vSphere vNetwork

  • 1.  Using Vlan for LAN & DMZ

    Posted Apr 13, 2010 08:13 AM

    Hi there,

    At the moment I have assigned my LAN and DMZ networks to two separate NICs (so no VLAN tagging).

    eg vmnic0 = LAN, vmnic1 = DMZ.

    This all works fine, but I would like to make some changes: I am going to use two separate physical NICs and run both LAN and DMZ on both NICs, but now by using VLANs.

    So thinking about this setup:

    For each network I create a vSwitch, so I get vSwitches named VsLAN and VsDMZ in this case.

    At the vSwitch I assign two NICs; one NIC will be the standby one, like vmnic0, vmnic2 (standby).

    At this vSwitch I will create a Port Group and assign the right VLAN number, like 10 to LAN and 20 to DMZ.

    The other vSwitch will have the same NICs, but now vmnic0 will be the standby one.

    Probably all fine so far, I think, or not? :smileyhappy:

    Questions:

    - Well, is this concept one where there is a one-to-one relation between vSwitch and Port Group, or one switch with multiple Port Groups?

    In the case of one vSwitch with multiple Port Groups, I will assign the active and standby NIC at Port Group level.

    - If I create a Port Group and assign a VLAN number, will the IP packets received by the VM itself be tagged or untagged?

    In other words: do I need to set up the NIC at the VM with the same VLAN ID too, or not?

    Thanks for your feedback.



  • 2.  RE: Using Vlan for LAN & DMZ
    Best Answer

    Posted Apr 13, 2010 11:09 AM

    Hi,

    Changing to VLANs is a pretty good idea to get failover and performance for the LAN and DMZ network. You have the concepts mixed up somewhat, though.

    A vmnic can only be used in one vSwitch. So what you want to do is the following:

    Create a vSwitch

    On the vSwitch create two Port Groups: LAN (VLAN 10), DMZ (VLAN 20)

    If vmnic0 and vmnic1 both have access to VLAN 10 and 20, then just add both vmnics to the virtual switch. By default they will both be active, and that is fine. If you don't want that, EDIT the LAN port group, go to the "failover" tab and put vmnic0 as active and vmnic1 as standby. Then do it the other way round on the DMZ port group.

    Best regards

    Frank Brix Pedersen

    blog: http://www.vfrank.org



  • 3.  RE: Using Vlan for LAN & DMZ

    Posted Apr 13, 2010 11:17 AM

    • Well, is this concept one where there is a one-to-one relation between vSwitch and Port Group, or one switch with multiple Port Groups?

    In the case of one vSwitch with multiple Port Groups, I will assign the active and standby NIC at Port Group level.


    As long as the physical switch is configured correctly. With the 1-to-1 relationship you only need to make sure the port is configured for the VLAN it will see; in the 1-to-many case you will have to configure the physical port as a trunk port, configured to recognize all the possible VLANs that come across that port.




    • If I create a Port Group and assign a VLAN number, will the IP packets received by the VM itself be tagged or untagged?

    In other words: do I need to set up the NIC at the VM with the same VLAN ID too, or not?

    The VLAN tag is stripped by the virtual switch, so there is no need to configure the NIC for the VLAN.

    If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
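    The layout Frank describes in post 2 (one vSwitch, two port groups tagged 10 and 20, both uplinks, opposite active/standby order per port group) and the point Weinstein makes in post 3 (the VLAN ID lives on the port group, not on the VM's NIC) written out as an added PowerCLI example. This is not code from the thread or from VMware; the host name is a placeholder, and it assumes an existing Connect-VIServer session and that vmnic0 and vmnic1 hang off physical trunk ports that carry VLANs 10 and 20:

```powershell
# Added example, not from the thread. Assumes PowerCLI, an open Connect-VIServer
# session, and that vmnic0/vmnic1 are patched to trunk ports carrying VLAN 10 and 20.
$vmHost = Get-VMHost -Name "esx01.example.local"   # placeholder host name
$vsName = "vSwitch1"                               # new vSwitch shared by LAN and DMZ

# One vSwitch with both uplinks; both uplinks are active by default.
$vs = New-VirtualSwitch -VMHost $vmHost -Name $vsName -Nic "vmnic0","vmnic1"

# Two port groups on that vSwitch. The VLAN ID is a port group property:
# the vSwitch adds the 802.1Q tag on frames leaving the host and strips it on
# frames delivered to the VM, so the guest NIC is configured with no VLAN at all.
$lan = New-VirtualPortGroup -VirtualSwitch $vs -Name "LAN" -VLanId 10
$dmz = New-VirtualPortGroup -VirtualSwitch $vs -Name "DMZ" -VLanId 20

# Per-port-group failover order: LAN prefers vmnic0, DMZ prefers vmnic1, so each
# VLAN normally rides its own uplink and fails over to the other one if it drops.
$lan | Get-NicTeamingPolicy |
    Set-NicTeamingPolicy -InheritFailoverOrder:$false -MakeNicActive "vmnic0" -MakeNicStandby "vmnic1" | Out-Null
$dmz | Get-NicTeamingPolicy |
    Set-NicTeamingPolicy -InheritFailoverOrder:$false -MakeNicActive "vmnic1" -MakeNicStandby "vmnic0" | Out-Null

# Verify: port group name, VLAN ID, and the active/standby uplink order.
Get-VirtualPortGroup -VirtualSwitch $vs | ForEach-Object {
    $policy = $_ | Get-NicTeamingPolicy
    [PSCustomObject]@{
        PortGroup  = $_.Name
        VLanId     = $_.VLanId
        ActiveNic  = ($policy.ActiveNic  -join ",")
        StandbyNic = ($policy.StandbyNic -join ",")
    }
} | Format-Table -AutoSize
```

    With this design the LAN/DMZ separation rests entirely on the VLAN tag, so the check worth doing on the physical side is that each trunk port allows only VLANs 10 and 20 and that neither of them is the trunk's native VLAN: untagged frames arriving on the uplink are delivered to port groups with VLAN ID 0, not to LAN or DMZ.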



  • 4.  RE: Using Vlan for LAN & DMZ

    Posted Apr 13, 2010 11:46 AM

    Thx "Weinstein", very helpful, but you are also confusing me :smileyhappy:

    The VLAN topic is all clear, very nice.

    But I understand I have to trunk, let's say, two ports on my switch which connect to the ESX host?

    Is it not better to do what "Frank" is suggesting and at the Port Group set one NIC active and the other as standby, then at the other port group do the opposite? I am probably missing something here.

    This is because I am working with 2 switches for failover, so it is not possible to create this trunk!



  • 5.  RE: Using Vlan for LAN & DMZ

    Posted Apr 13, 2010 12:25 PM

    Hi,

    The big question is: are your DMZ and LAN separated on different switches with an AIRGAP, or do they live as VLANs on both switches? If they live on both switches, you create a TRUNK port (Cisco terminology) that forwards VLAN 10 and 20 on both switches.

    Best regards

    Frank Brix Pedersen

    blog: http://www.vfrank.org



  • 6.  RE: Using Vlan for LAN & DMZ

    Posted Apr 13, 2010 12:40 PM

    We are running the LAN and DMZ as VLANs on both switches.

    So we "trunk" the VLANs, not the Ethernet ports themselves. That clears it up, thx.