VMware Cloud Community
OGROG
Contributor

How to separate network and Internet traffic for VMs?

I have my host connected to a physical switch, and my firewall (router) is also connected to the switch. This means that the cable between the host and the switch carries network and Internet traffic. The problem is that with heavy Internet traffic by the VMs, network traffic is affected even though there is sufficient bandwidth for each type of traffic if they were on separate cables. I don't want to simply team NICs to increase bandwidth - I would rather separate the traffic (I think that VLAN may do this, but my switches don't support it). If I had a physical-only network, I would install 2 NICs in each machine and have two separate LANs, with one NIC connected to a switch for the LAN, and the other NIC connected to a switch which in turn connects to the firewall for Internet connectivity. This way each machine has Internet and network (LAN) connections on separate cables and switches. How do I accomplish this in vSphere (5)? I have one host with 4 NICs, and all my VMs are on the host, plus I have a few physical machines with desktop OSs. I thought that I could connect one host NIC to the firewall only (with 1 vSwitch), and another NIC to the LAN only (with a second vSwitch), but how do I connect the vSwitches so that when a VM needs to connect to the Internet it can connect to the vSwitch that connects to the firewall? Remember that my goal is to send Internet and network (LAN) traffic over separate cables.

3 Replies
MKguy
Virtuoso

You can do something like this:

Build two vSwitches with one physical uplink each. vSwitch A's uplink will go to your physical switch and vSwitch B's uplink will plug into your physical router.

Then create a VM with two vNICs connected to the two vSwitches that will handle the routing between your internal and external network. You can use virtual networking appliances (which might be overkill in terms of "features") or build a simple routing VM on Windows or Linux for that purpose. The VMs will plug into your internal vSwitch.

The routing VM's internal interface will be the default gateway for your VMs and physical systems connected to the physical internal switch.

Note that you will, of course, need to have the physical/virtual router transfer network on a separate subnet.

The routing VM's default gateway will be your physical router, which will in turn route all traffic destined for your internal subnet to the routing VM via a static route.

This will reliably separate your internet and internal traffic. Maybe you can even replace your physical router entirely with the virtual one if it just connects via ethernet to the external end.

-- http://alpacapowered.wordpress.com
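The routing-VM design above depends on two things: the routing VM forwards between the two vSwitches, and the physical router has a static route for the internal subnet pointing back at the routing VM's transfer-side address. The following next-hop simulation is an added example, not MKguy's code; all addresses are constructed (internal LAN 192.168.10.0/24, transfer subnet 192.168.99.0/30, and TEST-NET-3 203.0.113.0/24 standing in for the Internet). It traces a VM's outbound packet and the reply, with and without the static route, to show why the return path breaks when the route is missing.

```python
from ipaddress import ip_address, ip_network

DEFAULT = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.10.0/24")       # constructed: VMs + physical desktops, vSwitch A
TRANSFER = ip_network("192.168.99.0/30")  # constructed: routing VM <-> physical router, vSwitch B
WAN = ip_network("203.0.113.0/24")        # constructed: stand-in for the Internet side

def build_topology(static_route_on_router=True):
    """Each node has interface addresses and a table of (prefix, next_hop); None = directly connected."""
    nodes = {
        "vm": {"ifaces": ["192.168.10.20"],
               "routes": [(LAN, None), (DEFAULT, "192.168.10.1")]},
        "routing_vm": {"ifaces": ["192.168.10.1", "192.168.99.2"],      # two vNICs, one per vSwitch
                       "routes": [(LAN, None), (TRANSFER, None), (DEFAULT, "192.168.99.1")]},
        "physical_router": {"ifaces": ["192.168.99.1", "203.0.113.1"],
                            "routes": [(TRANSFER, None), (WAN, None)]},
        "internet_host": {"ifaces": ["203.0.113.5"],
                          "routes": [(WAN, None), (DEFAULT, "203.0.113.1")]},
    }
    if static_route_on_router:
        # the static route MKguy describes: internal subnet reachable via the routing VM
        nodes["physical_router"]["routes"].append((LAN, "192.168.99.2"))
    return nodes

def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None when no route covers dst."""
    matches = [(p, nh) for p, nh in routes if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def trace(nodes, src, dst, max_hops=8):
    """Follow a packet hop by hop; the path ends at the owner of dst or at a DROP marker."""
    owner = {ip_address(a): name for name, n in nodes.items() for a in n["ifaces"]}
    dst = ip_address(dst)
    path, node = [src], src
    for _ in range(max_hops):
        if owner.get(dst) == node:
            return path                      # delivered
        hit = lookup(nodes[node]["routes"], dst)
        if hit is None:
            return path + ["DROP: no route"] # the asymmetric-routing failure
        _, next_hop = hit
        target = dst if next_hop is None else ip_address(next_hop)
        if target not in owner:
            return path + [f"DROP: {target} unreachable"]
        node = owner[target]
        path.append(node)
    return path + ["DROP: hop limit"]

if __name__ == "__main__":
    for static in (True, False):
        topo = build_topology(static)
        print("static route" if static else "no static route",
              trace(topo, "vm", "203.0.113.5"), trace(topo, "internet_host", "192.168.10.20"))
```

Without the static route the outbound trace still succeeds, which is exactly why the problem is easy to miss: only the reply path dies at the physical router.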
jrmunday
Commander

You can separate traffic by creating two vSwitches, the first one will be connected to the uplink patched into your LAN Switch, and the second one will be connected to the uplink patched into your internet router. The guest VM will need two virtual network adapters, with one connected to the port group on vSwitch1 for LAN traffic and the second one connected to the port group on vSwitch2 for Internet traffic. This obviously works for a single host, but won't be appropriate for multiple hosts.

Assuming you only have one host, your challenge is how to setup routing between the two interfaces - can you provide more information on your network setup so that we can see if it is possible?

As an alternative, could you set up an Internet proxy (on a separate guest VM) that is connected to vSwitch2 and configure this on your clients to send all Internet traffic through this? This should segregate your traffic as you need and negate the requirement for the guests to have an additional adapter. Again this is only appropriate for a single host, so depending on your virtual infrastructure you may simply need to invest in some additional network infrastructure to cater for your needs.

And finally, the elephant in the room... Have you actually got a problem with Internet traffic saturating bandwidth, or are you building your infrastructure around a possible what-if scenario? Unless you have tested and shown this to be a problem, I would recommend not over-engineering a solution for a problem that doesn't exist.

Hopefully this is some food for thought, and some other community members will provide input to come up with a solution that fits all your requirements.

vExpert 2014 - 2022 | VCP6-DCV | http://www.jonmunday.net | @JonMunday77
OGROG
Contributor

Thank you to both of you for your replies.

I like the idea of setting up a VM as a proxy and just pushing the proxy settings to clients - this may solve my issues with the least amount of pain!

To answer your question as to whether I really need to make changes or not, this is my setup:

I am running View 5 with Wyse P20 zero client terminals. I have a USB sound adapter plugged into each terminal with headphones and a mic. My workers wear the headphones and mic and perform real-time translation using Adobe Connect web conferencing with post-secondary institutes as our clients. This means our workers are listening to audio being transmitted from a classroom over the Internet and are speaking into a client app that sends the translation back over the Internet to the classroom. The WinOS VM itself is pretty heavily drawn upon for resources, but the problem is that I have the PCoIP protocol streaming between the VM and the terminal over the single cable between the host and the switch; Internet traffic between the firewall and the host is also going over that single cable between the host and the switch (firewall>switch/switch>host).

I have a second low-power host that I bring online only when I need to perform host maintenance, as my vCenter is installed on a 2k8R2 VM and so needs to be moved to the second host during maintenance operations on the primary host. This means that having the one host as my gateway to the Internet via a proxy VM should suffice, but may be an issue if I add additional permanent hosts.

On the idea of a proxy VM, do you have a recommendation of an appliance that will suffice? (I have never set up a proxy before, so I don't know if the guest OS needs to be set up a certain way other than the 2 vNICs, such as proxy software? I also have no experience with Linux machines [other than ESXi of course].)

Thanks once again for your assistance!

J
