VMware Cloud Community
xianmacx
Contributor

VCD network to Vsphere network mapping

Hello,

So I am new to VCD and trying to understand the best practice on how to map vcd networks back to vsphere networking.

I'll start with the external Network.

In my vsphere network I already have a distributed switch with multiple production port groups.  This distributed switch is backed by 2 pnics from each host.  The pnics connect to trunked pswitch ports that allow traffic on all those vlans.

To setup my external vcd network.  Should I start with a whole new Distributed Switch with dedicated port groups for vcd?  If so, I guess I would need to dedicate pnics to this new dvs?  I am assuming this new "External Network" should have no access to my production networks?

So this is what I am thinking.

1.  New DS with a pnic connected to my cisco switch.

2.  Set up a single vlan on that pswitch port that just goes out through my firewall to the internet.

3.  Create the port group on that new Distributed switch

4.  Create my vcd External Network to use that port group that only has access to the vlan that goes out to the internet.  No connectivity to my production vsphere network?

Again, I am new to vcd so feel free to offer a completely different solution.  I am trying to understand how the vsphere networking should be setup to back those vcd networks.


Thanks in advance,
Ian  

Accepted Solution
cfor
Expert
Let me start by asking what the goal of this cloud is.  Is it to run systems for yourself, or for other entities (like other companies)?

Here is a quick setup that I think will work for many people, or at least as a starting place to get an idea how it goes together. I used it in a small cloud set that was a private cloud, it worked well for the needs so might help in giving you a start.

In VCenter

Single DVS

4 uplink nics on DVS

dvPortGroup for VMKernel/VMotion named "VMotion" VLAN 11

dvPortGroup for Management named "Management" VLAN 10

dvPortGroup for Internet Only traffic named "InternetDirect" VLAN 12

dvPortGroup for Normal network traffic named "VMNetwork" VLAN 13

VLAN 14 also setup on switch as private to be used for VCNI traffic between fenced vApp's

In vCloud

2x Provider network setup in VCD

     "Internet Only" - pointed at the DVS dvPortGroup named "InternetDirect"

     "Normal Network" - pointed at the dvPortGroup named "VMNetwork"

1x Network Pool

     "Standard Network Pool" - set to use VCNI on VLAN 14

For each org (we had a few, but they are all the same company so a little easy)

     2 networks for each added, and pointed to the provider networks

Unless I am forgetting something this is all we had to do in order to have a "normal network", an Internet only network, and allow for vApp's to be fenced and have private network segments. - A few of the vlans we used could have been consolidated, but we liked the idea of knowing esxi-esxi traffic was segmented with a vlan away from other traffic.

ChrisF (VCP4, VCP5, VCP-Cloud) - If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
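As an added example (my own script, not cfor's or VMware's), here is a PowerCLI run that builds the four dvPortGroups from the design above with their VLAN tags, turns off promiscuous mode / forged transmits / MAC changes on each, and then audits the DVS so that any port group that is trunked, untagged, or not in the design gets flagged for review. The vCenter address and the DVS name are assumptions; the `VlanConfiguration` property check assumes the port groups use a single access VLAN, as the design does.

```powershell
# Added example, not from the thread. Assumes PowerCLI (VMware.PowerCLI) is
# installed and that $vcenter / $dvsName are replaced with your own values.
Import-Module VMware.VimAutomation.Vds

$vcenter = 'vcenter.example.local'   # assumption: your vCenter
$dvsName = 'DVS-Cloud'               # assumption: the single DVS in the design

# Port-group -> access VLAN mapping exactly as described in the accepted answer.
$design = @{
    'Management'     = 10
    'VMotion'        = 11
    'InternetDirect' = 12
    'VMNetwork'      = 13
}

Connect-VIServer -Server $vcenter | Out-Null
$vds = Get-VDSwitch -Name $dvsName

foreach ($entry in $design.GetEnumerator()) {
    $pg = Get-VDPortgroup -VDSwitch $vds -Name $entry.Key -ErrorAction SilentlyContinue
    if (-not $pg) {
        # One access VLAN per port group, never a trunk range, so a tenant VM on
        # "InternetDirect" has no way to tag its way onto the management VLAN.
        $pg = New-VDPortgroup -VDSwitch $vds -Name $entry.Key -VlanId $entry.Value
    }
    # Disable promiscuous mode, forged transmits and MAC changes so a guest
    # cannot sniff or spoof other traffic on its VLAN.
    $pg | Get-VDSecurityPolicy |
        Set-VDSecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false |
        Out-Null
}

# Audit: flag any non-uplink port group that is not in the design, is trunked,
# or carries a VLAN other than the one the design assigns to it.
$findings = foreach ($pg in (Get-VDPortgroup -VDSwitch $vds | Where-Object { -not $_.IsUplink })) {
    $vlanCfg  = $pg.VlanConfiguration
    $expected = $design[$pg.Name]
    $ok = ($null -ne $expected) -and ($vlanCfg.VlanType -eq 'Vlan') -and ($vlanCfg.VlanId -eq $expected)
    $status = if ($ok) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{
        PortGroup = $pg.Name
        VlanType  = $vlanCfg.VlanType
        VlanId    = $vlanCfg.VlanId
        Expected  = $expected
        Status    = $status
    }
}
$findings | Format-Table -AutoSize
Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Anything reported as REVIEW is either a port group someone added outside the design or a trunked/mis-tagged one, which is exactly where tenant traffic could leak onto the ESXi management or vMotion VLANs.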

6 Replies
xianmacx
Contributor

Just a bump, any help would be appreciated!

xianmacx
Contributor

cfor,

Ultimately I would like to be able to setup a mock public cloud with "company1", "company2" etc that would have their traffic segregated from other customers and also from the ESXi/infrastructure traffic.

Your example looks great and I will build this out tonight to help understand the mappings more.

In your example the traffic on 10, 11, 12, and 13 can still talk to the other vlans, right?

Thank you very much for your help,
Ian

cfor
Expert

I have not done that but if I was starting I would think the same model would work, however maybe no need for the "Normal network" I listed.  The provider networks would just be direct to internet vlans.  The Org networks would all just point to that network.  If you HAD to make sure no possible way traffic could cross you might need to setup a provider network for each org (seems a little extreme) - and I might suggest a network pool per org.  (Each VCNI pool requires a private vlan, it does not need to be fully routable so usually they are easy to setup a big stack to use.)

Edit (as I think I might not have answered some things in your post)

---

I would make each VLAN only able to talk to what they should.  For example the management vlan only needs to talk to cell servers, esxi hosts, and the vcenter server.  The internet vlan groups could cross talk - however most of the time the organization network that you setup for the org will be a NAT with a firewall to protect against this. I would have separate VCNI network pools for each org just to make sure the vapp -> vapp traffic does not get crossed between orgs.

Hope that helps some

ChrisF (VCP4, VCP5, VCP-Cloud) - If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
chadwickking
Expert

Pretty much right on.

That would be one of the ways you can do it.  Sometimes depending on the security level you may want to have, like what he was talking about, an external network per tenant.  We have to do that for security reasons.

Cheers, Chad King VCP4 Twitter: http://twitter.com/cwjking | virtualnoob.wordpress.com If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
xianmacx
Contributor

Thank you guys very much for your help.  Based on your recommendations I was able to get everything mapped and it all makes sense now.

1.  I just used my existing vDS as mentioned.

2.  I created a VLAN50 on my physical switch and ACL'ed it so it would only have internet access.

3.  I created a Port group in vsphere with the VLAN50.

4.  I created 1 external network in vcloud that used that VLAN50 to only give it access to the web. "Public Connection"

5.  I created 1 network pool backed by VLANs (900-1000)

6.  For each of my "tenants" I created 3 org networks

     a.  direct connection to "Public Connection"

     b.  routed connection to "Public Connection"  (backed by the network pool)

     c.  Internal only connection (backed by the network pool)

I really appreciate your help,


Thanks,
Ian
