VMware Cloud Community
renndabull
Contributor

Switch Configuration

Hey All, Just got all my equipment and am ready to roll. My setup:

-2 HP DL380 (6 nics, 2 teamed=VM's, 2 teamed=VMotion, 1=DMZ firewall (web server), and 1=SC)

-2 HP Procurve 2900 (24)

-1 Equallogic PS100E

-VI3 Enterprise (will use VMotion via ISCSI)

Question(s):

1) How to configure the 2900's to allow for iSCSI connectivity (6 iSCSI Equallogic SAN ports). Should I set up 1 VLAN on each switch (3 ports each) for iSCSI/SAN traffic and only allow jumbo and flow control on these VLAN'd ports, e.g. 192.168.1.x?

2) Should I create additional VLANs on each 2900 for VMotion, SC, and VMs, or just use the default VLAN 1 that comes configured for the 6 ports on each DL380, e.g. 10.1.1.x?

3) Should I trunk the 2 2900's together?

4) One of the VMs will eventually be a publicly accessible web server; what is the best way to physically or virtually segment this VM? Currently the physical web server connects directly to the DMZ port, and our firewall routes the traffic to our internal SQL database.

Any info you can provide will be greatly appreciated!!

DougBaer
Commander

I would never recommend using VLAN 1 for anything ;)

Definitely separate the iSCSI traffic from the other traffic on the 2900s. Don't know about the jumbos/flow control config, but it sounds like a good idea to me :)

What would you hope to gain by trunking them together? Keeping the 2900s separate will give you physical separation and may help with STP issues, but it kind of depends on what your core looks like. Do each of the 2900s go to a different core switch, or do they plug into the same core switch?

Many security professionals still prefer physical separation for DMZ-based VMs: attach the DMZ port to a NIC (ideally a pair of them) on the ESX host and create a DMZ vSwitch that the Web server VM uses for connectivity. Alternatively, if you can trunk the DMZ VLAN onto the same interface as the production traffic (warning: security heartburn!), you can create a DMZ port group for that VLAN on the same vSwitch that you're using for other VM traffic.

As for the team you have allocated for VMotion, I would use the team for DMZ and a single interface for VMotion since the VMotion net going down doesn't really take anything down.

Doug Baer, Solution Architect, Advanced Services, Broadcom | VCDX #019, vExpert 2012-23
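The separation rules in the reply above (keep iSCSI on its own VLAN with consistent jumbo/flow-control settings, stay off VLAN 1, and give the DMZ its own vSwitch and NICs rather than sharing uplinks with production port groups) can be checked against a planned layout before anything is cabled. The following is an added example, not code from the thread or from VMware/HP tooling; the port names, VLAN ids, vmnic numbers and the `lint_plan` helper are all assumptions made for the illustration.

```python
"""Design-time lint for a small ESX + ProCurve plan (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class SwitchPort:
    """One ProCurve port: VLANs it carries and its per-port settings."""
    name: str
    vlans: Set[int]
    mtu: int = 1500            # 9000 = jumbo frames enabled
    flow_control: bool = False


@dataclass
class PortGroup:
    """An ESX port group: VLAN id and what it is used for."""
    name: str
    vlan: int
    role: str                  # "vm", "vmotion", "sc" or "dmz"


@dataclass
class VSwitch:
    name: str
    uplinks: List[str]         # physical NICs (vmnicN) bound to this vSwitch
    portgroups: List[PortGroup] = field(default_factory=list)


def lint_plan(ports: List[SwitchPort], vswitches: List[VSwitch], iscsi_vlan: int) -> List[str]:
    """Return one finding per violation of the separation rules from the thread."""
    findings = []

    # Rule 1: nothing rides on VLAN 1.
    for vs in vswitches:
        for pg in vs.portgroups:
            if pg.vlan == 1:
                findings.append(f"{vs.name}/{pg.name}: uses VLAN 1")

    # Rule 2: iSCSI VLAN ports carry nothing else and agree on jumbo/flow control.
    iscsi_ports = [p for p in ports if iscsi_vlan in p.vlans]
    for p in iscsi_ports:
        extra = sorted(p.vlans - {iscsi_vlan})
        if extra:
            findings.append(f"{p.name}: iSCSI VLAN {iscsi_vlan} shares the port with VLANs {extra}")
    settings = {(p.mtu, p.flow_control) for p in iscsi_ports}
    if len(settings) > 1:
        findings.append(f"iSCSI VLAN {iscsi_vlan}: ports disagree on MTU/flow control {sorted(settings)}")

    # Rule 3: a DMZ port group must not share uplinks with production port groups.
    for vs in vswitches:
        roles = {pg.role for pg in vs.portgroups}
        others = sorted(roles - {"dmz"})
        if "dmz" in roles and others:
            findings.append(f"{vs.name}: DMZ shares uplinks {vs.uplinks} with {others}")
    return findings


ISCSI_VLAN = 100  # constructed id

# Constructed switch: ports 1-3 dedicated to the SAN, 4-5 carry SC/VM/VMotion, 6 is DMZ-only.
SWITCH_A = [
    SwitchPort("A1", {100}, mtu=9000, flow_control=True),
    SwitchPort("A2", {100}, mtu=9000, flow_control=True),
    SwitchPort("A3", {100}, mtu=9000, flow_control=True),
    SwitchPort("A4", {10, 20, 30}),
    SwitchPort("A5", {10, 20, 30}),
    SwitchPort("A6", {200}),
]


def physically_separated_host() -> List[VSwitch]:
    """Preferred layout: DMZ on its own vSwitch with its own NIC pair, VMotion on one NIC."""
    return [
        VSwitch("vSwitch0", ["vmnic0"], [PortGroup("Service Console", 10, "sc")]),
        VSwitch("vSwitch1", ["vmnic1", "vmnic2"], [PortGroup("VM Network", 20, "vm")]),
        VSwitch("vSwitch2", ["vmnic3"], [PortGroup("VMotion", 30, "vmotion")]),
        VSwitch("vSwitch3", ["vmnic4", "vmnic5"], [PortGroup("DMZ", 200, "dmz")]),
    ]


def shared_uplink_host() -> List[VSwitch]:
    """The 'security heartburn' alternative: DMZ VLAN trunked onto the production vSwitch."""
    return [
        VSwitch("vSwitch0", ["vmnic0"], [PortGroup("Service Console", 10, "sc")]),
        VSwitch("vSwitch1", ["vmnic1", "vmnic2"],
                [PortGroup("VM Network", 20, "vm"), PortGroup("DMZ", 200, "dmz")]),
        VSwitch("vSwitch2", ["vmnic3"], [PortGroup("VMotion", 30, "vmotion")]),
    ]


def sloppy_plan() -> Tuple[List[SwitchPort], List[VSwitch]]:
    """Constructed counter-example: VLAN 1 in use, a SAN port also on VLAN 1, mixed jumbo settings."""
    ports = [SwitchPort("A1", {100}, mtu=9000, flow_control=True),
             SwitchPort("A2", {1, 100})]
    hosts = [VSwitch("vSwitch1", ["vmnic1"], [PortGroup("VM Network", 1, "vm")])]
    return ports, hosts


if __name__ == "__main__":
    for label, plan in (("separated", physically_separated_host()), ("shared", shared_uplink_host())):
        print(label, lint_plan(SWITCH_A, plan, ISCSI_VLAN) or "OK")
    print("sloppy", lint_plan(*sloppy_plan(), ISCSI_VLAN))
```

The physically separated layout produces no findings; the shared-uplink layout is flagged because the DMZ port group rides the same vmnics as the production VM network, which is exactly the trade-off the reply describes. Extending the checks (for example, requiring two uplinks on the DMZ vSwitch) is a matter of adding another rule to `lint_plan`.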
renndabull
Contributor

Ok, for VLAN1 just leave it, or delete it and create a new VLAN for the LAN traffic?

I've seen multiple posts that say you should enable (if supported) jumbos and flow control for VMotion, so unless anyone has further comments, I'll enable it on both switches/VLANs.

As for trunking, we have a small shop, so my thoughts were to put a 2900 + Cisco wireless AP in our warehouse to provide connectivity to about 30 wireless desktops and 2 Ghost imaging servers. Trunk the warehouse switch to (2) 24-port Procurve 1800's (wired desktops), then trunk the 1800's to the (2) 2900's (SAN/VMware). So we basically have 5 edge switches that comprise our network. The main reason I thought trunking was important was to provide enough bandwidth between the SAN and the warehouse Ghost servers. Techs will be pulling Ghost images from the SAN to the servers in the warehouse to re-image laptops (2-6 GB images). Would it be better to trunk the warehouse 2900 directly to the SAN/VMware 2900's?

Good recommendation on the VMotion team, I'll do that, makes sense.

Thanks for all your input, much appreciated!!!

DougBaer
Commander

Just leave VLAN 1 alone.

From an ESX perspective, presenting 2 independent 1 GB interfaces to it is roughly the same as presenting a 2 gb etherchannel (roughly) ... and requires less configuration on both sides.
