VMkernel traffic

I just read "Marking VMkernel traffic Types using ESXCLI 5.1" (VMware vSphere Blog - VMware Blogs) and it says that the types of traffic the VMkernel supports are Fault Tolerant replication, management, vMotion and vSphere.  However, in my lab, the traffic options I see when I add a VMkernel port are vSphere vMotion, iSCSI, NFS and host management.  Which is OK if requested for the consideration of PVC?

The books you mentioned are based on vSphere 5.0, and vSphere Replication was introduced with vSphere 5.1. The traffic types VMkernel supports are:

  • Management
  • vMotion
  • Fault tolerance
  • vSphere replication
  • Network storage (iSCSI, for example)

Note that for storage networks there is no explicit option you need to check/enable, i.e. leave all the options unchecked.

André

Similar Questions

  • VMkernel

    Is it normal to have the following scenarios:

    2 management traffic

    2 vMotion traffic

    2 vSAN traffic

    2 FT traffic

    I'm referring to the configuration on a standard switch, a distributed switch or both, as long as two VMkernel ports for each traffic type are present.

    I ran into this on a distributed switch: 2 VMkernel ports were created for vMotion (1 in each distributed switch; I created 2 distributed switches).

    When we tried to vMotion, it did not work.

    Regarding the 2 vSAN VMkernel adapters that you plan to create, there is something important to consider:

    Unlike multiple-NIC vMotion, Virtual SAN does not support multiple VMkernel adapters on the same subnet.

    Please check the following guide Virtual Network Infrastructure section

    http://www.VMware.com/files/PDF/products/VSAN/VMware-virtual-San-network-design-guide.PDF

  • On nic vmkernel/vmmanagement in ESXi 5.0

    Hi guys,

    I need to configure my newest ESXi 5.1 server and I'm not sure what the network requirements are for the VMkernel and management configuration.

    Do I need to create a vSwitch and "dedicate" 2 NICs (1 for VMkernel and 1 for management), and not use the same NICs in another vSwitch for the production VM network?

    Is it mandatory (by ESXi design) to have a dedicated NIC for this, or is it just a best practice?

    I have 6 network adapters on each server.

    Thanks in advance.

    It is not necessary to use a dedicated network adapter for management traffic (which, by the way, is VMkernel traffic). It actually depends on your physical network design (e.g., flat, VLANs) and on which features you will use on the ESXi host (e.g. vMotion, Fault Tolerance, software iSCSI) how many vSwitches and port groups you need and whether you need to separate traffic.

    André

  • Does the VMkernel need access to the VC?

    Hello

    I'm installing ESX4.1i U1 and I have 4 network cards. Two will be to shared resources with CASL for VM traffic on one VLAN, 10.x.x.x.  VMkernel traffic will be sitting on one of the other network cards on a 192.x.x.x VLAN.  The question is: should the VMkernel VLAN talk to the VC at all?  Trying to keep the VLAN as secure as possible.  Looking at other discussions on the forum, there seem to be contradictory answers.  Some say that guests need to talk on this VLAN, while others say that the VC also needs access.  We will not use iSCSI, VMotion, HA, DRS and possibly fault tolerance.

    Thank you

    Glenn

    With ESXi, you can configure a VMkernel port for vMotion, storage, management, etc.  The VMkernel port you set up for management purposes must be able to communicate with your vCenter host.

    Dave
    VMware communities user moderator

  • Migration to ESXi and dealing with the VMkernel changes

    We are running ESX 4.1 in our group, and with the release of 4.1u1, I wanted to migrate to ESXi. However, it is proving a little difficult because of the changes to the service console.

    Because I can no longer have 2 different gateways, I have to keep all the VMkernel traffic on the same gateway. My service console previously ran on 10.157.188.x, but my iSCSI traffic ran on 10.72.66.x.

    If I move all my VMkernels to 10.72.66.x, then VMware HA will not work and I can't join the host to the cluster that has its service consoles on the 10.157.188.x network.

    How can I get around this?

    Hello

    We had a similar design, where we used a second NETWORK adapter for the NFS storage.

    The solution was to create the second VMkernel port on the host and tie it directly to the (non-routable) storage network.

    As everything was in the same IP range, no DG was required, and the bonus was that the storage traffic was always 100% secure and isolated.

  • Can IPsec configuration in VMware ESXi be applied to running virtual machines?

    Hello

    I have an operating system running inside VMware ESXi 5.1.  Let's call it "MyLinux".  It is a modified version of Linux which does not support IPsec.  So I am trying to get VMware to handle IPsec for MyLinux.

    I used esxcli commands to successfully create configurations for IPsec between VMware itself and other systems.

    However, I wonder if I can use the same esxcli commands to configure IPsec between MyLinux and other systems?  In my tests, VMware does not perform IPsec tunneling of data between the running virtual machines and other systems.

    Here is an illustration of the configuration I created for MyLinux in VMware.  I also have a security policy that is not shown.

    Name                 Source Address         Destination Address    State   SPI    Mode       Encryption Algorithm  Integrity Algorithm  Lifetime
    -------------------  ---------------------  ---------------------  ------  -----  ---------  --------------------  -------------------  --------
    MyLinuxToExternalSA  MyLINUX.IPv6.ADDRESS   EXTERNAL.IPv6.ADDRESS  mature  0x300  transport  3des-cbc              hmac-sha2-256        infinite
    ExternalToMyLinuxSA  EXTERNAL.IPv6.ADDRESS  MyLINUX.IPv6.ADDRESS   mature  0x256  transport  3des-cbc              hmac-sha2-256        infinite

    When I captured a trace TCP ping between MyLinux and the external system, MyLinux never sent the IPSec packets. Everything was sent in the clear.  This suggests that VMWare does not apply the rule for MyLinux, but I would like to confirm.  Thank you.

