VMware Cloud Community
aleceiffel
Contributor

advice on service console / Vmotion / network setup?

I currently have 3 ESX 3.5 servers managed by virtual center server. Right now I have 1 pNIC for the service console and 2 pNICS for the virtual machines all on the same VLAN with the same IP scheme (172.16.0.0/16). I am in the process of bringing in iSCSI for shared storage and implementing Vmotion and HA features. This has led me to reconsider my network.

The new network setup I am looking at is the following:

-Virtual machines remain on the same physical switch with 2 pNICs in each server and no VLAN. I'll keep the same IP address scheme of 172.16.0.0/16

-iSCSI on its own physical switch with 2 iSCSI HBAs in each ESX server. IP address scheme 172.16.1.0/16

-Service console and Vmotion will share 2 pNICs on each ESX server with 2 port groups and VLANs set on the switches. The service console will connect to port group 1 which will operate on VLAN A with pNIC1 as active and pNIC2 as standby. VMotion will connect to port group 2 which will operate on VLAN B with pNIC2 as active and pNIC1 as standby. Service Console/VMotion will share the same physical switch as the Virtual machine network with the ports on the switch configured to trunk for VLAN A and VLAN B. Service Console will use IP scheme 172.16.2.0/16 and VMotion will use 172.16.3.0/16

This setup appears to provide sufficient separation of network traffic for security and performance reasons as well as redundant paths for failover although I am open for comments and suggestions on this. My concerns are the following:

-How do I connect the Virtual Center Server to the Service console network? Do I need to multihome the virtual center server with one card on the virtual machine network (where I can access it from my admin station) and one card on the Service console network?

-I heard that VMware HA will not work if the VMware Hosts are connected to the Virtual Center Server by their IP address. It needs to be connected by their DNS name. This seems to put an unnecessary reliance on DNS but I have read supporting documents. Is this true? And how do I connect my hosts to the Virtual center server if the hosts are completely segregated from my DNS servers? Does only the Virtual Center Server need DNS access for name resolution?

-How do I change the IP address scheme for my ESX servers and Virtual center server to put them on a separated network (from 172.16.0.0/16 to 172.16.2.0/16) without causing connection problems?

I have been unable to find any documentation on this and your help is greatly appreciated.

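The plan above puts a /16 mask on every segment. As an added example (not part of the original thread), this script checks whether the four proposed segments are actually disjoint networks and compares the posted plan with an assumed /24 variant; the segment names and the /24 alternative are constructed for the example.

```python
# Added example: verify that the segments in a proposed address plan are
# actually separate networks rather than one overlapping subnet.
import ipaddress
from itertools import combinations

# Address plan exactly as written in the post (/16 on every segment).
PLAN_AS_POSTED = {
    "virtual machines": "172.16.0.0/16",
    "iSCSI": "172.16.1.0/16",
    "service console": "172.16.2.0/16",
    "VMotion": "172.16.3.0/16",
}

# Same third octets with a /24 mask (assumed alternative, not from the post).
PLAN_WITH_24 = {name: net.replace("/16", "/24") for name, net in PLAN_AS_POSTED.items()}


def normalize(plan):
    """Parse each prefix into the network a router would actually see.

    strict=False accepts prefixes with host bits set (e.g. 172.16.1.0/16)
    and masks them away, which is exactly what exposes the problem:
    172.16.1.0/16, 172.16.2.0/16 and 172.16.3.0/16 all become 172.16.0.0/16.
    """
    return {name: ipaddress.ip_network(net, strict=False) for name, net in plan.items()}


def overlapping_pairs(plan):
    """Return a sorted list of (segment_a, segment_b) whose networks overlap."""
    nets = normalize(plan)
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def is_segmented(plan):
    """True only if no two segments share address space."""
    return not overlapping_pairs(plan)


if __name__ == "__main__":
    for label, plan in (("as posted (/16)", PLAN_AS_POSTED), ("with /24", PLAN_WITH_24)):
        print(f"{label}:")
        for name, net in normalize(plan).items():
            print(f"  {name:16} -> {net}")
        print("  overlapping pairs:", overlapping_pairs(plan) or "none")
```

With the default strict=True, ipaddress.ip_network("172.16.1.0/16") raises ValueError because host bits are set, which is a quick way to catch a plan like this before any VLAN or firewall work is done.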
3 Replies
Texiwill
Leadership

Hello,

-How do I connect the Virtual Center Server to the Service console network? Do I need to multihome the virtual center server with one card on the virtual machine network (where I can access it from my admin station) and one card on the Service console network?

No, your Service Console and vCenter server should share the same network.

-I heard that VMware HA will not work if the VMware Hosts are connected to the Virtual Center Server by their IP address. It needs to be connected by their DNS name. This seems to put an unnecessary reliance on DNS but I have read supporting documents. Is this true? And how do I connect my hosts to the Virtual center server if the hosts are completely segregated from my DNS servers? Does only the Virtual Center Server need DNS access for name resolution?

Yes, you need working DNS for the ESX hosts.

-How do I change the IP address scheme for my ESX servers and Virtual center server to put them on a separated network (from 172.16.0.0/16 to 172.16.2.0/16) without causing connection problems?

Remove them from VCMS, then change the IP address, then re-add them. However, you may lose historical data.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
aleceiffel
Contributor

It makes sense that the Virtual center server needs to be on the same network as the ESX service consoles, but what is the best practice for accessing the virtual center server for administration and allowing it access to DNS and Active Directory on the main network? Do people typically multihome it (one NIC on the main network and another on the service console network) or route through a firewall? Creating an open route between the VLANs would seem to defeat the purpose of putting it on another network.

And how do the ESX hosts typically access DNS servers if their service consoles are on a completely different network?

Texiwill
Leadership

Hello,

Best practice is to route through a firewall; do not make VCMS a firewall/router, as it then becomes an attack point.

Creating an open route between the VLANs would seem to defeat the purpose of putting it on another network.

That is correct.

And how do the ESX hosts typically access DNS servers if their service consoles are on a completely different network?

Through the same firewall.

ESX Management (including VCMS) <-> Firewall <-> production network w/DNS AD, etc.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009