good way too. But I'm not familiar with it. Should I do something on the physical switches to accommodate the VLAN?
Reason I ask is I don't have control over the master switches.

Yes, VLANs must be created on the pSwitches and then entered on vSwitches/PortGroup. The GW router must also be configured to route between the VLANs as needed.

Your idea will work, if the GW VM knows how to forward (route) the traffic.

Robert -- BSIT, VCP3/VCP4, A+, MCP (Wow I haven't updated my profile since 4.1 days) -- Please consider awarding points for "helpful" and/or "correct" answers.

View solution in original post

weinstein5 · ‎02-01-2012

You could do that - build a firewall in a VM but if the concern is the VM picking up an IP address from the DHCP server why not just hard code an IP address in the VM?

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

fajarpri · ‎02-01-2012

Hi Weinstein thanks for replying.

Yeah another option is to use static IP for each VM. But if the VM are in hundreds, it will become cumbersome.

a_p_ · ‎02-01-2012

But if the VM are in hundreds...

Is the DHCP server in the same network segment? If not, you could just make sure there's no DHCP helper for this network segment (VLAN) defined on the router.

André

Walfordr · ‎02-01-2012

I have few ESXi 4.1 hosts with vCenter.
The case is in the current LAN, there is already a DHCP server.
I don't want the VM in the hosts to be affected by the DHCP server.
So, I thought of putting the VM in isolated vSwitch (vSwitchB). And creating a VM (VM GW) as gateway for the VM to talk to LAN.
Is there any better approach? Can I create a distributed switch that acts like isolated vSwitch?
Thank you.

IMO - The better solution (if possible in your environment) is to put vSwitchB in a seperate vLAN. The DHCP broadcast request will not be able to get on the vLAN (broadcast domain) that the DHCP server is on. You could then configure your router/layer 3 switch to route between both vLANs as needed.

If things change later and you need these VMs to get DHCP address you could then add an ip helper to the router pointing to the DHCP server with a scope for that segment.

Regards

Robert -- BSIT, VCP3/VCP4, A+, MCP (Wow I haven't updated my profile since 4.1 days) -- Please consider awarding points for "helpful" and/or "correct" answers.

fajarpri · ‎02-01-2012

Thanks Robert.

VLAN sounds a good way too. But I'm not familiar with it. Should I do something on the physical switches to accommodate the VLAN?

Reason I ask is I don't have control over the master switches.

Walfordr · ‎02-01-2012

fajarpri wrote:
Thanks Robert.
VLAN sounds a good way too. But I'm not familiar with it. Should I do something on the physical switches to accommodate the VLAN?
Reason I ask is I don't have control over the master switches.

Yes, VLANs must be created on the pSwitches and then entered on vSwitches/PortGroup. The GW router must also be configured to route between the VLANs as needed.

Your idea will work, if the GW VM knows how to forward (route) the traffic.

Robert -- BSIT, VCP3/VCP4, A+, MCP (Wow I haven't updated my profile since 4.1 days) -- Please consider awarding points for "helpful" and/or "correct" answers.

fajarpri · ‎02-01-2012

Ok,

That makes me nervous. The master switches are controlled by other department, and I don't trust the way they handle it. It may disrupt the whole network.

On another thought... I have my own switch in that particular rack. Would it be enough if I only set the VLAN on that pswitch in the rack?

I think that should work wouldn't it? All that particular hosts are in that rack.

P.S.

So the switches are cascaded.

Master switch (I don't control) <----> my own switches in server room.

fajarpri · ‎02-02-2012

Hi guys,

I want to give latest update.

An idea came

So, since the switches are cascade, all I have to do is to block tcp/udp 67,68,69 on the port that connect the rest of the LAN on that particular switch.

Bam! No DHCP traffic can get through to that particular rack

Simpler setup too.

jreininger · ‎02-02-2012

There are also you can configure your vendor type on DHCP I think. So DHCP will give from another pool (or none) if your hardware type setup a specific way. Its been a few weeks since my MS test but I think you can do that too. I'd assume this is standard outside of MS DHCP servers.

Let me go find a link..

http://technet.microsoft.com/en-us/library/cc775694(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc737299(WS.10).aspx

Looks like you have to set user class or vendor class options for DHCP. I wonder if big places put custom user classes on VM templates (seems that might be a good idea).. but DHCP vendor class should work easier.. No?

Or, how about scripting vCenter to dump out the vMACs and pusing the vMACs into the DHCP servers as a reservation, should be pretty easy to do if you got some scripting talent in house..

Jonathan

VMware VCP 3.5 VMware VCP 4.0 VMware VCP 5.0