Two ESX 3.0.1 server with HA & DRS enabled
How does it work when DMZ is involved?
Of course, if the software firewall server runs as a VM on the same physical ESX host as the DMZ VM, then it is not a problem; they both communicate via the virtual DMZ switch only.
But what happens if the system decides to move them to separate ESX servers?
Does the DMZ virtual switch communication still carry on? (I do not see how it could.)
In case it does not, is there a way to specify that these two machines must always be together?
Seb
If the DMZ network does not exist on the other host, VMotion will not work, so DRS will not move the VMs. There is a setting on the cluster (right-click on the cluster, Edit Settings, then Virtual Machine Options under DRS) where you can create rules for virtual machines to keep together or separate.
DMZ network DOES exist on both ESX hosts
But the settings for cluster is probably what I would want
Thanks
Seb
All DRS cares about is whether a port group of the same name exists on both servers.
Which physical NIC(s) and VLANs that the portgroup is connected to is entirely up to you. (so make sure you get it right!)
So, if you have one pNIC from each server plugged into wherever the DMZ is talking to at the moment, and have that pNIC on a separate vSwitch with a port group configured on your host, then the session will continue. When the VM moves, it will latch on to the same port group name on the other server.
I just would like to understand on which physical NIC the communication continues if the DMZ VM is on host A and the firewall VM is on host B.
There are only 2 choices that I can see: VMotion or private physical NICs (as the DMZ is ONLY a vSwitch with NO corresponding physical NIC at all).
None of the choices above make any sense for DMZ communication
Thanks
Seb
Ahh... I see. If there's no pNIC bound to the vSwitch, then once the machines are separated there won't be any communication.
You could assign a DRS rule that both machines need to be on the same host. This will (generally) work, but there may be some brief interruption to comms if one server finishes migration and the other one has not. If what is happening between the servers is TCP traffic, and the migration finishes before the reset timeout, then there will be lag but the session will continue. If you're using UDP, or the lag is longer, the session will be lost.
Another option (for a 2 host cluster) would be to put another network card in each host, and string a cross-over cable between them. Bind that pNIC to the vSwitch at both ends.
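The checks and the affinity rule described in the answers above, written out as an added PowerCLI example (this is not code from the thread or from VMware; it assumes an existing PowerCLI session connected to the VirtualCenter server, and the cluster name, VM names and port group name are hypothetical placeholders). It walks every host in the cluster, confirms the DMZ port group exists on each (the condition DRS/VMotion actually tests), warns when the port group's vSwitch has no physical NIC bound (the case where traffic cannot leave the host once the two VMs are separated), and then creates a keep-together DRS rule for the firewall and DMZ VMs if one is not already present:

```powershell
# Added example, not part of the original thread. Assumes Connect-VIServer has
# already been run. Cluster, VM and port group names are hypothetical.
$clusterName  = "Cluster01"
$dmzPortGroup = "DMZ"
$vmNames      = @("fw01", "dmzweb01")
$ruleName     = "Keep-FW-with-DMZ"

$cluster = Get-Cluster -Name $clusterName
$hosts   = Get-VMHost -Location $cluster

foreach ($esx in $hosts) {
    # DRS/VMotion only requires a port group with the same name on each host.
    $pg = Get-VirtualPortGroup -VMHost $esx -Name $dmzPortGroup -ErrorAction SilentlyContinue
    if (-not $pg) {
        Write-Warning "$($esx.Name): port group '$dmzPortGroup' is missing; VMotion onto this host will fail"
        continue
    }

    # Whether frames can actually leave the host depends on the vSwitch uplinks.
    $vsw = Get-VirtualSwitch -VMHost $esx -Name $pg.VirtualSwitchName
    if (-not $vsw.Nic) {
        Write-Warning "$($esx.Name): '$dmzPortGroup' sits on vSwitch '$($vsw.Name)' with no physical NIC; DMZ traffic cannot cross to another host"
    } else {
        Write-Host "$($esx.Name): '$dmzPortGroup' on '$($vsw.Name)' uplinked via $($vsw.Nic -join ', ')"
    }
}

# Affinity (keep-together) rule so DRS does not place the pair on different hosts.
$vms = Get-VM -Name $vmNames -Location $cluster
if ($vms.Count -ne $vmNames.Count) {
    throw "Not all of $($vmNames -join ', ') were found in cluster '$clusterName'"
}

if (-not (Get-DrsRule -Cluster $cluster -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-DrsRule -Cluster $cluster -Name $ruleName -KeepTogether $true -VM $vms -Enabled $true
    Write-Host "Created DRS keep-together rule '$ruleName' for $($vmNames -join ' and ')"
} else {
    Write-Host "DRS rule '$ruleName' already exists"
}
```

The port group check is the same one DRS performs before it will consider a migration; the uplink check is the one it does not perform, which is why a pNIC-less DMZ vSwitch passes the DRS test yet loses connectivity as soon as the two VMs land on different hosts. The rule only constrains placement; the brief gap while one VM has migrated and the other has not, mentioned above, still applies.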
In my setup so far DRS never kicked in (that I noticed), as my servers do pretty much close to nothing
Or maybe it worked so well?!
So I can not say I saw the lag, but I use only TCP, so I simply might have not noticed
I use the rule in DRS to keep them together
An option of another pNIC is not workable, as I already have 6 in each server and simply no more space for any extra.
Seb