VMware Cloud Community
fvogel
Contributor

ESX Virtual Networking

Hello All,

We have our system for software QA and are not providing enterprise services like many here probably would. We want to isolate our test labs from the corporate network for a lot of reasons. What I have learned is that I can have some vSwitches connected to physical NICs providing full corporate network services and I can make other vSwitches that provide isolation.

So far my solution to bridge these is to take a Windows 2k3 server and make it a gateway between the two vSwitches, giving it a vNIC on both vSwitches. This is effective, but I will have around 12 isolated labs running at a time and I would like a better approach than a huge win2k3 gateway VM per instance. This approach also carries an OS licensing burden I don't want as well.

I am assuming that this need for creating gateways or bridging isn't horribly uncommon in the ESX/VI3 world and would like to know if there are better solutions to this, or at least solutions that are far more lightweight and have a lower licensing need. Also, I'm not married to this type of solution; if someone out there knows a better way I will be happy to learn.

Thanks

Fred


Accepted Solutions
ctfoster
Expert

I think IPCop is a popular choice as a router/firewall appliance. The cost is also very attractive!! Very small and includes web management.

DCasota
Expert

Hi,

Can you tell us a bit more about your lab:

- Does the lab network need access to other networks (like internet access)?

- What do you mean with "isolated"?

- Do you have "only" VI3 or VMware LabManager, too?

- Do you already have VLANs?

Texiwill
Leadership

Hello,

Just about any Linux distro can act as a gateway between your physical network and your 12 independent networks. I would think you would need no more than 2 Linux gateways/firewalls/DHCP servers to do this. If you know Linux, this is a good, inexpensive way to go.

IPCop is a Linux distro, and has a web frontend to manage all the above.

Smoothwall is a Linux distro and has a web frontend to manage all the above.

The other option is to have 12 distinct vNetworks with no connection to the outside world (i.e. nothing to bridge them) and access everything through the Remote Console via the web.

Do they need access to the outside world? Your corp network? Each other? If so, then you really want to use one of the Linux distros to get you going.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
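The plain Linux gateway Texiwill describes, written out as an added example (not code from this thread, nor from IPCop or Smoothwall): one VM with a vNIC on the corporate vSwitch and up to three vNICs on isolated lab vSwitches, which is the most one gateway can serve given the four-vNIC limit mentioned later in the thread. Interface names and the 192.168.10x.0/24 lab subnets are assumptions; the isolation itself relies on the lab vSwitches having no physical uplink, so the gateway is the only path out.

```shell
#!/bin/sh
# Added example, not from the thread: a Linux gateway VM with one vNIC on the
# corporate vSwitch and up to three vNICs on isolated lab vSwitches (three,
# because a VI3 VM has at most four vNICs). Interface names and lab subnets
# below are assumptions; change them to match the VM.
OUTSIDE_IF="eth0"
LAB_PAIRS="eth1:192.168.101.0/24 eth2:192.168.102.0/24 eth3:192.168.103.0/24"

# Emit the iptables commands for one gateway, one command per line, so the
# rule set can be reviewed before it is applied.
#   $1      outside (corporate-facing) interface
#   $2...   lab interfaces as IFACE:SUBNET pairs
# Policy: lab hosts may open connections toward the corporate side (NATed
# behind the gateway's outside address); the corporate side only gets replies
# back into a lab; traffic between two labs is dropped and logged.
gen_gateway_rules() {
  outside="$1"
  shift
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -F FORWARD"
  echo "iptables -t nat -F POSTROUTING"
  echo "iptables -P FORWARD DROP"
  # Replies to connections that were allowed to start are let through.
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for pair in "$@"; do
    ifc="${pair%%:*}"
    net="${pair#*:}"
    # Only packets that really carry that lab's source address may leave its
    # vNIC toward the outside; anything else from a lab hits the DROP policy.
    echo "iptables -A FORWARD -i $ifc -o $outside -s $net -m state --state NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $net -o $outside -j MASQUERADE"
  done
  # Lab-to-lab forwarding would fall to the DROP policy anyway; logging it
  # explicitly makes cross-talk attempts visible in the gateway's syslog.
  for src in "$@"; do
    for dst in "$@"; do
      [ "$src" = "$dst" ] && continue
      echo "iptables -A FORWARD -i ${src%%:*} -o ${dst%%:*} -j LOG --log-prefix \"lab-xtalk: \""
      echo "iptables -A FORWARD -i ${src%%:*} -o ${dst%%:*} -j DROP"
    done
  done
}

# Print the rules for review; pass --apply to execute them (as root, on the
# gateway VM). $LAB_PAIRS is left unquoted on purpose so it splits into pairs.
if [ "${1:-}" = "--apply" ]; then
  gen_gateway_rules "$OUTSIDE_IF" $LAB_PAIRS | sh -e
else
  gen_gateway_rules "$OUTSIDE_IF" $LAB_PAIRS
fi
```

For 12 labs this script runs on four such VMs, each with its own three IFACE:SUBNET pairs. DHCP for the lab side (dnsmasq or the distro's dhcpd bound to the lab interfaces only) is left out here; the forwarding policy is the part that decides what a lab can reach.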
Ken_Cline
Champion

It's going to take at least four gateway VMs to provide the functionality you're looking for -- not because it's going to be "too much" for a smaller number of VMs, but rather because you can have a maximum of four vNICs per VM (see Configuration Maximums for VMware Infrastructure 3, page 2)... so, since you need to have one vNIC connected to the "outside" world, that leaves only three to connect to backside networks...

Ken Cline

Technical Director, Virtualization

Wells Landers

VMware Communities User Moderator

Ken Cline VMware vExpert 2009 VMware Communities User Moderator Blogging at: http://KensVirtualReality.wordpress.com/
Texiwill
Leadership

Hello,

Ken, thank you for the correction. Not sure what I was thinking about, but it was not the max # of vNICs per VM and it was not the max # of PCI devices either. I think I am just tired today...... Long night, but that is another story.


fvogel
Contributor

Hey guys,

I have read all your comments as they have come in and have even started playing with IPCop a bit. All comments have been informative and helpful. I've been super swamped but am still here and not ignoring your responses.

Thank you for everything, I will be awarding points, and will let you know how things are going as soon as I get a little unburied.

Thanks,

Fred

dpomeroy
Champion

This sounds like a good use for Lab Manager.

Don Pomeroy

VMware Communities User Moderator

fvogel
Contributor

Thank you all for your help.

I downloaded IPCop and used it as a gateway. It is very small and I'm happy with it. I am making all of my labs 192.x.x.x networks, which require one gateway per switch. I'm trying to figure out how to configure the IPCop to be 2 gateways at a time. I'm working with my IT department to see if it is even possible. It is lightweight enough that I don't mind running 1:1 so much though. If I can make 2 gateway instances on the VM then I can have 2 networks to 1 IPCop, because I need one virtual NIC for each network and then 2 for the net I'm bridging to.

As far as questions concerning Lab Manager, it isn't in the cards for us. My management is considering it, but if they decide to go that route it won't be until the 3rd/4th quarter until I get it. We have invested a lot in our infrastructure in terms of HW and SW. Throwing more money at a solution is not going to be something I can do for a while.

Anyway, great suggestions, got my lab working. Thank you all.

Fred
