VMware Cloud Community
trink408
Enthusiast

Management network on same vswitch as vm traffic?

Looking over how our vSphere environment was configured, I noticed that they have the management network on the same vSwitch as virtual machine traffic. That vSwitch currently has 2 NICs connected.

I know that configuration isn't recommended. I'm wondering if I should change it, and what the best route is to change it?

Move the management traffic to a new vSwitch, or move the VM traffic to a new vSwitch? I do have 2 more physical NICs, so I can add another vSwitch with redundancy.

Thanks for any suggestions.

Kevin


Accepted Solutions
kjb007
Immortal

It would be better to switch the VM traffic, simply because when changing your management traffic, you're literally creating a new VMkernel interface and assigning it gateways, and that can lead to a connection drop. It is simpler to create a new vSwitch for VM traffic, create a new portgroup, and re-assign the VMs.

That being said, it is "better" to keep the two separated, but it is not a hard requirement. If you have the NICs, then it's definitely a "nice to have".

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB

7 Replies
keiooz
Enthusiast

Now I get it. It is a way for you to have both separated so it won't load on the same system, or whatever we could call it.

alwaysnodowntim
Enthusiast

Yes, basically what Kanuj stated. You will want to create a standard virtual switch. You'll want to create your port groups on that standard virtual switch. Make sure that you assign the network settings appropriately. I mean this because if you are running VLANs in your port groups you will have to make sure that the VLAN number and network configuration are exactly the same as the port group you are replacing. After the port group is created on the new standard virtual switch, you will need to reassign the network settings within Edit Settings for the virtual machines to their appropriate new port group. As long as you have enough physical NICs, creating additional vSwitches for VM traffic shouldn't be a problem. After the creation you can delete the port groups that you replaced on the original virtual switch. At that point you will have a dedicated management network with redundancy. Hopefully you have the option to configure your new standard vSwitch with 2 physical NICs as well. Going further, a great practice is to use another NIC or two to create a 2nd management network with NICs from different manufacturers, and connect them to different switches. I hope that clarifies that for you.
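
The procedure described in the two replies above (leave the management VMkernel port alone, build a new standard vSwitch on the two spare NICs, recreate the VM port groups with identical VLAN IDs, re-point the VM adapters, then delete the old port groups), written out as a PowerCLI script. This is an added example, not code from the thread or from VMware; it assumes an open PowerCLI session (`Connect-VIServer`), and the host name, new switch name and spare NIC names are placeholders to adapt.

```powershell
# Added example, not from the thread. Moves VM traffic off the vSwitch that carries the
# management VMkernel port and onto a new standard vSwitch, leaving vmk0 untouched.
# Assumptions: PowerCLI with an open session (Connect-VIServer); host name, new switch
# name and the two spare NIC names below are placeholders to adapt.
$hostName  = 'esx01.example.local'   # placeholder
$newSwitch = 'vSwitch-VM'            # placeholder
$spareNics = @('vmnic2', 'vmnic3')   # placeholder: the two unused physical NICs

$vmHost = Get-VMHost -Name $hostName

# Safety check: the spare NICs must not already be uplinks of another standard vSwitch.
$inUse = @(Get-VirtualSwitch -VMHost $vmHost -Standard | ForEach-Object { $_.Nic })
foreach ($nic in $spareNics) {
    if ($inUse -contains $nic) { throw "$nic is already an uplink on $hostName" }
}

# 1. Locate the vSwitch that hosts the management VMkernel port (the one to leave alone).
$vmkAdapters = Get-VMHostNetworkAdapter -VMHost $vmHost -VMKernel
$mgmtVmk     = $vmkAdapters | Where-Object { $_.ManagementTrafficEnabled } | Select-Object -First 1
$mgmtPg      = Get-VirtualPortGroup -VMHost $vmHost -Name $mgmtVmk.PortGroupName
$mgmtSwitch  = Get-VirtualSwitch -VMHost $vmHost -Name $mgmtPg.VirtualSwitchName

# 2. The VM port groups on that switch are the ones no VMkernel adapter is attached to.
$vmkPgNames   = @($vmkAdapters | ForEach-Object { $_.PortGroupName })
$vmPortGroups = @(Get-VirtualPortGroup -VirtualSwitch $mgmtSwitch |
    Where-Object { $vmkPgNames -notcontains $_.Name })
if ($vmPortGroups.Count -eq 0) {
    Write-Host "No VM port groups on $($mgmtSwitch.Name); nothing to move"
    return
}

# 3. New switch with both spare NICs as uplinks, so VM traffic keeps its redundancy.
$vs = New-VirtualSwitch -VMHost $vmHost -Name $newSwitch -Nic $spareNics

# 4. Recreate each VM port group with an identical VLAN ID. Standard port group names
#    are unique per host, so the replacement gets a "-vm" suffix.
$replacement = @{}
foreach ($pg in $vmPortGroups) {
    $replacement[$pg.Name] = New-VirtualPortGroup -VirtualSwitch $vs `
        -Name "$($pg.Name)-vm" -VLanId $pg.VLanId
}

# 5. Re-point every VM adapter that uses an old port group to its replacement.
#    Set-NetworkAdapter reconfigures running VMs without a power cycle.
foreach ($pg in $vmPortGroups) {
    Get-VM -Location $vmHost | Get-NetworkAdapter |
        Where-Object { $_.NetworkName -eq $pg.Name } |
        Set-NetworkAdapter -Portgroup $replacement[$pg.Name] -Confirm:$false | Out-Null
}

# 6. Delete the emptied port groups from the management switch. This step fails if a
#    VM is still attached to one of them, which is the safety net you want here.
foreach ($pg in $vmPortGroups) {
    Remove-VirtualPortGroup -VirtualPortGroup $pg -Confirm:$false
}

# 7. Verify: the management switch should now carry only VMkernel port groups.
Get-VirtualPortGroup -VMHost $vmHost |
    Select-Object Name, VirtualSwitchName, VLanId |
    Sort-Object VirtualSwitchName, Name | Format-Table -AutoSize
```

Run it against one host at a time and check the final table before moving on: every port group listed under the management vSwitch should be a VMkernel one, and every VM port group should show the same `VLanId` it had before, just on the new switch.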

trink408
Enthusiast

Thanks for the help guys.

Is the intention of running it on separate vSwitches to help with performance or for security?

kjb007
Immortal

It is rooted in security. A vSwitch is a memory object, and portgroups live on the vSwitch. Having separate vSwitches isolates portgroups from each other, so they're not sharing anything, even at a very high level.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
alwaysnodowntim
Enthusiast

Both. You don't want your virtual machine traffic on the same switch as your management traffic. It's better to segment them off. If you think about it, what happens when the NICs become saturated, or a breach of security happens and those two NICs are affected? Welp, I would guarantee you would lose connection to the ESX/i server. Going further with what I said, my standard config is using Intel and Broadcom NICs; on each vSwitch or vDS, I would stagger the NICs, having one Intel NIC and one Broadcom NIC, even on the management network. Both NICs will be connected to a different physical switch. Why? What happens if Intel or Broadcom put out a bad driver and all your NICs are Broadcom in all your vSwitches? You'll have some problems, I'll bet. Now with this config, you'll be able to survive the bad Broadcom driver update because you're redundant with the Intel ones. Not only that, even if a Cisco switch goes down, you'll be connected to 2 anyway, so you're redundant there. ;0)

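A check for the redundancy described in the reply above (two uplinks per vSwitch, from different NIC drivers, cabled to different physical switches), as a PowerCLI audit. This is an added example, not code from the thread or from VMware; it assumes an open PowerCLI session, that CDP or LLDP is enabled on the physical switch ports so the neighbour can be read, and the host name is a placeholder.

```powershell
# Added example, not from the thread. Audits every standard vSwitch on a host for
# uplink redundancy: at least two uplinks, more than one NIC driver, and more than
# one physical switch neighbour (from CDP or LLDP). Assumes an open PowerCLI session;
# the host name is a placeholder.
$vmHost = Get-VMHost -Name 'esx01.example.local'   # placeholder
$esxcli = Get-EsxCli -VMHost $vmHost -V2
$netSys = Get-View -Id $vmHost.ExtensionData.ConfigManager.NetworkSystem

# Map vmnicN -> driver name, from "esxcli network nic list".
$driverOf = @{}
foreach ($nic in $esxcli.network.nic.list.Invoke()) { $driverOf[$nic.Name] = $nic.Driver }

function Get-NeighborSwitch([string]$nicName) {
    # Neighbour device ID seen on this physical NIC via CDP, else LLDP, else 'unknown'.
    $hint = $netSys.QueryNetworkHint([string[]]@($nicName)) | Select-Object -First 1
    if ($hint.ConnectedSwitchPort) { return $hint.ConnectedSwitchPort.DevId }
    if ($hint.LldpInfo)            { return $hint.LldpInfo.ChassisId }
    return 'unknown'
}

foreach ($vs in Get-VirtualSwitch -VMHost $vmHost -Standard) {
    $uplinks   = @($vs.Nic)
    $drivers   = @($uplinks | ForEach-Object { $driverOf[$_] } | Sort-Object -Unique)
    $neighbors = @($uplinks | ForEach-Object { Get-NeighborSwitch $_ } | Sort-Object -Unique)

    $issues = @()
    if ($uplinks.Count -lt 2)   { $issues += 'single uplink' }
    if ($drivers.Count -lt 2)   { $issues += "all uplinks use driver '$($drivers -join ',')'" }
    if ($neighbors.Count -lt 2) { $issues += "all uplinks reach '$($neighbors -join ',')'" }

    $status = if ($issues.Count -gt 0) { 'WARN: ' + ($issues -join '; ') } else { 'OK' }
    '{0,-14} uplinks={1,-18} {2}' -f $vs.Name, ($uplinks -join ','), $status
}
```

A vSwitch that reports `OK` has two uplinks on different drivers and different physical switches; `unknown` as a neighbour means the switch port is not advertising CDP/LLDP, which is worth fixing on its own because it also hides miscabling.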
JelleHissink
Contributor

With that reasoning, one bad Intel driver could also kill the two switches simultaneously.
