VMware Cloud Community
vlgngrbrdmn
Contributor

How to Create an Isolated Network in vSphere

Hi all,

I am new to this forum and fairly new to vSphere in general. So, forgive me if the questions I am about to ask are easily found elsewhere on this site.

I spent most of my day Googling this but just ended up more confused in the end.

I currently have 3 ESXi hypervisors in my homelab in a vSphere cluster with HA, DRS, and vSAN enabled.

I am looking to setup a Windows test domain network. One VM, my gateway VM, will have two network adapters, one to connect it to the Internet, and the other to connect to the rest of the VMs in my test domain.

I cannot, for the life of me, figure out how to set this up.

In the past, when I had one ESXi box, I was able to do it by creating a network with no uplinks attached to it. I cannot figure out how to set that up with distributed switches.

I have been told that the best way to replicate this would be to use VLANs. However, I am not too familiar with how to set those up and have been unsuccessful so far.

If anyone could point me in the right direction it would be much appreciated!

7 Replies
depping
Leadership

There is no other way than to use VLANs when you have a clustered vSphere environment. With a single host you simply create a portgroup without a NIC attached to it so that traffic doesn't go outside, but with multiple hosts the traffic needs to flow from host to host, so you will need to create a portgroup with a specific VLAN assigned to it. I would highly recommend figuring out who a local partner is that can help; it isn't rocket science typically, but if you haven't done this before then a mistake is easily made and could lead to very strange situations.

Dashers
Enthusiast

Don't be afraid of VLANs, you have to use them for this sort of thing. VLANs can sound like a complicated subject, but honestly they're not.

A VLAN is simply a way for a switch to tag packets and keep them segregated - which can be shared across multiple switches - exactly what you're trying to do.  If a device is set to work on a VLAN it won't see traffic on another VLAN etc.

As above, this is done with port groups. Simply create a new port group and pick a number of your fancy between 1 and 4095 (exclusive); swish, you now have a VLAN set up. That port group will only receive traffic with that number tagged. Any other networking device that supports tagging (such as other VMware hosts, network switches, even desktops) can send traffic with that tag on, and anything set up not to look for it won't see those packets.

Notes:

VLAN 0 = disabled, this is the default world of traffic, and how everything will be running at the moment.

VLAN 4095 = All the VLANs, this is useful if you don't want to do your VLAN un/tagging at the switch level but want to delegate that to a guest (e.g. if you're running a dedicated virtual switch/router/thing).

Unmanaged switches: Only business-grade devices tend to support VLAN tagging. A cheap desktop switch might get confused or strip VLAN tags (or might pass them through, YMMV), so be mindful of this when connecting devices together (a point-to-point cable will work around this).

vlgngrbrdmn
Contributor

Thank you for your reply!

Unfortunately, I am still having issues even after setting things up in the way you described.

I created a port group under my one and only DSwitch and set the VLAN to 100.

I then connected a network adapter on two VMs to that port group and assigned IP addresses to both, 172.16.1.1 and 172.16.1.2 respectively.

I cannot ping either of them from either VM, "Destination host unreachable."

I do not think the issue is with my adapter IP settings within Windows on either system since I have created this exact same setup in Hyper-V before with an isolated network there with no issues.

Any further help/troubleshooting steps would be much appreciated.

jburen
Expert

If you move both VMs to the same host, and they are both connected to the same vDS, then ping should work. If it does, move one VM to another host. Then retry the ping command. If it doesn't work you probably misconfigured the VLAN on the physical switch(es).

Consider giving Kudos if you think my response helped you in any way.
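The two steps the thread walks through (Dashers: a vDS port group tagged with a single VLAN ID; jburen: test on one host first, then across hosts) as one PowerCLI script. This is an added example, not code from any poster: it assumes the VMware PowerCLI module, an existing Connect-VIServer session, and the switch, port group and VM names given in the variables (the VLAN ID 100 is the one used in the thread).

```powershell
# Added example (not from this thread). Assumes PowerCLI + Connect-VIServer.
# Assumed names: adjust to your lab.
$vdsName = 'DSwitch'                 # the OP's single distributed switch
$pgName  = 'TestDomain-VLAN100'      # port group to create (assumed name)
$vlanId  = 100                       # VLAN ID used in the thread
$vmNames = @('TestDC01', 'TestClient01')   # the two test VMs (assumed names)

$vds = Get-VDSwitch -Name $vdsName

# 1. Create the port group tagged with a single VLAN. ID 0 means untagged
#    (the default shared segment) and 4095 passes every VLAN to the guest,
#    so an isolated test segment wants one ID in between.
$pg = Get-VDPortgroup -VDSwitch $vds -Name $pgName -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VDPortgroup -VDSwitch $vds -Name $pgName -VlanId $vlanId
}
Write-Host "Port group $($pg.Name) uses VLAN $($pg.VlanConfiguration)"

# 2. The vDS itself does not carry VLAN 100 between hosts; the uplinks'
#    physical switch ports must. List them so you know which ports to trunk.
Get-VMHostNetworkAdapter -DistributedSwitch $vds -Physical |
    Select-Object VMHost, Name, Mac |
    Format-Table -AutoSize

# 3. jburen's test, part 1: both VMs on the same host, so the ping only
#    crosses the vDS. This must work even before the physical switch is touched.
$vms       = Get-VM -Name $vmNames
$firstHost = $vms[0].VMHost
$vms | Where-Object { $_.VMHost.Name -ne $firstHost.Name } |
    Move-VM -Destination $firstHost -Confirm:$false
Write-Host "Both VMs are on $($firstHost.Name). Ping 172.16.1.2 from 172.16.1.1."
Read-Host 'Press Enter once that ping succeeds'

# 4. Part 2: move one VM to another host and ping again. A failure here means
#    VLAN 100 is not allowed on the trunk ports listed in step 2.
$otherHost = Get-VMHost |
    Where-Object { $_.Name -ne $firstHost.Name } |
    Select-Object -First 1
Move-VM -VM $vms[1] -Destination $otherHost -Confirm:$false
Write-Host "$($vms[1].Name) is now on $($otherHost.Name). Repeat the ping."
```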
vlgngrbrdmn
Contributor

So, I am a bit confused here.

I have not touched any physical switches.

I have only modified the port group by adding the VLAN. That is it.

Do I need to mess with the physical UniFi switch I have my whole environment connected to?

Right now, I have everything under one IP range, since it is my home test lab.

jburen
Expert

So the three ESX hosts are not physical? If they are virtual they must be connected to some virtual network. E.g. in VMware Workstation you configure the network with the Virtual Network Editor. There you must also configure the VLAN.

But if they are physical you must configure the switchports of the switch the hosts are connected to.

Consider giving Kudos if you think my response helped you in any way.
vlgngrbrdmn
Contributor

Thanks!

This resolved my issue for me.

After creating the VLAN on my physical switch, I was able to ping both VMs from each other.

Thank you for your help!
