VMware Cloud Community
tbone111
Contributor

Network design

As a general best practice, I've read that my vMotion, Fault Tolerance and iSCSI networks should all be "isolated" from each other and separate from the Virtual Machine network. My question is, what degree of isolation is necessary to fall within best practices? Just separate subnets? Separate vSwitches and uplink ports? Completely separate backend switches?

Thanks in advance!


Accepted Solutions
jjkrueger
VMware Employee

In an ideal world, those will each be separate, physical gear. But how many of us live in an ideal world where we have several distinct sets of network gear for our different networks? For those particular traffic types, I would recommend separate uplinks. Perhaps not separate vSwitches (as we can control Active/Standby uplinks on a port group by port group basis). If you go with fewer vSwitches, VLANs would also be a really good idea. But then you need to make sure your switch backplane would be able to carry whatever level of traffic you're pushing for the 3 different types of traffic.

If we look at the traffic needs for the different types of traffic, we have slightly different requirements. vMotion is bursty, generating traffic only during a VM migration, but without controls, this can consume a significant amount of bandwidth. Fault Tolerance will likely be steady, but will rise and fall with the use of the protected VM. iSCSI will likely be consistent and potentially require high bandwidth, depending on the I/O profiles of the VMs hosted on the storage.

If you have Enterprise Plus licensing, you can look to Distributed Switches and Network I/O Control to help keep things calm and controlled.

3 Replies
weinstein5
Immortal

At a minimum, separate subnets/VLANs. In short, in most designs I have done I try to separate, by different vSwitches/uplinks, VM traffic from management/vMotion from iSCSI/NAS.

TomHowarth
Leadership

Well, the answer to that question is "it depends": it depends on your particular security level. Remember, the management stack can see everything. Therefore, at the very least you need to have VLAN separation; however, I tend to at the very least physically separate the storage traffic if I am using iSCSI or NFS.

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
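The isolation levels raised in this thread (subnet, VLAN, active uplink, vSwitch, physical switch) can be checked pairwise against a host's port group layout. The following is an added example, not code from any poster or from VMware; the port group names, VLAN IDs, subnets, uplink names and switch names are all constructed, and FT and iSCSI are deliberately misconfigured to show what gets flagged.

```python
import ipaddress
from itertools import combinations

# Constructed layout (all names, VLAN IDs and subnets are made up).
# FT and iSCSI are deliberately misconfigured to show what gets flagged.
PORT_GROUPS = [
    {"name": "VM Network", "vswitch": "vSwitch0", "vlan": 10,
     "subnet": "10.0.10.0/24", "active": {"vmnic0"}},
    {"name": "vMotion", "vswitch": "vSwitch1", "vlan": 20,
     "subnet": "10.0.20.0/24", "active": {"vmnic2"}},
    {"name": "FT", "vswitch": "vSwitch1", "vlan": 30,
     "subnet": "10.0.30.0/24", "active": {"vmnic3"}},
    {"name": "iSCSI", "vswitch": "vSwitch1", "vlan": 30,
     "subnet": "10.0.30.128/25", "active": {"vmnic3"}},
]
# Which physical switch each uplink is cabled to (constructed).
UPLINK_SWITCH = {"vmnic0": "sw-a", "vmnic2": "sw-b", "vmnic3": "sw-b"}


def isolation(a, b):
    """Return, per isolation level, whether port groups a and b are separated."""
    net_a = ipaddress.ip_network(a["subnet"])
    net_b = ipaddress.ip_network(b["subnet"])
    sw_a = {UPLINK_SWITCH[n] for n in a["active"]}
    sw_b = {UPLINK_SWITCH[n] for n in b["active"]}
    return {
        "subnet": not net_a.overlaps(net_b),
        "vlan": a["vlan"] != b["vlan"],
        "uplink": a["active"].isdisjoint(b["active"]),
        "vswitch": a["vswitch"] != b["vswitch"],
        "physical": sw_a.isdisjoint(sw_b),
    }


def audit(port_groups, required=("subnet", "vlan", "uplink")):
    """List (pg1, pg2, missing_levels) for every pair below the required bar."""
    findings = []
    for a, b in combinations(port_groups, 2):
        levels = isolation(a, b)
        missing = [lvl for lvl in required if not levels[lvl]]
        if missing:
            findings.append((a["name"], b["name"], missing))
    return findings


if __name__ == "__main__":
    for pg1, pg2, missing in audit(PORT_GROUPS):
        print(f"{pg1} / {pg2}: not separated by {', '.join(missing)}")
```

Raising `required` to include `"physical"` applies the stricter bar of separate backend switches; the default matches the VLAN plus separate-uplink level.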