VMware Cloud Community
StuartLittle
Contributor

ESXi Networking & vSwitch Question

Hello all,

I am very new to VMware and over the last few months have been getting up to speed on the ESXi product. I am now familiar with the basic management and implementation of ESXi and creating VMs etc., but I am unclear on how I can achieve my networking goal. (I know these questions get asked all the time on the forums, so I apologise if this is repeating previous posts ... I can't find exact answers trawling/searching the forums.)

Let me explain our scenario:

We plan to purchase a Dell PowerEdge 1950 III server with ESXi embedded. The server spec is as follows:

2 x Xeon Quad-Core CPUs

16GB RAM

4 x 73GB SAS 15K disk (RAID5 or RAID10 still undecided)

4 x Gigabit NICs

We plan to co-locate this server in a data centre and supply our customers virtual Windows 2003/2008 & Linux platforms for them to use on a monthly subscription etc. We would expect just to have 4 different customers with 2 VMs each running on the server (so 8 VMs in total). Nothing heavy in regards to I/O activity etc.

My question regarding networking is a) how or what is the best method to isolate each customer's VM network from each other's so there is no crossover of network traffic (so they can't see another customer's server/network) ... but still get external access to the internet via our datacentre IP/Firewall/Gateway, and b) how do we provide remote access to each customer network if they all come through our 1 public IP provided by the data center ... is this possible? (We actually have 5 public IPs, I think.)

My initial thoughts were that I could assign each physical NIC a public IP that connects to its own vSwitch that has each customer's VMs running on it:

e.g.

Public IP Number 1 > vmnic0 > vSwitch0 > VM Port Group containing 2 x VMs for Customer 1

Public IP Number 2 > vmnic1 > vSwitch1 > VM Port Group containing 2 x VMs for Customer 2

etc etc.

But then I thought that would limit the number of customers we could have on the server to the number of physical NICs we have in the server (kind of defeats the purpose of high consolidation). I have read and understand about VLANs and Port Groups and would expect that is the best way to do what I want, but I cannot figure out how I would make each separate VLAN/Subnet go out through the 1 public IP attached to the physical NIC.

I apologise if I haven't explained the scenario very well but would welcome any advice on this situation and please ask me to clarify anything that does not make sense.

Thanks in advance to any replies.

Kind regards,

Stuart.

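One way to sanity-check the VLAN-per-customer design described in the post, as an added example that is not from this thread or from VMware: it parses (constructed) output of `esxcli network vswitch standard portgroup list` and flags tenant port groups that would undo the isolation, i.e. two customers tagged with the same VLAN on the same vSwitch, an untagged (VLAN 0) tenant port group, or VLAN 4095, which ESXi treats as "pass all VLAN tags to the guest". The `Customer-` naming prefix is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `esxcli network vswitch standard portgroup list`
# output for the design in the post: one port group per customer, each on
# its own VLAN, all uplinked through vSwitch0. Customer-C and Customer-D
# are deliberately misconfigured so the checker has something to find.
SAMPLE_PORTGROUP_LIST = """\
Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0        1               0
Customer-A          vSwitch0        2               101
Customer-B          vSwitch0        2               102
Customer-C          vSwitch0        2               101
Customer-D          vSwitch0        2               4095
"""

TENANT_PREFIX = "Customer-"   # assumption: tenant port groups are named this way
VGT_ALL_VLANS = 4095          # ESXi: VLAN ID 4095 passes every VLAN tag to the VM

def parse_portgroups(text):
    """Return [(name, vswitch, vlan_id)] from the esxcli table text."""
    rows = []
    for line in text.splitlines()[2:]:          # skip header and separator rows
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 4:
            rows.append((parts[0], parts[1], int(parts[3])))
    return rows

def isolation_findings(rows):
    """Flag port groups that would let one customer's VMs reach another's at L2."""
    findings = []
    by_vlan = defaultdict(list)
    for name, vswitch, vlan in rows:
        if not name.startswith(TENANT_PREFIX):
            continue                             # management/infra groups are out of scope
        if vlan == 0:
            findings.append(f"{name}: untagged (VLAN 0), shares the native VLAN")
        elif vlan == VGT_ALL_VLANS:
            findings.append(f"{name}: VLAN 4095 trunks every VLAN into the guest")
        else:
            by_vlan[(vswitch, vlan)].append(name)
    for (vswitch, vlan), names in sorted(by_vlan.items()):
        if len(names) > 1:                       # two tenants on one broadcast domain
            findings.append(f"VLAN {vlan} on {vswitch} shared by {', '.join(names)}")
    return findings

if __name__ == "__main__":
    for finding in isolation_findings(parse_portgroups(SAMPLE_PORTGROUP_LIST)):
        print("FINDING:", finding)
```

Separating the VLANs on the host only covers the layer-2 side of question a); routing each VLAN out through the shared public IP, and the per-customer port forwarding asked about in b), still has to be done on the upstream firewall/gateway.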
RParker
Immortal

You need to talk to a Cisco or networking admin to set up IP segments on your routers. VLANs get very complicated if you don't know what you are doing. Each port on a physical NIC IS a switch, from the ESX perspective. So each one can have a totally different network, and if your network is set up properly, there is no way your customer VMs (assigned to a virtual switch) can see other machines if they are on different segments, going through a firewall. That way they are isolated.

A 1950 has 2 built in NICs, you can utilize those as well (unless that's part of your 4 already). So with 6 total physical NIC ports you can have 6 completely separate networks ALL on the same ESX host, and none of them can see each other.

Some network engineers won't be happy with this, because to them this is called cross connecting, where 2 separate networks on a machine (1 DMZ and 1 internal LAN, for instance) can communicate. From a purely OS point of view, I can understand, but ESX was designed so that these networks will NEVER see each other; they believe that the OS can be compromised and thus traffic can combine, causing a security problem.

So what you are trying to do is a good idea; however, you may find a few people in your company (including customers) that may balk at running their machines side by side, and the paranoia will sink in. So you may end up putting machines on completely separate machines because of this.

But you are headed in the right direction, and as a proof of concept I sincerely hope you make this work and no one complains and it works out perfectly, because I tried to do this and was shot down. 'DMZ on an ESX server attached to our LAN, what are you smoking, crack?' But it's ESX . . . .
