VMware Cloud Community
zeeshani
Contributor

VM network / System setup

Hi All,

I have to set up a new desktop virtualization environment. Not having much experience, I have made one and thought I would discuss it with you guys to mature it further.

I am attaching the image of my perceived design here.

As shown in the figure, I will be using different subnets for each domain. One thing I am confused about is the Cisco switch. I was planning to use an L3 switch so those subnets can talk to each other, like VMs talking to the DC and DNS etc. Does this design seem OK to you? Or should I put my DC and DNS in a separate DMZ not accessible over the Cisco switch? That would be OK, but my DNS has to go over the internet for name resolution. All my VMs will be using that DNS for name resolution.

What will be the placement of the connection broker? In which subnet? I am unable to build any idea for this.

I would appreciate it if you could share your design strategies with me. It will be highly appreciated.

18 Replies
Yattong
Expert

Hey,

1. You don't need to have specific NICs for each VLAN as you can trunk multiple VLANs to a NIC.

So, I would just place servers and VMs on the same vSwitch with teamed NICs.

2. If you want to use technology such as HA (High Availability), the Service Console port must have redundancy, either by creating another Service Console port or again by NIC teaming.

3. Connection Broker: this can be placed on the same virtual switch as the other servers/VMs, but trunk the necessary VLAN. Then route the necessary traffic to the broker.

4. You don't have any redundancy on your NAS storage connection; is this important to you? Then you may want to add another NIC, or place this VMkernel port on the same vSwitch as the Service Console.

5. You can use port group policies to choose which NICs to use per port group on a virtual switch, in an Active/Active or Active/Standby configuration.

This may help you have redundancy if you choose to use multiple port groups on a vSwitch, and especially if you have hardware constraints such as the number of NICs.



Good Luck

~y

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points ~y
zeeshani
Contributor

Hmm... really helpful. Thanks, man, for your suggestions.

Can you please share with me some diagram explaining your suggestions, if possible? It will really be greatly helpful for a newbie like me. I tried to find one on this forum (if any) but didn't.

Let me think over your points deeply and I will come back to you for any further queries/clarifications.

Tons of thanks for your kind efforts to assist me.

zeeshani
Contributor

By this I understand that I can place both the subnets of VMs and servers on the same vSwitch (vSwitch2 in my case), and then I can do their inter-VLAN/inter-subnet routing using the Cisco L3 device.

As per my knowledge, a vSwitch is an L2 switch. How can I use 2 different subnets on a single vSwitch? Can you please elaborate a little?

Thanks

Yattong
Expert

No problem,

A vSwitch should act just like a physical switch, correct?

A vSwitch is layer 2 only.

We can segregate a physical switch into different VLANs, correct? We can do the same for vSwitches.

For example, we can create a vSwitch with one NIC.

We can then create 2 virtual machine port groups on that vSwitch. Both port groups can be on different VLANs, by defining the VLAN ID, e.g. VLAN 10 and 11.

On the physical switch side, we then need to trunk the port for VLANs 10 and 11.

The routing takes place on the physical network, not virtual.

So all packets (that need routing) must travel to the physical network before being routed back in to the virtual network.



Good Luck

~y

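The one-vSwitch, two-tagged-port-group layout described in the reply above, as an added example that is not from this thread or from VMware: the ESX Service Console commands that build it (real esxcfg-vswitch options, executed only when the binary is present, otherwise just printed), plus a check that every port-group VLAN ID is actually allowed on the upstream trunk, because a VLAN tagged on the vSwitch but pruned from the physical trunk silently goes nowhere. The vSwitch, uplink and port-group names are assumptions.

```shell
#!/bin/sh
# Added example: build a vSwitch with two VLAN-tagged VM port groups and
# verify the plan against the physical trunk. Names below are assumed.
VSWITCH="vSwitch2"
UPLINK="vmnic1"
# Constructed "name:vlan" pairs, matching the VLAN 10 / VLAN 11 example.
PORTGROUPS="Servers:10 VMs:11"

# Run a command if it exists on this host (ESX Service Console), else print it.
run() {
    if command -v "$1" >/dev/null 2>&1; then "$@"; else echo "$*"; fi
}

# ESX side: one vSwitch, one uplink, one port group per VLAN ID.
configure_vswitch() {
    run esxcfg-vswitch -a "$VSWITCH"
    run esxcfg-vswitch -L "$UPLINK" "$VSWITCH"
    for pg in $PORTGROUPS; do
        name=${pg%%:*}; vlan=${pg##*:}
        run esxcfg-vswitch -A "$name" "$VSWITCH"
        run esxcfg-vswitch -v "$vlan" -p "$name" "$VSWITCH"
    done
}

# Physical side: the port facing $UPLINK must be a trunk carrying those VLANs,
# e.g. on Cisco IOS: "switchport mode trunk" and
# "switchport trunk allowed vlan 10,11". Given that allowed list, return 0 if
# every port-group VLAN is carried, else 1 and name each VLAN that is missing.
check_trunk() {
    allowed=",$1,"
    rc=0
    for pg in $PORTGROUPS; do
        vlan=${pg##*:}
        case "$allowed" in
            *",$vlan,"*) ;;
            *) echo "VLAN $vlan (port group ${pg%%:*}) is not on the trunk"; rc=1 ;;
        esac
    done
    return $rc
}

configure_vswitch
check_trunk "10,11"
```

Run it once with the trunk's real allowed list to catch a pruned VLAN before VMs are placed on the port group.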
Texiwill
Leadership

Hello,

First thing I would do is involve your Networking team in this design. They know networking, so let them help.

> 1. You don't need to have specific NICs for each VLAN as you can trunk multiple VLANs to a NIC.

> So, I would just place servers and VMs on the same vSwitch with teamed NICs.

You can. This is a security trust decision however.

> 2. If you want to use technology such as HA (High Availability), the Service Console port must have redundancy, either by creating another Service Console port or again by NIC teaming.

This is NOT a requirement. You will get an error if you do not, but HA will still function.

> 3. Connection Broker: this can be placed on the same virtual switch as the other servers/VMs, but trunk the necessary VLAN. Then route the necessary traffic to the broker.

If you are bridging from outside to inside, the Connection Broker is the main gateway for this. You most likely want your security and network teams involved in placing this properly.

> 4. You don't have any redundancy on your NAS storage connection; is this important to you? Then you may want to add another NIC, or place this VMkernel port on the same vSwitch as the Service Console.

I would say this is a bare minimum. You really want redundancy.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Texiwill
Leadership

Hello,

> A vSwitch should act just like a physical switch, correct?

> A vSwitch is layer 2 only.

Yes and no. It is a simple layer 2 vSwitch.

> We can segregate a physical switch into different VLANs, correct? We can do the same for vSwitches.

Yes that is possible. But this is a security question. Some companies do not use VLANs.

> For example, we can create a vSwitch with one NIC.

> We can then create 2 virtual machine port groups on that vSwitch. Both port groups can be on different VLANs, by defining the VLAN ID, e.g. VLAN 10 and 11.

Yes that is correct.

One thing that strikes me on the network diagram is that the L3 Cisco switch has dotted lines to everything. So I must assume you are using VLANs. However, they are directly internet facing without a firewall? The OP's diagram is very confusing.

You want to have 'External Network pSwitch <-> Firewall <-> DMZ <-> Firewall <-> Internal Network pSwitch'. I do not see this within the diagram. So given the OP's diagram I would consider this an insecure setup.

I urge you to discuss this with your Network and Security teams. The virtual network is just an extension of the physical network through a bridged set of physical NICs.


Best regards,

Edward L. Haletky

zeeshani
Contributor

WOW... great forum... nice suggestions.

So, after reading all that you people advised, I have redesigned my infra. Attached, find the updated diagram.

I decided to have my VLANs at the Layer 3 switch level. All the vSwitches will have their own subnets, with no VLAN tagging, connecting to the Cisco L3 switch, which in turn will be doing the VLANing and inter-VLAN routing etc.

I will really appreciate any comments or feedback on this. It will really be very helpful for my final design.

Regards and thanks

zeeshani
Contributor

Hi All,

So, as mentioned above, my VMware infra is looking good, I hope. Now I intend to add one more ESX server and switch for redundancy and failover. A little confused about this.

OK, I can set up the new ESX server the same way as the existing one, BUT how will I be tackling it at the network level? I mean, if one ESX server goes down, how will all the requests/users be automatically diverted to the second ESX server? Will I have to do it at the Connection Broker level? Please illustrate a little and give me some hints.

thanks,

Texiwill
Leadership

Hello,

HA would kick in if you use HA to boot VMs from Host to Host. So yes, I would configure the same way.

You are still using VLANs. If your Cisco is a high-end switch this should not be a problem, but there are 6 known attacks against all VLANs, and some only work on Layer 3 devices while Layer 2 devices are not susceptible. That is quite a bit of trust in your VLANs. As you can guess, I really do not trust VLANs very much.

However, how VDI works I will leave up to another person to answer. I would assume the connection broker would manage all this.


Best regards,

Edward L. Haletky

zeeshani
Contributor

Thanks for the reply.

HA is good and can help me achieve what I desire, but it's expensive. I don't have much budget in pocket at this stage to go for an HA solution.

CB ---> Switch ---> Server 1
               ---> DAS (Storage)
               ---> Server 2

I am now planning to have a setup like the one above. Server 1 is primary and server 2 will be for failover. Every time a user connects he must get his same VMDK, either from server 1 or from server 2 (if server 1 is down). If server 1 is down I will manually divert users to server 2. The thing is, how do I make it possible at the storage side for both servers to access the same VMDK files? As I think of it, I will make 2 volumes on the DAS, one for server 1 and one for server 2. Is it possible through any DAS technology that I can present the same volume to both servers, so if one server is down, the other server can have access to the VMDKs stored on that volume? OR, if I make 2 volumes, one for server 1 and the other for server 2, can I replicate/sync both these volumes to each other so I get the same data through either server?

If anyone has some other good design advice regarding this, it is highly welcome.

Thanks for your all time.

Texiwill
Leadership

Hello,

Use of a VMFS on some form of remote storage (SAN, iSCSI), or use of NFS presented to both nodes, is the best way to go. This way both nodes share the same datastores. If all you have is local disk or locally attached SCSI devices, then I suggest you make an inexpensive iSCSI or NFS server to solve this problem.


Best regards,

Edward L. Haletky

zeeshani
Contributor

Yes, that also seems good to me.

Can you advise me on some good NAS with good speed and IO at a good price?

Thanks

Texiwill
Leadership

Hello,

NetApp or EqualLogic.


Best regards,

Edward L. Haletky

zeeshani
Contributor

Thanks for the advice.

I have checked these 2 NAS but they seem pretty expensive.

Can someone suggest a cheap solution, with good performance, which can handle the IO traffic of up to 15 VMs?

Thanks

Texiwill
Leadership

Hello,

Any Linux NFS/iSCSI Enterprise Target Server. As well as Openfiler. I would look into Openfiler.


Best regards,

Edward L. Haletky

DwayneL
Enthusiast

In the end you get what you pay for; I use EqualLogic..... I remember hearing about a free appliance that could take two ESX servers with locally attached storage and treat them as a SAN. Edward should know the name, as I believe it was on one of his podcasts.

-Dwayne Lessner
TomHowarth
Leadership

The name you are looking for is the XVS, the Xtravirt storage appliance. It can be found here. And yes, it does work :)

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
EllettIT
Enthusiast

The Dell MD3000i is on the HCL and reasonably priced.
