VMware Cloud Community
frizzo23 (Contributor)

VLANs

Hi Folks

I'm planning my first ESX implementation and I'm currently getting up to speed with networking in ESX. The environment I have has one subnet and does not currently use VLANs. The question I have is do I need to use/consider VLANs in my ESX environment?

As a bit of background info I'm using a 3 host plus FC SAN configuration. I have two separate physical switches to connect the VM traffic to. I have another separate physical switch I was considering connecting the service console and vMotion traffic to. I couldn't see a reason to VLAN my virtual machine traffic but perhaps there's good cause to VLAN the S/C and vMotion traffic?

Thanks for your help!

Franko

10 Replies
mike_laspina (Champion)

Hello,

It would be a good thing to use the two switches in a fault tolerant configuration rather than for separate functions. VLANs are a best practice and I highly recommend them.

If you have a fault tolerant config you can update switch firmware etc. without an outage. Better yet, if one dies you're not going to have an outage.

http://blog.laspina.ca/ vExpert 2009
Texiwill (Leadership)

Hello,

No, you do not need to use VLANs. People use VLANs to help in low port density situations. Currently, for full redundancy, security, and performance it is recommended to have 2 pNICs for every network. There are minimally 3 networks on your system, ignoring the FC-HBA. Those are SC, vMotion, and VM Network. So you would minimally need 6 pNICs to make this solution work without VLANs.

If you want a DMZ network you will need 2 distinct pNICs unrelated to your Production network.

If you have enough pNICs you can bypass VLANs within the vNetwork and go with EST. Security wise, VLANs are a trust issue.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
frizzo23 (Contributor)

Should I put my SC & vMotion on a different subnet to my virtual machine traffic, and therefore use a VLAN to do this?

V_2 (Contributor)

I would VLAN away... stick with 2 core switches and put your VM network on one VLAN/subnet and your SC/VMotion on another VLAN/subnet. As mentioned above, if you can, try to have at least 2 pNICs (teamed) per function for added resilience.

Texiwill (Leadership)

Hello,

Without knowing your # of pNICs available it is hard to say.

If you have only 4 pNICs and no DMZ I would use the following. I would not use this configuration for production and DMZ together; I would purchase 2 more pNICs.

pNIC0 -> vSwitch0 -> portgroup0 -> SC (backup for vMotion) ---> requires VLAN
pNIC1 -> vSwitch0 -> portgroup1 -> vMotion (backup for SC) ---> requires VLAN
pNIC2&3 -> vSwitch1 -> portgroup2 -> VMs

If you have 6 pNICs with no DMZ then I would not use VLANs. If you have a DMZ as well then I would use VLANs.....


Best regards,

Edward L. Haletky

mike_laspina (Champion)

I totally agree. VLANs have so many pros: broadcast isolation, data plane and management plane control.....

frizzo23 (Contributor)

Thanks for the info folks, my ESX hosts have 6 physical NICs available and no DMZ requirement.

Texiwill (Leadership)

Hello,

The biggest drawback to VLANs unfortunately is there are no security controls. The RFC for 802.1q does not mention that VLANs provide security.

With 6 pNICs, I would bypass VLANs altogether within the vNetwork just to simplify things, which leaves the network security in the hands of the networking team.


Best regards,

Edward L. Haletky

mike_laspina (Champion)
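The two layouts discussed in this thread (the 4-pNIC design where SC and vMotion share vSwitch0 and therefore need VLAN tags, and the 6-pNIC design with a dedicated pNIC pair per network and no VLANs) reduce to three checkable rules: two pNICs per network, a DMZ on pNICs not shared with production, and distinct 802.1Q tags for any functions that share a vSwitch. The script below is an added example, not code from the thread or from VMware; it models a host's vSwitches and portgroups as plain data and flags violations of those rules. The `vmnicN` names follow ESX's uplink naming, but the VLAN IDs (10, 20, 30, 40) and portgroup names are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PortGroup:
    name: str
    role: str                   # "sc", "vmotion", "vm" or "dmz"
    vlan: Optional[int] = None  # 802.1Q VLAN ID for this portgroup; None = untagged


@dataclass
class VSwitch:
    name: str
    uplinks: List[str]          # pNICs bound to this vSwitch (vmnicN naming)
    portgroups: List[PortGroup] = field(default_factory=list)


def check_design(vswitches: List[VSwitch]) -> List[str]:
    """Return a list of findings; an empty list means the layout satisfies the rules."""
    findings = []
    for vs in vswitches:
        # Rule 1: two pNICs per vSwitch, so a NIC or switch failure does not take the network down.
        if len(vs.uplinks) < 2:
            findings.append(
                f"{vs.name}: only {len(vs.uplinks)} uplink(s); each network needs 2 pNICs for redundancy")
        roles = {pg.role for pg in vs.portgroups}
        # Rule 2: DMZ traffic must not ride the same pNICs as production traffic.
        if "dmz" in roles and roles - {"dmz"}:
            findings.append(
                f"{vs.name}: DMZ portgroup shares uplinks with production; give the DMZ its own 2 pNICs")
        # Rule 3: several functions on one vSwitch need distinct VLAN tags,
        # otherwise they share one broadcast domain on the shared uplinks.
        if len(vs.portgroups) > 1:
            untagged = [pg.name for pg in vs.portgroups if pg.vlan is None]
            if untagged:
                findings.append(
                    f"{vs.name}: portgroups {untagged} share uplinks without a VLAN tag")
            tagged = [pg.vlan for pg in vs.portgroups if pg.vlan is not None]
            for v in sorted({v for v in tagged if tagged.count(v) > 1}):
                findings.append(f"{vs.name}: VLAN {v} is used by more than one portgroup")
    return findings


def uses_vlans(vswitches: List[VSwitch]) -> bool:
    """True if any portgroup in the layout carries an 802.1Q tag."""
    return any(pg.vlan is not None for vs in vswitches for pg in vs.portgroups)


# Constructed sample layouts (VLAN IDs and names are illustrative, not from the thread).

# 4 pNICs: SC and vMotion share vSwitch0 and back each other up, so they need VLAN tags.
FOUR_PNIC_VLAN = [
    VSwitch("vSwitch0", ["vmnic0", "vmnic1"],
            [PortGroup("Service Console", "sc", 10), PortGroup("VMotion", "vmotion", 20)]),
    VSwitch("vSwitch1", ["vmnic2", "vmnic3"], [PortGroup("VM Network", "vm")]),
]

# Same 4 pNICs but the shared vSwitch left untagged: SC and vMotion land in one broadcast domain.
FOUR_PNIC_UNTAGGED = [
    VSwitch("vSwitch0", ["vmnic0", "vmnic1"],
            [PortGroup("Service Console", "sc"), PortGroup("VMotion", "vmotion")]),
    VSwitch("vSwitch1", ["vmnic2", "vmnic3"], [PortGroup("VM Network", "vm")]),
]

# 4 pNICs with a DMZ squeezed onto the VM vSwitch via a second VLAN: violates the DMZ rule.
FOUR_PNIC_DMZ_MIXED = [
    VSwitch("vSwitch0", ["vmnic0", "vmnic1"],
            [PortGroup("Service Console", "sc", 10), PortGroup("VMotion", "vmotion", 20)]),
    VSwitch("vSwitch1", ["vmnic2", "vmnic3"],
            [PortGroup("VM Network", "vm", 30), PortGroup("DMZ", "dmz", 40)]),
]

# 6 pNICs, no DMZ: a dedicated pNIC pair per network, no VLANs needed inside the vNetwork.
SIX_PNIC_NO_VLAN = [
    VSwitch("vSwitch0", ["vmnic0", "vmnic1"], [PortGroup("Service Console", "sc")]),
    VSwitch("vSwitch1", ["vmnic2", "vmnic3"], [PortGroup("VMotion", "vmotion")]),
    VSwitch("vSwitch2", ["vmnic4", "vmnic5"], [PortGroup("VM Network", "vm")]),
]

if __name__ == "__main__":
    for label, layout in [("4 pNICs, tagged", FOUR_PNIC_VLAN),
                          ("4 pNICs, untagged", FOUR_PNIC_UNTAGGED),
                          ("4 pNICs, DMZ mixed in", FOUR_PNIC_DMZ_MIXED),
                          ("6 pNICs, no VLANs", SIX_PNIC_NO_VLAN)]:
        print(f"{label}: VLANs={uses_vlans(layout)} findings={check_design(layout) or 'none'}")
```

The per-portgroup `vlan` field corresponds to the tag that `esxcfg-vswitch -v <id> -p <portgroup> <vswitch>` sets on classic ESX. Note that the checker only captures the layout rules from this thread; as the later replies stress, a clean VLAN layout inside the host says nothing about how the physical switches enforce separation once traffic leaves it.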

You are correct, it does not provide any security controls. As well as most of the RFCs out there.

Even with or without VLANs it is the switches and nodes that must be configured for security, e.g. GVRP, 802.1x, IPsec and so on.

In this case I think the reader is not required to provide this granularity level of security and it would not be prudent to dismiss the features of VLANs without good reason.

VLANs do not make the reader's VMware system any less secure than a physical world.

Texiwill (Leadership)

Hello,

Many people who use VLANs express that it protects them and therefore have a false sense of security. Once the network leaves the ESX server there are all sorts of VLAN attacks. So knowing they exist will help better design your networks. But VLANs do not provide security; they do, however, provide for situations with low port density where trunking is a must.

I use VLANs, but I am also aware of the security risks.


Best regards,

Edward L. Haletky