Wikkie
Contributor

Using Vlan for LAN & DMZ

Hi there,

At the moment I have assigned my LAN and DMZ networks to two separate NICs (so no VLAN tagging),

e.g. vmnic0 = LAN, vmnic1 = DMZ.

This all works fine, but I'd like to make some changes: I'm going to use two separate physical NICs and carry both LAN and DMZ on both NICs, but now by using VLANs.

So I'm thinking about this setup:

For each network I create a vSwitch, so I get vSwitches named VsLAN and VsDMZ, for instance.

To the vSwitch I assign two NICs; one NIC will be the standby one, so e.g. vmnic0, vmnic2 (standby).

On this vSwitch I will create a Port Group and assign the right VLAN number, like 10 to LAN and 20 to DMZ.

Creating the other vSwitch will use the same NICs, but now vmnic0 will be the standby one.

Probably all fine so far, I think, or not? :)

Questions:

- Well, in this concept, is there a one-to-one relation between vSwitch and Port Group, or one switch with multiple Port Groups?

In the case of one vSwitch with multiple Port Groups I will assign the active and standby NIC at Port Group level.

- If I create a Port Group and assign a VLAN number, will the IP packets received by the VM itself be tagged or untagged?

In other words: do I need to set up the NIC at the VM to the same VLAN ID as well, or not?

Thanks for your feedback.


Accepted Solutions
dkfbp
Expert

Hi,

Changing to VLANs is a pretty good idea to get failover and performance for the LAN and DMZ networks. You have the concepts mixed up somewhat, though.

A vmnic can only be used in one vSwitch. So what you want to do is the following:

Create a vSwitch

On the vSwitch create two Port Groups: LAN (VLAN 10), DMZ (VLAN 20)

If vmnic0 and vmnic1 both have access to VLAN 10 and 20, then just add both vmnics to the virtual switch. By default they will both be active and that is fine. If you don't want that, edit the LAN port group, go to the "Failover" tab and put vmnic0 as active and vmnic1 as standby. Then do it the other way around on the DMZ port group.

Best regards

Frank Brix Pedersen

blog: http://www.vfrank.org

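As an added example (not from the thread and not Frank's own script), this PowerCLI snippet builds the layout described in the accepted answer: one vSwitch with both uplinks, two port groups tagged with VLAN 10 and 20, and an opposite active/standby order on each port group. The host name, vSwitch name and port group names are placeholders; the vmnic numbers and VLAN IDs are the ones used in the thread. It assumes VMware PowerCLI and an existing Connect-VIServer session.

```powershell
# Added example, not code from the original thread.
# Assumed placeholders: host "esx01.example.local", vSwitch "vSwitch1".
# From the thread: uplinks vmnic0/vmnic1, VLAN 10 = LAN, VLAN 20 = DMZ.
# Requires VMware PowerCLI and an active Connect-VIServer session.

$vmhost = Get-VMHost -Name "esx01.example.local"

# One vSwitch carrying both uplinks; a vmnic can belong to only one vSwitch.
$vs = Get-VirtualSwitch -VMHost $vmhost -Name "vSwitch1" -ErrorAction SilentlyContinue
if (-not $vs) {
    $vs = New-VirtualSwitch -VMHost $vmhost -Name "vSwitch1" -Nic "vmnic0","vmnic1"
}

# Two port groups, each with its own VLAN ID (Virtual Switch Tagging):
# the vSwitch adds and strips the 802.1Q tag, so the guest NIC sees untagged frames
# and needs no VLAN configuration of its own.
$lan = New-VirtualPortGroup -VirtualSwitch $vs -Name "LAN" -VLanId 10
$dmz = New-VirtualPortGroup -VirtualSwitch $vs -Name "DMZ" -VLanId 20

# Per-port-group failover order: LAN prefers vmnic0, DMZ prefers vmnic1.
# Each uplink is still usable by both networks, so losing one NIC or one
# physical switch keeps both LAN and DMZ reachable.
Get-NicTeamingPolicy -VirtualPortGroup $lan |
    Set-NicTeamingPolicy -InheritFailoverOrder $false `
        -MakeNicActive "vmnic0" -MakeNicStandby "vmnic1" | Out-Null
Get-NicTeamingPolicy -VirtualPortGroup $dmz |
    Set-NicTeamingPolicy -InheritFailoverOrder $false `
        -MakeNicActive "vmnic1" -MakeNicStandby "vmnic0" | Out-Null

# Verification: show each port group with its VLAN and resulting failover order.
foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vs) {
    $pol = Get-NicTeamingPolicy -VirtualPortGroup $pg
    "{0,-6} VLAN {1,-4} active={2} standby={3}" -f $pg.Name, $pg.VLanId,
        ($pol.ActiveNic -join ","), ($pol.StandbyNic -join ",")
}
```

The verification loop is the check worth keeping: a DMZ port group with VLAN ID 0 (untagged) or 4095 (tags passed through to the guest) would silently change which frames the VM can see, so confirm the VLAN column after any change. The physical switch ports behind vmnic0 and vmnic1 must both be trunks that forward VLAN 10 and 20; prune every other VLAN from those trunks so the host can only reach the networks it is meant to.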
5 Replies
weinstein5
Immortal

  • Well, in this concept, is there a one-to-one relation between vSwitch and Port Group, or one switch with multiple Port Groups?

In the case of one vSwitch with multiple Port Groups I will assign the active and standby NIC at Port Group level.

As long as the physical switch is configured correctly: with the 1-to-1 relationship you only need to make sure the port is configured for the VLAN it will see; in the 1-to-many case you will have to configure the physical port as a trunk port configured to recognize all the possible VLANs that come across that port.

  • If I create a Port Group and assign a VLAN number, will the IP packets received by the VM itself be tagged or untagged?

In other words: do I need to set up the NIC at the VM to the same VLAN ID as well, or not?

The VLAN tag is stripped by the virtual switch, so there is no need to configure the NIC for the VLAN.

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
Wikkie
Contributor

Thx "Weinstein", very helpful, but you're also confusing me :)

The VLAN topic is all clear, very nice.

But I understand I have to trunk, let's say, two ports on my switch which connect to the ESX host?

Is it not better what "Frank" is suggesting: at the Port Group set one NIC active and the other as standby, then at the other port group do the opposite? I'm probably missing something here.

This is because I'm working with 2 switches for failover, so it is not possible to create this trunk!

dkfbp
Expert

Hi,

The big question is: are your DMZ and LAN separated on different switches with an air gap, or do they live as VLANs on both switches? If they live on both switches, you create a TRUNK port (Cisco terminology) that forwards VLAN 10 and 20 on both switches.
Best regards

Frank Brix Pedersen

blog: http://www.vfrank.org
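Frank's condition ("if vmnic0 and vmnic1 both have access to VLAN 10 and 20") can be verified from the host side before relying on failover. The PowerCLI snippet below is an added example, not part of the thread: it reads the VLAN IDs ESX has observed on each uplink of the vSwitch (the "network hints" shown as Observed IP ranges in the client) and compares them with the VLANs the port groups require. Host and vSwitch names are placeholders; hints only appear for VLANs on which the host has actually seen traffic, so an empty list on a quiet VLAN is not by itself a failure.

```powershell
# Added example, not code from the original thread.
# Assumed placeholders: host "esx01.example.local", vSwitch "vSwitch1".
# Uses HostNetworkSystem.QueryNetworkHint, which reports the VLAN IDs observed per vmnic.
# Requires VMware PowerCLI and an active Connect-VIServer session.

$vmhost = Get-VMHost -Name "esx01.example.local"
$vs     = Get-VirtualSwitch -VMHost $vmhost -Name "vSwitch1"

# VLANs the port groups on this vSwitch depend on.
# 0 (untagged) and 4095 (tags passed to the guest) are excluded from the check.
$needed = @(Get-VirtualPortGroup -VirtualSwitch $vs |
    Where-Object { $_.VLanId -gt 0 -and $_.VLanId -lt 4095 } |
    Select-Object -ExpandProperty VLanId -Unique)

$netSys = Get-View -Id $vmhost.ExtensionData.ConfigManager.NetworkSystem
$hints  = $netSys.QueryNetworkHint($vs.Nic)   # one PhysicalNicHintInfo per uplink

$allGood = $true
foreach ($hint in $hints) {
    $seen    = @($hint.Subnet | Select-Object -ExpandProperty VlanId -Unique)
    $missing = @($needed | Where-Object { $seen -notcontains $_ })
    $extra   = @($seen   | Where-Object { $needed -notcontains $_ })

    "{0}: observed VLANs {1}" -f $hint.Device, ($seen -join ",")
    if ($missing.Count -gt 0) {
        # The trunk behind this uplink is not forwarding a VLAN a port group needs:
        # failover onto this NIC would isolate that network.
        $allGood = $false
        "  MISSING on this uplink: {0}" -f ($missing -join ",")
    }
    if ($extra.Count -gt 0) {
        # The trunk carries VLANs the host has no port group for; prune them on the switch.
        "  EXTRA (prune from the trunk): {0}" -f ($extra -join ",")
    }
    if ($hint.ConnectedSwitchPort) {
        # CDP tells you which physical switch and port this uplink lands on.
        "  CDP neighbour: {0} port {1}" -f $hint.ConnectedSwitchPort.DevId, $hint.ConnectedSwitchPort.PortId
    }
}
if (-not $allGood) {
    Write-Warning "At least one uplink does not see every required VLAN; failover would break that network."
}
```

Run it once with both uplinks active and again after pulling each cable in turn; the CDP line confirms the two uplinks really land on the two different physical switches, and the EXTRA line is the quickest way to spot a trunk that was left allowing all VLANs instead of just 10 and 20.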
Wikkie
Contributor

We're running the LAN and DMZ as VLANs on both switches.

So we "trunk" the VLANs, not the Ethernet ports themselves; that clears it up. Thx
