RaniBaki
Contributor

Layer 2 or not

We have 2 active data centers with ESX servers in both. They are connected to a NetApp cluster that replicates synchronously. I am covered from a storage and ESX host standpoint, but my only dilemma is the network. If I have a site failure, I cannot recover VMs unless I change IP addresses on each one. I know there are scripts that can do it, and I also heard that Site Recovery Manager can do it. I'm not sure how each would actually work, since they would have to run locally and be activated somehow, but if I don't have connectivity to the VMs, how would such a script be invoked? Let alone the fact that DNS records would have to be updated. It just seems to be a cumbersome solution and one prone to failure. So the idea of extending a Layer 2 network between the data centers, and only for the ESX servers with their VMs, came up. This way a recovery is seamless. I know there is a spanning tree risk, and with hundreds of VMs that could be a high price to pay in case of a storm. But is that a risk worth taking compared to the advantages?

Let me know expert opinions.

Thanks,

Rani Baki

Texiwill
Leadership

Hello,

You would have to devise some way of having the same IP addresses at two different locations, perhaps by using switching to do this. This device would need to be high enough up your switching network to handle both sites. Or you would need your provider to provide this forwarding type of service.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
kjb007
Immortal

With SRM, the "scripts" are actually "activated" at the recovery site. Meaning, you have configuration in both locations, but in the active site you define what is being configured for DR, and in your DR site you set the rules and what you want to have done in case of failure. That way, you're not trying to activate DR failover from the proverbial hole in the ground.

That being said, if you have DNS servers in both locations, then you can have the hostnames already populated. This would require separate zones in each data center that don't replicate that data center's zone to the other location.

Personally, I think extending Layer 2 would not be necessary across the sites, since you're talking hostnames and IP, you want L3, and that can be done more easily. You will need a pretty good pipe between the two datacenters, but if you're doing synchronous replication, then I assume your bandwidth is pretty good and your data centers are not too far apart.

You could always create a new segment that spans both sites and contains the mission-critical VMs that you don't want to re-IP. And then use SRM both for those VMs and for the VMs you can afford to have re-IP'd to a separate, locally spanned segment.

Good luck.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
RaniBaki
Contributor

kjb007, do you use SRM? If so, how well does it work? What are the disadvantages?

I'm not sure if setting up a different DNS zone would work with all of the apps. What if an app uses a fully qualified name?

Texiwill
Leadership

Hello,

If the app uses an FQDN, then things are easier, as all you need to have configured is a DNS server that contains the FQDN and the IP you want to point it to. You would need to maintain a DNS server at each location. Getting the VMs across the wire is pretty straightforward, as your nightly backups could do this, or you could use vReplicator, Veeam Backup, VMware SRM, or hardware-level backups. However you get the data to the remote site, you are really concerned about getting IPs or FQDNs set up properly.

How you do that is no different than how you would do that outside the virtual world. Virtualization may make it easier to replicate the VMs but it unfortunately does not solve that problem. But there are other solutions available. You need to look at how you would do this with a normal switching/DNS non-virtual network. How you do this also depends on if the VMs are in the DMZ or internal.

If in the DMZ, then they may have internet IP addresses, and I know people solving this problem by placing systems behind a top-level device that does the mapping for them. If it's an internal address, then why not use their own IP and set up a gateway between the hot-site network and the internal network? You could also do the same for a DMZ network. There are many ways to solve this issue existing today.


Best regards,

Edward L. Haletky

kjb007
Immortal

As Texiwill clarified, since the two data centers are using their own DNS servers, using FQDNs is better. In that case, you wouldn't even need to extend Layer 3 to both sites; you can have different IP configurations at both sites. SRM will allow you to change the IP at the failover site. I don't currently use SRM, but what SRM does in an automated fashion is what I've done manually with scripts and such.

I've seen the full end-to-end live demos several times with real servers, and what I stated previously is what I've actually seen happen.

-KjB

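The per-site DNS approach described in the two posts above (Texiwill's "maintain a DNS server at each location" and kjb007's "separate zones in each data center that don't replicate") is easy to get subtly wrong by hand: the same FQDN has to exist in both zones, and each zone's A record has to point at an address that is actually routable at that site. The script below is an added example, not code from either poster or from VMware; it generates both sites' authoritative zone data from a single VM inventory and checks each record against the site's server subnet before anything is loaded. The zone name `corp.example.`, the two subnets, the name-server names and the inventory (including the deliberately wrong `db01` entry) are all constructed for the example.

```python
"""
Per-site DNS zones for a two-data-center design where VMs are re-IP'd on
failover: every VM keeps its FQDN, and each site serves its own copy of the
zone with site-local A records. Generating both copies from one inventory
keeps the zones from drifting apart.

Added example. Zone name, subnets, name servers and inventory are assumed.
"""
import ipaddress
from dataclasses import dataclass

ZONE = "corp.example."   # assumed zone name (absolute, trailing dot)
TTL = 300                # short TTL so clients re-resolve soon after a failover

# Assumed: each site has its own server subnet and its own authoritative NS.
SITES = {
    "dc1": {"subnet": ipaddress.ip_network("10.1.0.0/24"), "ns": "ns1.dc1.corp.example."},
    "dc2": {"subnet": ipaddress.ip_network("10.2.0.0/24"), "ns": "ns1.dc2.corp.example."},
}


@dataclass
class Vm:
    host: str   # short hostname, identical at both sites
    ip: dict    # site -> site-local IPv4 address (string)


# Constructed inventory. 'db01' carries a deliberate mistake: its dc2 address
# was copied from dc1, so a failover would "succeed" on paper but the host
# would be unreachable behind dc2's router.
INVENTORY = [
    Vm("web01", {"dc1": "10.1.0.10", "dc2": "10.2.0.10"}),
    Vm("app01", {"dc1": "10.1.0.20", "dc2": "10.2.0.20"}),
    Vm("db01",  {"dc1": "10.1.0.30", "dc2": "10.1.0.30"}),
]


def records(site, inventory):
    """Map FQDN -> A record for one site."""
    return {f"{vm.host}.{ZONE}": vm.ip[site] for vm in inventory}


def validate(site, inventory, sites=SITES):
    """Return a list of problems with one site's records (empty if clean)."""
    problems = []
    subnet = sites[site]["subnet"]
    seen = {}
    for vm in inventory:
        if site not in vm.ip:
            problems.append(f"{vm.host}: no address defined for {site}")
            continue
        addr = ipaddress.ip_address(vm.ip[site])
        if addr not in subnet:
            problems.append(f"{vm.host}: {addr} is not in {site} subnet {subnet}")
        if addr in seen:
            problems.append(f"{vm.host}: {addr} duplicates {seen[addr]}")
        seen[addr] = vm.host
    return problems


def render_zone(site, inventory, serial, sites=SITES):
    """Render a BIND-style master zone file for one site."""
    ns = sites[site]["ns"]
    lines = [
        f"$ORIGIN {ZONE}",
        f"$TTL {TTL}",
        f"@ IN SOA {ns} hostmaster.{ZONE} ( {serial} 3600 900 604800 {TTL} )",
        f"@ IN NS {ns}",
    ]
    for fqdn, ip in sorted(records(site, inventory).items()):
        lines.append(f"{fqdn} IN A {ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for site in SITES:
        probs = validate(site, INVENTORY)
        print(f"== {site}: {'OK' if not probs else 'PROBLEMS'}")
        for p in probs:
            print("   ", p)
        print(render_zone(site, INVENTORY, serial=2024010101))
```

Run it and `dc1` validates cleanly while `dc2` reports the `db01` record as outside the site subnet, which is exactly the class of error that would otherwise only surface during a real failover. The two rendered files are meant to be loaded as separate master zones on each site's own server, never transferred between sites, which is what keeps the per-site answers different for the same FQDN.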
PhilipArnason
Enthusiast

I know one company, I think they presented at VMworld 2007, that virtualized their firewall. This way, they were able to keep the same IP address for all their servers no matter which data center they were in. The only IP address that needed changing was the single IP address of the virtualized firewall device. They were a huge managed services company and wrote their own firewall code in Unix, probably more than what most people can do feasibly.

There are some telecom providers that will extend Layer 2 across sites, but I would not recommend this unless you have a ridiculous amount of money to spend on bandwidth. Remember, unless specifically programmed, extending Layer 2 will extend all broadcast traffic as well.

Sometimes the simplest solution is best. Since we don't have a lot of public-facing web servers, we simply run DHCP for our servers. If there's a disaster, we can bring them up at our DR site, the servers automatically get new DHCP addresses, and DNS automatically updates.

Philip
