parthmaniar
Enthusiast

VLANs to segregate traffic.

Hello,
I hope you and your loved ones are safe and healthy.
 
I want to integrate a Cisco Integrated Service Router "RV-345" into my network & use VLANs to segregate traffic.
 
Current setup:
Netgear Wi-Fi router is the only component carrying out network access and routing. Here is a simple representation of the network:
homelab_v_1-current_state.png
 
  1. WAN port is connected via CAT-6 cable to ISPs box.
  2. NAS with 2 network ports working in bond mode (combined speed instead of fault tolerance) connected to ports 1 & 2 of the Netgear.
  3. Workstation with 2 Intel NICs connected to ports 3 & 4 of the Netgear router. This workstation has ESXi installed and 12 VMs running on it.
 
 
Proposed setup:
Cisco ISR 345 will carry out wired access and routing while setting Netgear to access point mode. Further requirements for VLANs:
 
homelab_v_1-desired_state.png
 
  1. VMs running on ESXi require separation using VLANs. I will have multiple VLANs which, while segregated from each other, need access to a few central services like DHCP, DNS (reachable via the Wi-Fi access point port) and one VLAN on the ESXi which will be for logging.
  2. Currently, a Raspberry Pi running DHCP and DNS servers provides these network services. This is connected via Wi-Fi for now. This is important to note as I would need Wi-Fi to extend all VLANs to reach these central services.
  3. Raspberry Pis will eventually be connected via ethernet, but right now, they are connected via Wi-Fi.
 
Questions:
  1. As per my understanding, ESXi is where I have to create the VLANs and extend them via Cisco ISR. Is this correct?
  2. How do I ensure that the Wi-Fi port forwards all VLANs? In other words, how do I ensure that backbone network services (DHCP, DNS) are available irrespective of the VLANs?
  3. From the NAS, I have a volume mounted on the workstation using iSCSI. Are there any implications using VLANs on this?
 
I apologise if the post is missing information and more is required. Kindly let me know if something needs to be added.
7 Replies
engyak
Contributor

First of all, well done starting with a diagram! This is really important and useful.

Second - a handful of vulns recently came out on that box - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rce-dos-9ZAjkx4 I'd recommend double-checking.

To the questions:

1. vSphere switches aren't really switches - no VLAN truly exists in ESXi. You'd build the VLANs on the RV-345, then "subscribe" to them via the VSS/VDS in ESXi. VSS/VDS more closely resembles a MAC proxy than a switch (transitive network device) which is something of a superpower.

2. You will need to enable "inter-VLAN routing" and configure network segmentation accordingly(https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/1393-I...). VLANs that depend on DHCP will need a "DHCP helper" or "DHCP relay" set: https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/smb570...

3. Generally, I don't like running iSCSI at these speeds / without some heavy-duty enterprise-grade hardware. NFS should be a bit more resilient here - this matters more when you're routing storage traffic.

parthmaniar
Enthusiast

Thank you very much for your reply. I hope you and your loved ones are safe and healthy.

I realise that I have been sloppy with the diagram. Please let me come back with a more meaningful one. Thank you for the links you've given. I've used them to further enhance the information that I am asking for.

engyak
Contributor

You too.

As someone who does a lot of network diagrams, you'll never be done once you start 😂

parthmaniar
Enthusiast

Hello, please find the updated diagram with more information and requirements. Getting the architecture right is extremely crucial. I'm struggling between draw.io and the Visio that my work laptop has 😫

 

That being said, as you can see, I am trying to design a network, but the reason it is in the VMware forums is that my workstation hosting the servers is crucial to my final year projects; having segregated VMs (without only explicitly allowed routing) is essential to my final paper.

 

homelab_v_1-desired_state.png

 

engyak
Contributor

Yep, with that build just configure all VLANs as trunked on the RV345 and build corresponding port groups in ESXi.

HassanAlKak88
Expert

Hello,

Yeah, please correct me if I am wrong: as I understood it, you want to use different workload VMs that are connected to multiple VLANs behind your workstation with ESXi.

So what you need to configure is trunk interfaces allowing all VLANs for the uplinks coming from this workstation (in your case port 1 & 2), and under ESXi create a specific port group for each VLAN and tag it with the proper ID. Then you will attach the VMs to the needed VLAN.

And from the Cisco device, you will figure out the routing in order to achieve access to WIFI services.

Feel free for any new requests.


Cheers,
vExpert2020-2019||vExpert-NSX2020||VCIX6-NV||VCAP-NV-DCV||VCP-NV-DC-CMA||CCNA-R&S
Twitter: @KakHassan
LinkedIn: linkedin.com/in/hassanalkak
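As an added example (not code from the thread or from any of the posters), here is a small Python model of the plan engyak and HassanAlKak88 describe: all VLANs trunked on the RV345, one tagged port group per VLAN in ESXi, and the router permitting only the flows each VLAN needs to the shared DHCP/DNS VLAN. The VLAN names and IDs, the port-group names and `vSwitch0` are constructed assumptions; the esxcli invocations it emits are the standard-vSwitch port group commands ESXi ships with.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vlan:
    name: str
    vid: int
    services: bool = False  # True for the VLAN that hosts the shared DHCP/DNS servers

# Constructed plan (hypothetical IDs): one VLAN for the central services, one for
# logging, and per-project VLANs that must stay isolated from each other.
PLAN = [
    Vlan("services", 10, services=True),
    Vlan("logging", 20),
    Vlan("project-a", 30),
    Vlan("project-b", 40),
]

def validate(plan):
    """Return a list of problems; an empty list means the plan is usable."""
    problems, seen = [], set()
    for v in plan:
        # 0 means untagged and 4095 means "all VLANs" (VGT) on an ESXi port group,
        # so only 1-4094 are real tagged VLANs.
        if not 1 <= v.vid <= 4094:
            problems.append(f"{v.name}: VLAN ID {v.vid} is outside 1-4094")
        elif v.vid == 1:
            problems.append(f"{v.name}: VLAN 1 is the router's default VLAN; pick another")
        if v.vid in seen:
            problems.append(f"{v.name}: duplicate VLAN ID {v.vid}")
        seen.add(v.vid)
    if sum(v.services for v in plan) != 1:
        problems.append("exactly one VLAN must host the shared DHCP/DNS services")
    return problems

def esxi_commands(plan, vswitch="vSwitch0"):
    """esxcli commands creating one tagged port group per VLAN on the trunked vSwitch."""
    cmds = []
    for v in plan:
        pg = f"pg-{v.name}"
        cmds.append(f"esxcli network vswitch standard portgroup add "
                    f"--portgroup-name={pg} --vswitch-name={vswitch}")
        cmds.append(f"esxcli network vswitch standard portgroup set "
                    f"--portgroup-name={pg} --vlan-id={v.vid}")
    return cmds

def allowed_flows(plan):
    """Inter-VLAN pairs the router should permit: each VLAN to the services VLAN only.
    Everything not listed stays blocked, so project VLANs cannot reach each other."""
    svc = next(v for v in plan if v.services)
    return {(v.vid, svc.vid) for v in plan if not v.services}
```

The VLANs listed by `allowed_flows` are also the ones that need the RV345 DHCP relay pointed at the services VLAN, since their clients cannot otherwise reach the DHCP server.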
parthmaniar
Enthusiast

Thank you very much. Let me test this and get back to you.
