the VM would exist in which environment? how would one set this up?

let's say I have VLAN 110 is my standard production environment, and VLAN 130 is my first isolated bubble and VLAN 131 is my second isolated bubble.

You would create another portgroup for this VM, which allows all VLANs. The router software has to be able to do VGT (VLAN guest tagging)

for VGT see http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf

André

the VM would exist in which environment? how would one set this up?

let's say I have VLAN 110 is my standard production environment,

Which, as I understand it, you don't want to talk to either bubble...

and VLAN 130 is my first isolated bubble and VLAN 131 is my second isolated bubble.

You use a 2nd vSwitch with no pnics. Put both bubble VLANs on the new switch. Add a VM to both VLANs running the OS of your choice to act as the router between the VLANs.

Happy virtualizing!

JP

Please consider awarding points to helpful or correct replies.

Hello,

To allow the two 'bubbles' to talk to each other you need to bridge the portgroups on which those VLANs reside using some form of virtual appliance. virtual router, gateway, firewall all work. You can keep the two portgroups isolated from all else as well.

You can use a Private vSwitch with 2 portgroups or two private vswitches. But without some way to bridge between your VLAN bubbles (such as a virtual appliance) there is no way to communicate between them.

Which virtual appliance style you choose, firewall, gateway, router is up to you.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]

Also available 'VMWare ESX Server in the Enterprise'[/url]

Blogging: The Virtualization Practice[/url]|Blue Gears[/url]|TechTarget[/url]|Network World[/url]

Podcast: Virtualization Security Round Table Podcast[/url]|Twitter: Texiwll[/url]

So in following those details, I have setup a new vSwitch, with as of now, a single associated port group, attached to fake VLAN 130. When I try to change the port group association in the config settings of an existing VM to use this new port group / VLAN, it doesn't show up in the list. When I setup the new vSwitch I did NOT associate any adapters with it. Is this causing this inability to associate the port group with the existing VMs?

I read it but I can't believe it

Are you sure you added a "Virtual Machine" port group on the new vSwitch and did not accidently add a VMkernel port group?

André

LOL thanks! I'm admittedly a noob, but not THAT bad!! LOL

nope, just eyeballed it again in case it was my bad, but alas no. I created a new vSwitch (vSwitch2, as I already have two existing), and added a virtual machine port group called ocx-staging-test, associated with VLAN 200 (which is a fake, it doesn't exist on any physical switch). I added no adapters to vSwitch2, and when I try to select the new port group from the drop down list in the vNIC settings of the appropriate VMs, its not in the list.

any ideas?

I never saw something like that.

Which version build of ESX do you use?

Can you add another virtual machine port group, just default without VLAN configuration, to see whether this one shows up in the list?

André

sorry, should have stated that earlier. ESX 4.0, not sure of the build though.

I added another virtual machine port group with no VLAN association, and it does NOT show up in the list available to the VMs.

one thing I noticed though, I've been creating these networking components from the Networking section of the Configuration tab of one of my 6 hypervisors (randomly chosen). when I look in the same sections on the other 5, my networking additions (the vSwitch and the virtual machine port groups) don't show either. it just so happens that the VMs, to which I want to assign the isolated virtual machine port groups on the new vSwitch are on different hypervisors than the networking components which I had just created.

why are the new networking components not propagating to the other hypervisors? and is this my problem? have I been creating the networking components incorrectly? I tried creating them from the Inventory->Networking view (in the vSphere client), but there was no option to create anything other than a distributed vSwitch, which was not what I was looking for...

why are the new networking components not propagating to the other hypervisors? and is this my problem? have I been creating the networking components incorrectly? I tried creating them from the Inventory->Networking view (in the vSphere client), but there was no option to create anything other than a distributed vSwitch, which was not what I was looking for...

You have to create standard vSwitches and port groups on each host separately. They are not replicated.

This is one of the pros for the new "Virtual Distributed Switch" in vSphere 4.x.

André

argh!!!! are you kidding me??? so we should've setup two distributed vswitches for the environment instead of two on each hypervisor!!!!

although, wait a sec, when I went through the distributed vswitch setup process, I was stymied at the Add Hosts and Physical Adapters section, as there was no population in the list that I was to select from. Even when I chose the Add Later option, later there was still no population of hosts or physical adapters to choose from. How is that field populated? (its quite useless otherwise)

argh!!!! are you kidding me??? so we should've setup two distributed vswitches for the environment instead of two on each hypervisor!!!!

