scerazy
Enthusiast
Enthusiast

DMZ and DRS

Jump to solution

Two ESX 3.0.1 server with HA & DRS enabled

How does it work when DMZ is involved?

Of course if the software firewall server as VM runs on the same physical ESX as the DMZ VM then it is not a problem, they both communicate via virtual DMZ switch only

But what happens if the system decides to move them to separate ESX servers?

Does the DMZ virtual switch communication still carries on (do not see how it could be)

In case it does not, is there a way to specify that these two machines must always be together?

Seb

0 Kudos
1 Solution

Accepted Solutions
nadger
Enthusiast
Enthusiast

If the DMZ network does not exsist on the the other host Vmotion will not work so DRS will not move the VMs. There is a setting on the cluster (right click on the cluster, edit settings then Virtual Machine Options under DRS) where you can create rules for virtual machines to keep togeter or seperate

View solution in original post

0 Kudos
6 Replies
nadger
Enthusiast
Enthusiast

If the DMZ network does not exsist on the the other host Vmotion will not work so DRS will not move the VMs. There is a setting on the cluster (right click on the cluster, edit settings then Virtual Machine Options under DRS) where you can create rules for virtual machines to keep togeter or seperate

0 Kudos
scerazy
Enthusiast
Enthusiast

DMZ network DOES exist on both ESX hosts

But the settings for cluster is probably what I would want

Thanks

Seb

0 Kudos
GBromage
Expert
Expert

All DRS cares about is whether a port group of the same name exists on both servers.

Which physical NIC(s) and VLANs that the portgroup is connected to is entirely up to you. (so make sure you get it right!)

So, if you have one pNIC from each server plugged into wherever the DMZ is talking to at the moment, andhave that pNic on a separate vSwitch with a port group configured on your host, then the session will continue. When the vm moves, it will latch on to the same port group name on the other server.

I hope this information helps you. If it does, please consider awarding points with the 'Helpful' or 'Correct' buttons. If it doesn't help you, please ask for clarification!
0 Kudos
scerazy
Enthusiast
Enthusiast

I just would like to understand on which physical NIC the comminication continues if DMZ VM is on host A & the firewall VM is on host B

There are only 2 choices that I can see - VMotion or Private physical NICs (as DMZ is ONLY a vSwitch with NO corresponding physical NIC at all)

None of the choices above make any sense for DMZ communication

Thanks

Seb

0 Kudos
GBromage
Expert
Expert

Ahh... I see. If there's no pNIC bound to the vSwitch, then once the machines are separated there won't be any communication.

You could assign a DRS rule that both machines need to be on the same host. This will (generally) works but there may be some brief interruption to comms if one server finishes migration and the other one has not. If what is happening between the servers is TCP traffic, and the migration finishes before the reset timeout, then there will be lag but the session will continue. If you're using UDP, or the lag is longer, the session will be lost.

Another option (for a 2 host cluster) would be to put another network card in each host, and string a cross-over cable between them. Bind that pNIC to the vSwitch at both ends..

I hope this information helps you. If it does, please consider awarding points with the 'Helpful' or 'Correct' buttons. If it doesn't help you, please ask for clarification!
0 Kudos
scerazy
Enthusiast
Enthusiast

In my setup so far DRS never kicked in (that I noticed), as my servers do pretty much close to nothing

Or maybe it worked so well?!

So I can not say I saw the lag, but I use only TCP, so I simply might have not noticed

I use the rule in DRS to keep them together

An option of another pNIC is now workable, as I already have 6 in each server and simply no more space

for any extra

Seb

0 Kudos