VMware Cloud Community
netwrkmgr
Contributor

Join vCenter Server to AD in different VLAN Subnet

We are finalizing our vSphere setup. The current environment consists of 4 VLANs on different subnets. 192.168.1.x is our production, including Active Directory. When vSphere was set up it was split into the other VLANs for segregation. vCenter, including the management network, is on 192.168.11.x (VLAN 11). There is trunking and ACLs to allow mgmt access to VLAN 11. We now would like to join the vCenter server to AD; however, it is on a different VLAN and subnet than AD and cannot join without making changes. Should the vCenter server be in the production network? Is it better to leave vCenter in the current VLAN and open access for AD, or to place it in the production network and maintain the management VLAN for the vSphere mgmt network? Many thanks in advance for any assistance.

3 Replies
abhilashhb
VMware Employee

It's really based on how you require it to be. Most customers have a strict rule that vCenter should be on a particular VLAN, but that's something they decide based on their own rules. As long as vCenter can talk to AD there's no particular rule. In your case, if the production VLAN and VLAN 11 are trunked, you can have AD integrated with vCenter.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

Gortee
Hot Shot

It all depends. Personally I would just open the firewall and allow access for AD. I am sure you have other machines that already have to do it if you run much of a Windows environment. Of course, with AD it's a lot of ports, so be prepared to open it all the way. If security requirements don't allow for this, then move it into the LAN.

Just my two cents.

Joseph Griffiths http://blog.jgriffiths.org @Gortees VCDX-DCV #143
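As an added example (not part of the thread or any reply), here is the check a practitioner would run before the domain join: from the vCenter Windows server on VLAN 11, probe the TCP ports a domain join and logon need on a domain controller in 192.168.1.x, so the ACL between the two VLANs can be fixed before the join fails. The DC name is a placeholder; the port list is the usual set (DNS, Kerberos, RPC endpoint mapper, LDAP/LDAPS, SMB, Global Catalog) and should be checked against Microsoft's current port requirements for your DC version.

```powershell
# Added example, not from the thread. Run on the vCenter Windows server.
# Assumption: the DC name below is a placeholder; replace it with a real DC.
$DomainController = 'dc01.example.local'

# TCP ports a domain join / logon against AD normally needs.
$RequiredTcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON, Group Policy)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

# One TCP connect per port; -InformationLevel Quiet returns a plain $true/$false.
$Results = foreach ($port in $RequiredTcpPorts.Keys) {
    $reachable = Test-NetConnection -ComputerName $DomainController -Port $port `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $port
        Service   = $RequiredTcpPorts[$port]
        Reachable = $reachable
    }
}

$Results | Format-Table -AutoSize

# UDP 53/88/123/389 and the dynamic RPC range (TCP 49152-65535 on 2008+ DCs,
# used after the endpoint mapper on 135) cannot be verified with a TCP connect;
# they must be allowed in the ACL explicitly, which is why "a lot of ports" applies.
$Blocked = $Results | Where-Object { -not $_.Reachable }
if ($Blocked) {
    Write-Warning ('Blocked TCP ports to {0}: {1}. Fix the ACL before joining the domain.' -f
        $DomainController, ($Blocked.Port -join ', '))
}
else {
    Write-Host "All probed TCP ports to $DomainController are reachable."
}
```

If the vCenter is the Linux appliance rather than Windows, the same port list applies; the ports just have to be probed from that box with whatever connect tool it has. Either way, open the rules only from the vCenter address(es) to the DC address(es), not VLAN to VLAN, so the segregation the question is trying to keep is not undone by the join.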
admin
Immortal

Please see this:

How to use multiple subnets with one VMware ESXi host


As we’ve moved more and more of our critical infrastructure at The Chapel to the virtual world, I’ve struggled on occasion with the issue of setting up network cards in VM’s to work on different subnets.

This became a real issue when we migrated from our Cisco phone system to our virtualized MiTel phone system. All was good until I needed to set up the "MiTel Border Gateway", which acts as a firewall and SIP gateway for the phone system. Since I had to get this up and running quickly, I just installed another network card, then mapped it to a virtual switch in VMware and mapped the second NIC in the VM to that virtual switch.


This approach, however, is not very efficient or redundant. It also takes up valuable NICs and switch ports. My plan is to update this configuration with what I've learned when setting up our print server to work with FingerPrint, which I'm going to detail below.

How to set up VLAN tagging in VMware ESXi

  1. First, you need to have a working ESXi host. The setup isn't that hard but is more than I'm going to go into here.
  2. Set up your switch port(s) that connect to the server as a "trunk" in Cisco speak, with a "Native VLAN" set to what the majority of your servers use. That way you don't have to set up tagging on every vNIC.
  3. If you're looking to have a server that needs to talk to two different subnets, like a firewall or my print server running FingerPrint, add another Ethernet adapter to your VM and assign it to your default network. Mine is "VM Network".
  4. You need to check that the virtual network on your primary vSwitch allows all VLANs. By default it is set to "None (0)". Set it to "All (4095)" or just the ones you want.
  5. Now, start up your VM and log in. Navigate to the Device Manager and select the network card you want to configure a different VLAN on.
  6. Once you configure the tagging, make sure that you have the IP addresses set up correctly. For a firewall-type VM, you will have different IPs and gateways on different subnets. If you have a server connecting to two private networks, only set a default gateway on the "Primary" network. Windows doesn't like it if you set different gateways to the same routed network.
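The host-side part of steps 2 to 5 above, done with PowerCLI instead of clicking through the vSphere Client. This is an added example, not code from the quoted blog post or from the thread; the vCenter, VM and port group names are placeholders, and it assumes the physical switch port is already a trunk whose native VLAN carries "VM Network".

```powershell
# Added example, not from the blog post. Assumptions: placeholder names below,
# physical switch port already configured as a trunk (step 2).
Connect-VIServer -Server 'vcenter.example.local'

$VM        = Get-VM -Name 'printserver'
$VMHost    = $VM | Get-VMHost
$PortGroup = Get-VirtualPortGroup -VMHost $VMHost -Name 'VM Network'

# Step 4: VLAN ID 4095 is the "All (4095)" setting, i.e. Virtual Guest Tagging (VGT):
# the vSwitch passes 802.1Q tags through untouched and the guest OS tags frames itself.
# A specific ID instead makes the vSwitch tag/untag that one VLAN (Virtual Switch Tagging).
Set-VirtualPortGroup -VirtualPortGroup $PortGroup -VLanId 4095

# Step 3: a second vmxnet3 adapter on the same port group; the guest will tag it.
New-NetworkAdapter -VM $VM -NetworkName $PortGroup.Name -Type Vmxnet3 -StartConnected

# Verify what the host now exposes to the VM.
Get-NetworkAdapter -VM $VM | Select-Object Name, NetworkName, Type
Get-VirtualPortGroup -VMHost $VMHost -Name 'VM Network' | Select-Object Name, VLanId

# Step 5, run inside the Windows guest (not on the PowerCLI box): tag the new adapter.
# Assumption: the vmxnet3 driver exposes the tag as the advanced property 'VLAN ID';
# confirm the exact DisplayName with Get-NetAdapterAdvancedProperty first.
#   Get-NetAdapterAdvancedProperty -Name 'Ethernet 2'
#   Set-NetAdapterAdvancedProperty -Name 'Ethernet 2' -DisplayName 'VLAN ID' -DisplayValue '11'
```

The security caveat a practitioner would attach to step 4: a port group on 4095 hands the guest every VLAN the physical trunk carries, so a compromised or misconfigured VM can tag itself into any of them, including the management VLAN from the original question. If the VM only needs one extra subnet, a second port group with that specific VLAN ID (VST) keeps the tagging on the vSwitch and out of the guest; if VGT really is needed, prune the trunk on the physical switch to just the VLANs that VM must see.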