VMware Cloud Community
lbomb
Contributor

Distributed switch config question

I have a XenDesktop dev environment sandboxed currently on 2 ESXi hosts in a cluster. I have a Distributed Switch and a port group named Test/Dev with no uplinks attached, which all the dev VMs are attached to.

My problem is, the VMs can only communicate with one another if they are located on the same host. A VM located on the opposite host, with the same Test/Dev DVS port group attached, cannot communicate with the VMs on the initial host. Which makes sense since there is no uplink, but what is the best way to configure this setup to work without the Test/Dev VMs on the 192.168.1.0 subnet being able to communicate with my production network on 192.168.0.0?

Test/Dev has its own DHCP, DNS, DC, and I am using Routing Services as a default gateway at 192.168.1.1. My physical switches don't have VLAN capabilities; can I possibly attach an uplink to it and use VLAN tagging in vSphere on all the Test/Dev machines to isolate the network?

3 Replies
virtualg_uk
Leadership

Technically you don't need VLANs if the VMs are on separate subnets and the router does not permit traffic to route between those networks (there is a level of security in place there). Now, there are other considerations, but in very basic terms you could do it this way.

VLANs offer an additional level of logical security but you can get away without using them if required.

Is the attached your topology?

My understanding is that you want the VMs on dev / test to communicate between each other when on different hosts so you are going to add an uplink to the distributed switch per host which in turn is connected to an uplink switch?

If this is the case and your uplink switches do not support VLANs, then as long as the distributed switch is on all hosts and the VMs are on the same port group, it should work as is?


Graham | User Moderator | https://virtualg.uk
lbomb
Contributor

Topology is close; the only difference is I technically have 2 routers. One for production (physical) at 192.168.0.1, then I have an additional virtual router used for the Test/Dev gateway at 192.168.1.1.

My concern is mainly that if I attach an uplink to the DVS Test/Dev port group, it would allow VMs to communicate with my production environment due to the uplink being connected into my production physical switch and router. I don't want my Test/Dev DHCP server offering out IP addresses to random production devices on the production network.

I'm a bit unclear, I guess, on how subnet communication works inside a broadcast domain. So you are saying that if I add the uplink to the Test/Dev port group, as long as all the Test/Dev VMs are on that 192.168.1.1 subnet, they will not be able to communicate with my production network unless I specify a relationship inside my 192.168.0.1 production router?

virtualg_uk
Leadership

They will be on the same physical layer, so there is a risk unless you put something else in place.

Since they are on different subnets, they will not be able to route between each other unless the gateway is configured to allow traffic to route between those networks. If you firewall this or remove routes, then you should be okay.


Graham | User Moderator | https://virtualg.uk
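A defender-side check for the risk raised in this thread (the Test/Dev DHCP server answering production clients once both networks share one physical segment), written as an added example rather than anything posted by the participants: it parses constructed DHCPOFFER sniffer lines and flags any offer whose server, lease or gateway does not belong to the 192.168.0.0/24 production network. The line format and the Test/Dev DHCP server address 192.168.1.10 are assumptions, as is treating the production router 192.168.0.1 as the only authorised DHCP server.

```python
import ipaddress
from dataclasses import dataclass

# Production subnet and router from the thread; that the router is also the
# only authorised production DHCP server is an assumption made for this example.
PROD_SUBNET = ipaddress.ip_network("192.168.0.0/24")
AUTHORISED_DHCP_SERVERS = {ipaddress.ip_address("192.168.0.1")}


@dataclass(frozen=True)
class DhcpOffer:
    server: ipaddress.IPv4Address   # source address of the DHCPOFFER
    offered: ipaddress.IPv4Address  # yiaddr: the lease being offered
    router: ipaddress.IPv4Address   # option 3: default gateway handed to the client


def parse_offer(line: str) -> DhcpOffer:
    """Parse one constructed sniffer line: '<ts> DHCPOFFER server=<ip> yiaddr=<ip> router=<ip>'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[2:])
    return DhcpOffer(
        ipaddress.ip_address(fields["server"]),
        ipaddress.ip_address(fields["yiaddr"]),
        ipaddress.ip_address(fields["router"]),
    )


def offer_problems(offer: DhcpOffer) -> list[str]:
    """Explain why an OFFER seen on the production segment is suspicious (empty list = fine)."""
    problems = []
    if offer.server not in AUTHORISED_DHCP_SERVERS:
        problems.append(f"unauthorised DHCP server {offer.server}")
    if offer.offered not in PROD_SUBNET:
        problems.append(f"lease {offer.offered} is outside {PROD_SUBNET}")
    if offer.router not in PROD_SUBNET:
        problems.append(f"gateway {offer.router} is not on {PROD_SUBNET}")
    return problems


def find_rogue_offers(lines: list[str]) -> list[tuple[DhcpOffer, list[str]]]:
    """Return every offer that has at least one problem, paired with its reasons."""
    return [(o, p) for o in map(parse_offer, lines) if (p := offer_problems(o))]


# Constructed sample capture: one legitimate production offer, then one from the
# Test/Dev DHCP server (192.168.1.10 is made up; 192.168.1.1 is the thread's virtual router).
SAMPLE_CAPTURE = [
    "10:00:01 DHCPOFFER server=192.168.0.1 yiaddr=192.168.0.57 router=192.168.0.1",
    "10:00:01 DHCPOFFER server=192.168.1.10 yiaddr=192.168.1.42 router=192.168.1.1",
]

if __name__ == "__main__":
    for offer, problems in find_rogue_offers(SAMPLE_CAPTURE):
        print(f"ROGUE OFFER from {offer.server}: " + "; ".join(problems))
```

Run against a capture filtered to UDP source port 67 on the production segment, every flagged line is an offer that a production client could have accepted.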