VMware vDefend

  • 1.  VLANs to segregate traffic.

    Posted May 13, 2021 09:47 AM
    Hello,
    I hope you and your loved ones are safe and healthy.
     
    I want to integrate a Cisco Integrated Service Router "RV-345" into my network & use VLANs to segregate traffic.
     
    Current setup:
    Netgear Wi-Fi router is the only component carrying out network access and routing. Here is a simple representation of the network:
    homelab_v_1-current_state.png
     
    1. WAN port is connected via CAT-6 cable to the ISP's box.
    2. NAS with 2 network ports working in bond mode (combined speed instead of fault tolerance) connected to ports 1 & 2 of the Netgear.
    3. Workstation with 2 Intel NICs connected to ports 3 & 4 of the Netgear router. This workstation has ESXi installed and 12 VMs running on it.
     
     
    Proposed setup:
    Cisco ISR 345 will carry out wired access and routing while setting Netgear to access point mode. Further requirements for VLANs:
     
    homelab_v_1-desired_state.png
     
    1. VMs running on ESXi require separation using VLANs. I will have multiple VLANs which, while segregated from each other, need access to a few central services like DHCP and DNS (reachable via the Wi-Fi access point port) and one VLAN on the ESXi which will be for logging.
    2. Currently, a Raspberry Pi running DHCP and DNS servers provides these network services. This is connected via Wi-Fi for now. This is important to note as I would need Wi-Fi to extend all VLANs to reach these central services.
    3. Raspberry Pis will eventually be connected via ethernet, but right now, they are connected via Wi-Fi.
     
    Questions:
    1. As per my understanding, ESXi is where I have to create the VLANs and extend them via Cisco ISR. Is this correct?
    2. How do I ensure that the Wi-Fi port forwards all VLANs? In other words, how do I ensure that backbone network services (DHCP, DNS) are available irrespective of the VLANs?
    3. From the NAS, I have a volume mounted on the workstation using iSCSI. Are there any implications using VLANs on this?
     
    I apologise if the post is missing information and more is required. Kindly let me know if something needs to be added.


  • 2.  RE: VLANs to segregate traffic.

    Posted May 13, 2021 04:06 PM

    First of all, well done starting with a diagram! This is really important and useful.

    Second - a handful of vulns recently came out on that box - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rce-dos-9ZAjkx4 I'd recommend double-checking.

    To the questions:

    1. vSphere switches aren't really switches - no VLAN truly exists in ESXi. You'd build the VLANs on the RV-345, then "subscribe" to them via the VSS/VDS in ESXi. VSS/VDS more closely resembles a MAC proxy than a switch (transitive network device) which is something of a superpower.

    2. You will need to enable "inter-VLAN routing" and configure network segmentation accordingly (https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/1393-Inter-VLAN-Routing-with-Targeted-ACL-Restrictions.html). VLANs that depend on DHCP will need a "DHCP helper" or "DHCP relay" set: https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/smb5708-configure-the-lan-and-dhcp-settings-on-the-rv34x-series-rout.html

    3. Generally, I don't like running iSCSI at these speeds / without some heavy-duty enterprise-grade hardware. NFS should be a bit more resilient here - this matters more when you're routing storage traffic.



  • 3.  RE: VLANs to segregate traffic.

    Posted May 13, 2021 05:37 PM

    Thank you very much for your reply. I hope you and your loved ones are safe and healthy.

    I realise that I have been sloppy with the diagram. Please let me come back with a more meaningful one. Thank you for the links you've given. I've used them to further enhance the information that I am asking for.



  • 4.  RE: VLANs to segregate traffic.

    Posted May 13, 2021 05:40 PM

    You too.

    As someone who does a lot of network diagrams, you'll never be done once you start 



  • 5.  RE: VLANs to segregate traffic.

    Posted May 13, 2021 07:47 PM

    Hello, please find the updated diagram with more information and requirements. Getting architecture right is extremely crucial. I'm struggling between draw.io and Visio that my work laptop has.

     

    That being said, as you can see, I am trying to design a network, but the reason it is in the VMware forums is because my workstation hosting servers is crucial to my final year projects; having segregated VMs (without only explicitly allowed routing) is essential to my final paper.

     

    homelab_v_1-desired_state.png

     



  • 6.  RE: VLANs to segregate traffic.

    Posted May 14, 2021 12:12 AM

    Yep, with that build just configure all VLANs as trunked on the RV345 and build corresponding port groups in ESXi.



  • 7.  RE: VLANs to segregate traffic.

    Posted May 17, 2021 06:10 AM

    Hello,

    Yeah, please correct me if I am wrong; as I understood it, you want to use different workload VMs that are connected to multiple VLANs behind your workstation with ESXi.

    So what you need to configure is trunk interfaces allowing all VLANs for the uplinks coming from this workstation (in your case port 1 & 2), and under ESXi create a specific port group for each VLAN and tag it with the proper ID. Then you will attach the VMs to the needed VLAN.

    And from the Cisco device, you will figure out the routing in order to achieve access to Wi-Fi services.

    Feel free for any new requests.
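
The port-group step described in the replies above, as an added example that is not part of the original thread: a small script that turns a VLAN plan into the `esxcli` commands for a standard vSwitch and refuses IDs that would undo the segregation. The port group names, VLAN IDs and `vSwitch0` are constructed assumptions, and the one-VLAN-per-port-group rule is this example's own policy.

```shell
#!/bin/sh
# Added example: emit esxcli commands that create one tagged port group per VLAN.
# PLAN is constructed sample data; names, VLAN IDs and vSwitch0 are assumptions.

PLAN='pg-mgmt:10
pg-logging:20
pg-project-a:30'

# gen_portgroup_cmds VSWITCH   (reads "name:vlan" lines on stdin)
# Prints the esxcli commands; returns 1 on an ID that would break segregation.
gen_portgroup_cmds() {
    vswitch=$1
    seen=' '
    while IFS=: read -r name vlan; do
        [ -n "$name" ] || continue
        case $vlan in
            ''|*[!0-9]*) echo "error: $name: VLAN ID '$vlan' is not a number" >&2; return 1 ;;
        esac
        # 0 means untagged; 4095 hands every VLAN on the trunk to the guest (VGT).
        if [ "$vlan" -lt 1 ] || [ "$vlan" -gt 4094 ]; then
            echo "error: $name: VLAN $vlan is untagged, trunk-to-guest or out of range" >&2
            return 1
        fi
        # Example policy: two port groups on one VLAN share a broadcast domain.
        case $seen in
            *" $vlan "*) echo "error: $name: VLAN $vlan already used by another port group" >&2; return 1 ;;
        esac
        seen="$seen$vlan "
        echo "esxcli network vswitch standard portgroup add --portgroup-name=$name --vswitch-name=$vswitch"
        echo "esxcli network vswitch standard portgroup set --portgroup-name=$name --vlan-id=$vlan"
    done
}

# Print the commands for review; run them in the ESXi shell once checked.
printf '%s\n' "$PLAN" | gen_portgroup_cmds vSwitch0
```

The same VLAN IDs must exist on the RV345 and be tagged on the router ports that face the ESXi uplinks, otherwise the tagged frames are dropped at the router.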



  • 8.  RE: VLANs to segregate traffic.

    Posted May 20, 2021 01:18 PM

    Thank you very much. Let me test this and get back to you.