No, what I said was that when using Standard vSwitches (which I assume you have in place) you have to create them on each host separately.

The use of a dvSwitch is an option you have with the Enterprise Plus version. However that's a completely different setup.

although, wait a sec, when I went through the distributed vswitch setup process, I was stymied at the Add Hosts and Physical Adapters section, as there was no population in the list that I was to select from. Even when I chose the Add Later option, later there was still no population of hosts or physical adapters to choose from. How is that field populated? (its quite useless otherwise)

If you want to create a dvSwitch you will need at least 1 free NIC. You should not start creating a dvSwitch unless you are familiar with all the pros and cons of this.

André

ah! OK, so I'm good, I just need to replicate my process on all hypervisors (yuck), and not monkey around with distributed vswitches, which I don't understand anyways.

that sounds much better!!

Hi,

If you are wanting to be able to make changes to multiple ESX servers I would recommend looking into powerCLI, vCLI, or a Vma appliance. It essentially scripting to do the work for you. It helps us keep thing exactly the same across all our host when doing setups and configurations. Just thought I would throw that out for you.

Power CLI: (uses powershell)

http://communities.vmware.com/community/vmtn/vsphere/automationtools/powercli?rls=com.microsoft:en-u...

vCLI:

http://www.vmware.com/support/developer/vcli/

vMA:

http://www.vmware.com/appliances/directory/178973

Cheers,

Chad King

VCP-410 | Server+

"If you find this post helpful in anyway please award points as necessary"

so I have a few VMs in my isolated port group, on my new vswitch, but, eventhough they're addressed using consecutive IPs, they can't talk or even ping. I'm assuming this requires some sort of virtual router appliance? something to placehold for a default gateway?

so I have a few VMs in my isolated port group, on my new vswitch, but, eventhough they're addressed using consecutive IPs, they can't talk or even ping. I'm assuming this requires some sort of virtual router appliance? something to placehold for a default gateway?

You shouldn't need one. Make sure it's not a private VLAN, you're not doing any tagging in the guests, and you have an appropriate subnet mask for them.

Also, make sure you have the NICs set to Connect at poweron in the VM settings, and it is enabled in the guest.

Happy virtualizing!

JP

Please consider awarding points to helpful or correct replies.

OK, after all the postings and explanations, I know this sounds like super noob time, but none of the VMs in my isolated port group can talk to each other. I have 10 test VMs in this new, isolated stating environment. I did P2V migrations for some and created new VMs from templates for others. I even setup a VM router appliance to act as a fake default gateway, just in case. No go. I have static IPs setup for the Windows servers (the linux servers won't even let me define NICs, but I think that might be an issue with VMWare Tools, which I'll post about elsewhere) and the router, and none of them can see each other.

Here's the named environment: I created a new vswitch2, with no defined physical adapters. in it, I created a virtual machine port group called "ocx_staging_lan" to which I assigned a fake VLAN 200. this vswitch and port group I propogated to all 6 of my ESX 4 hypervisors. I created a test workstation (staging_workstation at IP 192.168.115.200) and downloaded and setup a router appliance (staging_router at IP 192.168.115.1) as a default gateway. I then successfully P2V migrated 8 physical servers into vsphere, and configured each of their vNICs to use the "ocx_staging_lan" port group (and, I presume, be members of the vVLAN 200). all of the P2V migrated servers have 192.168.115.x addresses. all the servers have their NICs connected and all are assigned to "ocx_staging_lan".

am I missing something fundamental here? everyone in the community thinks this ought to work, even without the router appliance, but its not. this is really getting aggravating... any and all suggestions welcome!

Instead of creating 1 vSwitch with multiple VLAN'd port groups, create 1 vSwitch with only 1 port group (no VLAN configured) for each of your subnets.

It should actually work to remove the VLAN setting from your current port groups. In this case all VM's in the same IP subnet should be able to communicate with each other. However with only 1 vSwitch a VM could access the other VM's by just modifying the IP address. Therefore I would go with the 1 vSwitch per IP subnet method.

André