Separation of traffic

This is the situation: we have an ESX 3i 3.5 host with 3 physical NICs: one for management, one for virtual machine traffic and one for iSCSI traffic.

We want to separate the traffic into different VLANs, for example:

VLAN1 = 192.168.1.x / mask 255.255.255.0 / Gateway 192.168.1.1

VLAN2 = 192.168.2.x / mask 255.255.255.0 / Gateway 192.168.2.1

VLAN3 = 192.168.3.x / mask 255.255.255.0 / Gateway 192.168.3.1

so:

for vlan1, nic1 is on vswitch1, with a vmkernel port group; the IP address is 192.168.1.2, gateway 192.168.1.1

for vlan2, nic2 is on vswitch2, with a virtual machine port group; the range of IP addresses will be 192.168.2.x (for each virtual machine)

for vlan3, nic3 is on vswitch3; this should be a vmkernel port group (for iSCSI). The problem is the following: for vlan3, the IP range is 192.168.3.x, so we set up an IP address in this range, but the default gateway remains 192.168.1.1 (that of vlan1). If we change our offer

Is this correct? How can we resolve this situation? What are we doing wrong?

Thank you

Yes, with the iSCSI traffic (ESXi host port groups and storage system iSCSI ports) on the same subnet, there is no need for a gateway.

André


Similar Questions

  • ESXi 5.1 separating SAN traffic w/ VLAN

    So I learned this week that vSphere 5.1 VMkernels no longer support multiple gateways.  This causes me some confusion about how to properly configure this for my SAN.  I thought it was best practice to separate traffic, so I created separate VLANs for management and for data (SAN) traffic.  Since they are in different subnets, they have their own gateways.  When trying to configure it I started having a few problems before I realized that the gateway must remain the same.  I contacted VMware and initially they said the gateways could be changed, before finally stating that they were incorrect and that there can be only 1 gateway.  The answer I got from them at this point is that I don't in fact want to split the VLAN and leave the gateway on my vmkernel for SAN-only traffic; they stated that as long as my VLAN was correctly set up, VMware would just know where to send data and it wouldn't matter.  When this 'magic' did not happen, they told me I must have a VLAN problem and they couldn't help me.

    Could someone give me an idea as to what the best method is to do this?  I found an article that says you can manually add a second gateway via the CLI, but when I tried I received an error message indicating that the route existed.

    VLAN 18 (172.27.18.x/24 w/gw 172.27.18.1) - management

    VLAN 40 (172.27.40.x/24 w/gw 172.27.40.1) - data/SAN

    Any help would be greatly appreciated.

    Hi Greg,

    Here is an example configuration using VSS:

    - vSwitch0 = Management is on VLAN130 (access port, no VLAN ID configured)

    - vSwitch1 = vMotion is on VLAN131 (access port, no VLAN ID configured)

    - vSwitch2 = IPStorage is on VLAN132 (access port, no VLAN ID configured) - L2 subnet, gateway disabled

    - vSwitch3 = comments Networking (trunk ports, VLAN tagging)

    In this example, management and IPStorage are separated on different VLANs, and for more security the IPStorage VLAN has the gateway disabled (so traffic can be routed elsewhere).

    From the storage point of view, simply present your storage (NFS exports for example) on the same VLAN as your IPStorage VMkernel port (VLAN132 in this example).

    See you soon,

    Jon

  • VRF-aware IPsec vs. crypto maps for several tunnels

    Hi all!

    I came to know that we can use the same public IP address to create several tunnels to different sites, either using crypto maps with many lines, each representing a reference to a particular tunnel, or using VRF-aware IPsec, but I would like to know what the differences / advantages / cautions are.

    Thanks for your time

    Murali.

    Murali

    As I understand it, the feature essentially allows you to have multiple IPsec tunnels, and the traffic in the tunnel, i.e. the source and destination IPs of the end devices, can be in different VRFs.

    So it works mainly with MPLS VPNs, i.e. if you had several MPLS VPNs each with their own VRF, you could then run IPsec tunnels over the MPLS network and when packets are received, they are automatically in the correct VRF.

    You could not do that with normal crypto maps, i.e. you can terminate several IPsec tunnels on one public IP address, but then all the traffic would be in the same global routing table.

    So the benefit is basically the same as you get with any VRF setup, i.e. logical separation of traffic on a single device.

    I can't really say much about the cautions as I've never used it, but there are some restrictions.

    See this link for more details-

    http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_ikevpn/configuration/XE-3s/asr1000/sec-IKE-for-IPSec-VPNs-XE-3s-asr1000-book/sec-VRF-aware-IPSec.html

    Jon

  • UCS Mini + 4 switches, no VLAN

    Hi all

    I have a UCS Mini with 6324 I/O modules and 5 x B200 M3 blades, each running ESXi 6.0.

    I want to uplink the UCS Mini with four cables to four separate switches for traffic separation, and I want each B200 ESXi host to see four separate vmnics, one on each network. The switches have no VLANs, but are running DHCP. I want to get DHCP on each NIC.

    How do I go about mapping the vNICs?  LAN pin groups?

    Hi Alex,

    That is right. You can also implement the disjoint Layer 2 design explained in the guide below for more secure access.

    http://www.Cisco.com/c/en/us/solutions/collateral/data-center-virtualiza...

    I hope this helps.

    Qiese Sa'di

  • Building an ESXi lab for a new user: low cost and power, a lot of questions

    I've never touched ESXi, but a customer is going to have it in place, so I want to get familiar with it to some extent. I need a reality check from some of you who know what you're doing before I start ordering components. I'm not trying to become an ESXi expert, I just want to know my way around.

    I would like to build a mini server that runs ESXi and hosts Windows 2008 Server to act as a domain controller for my small network. This is the only use for the server and ESXi, but other needs may arise, and I want to be able to test other virtual machines within ESXi.

    I have read through a good number of blog posts on building home labs, and those have informed me to a certain extent. But still, as a newb, I have a lot of questions. ESXi is not a normal OS, and I would like to get things right the first time.

    Given that the box will be on 24/7, I would like to lower energy consumption. Performance is better, but I like to keep the use of the power down. I'm pretty sure I'll be able to do without a video card. I'll go with some kind of small form factor case, and the motherboard will probably be mini-ITX or micro-ATX.

    Here are some of my ideas; please correct me or make suggestions as you feel appropriate.

    1. As far as I know, ESXi and vSphere Client are all I need from VMware, and they will be free for my use.
    2. I'll be able to install x64 guests in ESXi, correct? (I think if ESXi is running inside VMware Workstation, only x32 guests work?)
    3. Is it true that only a single physical network card is necessary for my simple needs? (Not really sure about this.)
    4. I was going to get an i3, but am now wondering if I should opt for a faster chip. I have almost always used Intel for my desktops, but would consider AMD if it lines up well (power, graphics, a mobo that works well with ESXi). The i3 is the least power-hungry, but it's not clear to me that one of the faster chips will draw a lot more power in standby mode. This server will have a quiet life. If it becomes more than a domain controller, it's OK if the power use goes up. I just want to make sure that, while it is used as a DC for a very small network, it uses as little power as possible.
    5. I would like to get a mobo that has an ESXi-compatible NIC on board, but those seem to be quite rare, or at least difficult to identify. I'm guessing that an integrated NIC will be less power-hungry? Suggestions for a mobo?
    6. I'll use a 2.5" hard drive to save energy

    Indeed. For network interface cards, the Intel 82574L is approximately $30, street price.

    To elaborate further:

    #1 Yes

    #2 Yes, as long as the chipset has VT-x (Intel) or AMD-V (AMD).

    #3 Yes, additional network cards are for redundancy, load balancing, and the separation of traffic

    #4-6 should be addressed with the links above.

    Edit - added link to VT-x

  • vShield Zones vs. other solutions

    I am looking for a high-level comparison of solutions (vShield Zones, PVLANs, VMsafe 3rd party solutions, etc.) to isolate the network traffic of virtual machines within a vSphere environment.

    Here's the scenario:

    The physical LAN is already divided into several VLANs, but we do not rely on this alone to isolate groups of virtual machines from one another.  We also want to isolate traffic between groups of virtual machines that belong to similar groups in the same virtual environment, without having to create a separate VLAN on the physical switches for each group of VMs that needs its traffic isolated from other virtual machines.  (All the VMs need internet connectivity.)

    I know it can be done with vShield Zones, but I would like to get a view of the other ways this can be done, how they compare, and the advantages and disadvantages of each.  In addition, any other pitfalls I need to be wary of, such as incompatibility with HA, FT, etc.

    If 10 new virtual machines need to be created and they will be distributed among different groups and ESX hosts, we want to have all the layer 2 frames of these invisible to all other VMs.  Ease of management for internal VLANs / vShield Zones, and solutions that are free or included with the Enterprise / Enterprise Plus editions, are preferred.

    Any thoughts are appreciated.

    Hello

    Thanks - this is a useful article.  In this scenario, one of the objectives is to have a group of ESX hosts, clusters and VMs all on the same physical subnet with IPs on that subnet, and then to separate this large group of VMs into groups of virtual machines and allow them to talk only to the virtual machines in their group.  For example, suppose that there are 200 VMs on the 192.168.1.0/24 subnet.  They all get to keep their IP addresses.  Suppose that 20 of these VMs are in "Group A" and 20 are in "Group B".  Group A VMs should be able to talk to other Group A VMs only.  Group B VMs should be able to talk only to other Group B VMs.

    Yes, it is possible with many virtualization security solutions, whether VMsafe or not. It is zone-to-zone protection, available with vShield App, vShield Zones, Altor Networks, systems SLR, Trend Micro, IBM, Checkpoint, mocking, etc. A very basic requirement.

    However, the Group A VMs could be spread among different ESX hosts and clusters.  But some management tool still controls and monitors the isolation of the Group A VMs even if they are distributed among different ESX hosts and ESX clusters.  All of this happens without requiring the creation of a separate subnet, keeping all the 192.168.1.0/24 subnet IP addresses.   The management piece that administers this (vShield Zones/vShield Edge or whatever the solution is) can, for example, manage from one place the virtual machines that are in these distinct groups and separate their traffic.

    One of the solutions can do it too... The traffic is not necessarily 'isolated', as it might be on a VLAN, but if you think that it is distinct enough, then that is very good.

    Although the article covered some of these subjects from a high-level perspective, I'm not quite clear on the distinctions between the products and what they can and cannot do, to understand which product, if any, will actually do just that.  Is this possible with vShield Zones?  The next poster mentioned vShield Edge "that separates traffic on layer 2"; does vShield Edge deal with separation of traffic between virtual machines on the same subnet, or does it separate subnets as a logical router would?  (In this scenario all the VMs could be created on and stay on the 192.168.1.0/24 subnet)

    vShield Edge is just a small perimeter firewall like a PIX firewall, etc.; just a virtual version of such a firewall. It has other capabilities not found in a physical firewall.

    The idea that you have a fluid network that must be managed is why you need a virtualization security device within your network. All current devices require that you put at least one virtual appliance on each host, which in turn talks to a management console for all the appliances. So if you have 200 hosts you have 200 appliances, talking to a single management node that controls what each of these appliances can do and the policies to be applied on each host. So, let's assume the following:

    200 hosts. 20 virtual machines per trust zone, 20 trust zones, no two trust zones can talk to each other, the 20 virtual machines can be spread over the 200 hosts, and there is no known location for the virtual machines. All the virtual machines are on the same subnet.

    Your security console would hold the description of the policy that says that every trust zone is separated from the others, etc. The policy is sent to the appliances on each of the 200 hosts, and these appliances apply the policy, denying access between virtual machines in different trust zones.

    There are tools to do this. Some do so via VMsafe, such as vShield App, Altor Networks, Reflex Systems, Trend Micro, CheckPoint or IBM. Others do so via inline/offline appliances: vShield Edge, mocking, Trend Micro. And still others may do it using PVLANs, as on the distributed virtual switch. Inline devices separate virtual machines by trade in order to provide the necessary protection, while the VMsafe-style devices can do this within the hypervisor. In both cases your 'policy' would be applied.

    NOTE however that if the virtual machines are all on the same subnet, then while the policies will work with these tools, a misconfigured vSwitch or portgroup would allow a single VM to see all the traffic on a given host for the subnet. So auditing now becomes an important requirement, to ensure vSwitch and portgroup settings do not allow such behavior.

    Best regards
    Edward L. Haletky VMware communities user moderator, VMware vExpert 2009, 2010
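
    The audit called for in the note above could look like the following. This is an added example, not part of the original reply: the inventory structure, host names and portgroup names are constructed, and the setting that lets a VM see all traffic on a vSwitch is taken to be promiscuous mode, which a portgroup either sets itself or inherits from its vSwitch.

```python
# Constructed inventory (field names are assumptions, not a VMware export format).
# "promiscuous": None on a portgroup means "inherit the vSwitch setting".
INVENTORY = [
    {"host": "esx01", "vswitches": [
        {"name": "vSwitch1", "promiscuous": False, "portgroups": [
            {"name": "Prod-192.168.1.0", "promiscuous": None},
            {"name": "Sensor", "promiscuous": True},
        ]},
    ]},
    {"host": "esx02", "vswitches": [
        # Same portgroup names, but here the vSwitch itself was left permissive.
        {"name": "vSwitch1", "promiscuous": True, "portgroups": [
            {"name": "Prod-192.168.1.0", "promiscuous": None},
            {"name": "Sensor", "promiscuous": None},
        ]},
    ]},
]

# Portgroups that are expected to see all traffic (for example an inline or
# monitoring appliance). Everything else must not.
ALLOWED = {"Sensor"}


def effective(vswitch, portgroup):
    """Return (enabled, where the value comes from) for one portgroup."""
    override = portgroup.get("promiscuous")
    if override is None:
        return vswitch["promiscuous"], "inherited from " + vswitch["name"]
    return override, "set on portgroup"


def audit(inventory, allowed):
    """List portgroups where promiscuous mode is effectively on but not expected."""
    findings = []
    for host in inventory:
        for vsw in host["vswitches"]:
            for pg in vsw["portgroups"]:
                enabled, source = effective(vsw, pg)
                if enabled and pg["name"] not in allowed:
                    findings.append((host["host"], vsw["name"], pg["name"], source))
    return findings


def drift(inventory):
    """Portgroup names whose effective setting differs between hosts.

    VMs in one trust zone are spread over many hosts, so the same portgroup
    must behave identically everywhere it exists.
    """
    seen = {}
    for host in inventory:
        for vsw in host["vswitches"]:
            for pg in vsw["portgroups"]:
                seen.setdefault(pg["name"], set()).add(effective(vsw, pg)[0])
    return sorted(name for name, values in seen.items() if len(values) > 1)


if __name__ == "__main__":
    for finding in audit(INVENTORY, ALLOWED):
        print("FINDING:", *finding)
    print("DRIFT:", drift(INVENTORY))
```

    The inherited case on esx02 is the one a per-portgroup review misses: nothing is set on the portgroup itself, yet its VMs can see the whole subnet's traffic on that host.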


  • SQL 2005 Ent on an ESX 3.5 virtual machine

    I built a Windows Server 2003 Enterprise VM inside a VMware (ESX Server 3.5 Update 3) host. We have EMC Celerra NS20 unified storage, which is where the server VMs live, using different LUNs. Does anyone have recommendations on installing SQL 2005 Enterprise on a Win2k3 VM, with regard to the way in which it must be installed in order to get the best performance and reliability... I'm looking for suggestions such as whether SQL must be installed on the main hard drive and stored on a different LUN, or whether the SQL databases must be installed on a different LUN from the operating system? I intend to set up a LUN specifically for logs, so as to keep that traffic separated, but wonder about the base installation of SQL and the databases...

    Thanks for any advise you might have.

    It is a big question.  Here are a few things I do in this case...

    • Do not install anything - even the binary SQL on C

    • Prune/use a VMFS RAID5 for the SQL programs and databases on a volume

    • Want/use a VMFS RAID1 for logs

    There are 2 important things here.  One is that you have isolated the OS, DB and logs, all onto different logical drives.  It is very nice to be able to do a hot grow of these disks

    The other is more for performance.  It depends on how transactional (how'RE Ops / s) the system will be.  In most cases, you should be able to have the other VM to share these same volumes, but changing the RAID level can provide a performance gain based on how the data are accessible.

    I don't know if it would be necessary to isolate a VMFS LUNS () set to the SQL database for a virtual machine.  It is a function of your SAN infrastructure and how hard the VM SQL is hit.

    We have several virtual machines with DB on the same LUN, and so far it hasn't appeared to cause problems.  You can always start with a more conservative approach and slowly add that you feel comfortable.

  • SCAN listener in OAM VLAN

    We set up a 2-node RAC on Linux/ASM 11gR2 where we have separated the app-to-DB traffic in a DB VLAN, and an OAM (operations and management) VLAN in a separate subnet for back-office tasks that need to talk to the DB. With 11gR2 SCAN listeners, how can I make the control VLAN still have access to the DB, when the SCAN listeners will listen on the DB VLAN subnet? The DB VLAN is accessible only to the app nodes.

    Thank you
    Steve

    Hi Steve,

    11gR2 supports multiple subnets - which is exactly what you need.

    If you can read German (or you can use Google Translate) see here:
    http://www.Oracle.com/WebFolder/technetwork/de/community/dbadmin/tipps/grid_networks/index.html

    Most importantly, you need to add VIPs for your second subnet, and then configure the listener_networks parameter in the database, so that connections are not redirected to the wrong network.

    Regards
    Sebastian

  • Protecting the SPA112/SPA122 from outside traffic

    Some of our resellers (ISPs in most cases) are having huge problems with their clients' SPA112/SPA122 units locking up due to malicious SIP traffic from the outside. To alleviate these problems, the best solution for us would be the ability to put the whole SPA112/122 VoIP service in a separate VLAN, i.e. the unit tags all of its 'clean' traffic with a custom VLAN tag and provides regular service (bridge/NAT) for untagged WAN traffic. I think some Cisco IP phone models allow this.

    Other options we thought of:

    1. Change the SIP source port 5060 to something random

    2. Activate TLS on the units

    3. Put an ACL in the unit allowing SIP traffic from our subnets (not possible with the SPA112/122 to the best of my knowledge?)

    ...or any other good way; minimum effort and pain is of course preferable. Would enabling TLS solve the issue? The customers with these problems are those who have connected their SPA directly to the internet, most often used as a router/bridge; the solution needs to take that into account, so placing each customer's whole connection in a voice VLAN is not an option.

    Any advice on that? I guess that we are not alone in these matters...

    To the best of my knowledge, the SPA phones have not been designed to be exposed to the public without restriction. They have no DoS countermeasures implemented and they seem not to be designed to be placed in a network that is globally accessible without restriction. Read Dangerous default, bill fraud can happen - it is just as dangerous to have the unit accessible to an untrusted peer.

    You should not only put the ATAs in a separate VLAN. A particular ATA should be allowed to speak to the PBX only (and vice versa). Direct communication between two ATAs should not be allowed. Remember that anyone can disconnect an ATA, connect a computer in its place and attack any ATA in that VLAN.

    Of course, it is not a solution for remote units.

    Regarding the options you mentioned...

    [1] will help a lot if the unit is accessible worldwide, but even with it, the unit is in danger of DoS and/or unauthorized access

    [2] The ATA CPU is not very powerful and the TLS setup causes significant delays when originating and answering calls. We found it unacceptable for our users, but try it for yourself.

    [3] The ATA has no ACLs. The unit is designed to be placed in a secure network

    I guess we're not the only ones with these issues...

    I suspect that our approach will not help you much...

    We arrange a closed VPN between the user's network and ours, dedicated to unit<->switch communication. Non-VPN packets are not allowed to reach the unit at all, and only unit<->switch packets are allowed to pass through the tunnel. We monitor the connection, and we are responsible for the configuration and security of the ATA unit. The user is not authorized to access its configuration at all.

    But our users are sensitive to security and reliability.

    I can imagine a device connected to a network with uncertain security and reliability. But in that case, we cannot take any responsibility for the parameters outside our control. It is the responsibility of the customer to configure their network to be secure, or to accept the risks associated with a device connected to an unsecured network...

  • Routing of traffic between two VPN Site-to-Site Tunnels

    Hi people,

    I am trying to establish routing between two site-to-site VPN tunnels which are terminated on the same outside interface of my Cisco ASA.

    Please find attached a diagram for the same. All the firewalls used are Cisco ASA 5520s.

    The two VPN tunnels, between Point A and Point B and between Point B and Point C, are up. I have also enabled the same-security-traffic permit intra-interface command.

    How can I enable traffic from the LAN subnets behind Point A to reach the LAN subnets behind Point C without having to create a separate tunnel between Point A and Point C?

    Thank you very much.

    Hello

    Basically, you will need NAT0 and VPN rules on each site to allow this traffic.

    I think that the configurations should look something like the ones below. Naturally you will probably already have a NAT0 configuration and certainly the L2L VPN configuration

    Site A

    access-list NAT0 remark NAT0 rule for SiteA SiteC traffic

    access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    nat (inside) 0 access-list NAT0

    access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteA to SiteC

    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA to SiteC traffic from NAT
    • nat = is the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEB = is the ACL in the L2L VPN configuration that defines that SiteA LAN to SiteC LAN traffic must use the existing L2L VPN to SiteB

    Site B

    access-list OUTSIDE-NAT0 remark NAT0 rule for SiteA SiteC traffic

    access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    nat (outside) 0 access-list OUTSIDE-NAT0

    access-list L2L-VPN-CRYPTO-SITEA remark Traffic for SiteA to SiteC through a Tunnel between A - B

    access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    access-list L2L-VPN-CRYPTO-SITEC remark Traffic for SiteA to SiteC through a Tunnel between B - C

    access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • OUTSIDE-NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA to SiteC traffic from NAT. This time it is tied to the 'outside' interface, as the traffic will be coming in and going out through this interface at SiteB
    • nat = is the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEA (and SITEC) = are the ACLs in the L2L VPN configurations that define that SiteA LAN to SiteC LAN traffic should use the existing L2L VPN connections.

    Site C

    access-list NAT0 remark NAT0 rule for SiteC SiteA traffic

    access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    nat (inside) 0 access-list NAT0

    access-list L2L-VPN-CRYPTO-SITEB remark SiteC to SiteA interesting traffic

    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    Where

    • NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteC to SiteA traffic from NAT
    • nat = is the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEB = is the ACL in the L2L VPN configuration that defines that SiteC LAN to SiteA LAN traffic must use the existing L2L VPN to SiteB

    To my knowledge, the above should handle the NAT0 and the traffic selection for the L2L VPN connections. Naturally, the interface/ACL names may be different depending on your current configuration.

    Hope this helps

    -Jouni
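
    The reply above only works if every crypto ACL entry on one end of a tunnel has its mirror image on the other end, at both hops. The following added example (not part of the original reply) walks the SiteA to SiteC flow hop by hop and reports any missing entry; the configs embedded in it are the crypto ACL lines from the reply, and the site labels A/B/C and the function names are assumptions of this sketch. Only the `permit ip <net> <mask> <net> <mask>` form is parsed.

```python
import ipaddress
import re

# Matches only the "permit ip <net> <mask> <net> <mask>" form used in the reply.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)

# Crypto ACL lines per site, taken from the reply (remarks kept to show they are skipped).
CONFIGS = {
    "A": """
access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteA to SiteC
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
""",
    "B": """
access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
""",
    "C": """
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
""",
}

# Which ACL each site uses for the tunnel towards a given peer.
CRYPTO_ACL = {
    ("A", "B"): "L2L-VPN-CRYPTO-SITEB",
    ("B", "A"): "L2L-VPN-CRYPTO-SITEA",
    ("B", "C"): "L2L-VPN-CRYPTO-SITEC",
    ("C", "B"): "L2L-VPN-CRYPTO-SITEB",
}


def parse_acls(config):
    """Return {acl_name: [(src_network, dst_network), ...]}."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # remarks, nat lines, blank lines
        name, src, smask, dst, dmask = m.groups()
        try:
            entry = (ipaddress.ip_network(f"{src}/{smask}"),
                     ipaddress.ip_network(f"{dst}/{dmask}"))
        except ValueError:
            continue  # "host ..." and object-group forms are out of scope here
        acls.setdefault(name, []).append(entry)
    return acls


def covers(entries, src, dst):
    """True if some ACL entry contains both the source and the destination."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_flow(configs, crypto_acl, path, src, dst):
    """Walk src -> dst along path and report every missing crypto ACL entry."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    parsed = {site: parse_acls(text) for site, text in configs.items()}
    findings = []
    for near, far in zip(path, path[1:]):
        # The sending end needs src -> dst, the receiving end the mirror image.
        for site, peer, s, d in ((near, far, src, dst), (far, near, dst, src)):
            name = crypto_acl[(site, peer)]
            if not covers(parsed[site].get(name, []), s, d):
                findings.append(f"Site {site}: {name} lacks {s} -> {d}")
    return findings


# Failure mode: the hub forgets the entry for the second leg (B towards C).
BROKEN = dict(CONFIGS)
BROKEN["B"] = "\n".join(
    l for l in CONFIGS["B"].splitlines() if "L2L-VPN-CRYPTO-SITEC" not in l
)

if __name__ == "__main__":
    flow = ("192.168.1.0/24", "192.168.3.0/24")
    print(check_flow(CONFIGS, CRYPTO_ACL, ["A", "B", "C"], *flow))
    print(check_flow(BROKEN, CRYPTO_ACL, ["A", "B", "C"], *flow))
```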

  • Creating VLAN groups - traffic disruption

    I asked TAC this question and got a vague response, so I am posting here to see if someone has actually done this and what their results were.

    We have a fairly basic UCS config currently: there is one port channel on each fabric and our uplinks can carry all our VLANs, so all VLANs can use all uplinks.

    We will soon add a new port channel that will only serve specific VLANs (traffic for the external VCC of our Nexus 7k). So we will now have a disjoint layer 2 network, where VLANs 1xx require port-channel 1 and VLANs 4xx can only use port-channel 2.

    I have read all the Cisco docs and it seems rather simple to deal with VLAN groups so that we make sure VLANs only try to use the correct uplink/port-channel; however, our concern is moving all our existing VLANs into a VLAN group and the final outcome of this. I ran this by TAC and they said that there could be a "brief traffic disruption" when we apply this config.

    It gives me some anxiety b/c we are talking about all our ESXi hosts and each VM on these hosts (500+). However brief it may be, that could be a problem if all of a sudden everything is unable to communicate.

    Has someone had an existing config that they moved to a VLAN group configuration, and what has been your experience? Did it disrupt all traffic?

    We have not added the new port channel yet, so everything we do now is putting our existing VLANs into a group and assigning them to the existing port channel.

    Any comments or thoughts would be appreciated

    We did just that. We moved to four separate areas in four VLAN groups. We created our groups and then assigned all the VLANs to the corresponding uplink at the same time. We didn't see any packet loss or impact to end users.

    We have a facility of similar size. About 20 blades, ESXi servers and Windows, behind the pair of FIs. About 400 machines behind that. The move is quick and easy.

    Previously, we were using the LAN Uplinks Manager. I found it a bit cumbersome. VLAN groups work much more easily in my opinion.

    Plan a maintenance window, to be careful, but in my experience of moving 25 VLANs across four different disjoint layer 2 interfaces, we have not had any problems.

  • Separating the iOS and Android product IDs

    We created a number of our applications years ago on iOS only, before considering Android. Some of our bundle IDs contain capital letters - com.publisher.MAGAZINE etc., so our product IDs are structured as: com.publisher.MAGAZINE.issuenumber for individual issues.

    When we launched on Android, we discovered that they do not TRAFFIC in their product ID so we have a slightly different structure: com.publisher.magazine.issuenumber. This has been an inconvenience, but not a problem, because we separate our Android and iOS content through different Adobe IDs and can therefore provide a different product ID for each issue.

    Because the new DPS is much more cross-platform and we won't have to split our content, in my opinion we will need the ability to offer different product IDs based on the platform, unless Google is loosening their conventions around characters etc.?

    Will we be able to do that?

    The uppercase letters in the product ID will not be a problem in DPS 2015. A product ID can have the following characters: ^[a-z0-9A-Z][a-zA-Z0-9._]{0,99}$

    We recommend that you use product IDs that meet the requirements of the different marketplaces (iOS, Android, Windows)

    Currently in DPS 2015, a content collection can have a single product ID (a single product ID can be assigned to several collections). In order to continue to serve and honor previously entitled content for your users on iOS and Android, the workaround is to create 2 separate projects for iOS and Android. You will not have to log in to the DPS portal separately, but the projects must be distinct in order to have different product IDs associated with the collections and applications for iOS and Android.

    The ability to assign several product IDs to a single collection is on our future roadmap. This would allow both the uppercase and lowercase IDs to be assigned to the same collection and honored based on the device platform where the user engaged with the content.

    Kristy

  • Traffic load on the management ports

    Can someone tell me what traffic runs on the management port?  I am installing vSphere 5.1 with 3 hosts, vMotion and an iSCSI SAN. I intend to separate management traffic onto a closed 1 Gb network in which the management ports will connect to a 1 Gb switch which will have one port connected to the global network.  Does vMotion use this port heavily with its activities?

    The cluster will be slightly loaded with only 8 to 10 vm across all 3 four hosts of Quad Core processor.

    I intend to connect the iSCSI SAN with 10Gb NICs and a dedicated switch.

    If I had to, I could use a 10G switch for the management network.

    The individual virtual machine will be nic interfaces 1 Gb individual key of the network if necessary.

    If you could point me to documents, that would also be appreciated.

    any thoughts would be appreciated.

    Thank you

    Ken

    "Best practice" is said to be a network card dedicated to management, and one dedicated to vMotion. Ideally on different subnets / VLANs.

    In smaller environments, though, I will often create this:

    vSwitch0 with 2 network cards (hopefully on separate cards/ASICs) and with the management and vMotion vmkernel ports. It works very well, thank you very much, despite sometimes being described as not "best practice." Well - I think the concern is that in situations of heavy vMotion (especially when storage vMotion is involved) the management traffic could be hampered/flooded. I have just never seen it in the real world, although in environments with more than 4-5 hosts I always set things up in accordance with "best practice" just because...

    vSwitch1 with 2 NICs, 2 vmkernel ports (each with its own IP address) for iSCSI

    vSwitch2 with 2 (or more) network cards and however many VM ports / VLANs are necessary.

    (Just to be clear, the 'best practice' would be vSwitch0 with 2 network cards and 2 vmkernel ports, one configured for management and the other for vMotion. Each NIC would be dedicated to one vmkernel port, but available as failover for the other...)

  • Isolate the vMotion and storage traffic?

    We use ESXi 5.1 using two physical switches for management traffic and two physical switches for VM and storage vMotion traffic. We use a DVSwitch with VLANS separated for VMs (125), storage (126) and vMotion traffic (127). My question is really about the physical switch setting. I have installation of VLANs, 125, 126 and 127 on my main switch with each of them having a layer 3 interface. I think that only the network of the VM (vlan 125) needs a layer 3 interface. In other words, my VLAN storage and vMotion is not routable by removing the 3 layer interface.

    Does this sound correct?

    Another twist: I have a Juniper switch where all layer 3 interfaces are defined. It is connected to 4 switches in the rear of my IBM BladeCenter. Two of these switches are Cisco 1 Gb switches that carry all management traffic through a vSwitch network. The other two switches are BNT 10 Gb switches that carry traffic for storage, vMotion and VMs. Of course, it's a network connection, because it carries several VLANs.

    My only question now is: should I eliminate the layer 3 interface on my storage network, which is located on a separate VLAN?

    Well, do you need your storage system to be accessible on these IP addresses by management systems on other subnets or the like? Do you already have any inter-subnet traffic between iSCSI and other networks? If this isn't the case, then there is no need to have a routable iSCSI network.

    For the ESXi hosts themselves there is usually zero reason to have the vmkernel iSCSI interfaces be routable, since you already do management etc. on another routable network (and responses from the hosts would be sent there as well unless you define custom static routes).
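The point in the answer above, that a vmkernel interface only needs the gateway for destinations outside its own subnet, can be checked before deployment. This is an added example, not code from the thread: the addresses, interface names and the simplified routing model (on-link subnets plus one default gateway, no static routes) are assumptions.

```python
import ipaddress

# Constructed sample layout (addresses are illustrative, not from the thread).
VMKERNEL = {
    "vmk0": ("management", "192.168.125.10/24"),
    "vmk1": ("iscsi", "192.168.126.10/24"),
    "vmk2": ("vmotion", "192.168.127.10/24"),
}
DEFAULT_GATEWAY = "192.168.125.1"

def egress(dest, vmkernel=VMKERNEL, gateway=DEFAULT_GATEWAY):
    """Return (interface, role, routed) for traffic to dest.

    A destination inside a vmkernel subnet is on-link and leaves through
    that interface. Anything else goes to the single default gateway, so it
    leaves through the interface whose subnet contains the gateway.
    """
    dest_ip = ipaddress.ip_address(dest)
    gw_ip = ipaddress.ip_address(gateway)
    via_gateway = None
    for name, (role, cidr) in vmkernel.items():
        net = ipaddress.ip_interface(cidr).network
        if dest_ip in net:
            return name, role, False
        if gw_ip in net:
            via_gateway = (name, role, True)
    if via_gateway is None:
        raise ValueError("default gateway is not on any vmkernel subnet")
    return via_gateway

def audit_targets(targets, expected_role="iscsi"):
    """List storage targets whose traffic would leave the storage VLAN."""
    findings = []
    for target in targets:
        name, role, routed = egress(target)
        if routed or role != expected_role:
            findings.append((target, name, role))
    return findings

if __name__ == "__main__":
    # One target on the iSCSI subnet, one on a different subnet.
    for finding in audit_targets(["192.168.126.50", "10.0.5.50"]):
        print("storage traffic leaves isolation:", finding)
```

A target on another subnet is reported as leaving through the management interface, which is the case where storage traffic would cross the routed network instead of staying on its isolated VLAN.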

  • VMotion traffic isolation, vlan trunking

    We have 2 full-length M910 blade servers sitting in the Dell blade enclosure. We installed ESXi 5.0 on the two blades and joined them to the cluster.

    Each full-length blade server has 8 network cards: 2 dual-port onboard NICs and 2-port Ethernet mezzanine cards. All are connected to the internal Cisco 3130 switches installed in I/O modules A1, A2, B1 and B2. All the internal switches are stacked together by the network team, and there is an uplink between the internal switch and an external switch (ports) that are on VLAN 137.

    All the ports that are connected to the ESXi hosts are configured as trunks on the internal physical Cisco blade switches by the network team. In our case a total of 16 ports (8 cards x 2 servers) are set to trunk on the internal Cisco switch, and there is an uplink between the internal Cisco switch and our external switch (located on VLAN 137).

    On ESXi 5.0, we set up one big flat switch, assigning all physical network cards to vSwitch0.
    Please refer to the page for the port groups configured.

    To isolate the vMotion traffic, we have configured a different VLAN tag (150) for vMotion, but vMotion does not work. The vMotion IPs are unable to ping each other. But if I change the VLAN tag to 137, vmkping works between them and vMotion works.

    If I change the VLAN tag to anything other than 137 on any port group (for example, management or virtual machine), I lose the connection to the corresponding port group.


    I think we are missing some configuration on the internal Cisco blade switches (3130). Please advise on what needs to be configured. I kind of know why trunking is required. If you could explain the exact purpose of why trunking is necessary for ESX, that would be great.

    What is the advised way to configure a virtual switch: one large flat switch, or multiple switches with a port group assigned to each? What is the recommended configuration to enable load balancing of incoming and outgoing traffic and failover? A detailed explanation would be really useful for non-network admins.

    I will try to describe one of the possible configurations.

    First some facts/support:

    • 2 ESXi hosts
    • 4 blade switches
    • 1 external switch
    • 8 NICs in each server Blade (2 NICs for each of the switches)
    • vmnic0 and vmnic4 are connected to two different switches
    • different subnets / VLAN for vMotion (100), management (101) and VM networks (102,...)
    • all VLANs represent different IP subnets

    Virtual network configuration:

    • 2 vSwitches: 1 for management, 1 for VM networks and vMotion
    • vSwitch0 for management and vMotion (vmnic0 + vmnic4)
      -> Management Port Group (VLAN 101): vmnic0 (active), vmnic4 (standby)
      -> vMotion Port Group (VLAN 100): vmnic4 (active), vmnic0 (standby)
    • vSwitch1: VM networks (vmnic1..3 + vmnic5..7)
      -> VM 1 port group (VLAN 101)
      -> VM 2 port group (VLAN 102)
      -> ...

    Blade switches:

    • all the VLANs configured in the virtual network are present
    • all downlink ports to the ESXi hosts are configured in trunk mode, all the VLANs allowed
    • at least 2 uplinks to the external switch configured as a trunk, EtherChannel (LACP)
    • uplink and downlink ports (on each of the switches) are in a link state tracking group

    External switch:

    • all the VLANs configured in the virtual network are present
    • four Port Channels/EtherChannels (LACP), one to each blade switch

    You can configure the VLANs on the switches separately or by VTP. In any case, all the VLANs should be present on the switches. If you need to route traffic between some VLANs, you must either set up a router on your network, or - in the case where the switches support it and are properly authorized - configure IP routing (inter-VLAN routing).

    André
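The symptom in the question (a port group that stops working once its VLAN tag changes) is what happens when a downlink trunk does not carry that VLAN, which is why the answer requires every virtual-network VLAN on the blade-switch trunks. The following is an added example, not from the thread, that compares port group tags with trunk allow-lists; the interface names and the configuration excerpt are constructed, and only the plain `switchport trunk allowed vlan <list>` form is parsed.

```python
import re

# Constructed sample: port group VLAN tags on the ESXi side.
PORTGROUP_VLANS = {"Management": 101, "vMotion": 100, "VM 2": 102}

# Constructed sample of blade-switch downlink configuration (Cisco IOS style).
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 101,102
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 100-102
"""

def parse_vlan_list(text):
    """Expand '100-102,137' into {100, 101, 102, 137}."""
    vlans = set()
    for part in text.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans

def trunk_allowed(config):
    """Map each trunk interface to its allowed VLAN set.

    A trunk with no 'allowed vlan' line carries all VLANs (1-4094).
    """
    trunks, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif current and line.strip() == "switchport mode trunk":
            trunks.setdefault(current, set(range(1, 4095)))
        elif current and (m := re.match(r"\s+switchport trunk allowed vlan ([\d,\- ]+)$", line)):
            trunks[current] = parse_vlan_list(m.group(1))
    return trunks

def missing_vlans(portgroups, config):
    """Return {interface: [port groups whose VLAN the trunk drops]}."""
    gaps = {}
    for iface, allowed in trunk_allowed(config).items():
        dropped = sorted(n for n, v in portgroups.items() if v not in allowed)
        if dropped:
            gaps[iface] = dropped
    return gaps

if __name__ == "__main__":
    print(missing_vlans(PORTGROUP_VLANS, SWITCH_CONFIG))
```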
