Thanks for the great feedback. So, for a point of clarity, let me attempt to summarize what would occur, and you can tell me if I'm interpreting things correctly or not.

If my primary LAN is on 192.168.0.0 /24, and I create a vlan for the service console of say, 172.16.32.0 /24, could my vmotion network be perhaps on another vlan under the 172.16.33.0 /24 network? Then both of these VLANs be routable to the LAN (192.168.0.0 /24) so they can use DNS, NTP, etc. These VLANs would consume ports on the same stack of switches that the primary LAN resides on.

Does that sound right?

If that is basically correct, then that is good to hear. I'm having a bugger of a time getting a static route of these vlans up to my primary lan, but that is outside of the scope of the forum, so that is why I asked if the sc and vmotion vlans could be put on switches that come into a different leg on my firewall; where it could contact DNS and NTP, etc. in that fasion.

- Pete

Hello,

As long as the vLANs are Trunked with eachother and all the VLAN ID's set properly, then in case of failure, still you can access the S.C through 172.16.32.0 /24 and still you will be vMotioning via 172.16.33.0 /24. But make sure the trunking part and you will be done. I'm doing the same with 6 pNIC's and everything works perfectly. Beside the Default Gateways of each vLAN. In my case, I have two pSwitches cascaded as one logical unit. Each vLAN in both pSwitches i:e "vmnic0 goes to -> pSwitch0 port 8" && "vmnic1 goes to -> pSwitch1 port8". In pSwitch0 port 8 is vLAN 2 and in pSwitch1 port 8 is vLAN 3. vLAN 2 is 172.16. IP Schema and vLAN 3 is 10.1. IP Schema. For my S.C Default Gateway, I'm using the vFirewall internal network IP Address and for my vMotion I'm using the vLAN 3 gateway, so, my entire ESX Hosts are behind a Firewall as well as the vMotion network.

In additional to the DNS and NTP Service. For best securityt and better managability, it will be better to keep the vCenter beside the ESX "Service Console" Network, and configure the vCenter to act as a DNS Server for your ESX Farm.

Configure a virtual firewall, to jumb for your Internal network over your ESX Network for your administration. Then, in your Internal Network, configure an NTP Server to pull the correct time from the internet, and configure the ESX Server to pull the time from the physical host setting in the Internal Network. You will require only port TCP 123 to be opened between your Internal Network and the ESX Network.

Best Regards,

Hussain Al Sayed

If you find this information useful, please award points for "correct" or "helpful".

Hello,

If my primary LAN is on 192.168.0.0 /24, and I create a vlan for the service console of say, 172.16.32.0 /24, could my vmotion network be perhaps on another vlan under the 172.16.33.0 /24 network? Then both of these VLANs be routable to the LAN (192.168.0.0 /24) so they can use DNS, NTP, etc. These VLANs would consume ports on the same stack of switches that the primary LAN resides on.

Not really. Only 172.16.32.0/24 will be routable to 192.168.0.0/24. VMotion would never be routable to ANY other network. You just need to make sure that you trunk both VLANs through the appropriate switch ports.

As a matter of fact, for better security you would place a firewall between 172.16.32.0/24 and 192.169.0.0/24 so that your routing is through a firewall and not direct attached between the networks. This will protect your service consoles and vCenter which should also be on the 172.16.32.0 side of the firewall.

172.16.33.0/24 should not be routed to anywhere and should remain private to only ESX hosts.

Does that sound right?

If that is basically correct, then that is good to hear. I'm having a bugger of a time getting a static route of these vlans up to my primary lan, but that is outside of the scope of the forum, so that is why I asked if the sc and vmotion vlans could be put on switches that come into a different leg on my firewall; where it could contact DNS and NTP, etc. in that fasion.

Always use a firewall.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
====
Author of the books 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment' available for pre-order now
'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Thanks fellas for the great feedback. I think that cleared up some of the confusion I had on the matter. Nice to know I don't have to working about routing on the vmotion network.

After hearing your feedback, and thinking aloud, it sounds as if I had these two networks (the service console and vmotion) where their wires were feeding into their own dedicated redundant switches, then have these switches sitting on their own dedicated inferface off of my ISA firewall, then I can make sure only my service console traffic (172.16.32.0 /24) traffic is routable. I would free up those ports on my LAN switches, make the configuration a bit cleaner, tighten up the security, and avoid some of the problems I've had with vlanning on my internal LAN switches. Hmm.... Interesting.

Thanks,

Pete