VMware Cloud Community
manofbronze
Enthusiast

How to solve a VLAN dilemma?

Okay, try not to laugh me off the forum but .... :smileyblush:

I have a Watchguard XTM510 as our firewall/spamfilter/web blocker/high over-lord of the network perimeter connected via a single uplink trunk port to my 3Com/HP switch stack (3-48 port switches). The switch stack has (2) VLANs defined, (72) ports for "basic" network traffic (ID 1), and (72) ports for iSCSI traffic (ID 2). (3) ESXi 4.1 host servers are connected to VLAN 1 by (6) 1GB ethernet ports (two each) and to VLAN 2 by (12) 1GB ethernet ports (4 each). Each host has a vSwitch for network traffic and a vSwitch for iSCSI traffic. There are approximately (30) guest VMs (all Windows 2008 R2 Standard Edition) on (6) different private networks. 1 to 1 NAT is employed on the trusted interface of the XTM510 to map public addresses to private. The XTM510 trusted interface has (1) primary network and (5) secondary networks defined (example 10.0.1.0/24 - primary, 10.0.2.0/24 thru .5.0/24 secondary). The trusted interface is connected to the switch stack as the single uplink port.

Everything works fine except ... the XTM510 trusted interface is acting as a bridge/router between all networks defined as primary or secondary. 10.0.1.0/24 can happily see 10.0.2.0/24 and 10.0.3.0/24 and vice-versa. Not desirable because most of these networks are virtual DR standby sites for several customers. After several days of back and forth with Watchguard tech support, they essentially told me this can't be altered and I have to either use one network per interface (maximum of 5 ... not enough) or create a separate VLAN for each network on my switch stack. Creating a separate VLAN for each network on the switch stack would limit me to a maximum of (6), provided I broke NIC teaming on each host, unless I added a boat load more NICs. Also, not a desirable solution.

Short of replacing the XTM510 with a different device (physical or virtual) that would allow a single uplink trunk and keep the networks logically partitioned, does anyone know of a way to achieve logical partitioning within VMware? I am also open to any alternative solutions that don't involve a jungle of cables and NICs ....

Thank you in advance for any and all recommendations.

vmroyale
Immortal

Note: Discussion successfully moved from VMware ESXi™ 4 to VMware vSphere™ vNetwork

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
rickardnobel
Champion

manofbronze wrote:

Creating a separate VLAN for each network on the switch stack would limit me to a maximum of (6), provided I broke NIC teaming on each host, unless I added a boat load more NICs.

Could you clarify the statement above? Do you have a limit of 6 VLANs on your physical switch?

What kind of NIC teaming configuration have you done on your ESXi hosts? (That is, which NIC Teaming Policy is selected?)

And also, have you done any Link Aggregation setup on your physical switches?

My VMware blog: www.rickardnobel.se