VMware Cloud Community
StefanoChiappin
Contributor
Contributor
‎04-10-2008 03:16 AM

Vmotion and DMZ: how to solve ?

Hello,

I have two ESX 3.5 hosts configured in a cluster (enterprise license with HA and Vmotion) with about 20 VMs. One of these VM runs a firewall, and other VMs are on a DMZ zone (Web server, ftp servers, etc...). The DMZ zone is made with a dedicated virtual switch, obviuosly not linked to any phisical nic, because access to it must be provided only through the dedicated firewall.

Now the issue: I replicated the whole network configuration (virtual switches with same names and nics) on both hosts, but when I try to migrate a VM on DMZ, I get an error, saying: "Unable to migrate from host1 to host2: Currently connected network interface 'Network Adapter 1' uses network 'DMZ' which is a 'virtual intranet' ".

Please, can anybody tell me the way on how to solve this error, and take advantage og HA and Vmotion features of my licences ?

Thanks in advance, Stefano

0 Kudos
7 Replies
Roman_Romano
Enthusiast
Enthusiast
‎04-10-2008 03:35 AM

i seem to remember a post that said you have to make some modification to the vpxd.cfg file on the VirtualCenter. Some thing like:

<migrate>

<test>

<CompatibleNetworks>

<VMOnVirtualIntranet>false</VMOnVirtualIntranet>

</CompatibleNetworks>

</test>

</migrate>

I think you have to create the section at the end of the vpxd.cfg file but still within the <config> section.

regards

Ken_Cline
Champion
Champion
‎04-10-2008 05:44 AM

If you can work around this (I've never tried...), you will have to be very certain of what you're doing. HA will not be a problem - if the host fails, all of the VMs will be restarted on another host (assuming there's capacity) - make sure you set DRS affinity rules to keep them together. VMotion could be another can of worms! Do the VMs behind the firewall need to talk to each other? If so, then once you migrate one of them to another host, it will become isolated - there is no connectivity between the two vNetworks (isolated vSwitches) on the two hosts. While the IP configuration may work, it may be that nothing else does!

As an example, let's assume you have something like this:

(HOST 1) pNIC <-> vSwitch <-> Firewall VM <-> vSwitch (vNetwork) <-> Web Server | FTP Server | DNS Server | DB Server

(HOST 2) pNIC <-> vSwitch <-> Firewall VM <-> vSwitch (vNetwork) <-> <No VMs>

Now, what happens when you VMotion the DB server to the other host? You now have a configuration like this:

(HOST 1) pNIC <-> vSwitch <-> Firewall VM <-> vSwitch (vNetwork) <-> Web Server | FTP Server | DNS Server

(HOST 2) pNIC <-> vSwitch <-> Firewall VM <-> vSwitch (vNetwork) <-> DB Server

Your DB Server is now isolated behind a vSwitch (with the same name on both hosts...), but it can't talk to anything - and nothing can talk to it. Are you sure this is what you want?

Ken Cline

Technical Director, Virtualization

Wells Landers

VMware Communities User Moderator

Ken Cline VMware vExpert 2009 VMware Communities User Moderator Blogging at: http://KensVirtualReality.wordpress.com/
0 Kudos
Chris_S_UK
Expert
Expert
‎04-10-2008 05:50 AM

see here:

0 Kudos
Ken_Cline
Champion
Champion
‎04-10-2008 06:14 AM

Thanks Chris! I didn't think it was supported...just too lazy to look for the KB article.

Ken Cline

Technical Director, Virtualization

Wells Landers

VMware Communities User Moderator

Ken Cline VMware vExpert 2009 VMware Communities User Moderator Blogging at: http://KensVirtualReality.wordpress.com/
0 Kudos
kjb007
Immortal
Immortal
‎04-10-2008 06:33 AM

If you only have two ESX hosts, and are not planning on adding more quickly, you can connect a crossover between the two and create a similar effect of the internal only network, and now the two DMZ VM's can still talk to each other, and you will be using a supported config.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
0 Kudos
StefanoChiappin
Contributor
Contributor
‎04-10-2008 06:38 AM

Hi Ken,

I understand what you want to warn me about, but I have many H24 services, and whenever I have to do maintenance on ESX servers I prefer migrate VMs then shutting them down/move/restart. Even because the startup procedure is often long and tricky. So even if a service is unreachable, it will be for a short time, much shorter with Vmotion then manually moving.

Also Chris knowledge base link is not helpful, because: 1) I have no more phis nic to assign, 2) Again I do no want to shutdown VMs.

Instead, I found this post: http://communities.vmware.com/message/778360#778360 where is explained how to modifyVC to enable Vmotion even in this scenario (thanks to Romano).

Bye, Stefano

0 Kudos
Roman_Romano
Enthusiast
Enthusiast
‎04-10-2008 06:41 AM

That was the thread! i knew i'd saw it somewhere. Glad it helped.

Regards

0 Kudos