LiamSinton
Contributor

2 subnets on 1 vswitch

Hi

Platform: vSphere 4.0 Essentials Plus

ESX Hosts: 2 X Dell PE2950

NICS: 6 in each host

My issue is that I have allocated 2 Pnics for iSCSI traffic (isolated subnet), 1 Pnic for management traffic (same subnet as production environment) and 3 Pnics for VM traffic (same subnet as management environment) on each host. I have some servers running in our production environment of 192.168.1.X and some (web servers) in a DMZ of 192.168.30.X. I need to make the VMs in both subnets communicate but I do not want to sacrifice one of the Pnics from my VM traffic vswitch. I wanted to be able to add 2 subnets in the same VM traffic switch so both subnets can use the 3 uplinks. I don't seem to be able to do this, can anyone advise please?

Cheers

Accepted Solutions
proden20
Hot Shot

Create 2 different port groups on the vswitch dedicated to your virtual machines. One for your DMZ and one for your production VMs. Then use VLAN tagging (and VLAN tags on your switches, respectively) to let the vmkernel route the traffic to the intended subnet. When you create VMs, you will be able to assign their vnics to one of the port groups (VLANs).

You may face challenges in doing so, but try to keep your management network away from your production network for security reasons. Another option in your scenario is to add that nic for your service console to the vswitch for your virtual machines, and run your service console and virtual machine port groups on the 4-port vswitch. Not a best security practice but could offer further redundancy to your service console (you don't want to lose that.)

Dennis Procopio - VCP

10 Replies
LiamSinton
Contributor

Hi Dennis

The whole idea behind the DMZ was never implemented correctly originally and when I came in, I took over 2 web servers each with 2 nics. One was a private IP and the other was public, believe it or not.

I removed the public IPs (and one of the web servers, to be honest) and I am now NATting http through to the web server, so I am not sure I really need it in a DMZ anymore?

If you think I do though, I need to connect the web server to my firewall (that does the separation) which means I will not have a physical switch to connect it to (as the machine only has a single nic anyway). This means that I am confused about this:

Then use VLAN tagging (and VLAN tags on your switches, respectively)

Without a physical switch, would I just need to create 2 port groups on my vswitch and add the VMs to the correct one? I am not exactly sure about the VLAN tagging thing.

The only reason I kept the management network on the same subnet as production was so that I didn't have to attach it into another switch and then patch into the IT room so we can connect, as we are limited with network ports in the room and it would mean adding extra nics to the IT PCs. Plus I have already planned to set up an isolated IT test environment so we can take live copies of our servers, which is going to mean a separate network anyway. If I separated the management network, I would end up with the IT PCs requiring 3 nics each? Correct me if I'm wrong though.

I do agree with the redundancy on the service console and I suppose the reason I only gave it 1 uplink was the fact that I would be able to connect directly to the hosts if the vCenter server was down. Now I think about it, that must be rubbish, as wouldn't connecting to the hosts directly require the same service console port?

I think I am confusing myself now....
proden20
Hot Shot

Liam,

Can you provide a diagram of your hosts, physical segments, and subnets and clarify your requirements?

It sounds like you can use some network infrastructure modifications to make the best use of the product. You will want to segregate broadcast domains if you are using multiple subnets in your infrastructure.

Also, you have not yet virtualized these systems yet, correct?

Dennis Procopio - VCP

LiamSinton
Contributor

I have virtualised some of the production servers and I am planning to do the web server shortly. It was sort of an afterthought remembering they were on separate networks, I am afraid to say.

Do you think it would be a security risk if I changed the web server IP back to match our production network now that it does not have a public IP? Would make it much easier that way but I appreciate someone could breach the web server so I guess it's probably not the best idea.

I don't have a diagram I'm afraid but I can try to knock something up in visio? What exactly do you want to see, the physical or virtual environment (or both)?

proden20
Hot Shot

Reading back over your web server issue... if you are currently plugging it directly into the firewall and want to continue to do so, you will need to use a separate nic. Otherwise you are going to need to get some routing into play somehow.

Think of it this way

4 physical nics in your vswitch should all plug into 4 ports on the same physical switch.

You should enable lacp on the ports on that physical switch to prevent packet reflection.

If you are carrying multiple subnets over this aggregated trunk, you should setup vlans on those ports.

Once those vlans are setup on the physical infrastructure, modify the port groups on the vswitch and add the vlan tag id for each port group's respective subnet.

When you virtualize your guest, set its vnic to use the port group for the subnet that you want it on.

Another cure for what ails you is simply buying more nics and creating another vswitch.

Dennis Procopio - VCP
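The layout Dennis describes in the accepted answer and in the steps above (one port group per subnet on the VM vSwitch, each carrying its own VLAN tag, with the guest's vnic attached to the port group for its zone) can be checked before any guest is moved onto it. The script below is an added example, not code from this thread or from VMware: it parses text in the shape of the ESX 4.0 service-console listing `esxcfg-vswitch -l` (the sample listing, the port-group-to-zone mapping and the VLAN IDs 10 and 30 are all constructed assumptions), flags port groups whose VLAN settings would leave DMZ and production hosts in one broadcast domain, and prints the `esxcfg-vswitch -v` commands that would tag them so the result can be re-checked.

```python
"""Check an ESX 4.0 standard-vSwitch layout for a clean DMZ/production split.

Parses text shaped like the service-console listing `esxcfg-vswitch -l`
(constructed sample below), reports port groups whose VLAN settings would put
two zones in one broadcast domain, and plans the commands that tag them.
"""
import copy
import re

# Constructed sample: management on vSwitch0, VM traffic on vSwitch1 with three
# uplinks, and a DMZ port group that was created but left untagged (VLAN 0).
SAMPLE_LISTING = """\
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         64          3           64                1500    vmnic0

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Service Console       0        1           vmnic0

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1         64          7           64                1500    vmnic2,vmnic3,vmnic4

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Production            0        4           vmnic2,vmnic3,vmnic4
  DMZ                   0        1           vmnic2,vmnic3,vmnic4
"""

# Assumed mapping from port-group name to security zone; adapt to your names.
ZONE_OF = {"Production": "prod", "DMZ": "dmz", "Service Console": "mgmt"}

SWITCH_RE = re.compile(r"^(vSwitch\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s*(\S*)")
PG_RE = re.compile(r"^ {2}(.+?) {2,}(\d+)\s+\d+\s+(\S*)\s*$")


def parse_listing(text):
    """Return {vswitch: {"uplinks": [...], "portgroups": {name: vlan_id}}}."""
    switches, current = {}, None
    for line in text.splitlines():
        m = SWITCH_RE.match(line)
        if m:
            current = m.group(1)
            uplinks = m.group(2).split(",") if m.group(2) else []
            switches[current] = {"uplinks": uplinks, "portgroups": {}}
            continue
        m = PG_RE.match(line)
        if m and current:
            switches[current]["portgroups"][m.group(1)] = int(m.group(2))
    return switches


def audit(switches, zone_of=ZONE_OF):
    """Return sorted (severity, message) findings about zone isolation."""
    findings = []
    for name, sw in switches.items():
        pgs = sw["portgroups"]
        zones = {zone_of.get(pg, pg) for pg in pgs}
        seen = {}  # VLAN id -> zone that first claimed it on this vSwitch
        for pg, vlan in pgs.items():
            zone = zone_of.get(pg, pg)
            if vlan == 4095:  # VGT: the guest receives every VLAN on the trunk
                findings.append(("HIGH", f"{name}/{pg}: VLAN 4095 hands the whole trunk to the guest"))
            elif vlan == 0 and len(zones) > 1:
                findings.append(("HIGH", f"{name}/{pg}: untagged on a vSwitch shared by zones {sorted(zones)}; it sits in the uplinks' native VLAN"))
            elif vlan in seen and seen[vlan] != zone:
                findings.append(("HIGH", f"{name}/{pg}: VLAN {vlan} already carries zone {seen[vlan]}"))
            seen.setdefault(vlan, zone)
        if "mgmt" in zones and len(zones) > 1:
            findings.append(("MEDIUM", f"{name}: management traffic shares uplinks with VM port groups"))
    return sorted(findings)


def plan_tagging(switches, vlan_for_zone, zone_of=ZONE_OF):
    """Service-console commands giving each untagged zone its own 802.1Q ID.

    vlan_for_zone maps a zone to the VLAN ID trunked on the physical switch
    ports behind the uplinks (assumed values in main()).
    """
    cmds = []
    for name, sw in switches.items():
        pgs = sw["portgroups"]
        if len({zone_of.get(pg, pg) for pg in pgs}) < 2:
            continue  # a single-zone vSwitch may stay untagged
        for pg, vlan in pgs.items():
            want = vlan_for_zone.get(zone_of.get(pg, pg))
            if vlan == 0 and want:
                cmds.append(f'esxcfg-vswitch -v {want} -p "{pg}" {name}')
    return cmds


def apply_plan(switches, cmds):
    """Model the planned commands on a copy so the layout can be re-audited."""
    fixed = copy.deepcopy(switches)
    for cmd in cmds:
        m = re.match(r'esxcfg-vswitch -v (\d+) -p "(.+)" (\S+)$', cmd)
        fixed[m.group(3)]["portgroups"][m.group(2)] = int(m.group(1))
    return fixed


if __name__ == "__main__":
    layout = parse_listing(SAMPLE_LISTING)
    for severity, message in audit(layout):
        print(severity, message)
    plan = plan_tagging(layout, {"prod": 10, "dmz": 30})  # assumed VLAN IDs
    print("\n".join(plan))
    print("findings after tagging:", audit(apply_plan(layout, plan)))
```

A port group left at VLAN 0 on a shared vSwitch is the failure mode to watch for: it is untagged, so its frames travel in whatever native VLAN the physical switch ports carry, together with anything else untagged on the same uplinks, which is exactly the DMZ-meets-production case the thread is trying to avoid. The VLAN IDs in the plan must match what is trunked on the physical ports behind the uplinks, as the steps above say; the script only models the vSwitch side. A Service Console port group on the VM vSwitch is reported at MEDIUM rather than HIGH, matching the redundancy trade-off Dennis describes.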

proden20
Hot Shot

If your web server is in a DMZ I wouldn't put it on your production network.

Dennis Procopio - VCP

LiamSinton
Contributor

Sounds complicated and I don't even know what lacp is....

I think I will just change the web server IP so they are on the same subnet, as I think it would take a while to get my head around the switching, port groups and VLANs.

I appreciate your help though

Liam

LiamSinton
Contributor

I can take it out of the DMZ quite easily. To be perfectly honest, I'm looking for someone else to host it soon anyway so my problems will all go away.

proden20
Hot Shot

OK Liam. For future use... adding physical nics is a common solution you will find when studying network bottleneck scenarios.

If you found this question to be correct or helpful, please remember to award points.

Dennis Procopio - VCP

LiamSinton
Contributor

Cheers Dennis