Bob_Jenkins
Contributor

To use Port Groups or to not use Port Groups, that is the question...


Hi Everyone.

I'm setting up a 3.5 environment with HP's Virtual Connect blade system. We aim to have a 10GB connection to the back of the chassis and to use Virtual Connect to split this stream (of VLANs from the Cisco 6509s) into various VLANs (Service Console, VMotion, VM Data Group1, VM Data Group2, etc.).

I have two questions, hope I can get my thoughts into words correctly...

(1) How will physical ESX host blades see the various VLANs? Will each one of the VLANs above be shown as a "physical" (i.e. not physical, but presented as physical via Virtual Connect to the blades) NIC? If this is the case, then the "teaming" of NICs has already been done at the Virtual Connect end, leaving one visible NIC for Service Console, one for VMkernel, one each for VMs etc as far as ESX is concerned?

(2) On a related topic, if I am able to present stream after stream of VLANs to the various ESX hosts (which could then be encapsulated as a Virtual Switch), is there any point in using Port Groups? If I can just set up a new VSwitch for connection of new VMs to the new VLAN, why bother with Port Groups?

Your ideas / comments greatly appreciated - I've also included a .jpg to show the infrastructure as I'm planning it - please let me know if there are any glaring errors!


Accepted Solutions
RussH
Enthusiast

Hello -

I like what you're trying to do with 10gig and VC - makes sense.

Anyway, you will still have physical NICs in your servers that attach to the vSwitches within which you will create portgroups. My advice is to not use Virtual Connect to strip any VLAN information out - instead, within the Virtual Connect profile specify which VLANs are propagated to which pNICs, so VC is just passing it through without stripping any tags. At this point the VLAN tags within the portgroup on the vSwitch will determine which VMs etc. get which packets. This is how I have implemented VC in the past and am pretty happy with it.

If you use VC to strip the VLAN tags and have only a 1:1 mapping of VLAN to pNIC - you will lose the capability to VST.

Texiwill
Leadership

Hello,

Whether to use portgroups or not depends on your security policy more than anything. If your policy does not allow VLANs then use of portgroups would not be acceptable. However, VLANs within ESX may be secure and the Cisco equipment has methods to secure this; other equipment may not be so safe. I would investigate everything from the perspective of security.

As the other poster stated, VirtualConnect is great but you need to let the VLAN tags go through to the ESX server vSwitch which is called VST (Virtual Switch Tagging). Even with tagging I would not place on the same vSwitch my production VMs and my SC/vMotion pairs.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, as well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
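
Added example, not code from the thread or from any poster: a small audit of a planned VST layout that checks the two points raised in the replies above, namely that every port group's VLAN tag is actually passed (still tagged) by the Virtual Connect profile to each uplink pNIC of its vSwitch, and that Service Console/VMotion port groups do not share a vSwitch with VM port groups. The inventory, the vmnic names and the VLAN numbers are constructed for illustration; the 1-4094 range is the set of VLAN IDs ESX treats as VST tags.

```python
# Constructed inventory (assumption, not from the thread).
# VLANs the Virtual Connect profile passes, still tagged, to each pNIC:
VC_PROFILE = {
    "vmnic0": {10, 20}, "vmnic1": {10, 20},
    "vmnic2": {100, 200}, "vmnic3": {100, 200},
}
# vSwitch -> uplink pNICs and port groups as (name, VLAN ID, kind);
# kind is "mgmt" (Service Console / VMotion) or "vm" (VM data).
VSWITCHES = {
    "vSwitch0": {"uplinks": ["vmnic0", "vmnic1"], "portgroups": [
        ("Service Console", 10, "mgmt"), ("VMotion", 20, "mgmt")]},
    "vSwitch1": {"uplinks": ["vmnic2", "vmnic3"], "portgroups": [
        ("VM Data Group1", 100, "vm"), ("VM Data Group2", 300, "vm")]},
}


def audit(vswitches, vc_profile):
    """Return a sorted list of (vswitch, portgroup, finding) tuples."""
    findings = []
    for name, vs in vswitches.items():
        kinds = {kind for _, _, kind in vs["portgroups"]}
        if {"mgmt", "vm"} <= kinds:
            findings.append((name, "*", "mgmt and VM port groups share a vSwitch"))
        for pg, vlan, _ in vs["portgroups"]:
            # 0 means untagged and 4095 passes all tags to the guest: neither is VST.
            if not 1 <= vlan <= 4094:
                findings.append((name, pg, f"VLAN {vlan} is not a VST tag (1-4094)"))
                continue
            # The tag must reach every uplink, or a NIC failover drops the VLAN.
            missing = [n for n in vs["uplinks"] if vlan not in vc_profile.get(n, set())]
            if missing:
                findings.append((name, pg, f"VLAN {vlan} not passed to {', '.join(missing)}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(VSWITCHES, VC_PROFILE):
        print(*finding, sep=" | ")
```
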