Question on isolating the vMotion traffic.

Hello

I have a question: we are trying to isolate the vMotion traffic and I have a problem.

I have two vswitches.

Vswitch 0

only the management option selected, 10.85.85.4, subnet 255.255.254.0, gateway 10.85.85.1, trunk port, VLAN 85

nic0 and nic1

vswitch 1

only vMotion selected, 10.85.80.2, subnet 255.255.255.0, gateway 10.85.80.1, access port, VLAN 80

When I change the default GW on vswitch 1, the default GW on vswitch 0 changes as well and I lose
connectivity.  I understand that you cannot have two VMkernel GWs; if that is the case, how do I fix this?

Thank you

Greg

That is correct: as long as the vMotion ports are on the same subnet there will be no need for routing. Whether the VLAN can span the main switch is a different matter.
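A PowerCLI check for the point made in this answer (every host's vMotion vmkernel port in one subnet and VLAN, and only one VMkernel default gateway per host), added here as an example rather than code from the thread; it assumes PowerCLI is loaded, Connect-VIServer has already been run, and the cluster name is a placeholder:

```powershell
# Added example (not from the original thread). Assumes PowerCLI is loaded and
# Connect-VIServer has already been run; '<CLUSTERNAME>' is a placeholder.
function Get-VMotionSubnetReport {
    param([Parameter(Mandatory)][string]$ClusterName)

    foreach ($vmhost in Get-Cluster -Name $ClusterName | Get-VMHost) {
        # A host has exactly one VMkernel default gateway; every vmk shares it.
        $gateway = (Get-VMHostNetwork -VMHost $vmhost).VMKernelGateway

        $vmks = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel |
            Where-Object { $_.VMotionEnabled }

        foreach ($vmk in $vmks) {
            # Network address = IP AND mask, so hosts can be compared by subnet.
            $net = [IPAddress](([IPAddress]$vmk.IP).Address -band ([IPAddress]$vmk.SubnetMask).Address)
            $pg  = Get-VirtualPortGroup -VMHost $vmhost -Name $vmk.PortGroupName
            [PSCustomObject]@{
                Host      = $vmhost.Name
                Device    = $vmk.Name
                IP        = $vmk.IP
                Mask      = $vmk.SubnetMask
                Network   = $net.IPAddressToString
                VLAN      = $pg.VLanId
                DefaultGW = $gateway
            }
        }
    }
}

$rows = Get-VMotionSubnetReport -ClusterName '<CLUSTERNAME>'
$rows | Format-Table -AutoSize

# vMotion needs no routing only if every host's vMotion vmk sits in one subnet and one VLAN.
$nets  = @($rows | Select-Object -ExpandProperty Network -Unique)
$vlans = @($rows | Select-Object -ExpandProperty VLAN -Unique)
if ($nets.Count -ne 1 -or $vlans.Count -ne 1) {
    Write-Warning "vMotion vmkernel ports span $($nets.Count) subnets and $($vlans.Count) VLANs; they should all share one."
}
# DefaultGW is the single VMkernel gateway of each host: it belongs to the management
# subnet, and the vMotion subnet simply never uses it.
```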

Tags: VMware

Similar Questions

  • Isolate the VMotion traffic

    I can't find any reason to isolate the vMotion traffic other than to keep unsecured information from being exposed to the rest of the network.  Is a VLAN for vMotion only a security precaution?

    Hello

    It is not required to dedicate a vSwitch to vMotion; defining the right NIC usage policy is enough.

    Not sure I agree with that, but that's because of the layer 2 issues more than anything else. It's okay if you TRUST VLANs. If you do not trust VLANs because of the possible layer 2 attacks within your physical network, then it is not acceptable.

    There are two reasons to separate the VMotion traffic:

    (1) Performance. When you need vMotion you want it as fast as possible; you don't want it contending with disk I/O or any other network I/O. In general, it was acceptable to share the vMotion and SC networks, the SC generally being low-use unless you're cold-migrating virtual machines from node to node, etc.

    (2) Security. You absolutely want vMotion to be separated. Think about what you are doing: you transfer the memory image of the VMs over the wire in CLEAR TEXT. That is, unless you flip the bit that says to use SSL to secure this. Even so, SSL MITM may be possible (not tested yet). Memory images contain identifying information. Hackers love this type of data.

    So yes, security is the main reason... Are VLANs enough? It depends on your level of TRUST in virtual LANs as well as your security policy.

    Best regards

    Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice analyst (http://www.virtualizationpractice.com)
    Now available: "VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment" (http://www.astroarch.com/wiki/index.php/VMware_Virtual_Infrastructure_Security)
    Also available: "VMware ESX Server in the Enterprise" (http://www.astroarch.com/wiki/index.php/VMWare_ESX_Server_in_the_Enterprise)
    SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears (http://www.astroarch.com/blog) | Top Virtualization Security Links (http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links) | Virtualization Security Round Table Podcast (http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast)

  • Isolate the vMotion and storage traffic?

    We use ESXi 5.1 with two physical switches for management traffic and two physical switches for VM, storage and vMotion traffic. We use a DVSwitch with separate VLANs for VMs (125), storage (126) and vMotion traffic (127). My question is really about the physical switch setting. I have VLANs 125, 126 and 127 set up on my main switch, each of them having a layer 3 interface. I think that only the VM network (VLAN 125) needs a layer 3 interface. In other words, my storage and vMotion VLANs would not be routable if I removed the layer 3 interface.

    Does this sound correct?

    Another twist: I have a Juniper switch where all layer 3 interfaces are defined. It is connected to 4 switches in the rear of my IBM BladeCenter. Two of these switches are Cisco 1 GB switches that carry all management traffic through a vSwitch. The other two are BNT 10 GB switches that carry storage, vMotion and VM traffic. Of course, it's a trunk connection, because it carries several VLANs.

    My only question now is whether I should eliminate the layer 3 interface on my storage network, which sits on a separate VLAN.

    Well, do you need your storage system to be accessible on these IP addresses from management systems on other subnets or the like? Do you already have any inter-subnet traffic between iSCSI and other networks? If not, then there is no need to have a routable iSCSI network.

    For the ESXi hosts themselves there is usually zero reason to have the vmkernel iSCSI interfaces be routable, since you already do management etc. on another routable network (and the hosts' responses would be sent there as well unless you define custom static routes).

  • VMotion traffic isolation, vlan trunking

    We have 2 full-length M910 blade servers sitting in the Dell blade enclosure. We installed ESXi 5.0 on the two blades and joined them to the cluster.

    Each full-length server blade has 8 NICs: 2 dual-port onboard NICs and two 2-port Ethernet mezzanine cards.  All are connected to the internal Cisco 3130 switches installed in I/O modules A1, A2, B1 and B2. All the internal switches are stacked together by the network team, and there is a link between the internal switches (uplink) and an external switch (ports) that is on VLAN 137.

    All the ports connected to the ESXi hosts are configured as trunk ports on the internal physical Cisco blade switches by the network team. In our case a total of 16 ports (8 NICs x 2 servers) are set to trunk on the internal Cisco switches, and there is an uplink between the internal Cisco switches and our external switch (located on VLAN 137).

    On ESXi 5.0, we set up one big flat switch, assigning all physical NICs to vSwitch0.
    Please refer to the page for the configured port groups.

    To isolate the vMotion traffic, we have configured a different VLAN tag (150) for vMotion, but vMotion does not work. The vMotion IPs are unable to ping each other.  But if I change the VLAN tag to 137, vmkping to the other host works and vMotion works.

    If I change the VLAN tag to anything other than 137 on any port group (for example, management or virtual machine), I lose connectivity to the corresponding port group.

    I think something is missing in the configuration of the internal Cisco blade switches (3130). Please advise on what needs to be configured. I sort of know why trunking is required; if you could explain exactly why trunks are necessary for ESX, that would be great.

    What is the recommended way to configure the virtual switches: one large flat switch, or multiple switches with port groups assigned to each switch? What is the recommended configuration to enable inbound and outbound load balancing and failover?  A detailed explanation would be really useful for non-network admins.

    I will try to describe one of the possible configurations.

    First some facts/assumptions:

    • 2 ESXi hosts
    • 4 blade switches
    • 1 external switch
    • 8 NICs in each server Blade (2 NICs for each of the switches)
    • vmnic0 and vmnic4 are connected to two different switches
    • different subnets / VLANs for vMotion (100), management (101) and VM networks (102, ...)
    • all VLANs represent different IP subnets

    Virtual network configuration:

    • 2 vSwitches: 1 for management, 1 for VM networks and vMotion
    • vSwitch0 for management and vMotion (vmnic0 + vmnic4)
      -> Management port group (VLAN 101): vmnic0 (active), vmnic4 (standby)
      -> vMotion port group (VLAN 100): vmnic4 (active), vmnic0 (standby)
    • vSwitch1: VM networks (vmnic1..3 + vmnic5..7)
      -> VM 1 port group (VLAN 101)
      -> VM 2 port group (VLAN 102)
      -> ...

    Blade switches:

    • all the VLANs configured in the virtual network are present
    • all downlink ports to the ESXi hosts are configured in trunk mode, all VLANs allowed
    • at least 2 uplinks to the external switch, configured as a trunk / EtherChannel (LACP)
    • uplink and downlink ports (on each of the switches) are in a link state tracking group

    External switch:

    • all the VLANs configured in the virtual network are present
    • four port channels / EtherChannels (LACP), one to each blade switch

    You can configure the VLANs on the switches separately or via VTP. In any case, all the VLANs should be present on the switches. If you need to route traffic between some VLANs, you must either set up a router on your network or, if the switches support it and are properly licensed, configure IP routing (inter-VLAN routing).
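    The virtual network part of the design above, built with PowerCLI on one of the two hosts and then verified, as an added example that is not André's own code; it assumes Connect-VIServer has been run, the host name and the vMotion IP address are placeholders, and the VLAN IDs and NIC assignments are the ones listed above:

```powershell
# Added example, not André's own code. Assumes Connect-VIServer has been run;
# '<ESXIHOST>' and the vMotion IP are placeholders, VLAN IDs/NICs follow the design above.
$vmhost = Get-VMHost -Name '<ESXIHOST>'

# vSwitch0: management + vMotion on the two uplinks that go to different blade switches
$vsw0 = Get-VirtualSwitch -VMHost $vmhost -Name 'vSwitch0'
Set-VirtualSwitch -VirtualSwitch $vsw0 -Nic 'vmnic0','vmnic4' -Confirm:$false | Out-Null

# Management port group (VLAN 101): vmnic0 active, vmnic4 standby
$mgmtPg = Get-VirtualPortGroup -VirtualSwitch $vsw0 -Name 'Management Network'
Set-VirtualPortGroup -VirtualPortGroup $mgmtPg -VLanId 101 | Out-Null
Get-NicTeamingPolicy -VirtualPortGroup $mgmtPg |
    Set-NicTeamingPolicy -InheritFailoverOrder $false -MakeNicActive 'vmnic0' -MakeNicStandby 'vmnic4' | Out-Null

# vMotion port group (VLAN 100): the mirror image, vmnic4 active, vmnic0 standby
$vmoPg = New-VirtualPortGroup -VirtualSwitch $vsw0 -Name 'vMotion' -VLanId 100
Get-NicTeamingPolicy -VirtualPortGroup $vmoPg |
    Set-NicTeamingPolicy -InheritFailoverOrder $false -MakeNicActive 'vmnic4' -MakeNicStandby 'vmnic0' | Out-Null

# vMotion vmkernel port in the vMotion subnet; no gateway is set because every host's
# vMotion vmk lives in this one subnet, so the traffic is never routed
New-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vsw0 -PortGroup 'vMotion' `
    -IP '10.0.100.11' -SubnetMask '255.255.255.0' -VMotionEnabled $true | Out-Null

# vSwitch1: VM networks only, on the remaining six uplinks
$vsw1 = New-VirtualSwitch -VMHost $vmhost -Name 'vSwitch1' `
    -Nic 'vmnic1','vmnic2','vmnic3','vmnic5','vmnic6','vmnic7'
New-VirtualPortGroup -VirtualSwitch $vsw1 -Name 'VM 2' -VLanId 102 | Out-Null
# further VM port groups (VLAN 103, ...) are added the same way

# Verify: VLAN tag and explicit failover order of every standard port group on the host
Get-VirtualPortGroup -VMHost $vmhost -Standard | ForEach-Object {
    $team = Get-NicTeamingPolicy -VirtualPortGroup $_
    [PSCustomObject]@{
        PortGroup = $_.Name
        VLAN      = $_.VLanId
        Active    = ($team.ActiveNic -join ',')
        Standby   = ($team.StandbyNic -join ',')
    }
} | Format-Table -AutoSize
```

    Tag the management port group only after the blade switch downlinks actually trunk VLAN 101, otherwise the host drops off the network at that step.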

    André

  • Isolate the port on a vSphere standard switch traffic

    Hello

    I am deploying an environment where I have a pool of 100 virtual machines that live on an isolated vSphere standard switch. The virtual machines communicate with the rest of the world through a dual-NIC virtual machine. This configuration works as expected, but I would like to go a little further and isolate the network connectivity such that each virtual machine can communicate with the dual-NIC system but not with each other. On the vSphere standard switch, the pool of 100 virtual machines are all located on the same VLAN and port group. I spent some time researching through the documentation, but I did not find a clean way to implement what I want. The best I can come up with is putting each of the 100 virtual machines in its own VLAN, but that is ugly and will be difficult to maintain. Is there something easier that I missed?

    Thank you

    Steve

    PVLANs, but you will need the distributed virtual switch.

  • Isolate the vCenter and management host ESXi5.1 of LAN traffic

    I would like to add two Dell switches to an existing installation and create a private management network (192.168.x.x subnet) containing the hosts and the vCenter server, so that the management traffic is isolated and in no way dependent on LAN connectivity... for now the vCenter server and the hosts are on the local network using public IP addresses.

    Is this possible with vCenter, since vCenter can be configured with only one IP, and how should the switches be configured to allow access to vCenter from the local network via the web and vSphere Client management interfaces?

    Thank you very much

    Gary

    Facing your LAN audience?  I think it depends a little bit on what your LAN looks like.  I don't think you need to NAT your management network.  If you simply use public IPs rather than private ones on your internal LAN, the answer is no.  I have a client who does this same thing using 191.x.x.x for its internal network.  Are you trying to access your network over the Internet?  That would be a different matter, and I recommend consulting a competent network engineer.

    In short, just because you go from a public IP address range to a private IP address range does not mean you need to NAT.  You often see NAT when these IP address ranges are used as intended.  For example, a company has a single public IP address assigned.  It uses private IP addresses on its local network.  For devices that must leave the LAN and access the Internet, you would NAT because everyone has to share this single public IP.

    Without knowing a little more, I think you'd be fine with standard routing or switching (layer 3 inter-VLAN routing).

    All the best,

    Mike

    -----------------------------------------

    Remember to mark this reply 'correct' or 'helpful' if you found it useful.

    Mike Brown

    NetApp, VMware and Cisco data center guy

    Consultant engineer


    Twitter: @VirtuallyMikeB

    Blog: http://VirtuallyMikeBrown.com

    LinkedIn: http://LinkedIn.com/in/michaelbbrown

  • Separate VSANS / Mgmt / Vmotion traffic on different switches

    Hello

    I want to build a 4-node hybrid VSAN cluster (6.x).

    I have 2 x 10GbE switches dedicated to VSAN traffic

    also 2 x 1GbE switches for management / VM / vMotion traffic

    Each host has 2 x 10GbE NICs, 1 uplink to each of the 10GbE switches

    Each host also has 4 x 1GbE uplinks, 2 to each of the 1GbE switches

    My idea is to use 10GbE just for VSAN traffic (separate DVSwitch, one active, one standby) on each 10GbE switch

    Also to use 2 ports for management traffic (separate DVSwitch, one active, one standby) on each 1GbE switch

    And use 2 ports for VM traffic (separate DVSwitch, one active, one standby) on each 1GbE switch

    vMotion traffic would be on the same uplinks as management, but with active / standby reversed

    Question: is it possible / useful to connect vMotion to the 10GbE uplink ports (active / standby reversed relative to the VSAN traffic)?

    I appreciate any useful comment on my planned install (I am not a networking guy)

    A couple of thoughts.  You can run several vmkernels for VSAN and vMotion (allowing one on each switch).  For VSAN, use separate VLANs / subnets (one on each switch gives you a nice A / B separation), while vMotion must have all the vmkernels on the same subnet, ideally the same layer 2.  This allows for maximum reliability, in theory faster failover, and more throughput.  This also has the advantage that, if your cluster is not big (bigger than, say, 48 ports), you can avoid having multicast leave the switch (which usually requires more arguments with the network guys), as each TOR switch will have its own VSAN network.    Then use NIOC to shape and protect the traffic between them.  Now, NIOC is not as effective as SR-IOV (but it's good enough) and you will maximize your 10 Gbps investment without swamping things.

    • Management VMkernel interface = explicit failover order = active P1 / standby P2, 10.1.1.1/24 VLAN 100
    • vMotion VMkernel-A interface = explicit failover order = active P1 / standby P2, 10.1.2.1/24 VLAN 101
    • vMotion VMkernel-B interface = explicit failover order = active P2 / standby P1, 10.1.2.2/24 VLAN 101
    • Virtual machine port group = explicit failover order = active P1 / standby P2, 10.1.2.1/22 VLAN 102
    • Virtual SAN VMkernel-A interface = explicit failover order = active P1 / standby P2 (or not used) * 10.1.3.1/24 VLAN 103
    • Virtual SAN VMkernel-B interface = explicit failover order = active P2 / standby P1 (or not used) * 10.1.4.1/24 VLAN 104

    In this case, VLANs 100, 101 and 102 will be on all switches.

    * 103 and 104 could be configured to exist only on their own switch (A / B isolation, failover does not switch over; set the other uplink to not used) or exist on both (and use standby) as described.  This design focuses on keeping host-to-host communication on the same switch (decreases complications with multicast and reduces latency, as VSAN traffic does not have to hop to another switch unless you run out of switch ports; but now with dense 40Gbps switches using 10 Gbps breakouts, in theory you could hit the limit of 64 nodes on a single switch).

    I'm curious about anyone's thoughts on just disabling the failover and forcing each vmkernel to stick to its switch (and accepting loss of communication on that vmkernel in the event of a switch failure).  I want to do some lab tests with both and test the switch/path failover between both of these configurations (compared to a single-vmkernel configuration).

    However, some people prefer a 'simpler' configuration (and I'm not opposed to that).

    Duncan drew up an active/passive failover configuration with a single vmkernel for each host.

    In theory, not being as dependent on NIOC for storage isolation should help latency during the short bursts it takes for NIOC to kick in, vs. an active/active design.

    Virtual SAN and Network IO Control

    • Management VMkernel interface = explicit failover order = active P1 / standby P2
    • vMotion VMkernel interface = explicit failover order = active P1 / standby P2
    • Virtual machine port group = explicit failover order = active P1 / standby P2
    • Virtual SAN VMkernel interface = explicit failover order = active P2 / standby P1

  • Running the software iSCSI on a different subnet than the management traffic

    I hope I'm missing something obvious you smart people might be able to help with.

    I am trying to put in place a small vSphere instance using ESXi 4.0 Update 2 and, unlike most of our environment, we use iSCSI instead of fibre SAN storage.

    The intention is to set up a network on subnet A for management and vMotion traffic, which will have 2 NICs attached.

    We have a second subnet 'B' allocated for iSCSI storage and have 2 separate NICs which will be set up through two vSwitches, 1 NIC for each.

    We have set up the management/vMotion switch on subnet A and, of course, entered the default gateway for this subnet when asked.

    The iSCSI subnet naturally has a different gateway, and so when I entered the subnet B IP address on the VMkernel port, it always seems to try to route through the subnet A gateway, with the result that the storage is not visible.

    We have verified that the problem is not with the storage or the ESXi setup by proving that if we give the iSCSI port an IP on subnet A (and the storage too) then we can see the storage without problems; the issue seems to be entirely about trying to operate on a completely isolated subnet.

    Isolation of storage traffic is a customer requirement, and not something we can ignore.

    Does anyone know if it's possible (and if so what I should do to solve the problem), OR should we look at moving to ESX Classic and use its ability to use 2 different gateways?

    I feel that I must be missing something pretty obvious; surely there must be a way to achieve segregation of traffic onto subnets for the other VMkernel activities such as vMotion, fault tolerance and management traffic.

    There is only one gateway for the VMkernel, so you can separate vMotion / iSCSI / fault tolerance only with non-routable subnets, i.e. all hosts on the same subnet.

    ---

    MCSA, MCTS Hyper-V, VCP 3/4, VMware vExpert

    http://blog.vadmin.ru

  • vMotion - network adapter 'Connected' box is unchecked after vMotion

    Hi all

    I have a strange problem in a DRS cluster / VM rules when we do vMotion.

    After doing vMotion, the VM addresses don't ping; at first I thought the network trunk was not right.

    I did a vMotion back to the source host and it still did not work.

    After checking the virtual machine's configuration, I see that the network adapter's "Connected" box is not checked.

    The box was checked before, because the machine responded to ping before the vMotion.

    My question is very simple: have you already seen this behavior?

    I use the following script to facilitate the operation.

    Thanks for your help

    Ludovic112

    # vCenter / ESX server name (placeholder)
    $pViServer = '<servername>'

    # Connect only if there is no live connection yet
    If ($viCon.IsConnected -eq $false -or $viCon.IsConnected -eq $null)
    {
        $viCred = Get-Credential
        $viCon = Connect-VIServer -Server $pViServer -Credential $viCred
    }

    # VM to move around the cluster (placeholder)
    $vmName = "<vmname>"

    $maVm = Get-VM $vmName

    # All hosts of the cluster the VM lives in (placeholder)
    $cluster = Get-Cluster "<NOMCLUSTER>"
    $Listvmhosts = $cluster | Get-VMHost

    # vMotion the VM to every other host in turn, waiting a minute between moves
    foreach ($vmHost in $Listvmhosts)
    {
        If ($maVm.host.name -eq $vmHost.Name)
        {
            Write-Host "nothing to do" $maVm.host "-" $vmHost.Name
        }
        else
        {
            Write-Host 'migrate' $maVm.name 'to' $vmHost.Name
            # keep the returned VM object so $maVm.host reflects the new host
            $maVm = Move-VM -VM $maVm -Destination $vmHost
            Start-Sleep -Seconds 60
        }
    }

    If the Connected box gets unchecked after vMotion, it looks like the maximum number of ports configured for your vSwitch on your target hosts is exceeded...

    / Rubeck

  • question put on the vSphere iSCSI SAN infrastructure network

    Hi all

    We are a small company with a small virtualized environment (3 ESX servers) and are about to buy an EMC AX-5 SAN (Ethernet model, not FC) to implement some of vSphere's high availability features. My question is related to the networking of the SAN: we have dual Cisco 2960G Gigabit switches and dual Cisco ASA 5510 firewalls in a redundant configuration.

    I understand that the best practice is to put iSCSI traffic on a LAN switch separate from all other traffic. However, I do not have the knowledge and experience to determine the real difference a separate switch would make vs. the plan to create a separate VLAN on the Cisco switches dedicated to iSCSI traffic only. I would ensure that the iSCSI traffic is on a dedicated physical VLAN (not just a logical one), with no other logical VLANs (subinterfaces) on the same VLAN. It is difficult for me to understand how a gigabit port on an isolated VLAN on Cisco kit would somehow perform much worse than on a dedicated Cisco switch. But then again, I don't know what I don't know...

    Thoughts and input would be appreciated here: I'm trying (very) hard not to drop another $6+ on another pair of Cisco switches, unless that decision would significantly compromise iSCSI SAN performance.

    Appreciate your time,

    Rob

    You have 2 SPs, each with 2 iSCSI ports, for example:

    SPA: 10.0.101.1 on VLAN 101 and 10.0.102.1 on VLAN 102

    SPB: 10.0.101.2 on VLAN 101 and 10.0.102.2 on VLAN 102

    On your ESX, create 2 vSwitches, each with a VMkernel port on one of the iSCSI networks and each with a single physical NIC.

    See also:

    http://www.DG.com/microsites/CLARiiON-support/PDF/300-003-807.PDF

    André

  • Why can't I easily select my open questions after logging in to support?

    Why can't I easily select my open questions after logging in to support?

    When I log in to the support communities, I still have no clear idea where to find my open support questions so I can check for updates.

    It seems to me that this should be a big, distinct and separate button on the support homepage after you have logged in:  "My open Apple Community Support issues."

    Is this too much to ask?

    Steve

    1. Click / tap your username
    2. Click / tap 'manage subscriptions'.

  • What is the yellow square with a question mark on the Firefox OPTIONS page? Have a peek.

    There is a yellow square with a question mark on the Firefox OPTIONS / settings page.
    If the mouse enters it, it reacts like it is something to click, but there is no indication that it is.
    Is it supposed to be there and if so, why?
    It has a BLACK QUESTION MARK inside the small YELLOW SQUARE.
    Any help is appreciated.

    This is the help button. Press it.

  • Our MacBook copies all messages and other activity from the iMac in the office. Is there a way to isolate the MacBook?

    Our MacBook copies all messages and other activity from the office iMac. Is there a way to isolate the MacBook

    so that it is a fully independent computer?

    Your iCloud and any IMAP accounts will be synchronized. You can sign in with a different Apple ID on the MacBook, or you can turn off iCloud sync and the IMAP account.

    System Preferences > iCloud

    Uncheck the items you don't want synchronized.

    Mail > Accounts

    Uncheck all of the accounts that you don't want synchronized.

  • Hello.. I've forgotten the answers to my security questions... I have no chance of remembering them... What can I do now? No idea how to delete the old questions and put in new ones? PLEASEEE help me

    Hello.. I've forgotten the answers to my security questions... I have no chance of remembering them... What can I do now? No idea how to delete the old questions and put in new ones? PLEASEEE help me

    Hello

    If you set an alternate e-mail address, you can reset your security questions. Follow the instructions here to check whether this option is available:

    If you forgot the answers to your Apple ID security questions - Apple Support

    Otherwise, you will need to contact Apple Support. The information is available here:

    Contact Apple for help with Apple ID account security - Apple Support

  • I recently dropped my laptop and it is acting weird: some days it takes up to 4 start attempts to open, sometimes it shows me a folder with a question mark on the screen, and sometimes it asks me to reset my password. What are the steps to take?

    I recently dropped my laptop and it is acting weird: some days it takes up to 4 start attempts to open, sometimes it shows me a folder with a question mark on the screen, and sometimes it asks me to reset my password. What are the steps to take?

    Anything could be damaged on your MacBook Pro, but from what you say, it seems that the hard drive/SSD/flash storage/SATA cable was seriously damaged. The "question mark" means that your Mac is unable to find any bootable device, meaning that it no longer detects your OS X drive.

    You should make a backup of your files (if you still can) and take the Mac to the Apple Store or a dealer to get a diagnosis. There may be several damaged parts.