    Kwabena

    When you configure IPsec on ESXi, you will secure the VMkernel traffic, not the virtual machine... If you want to protect the traffic of the virtual machine, you will need to enable IPsec in the guest operating system.

    Here is more information on IPSec on ESXi: VMware KB: IPv6 and IPsec configuration on vSphere ESX and ESXi 4.1, 5.x ESXi

  • ESXi 5.5u1 added iscsi storage adapter - reboot and now vSphere Client could not connect to "my ip" an unknown error has occurred.  The server could not interpret the customer's request.  The remote server returned an error (503) server unavailable

    I have not yet connect to an iSCSI target device.

    I can ping my host

    when I open http:// "hostip" in a web browser, I get a 503 service not available.

    restart the host gets me nowhere.

    SSH opens somehow, but can not connect

    Console seems OK

    vSphere Client can not connect

    If I reset to the default values of the console it is ok, but when I reconfigure the host, this error will be returned.

    I tried to reinstall from DVD

    I'm completely patched to date via SSH esxcli

    This happens on both my hosts, although they are almost identical Lenovo thinkserver TS140s with broadcom 10Gig NIC and intel NETWORK card integrated

    It almost always seems to happen the next time I reboot after enabling iscsi support

    The only weird thing I have is that my Integrated NIC is a processor intel 217's and I have to use a special VIB so that it can be used in ESXi

    Client is Win 8.1

    Here is my installation notes

    Install on USB/SSD stick with customized ISO with i217 NIC driver, reset the configuration and reboot

    Management NIC set to NIC0:1Gig

    IP management: hostIP/24 GW: my gateway

    DNS:DNS on windows vm1, vm2 Windows dns

    HostName:ESXi1.Sub.myregistereddomainname custom DNS Suffixes: sub.myregistereddomainname

    Reset

    Patch to date (https://www.youtube.com/watch?v=_O0Pac0a6g8)

    Download the VIB and .zip in a data store using the vSphere Client

    To get them (https://www.vmware.com/patchmgr/findPatch.portal)

    Start the SSH ESXi service and establish a Putty SSH connection to the ESXi server.

    Put the ESXi server in maintenance mode,

    example command: esxcli software vib install -d /vmfs/volumes/ESXi2-2/patch/ESXi550-201404020.zip

    Reinstall the Intel 217 NIC driver if removed by the patch

    Change the ESXi host acceptance level to CommunitySupported,

    command: esxcli software acceptance set --level=CommunitySupported

    Install the VIB

    command: esxcli software vib install -v /vmfs/volumes/datastore1/net-e1000e-2.3.2.x86_64.vib

    command: reboot

    Connect via VSphere client

    -Storage

    Check/fix/create local storage. VMFS5

    -Networking

    vSwitch0

    Check vmnic0 (1)

    Network port group rename VM to the 'essential '.

    Rename management group of network ports for management of basic-VMkernel traffic.

    -Configuration time

    Enable NTP Client to start and stop the host. ntp.org set 0-3 time servers

    DNS and routing

    Start the virtual machine and stop

    -enable - continue immediately if tools start - stop - prompted action Shutdown - the two delay to 10 seconds

    Security profile

    Services

    SSH - startup - enable the start and stop with host

    Cache host configuration

    -Properties to start SSD - allocate 40GB for the cache host.

    Flashing warnings SSH:

    Advanced settings, UserVars, UserVars.SuppressShellWarning, change from 0 to 1.

    Storage adapters

    -Add - add-in adapter software iSCSI

    I think I found what I did wrong.  In fact, I applied two patches when only one was suitable. I started with 5.5u1rollup2 and then applied the ESXi550-201404001 and ESXi550-201404020.  Strangely, I did not have problems until I worked with iSCSI.

  • vSphere 5 and Dell Equallogic iSCSI

    Hi all

    I need some suggestions on how to implement my iSCSI network

    I have 2 x PowerEdge R520 with 2 network cards on board, 4 x PCI NICs and 1 x dual-port NIC card -> so 8 NICs total

    and an Equallogic PS4100 with 2 controllers and 2 network cards on each controller

    I have 2 Dell switches for my iSCSI network.

    The address of the Equallogic MGMT is 10.10.1.100

    The group IP address is 10.10.1.101 - or should these IPs be in the iSCSI network?

    My iSCSI network should be

    192.168.1.x / 24

    do I need to a single network or do I have to use 2 different networks in order to obtain the failover job.

    I plan 2 or 4 NICs for iSCSI vmkernel traffic - what do you suggest?

    If I use 4 network cards - use 2 vmkernel ports with 2 links and aggregation of links on the switches? Or can I use 4 ports vmkernel and round robin?

    ESX1

    vmnic0 192.168.1.1

    vmnic1 192.168.1.2

    ESX2

    vmnic0 192.168.1.3

    vmnic1 192.168.1.4

    EqualLogic

    eth0 192.168.1.5

    eth1 192.168.1.6

    ESX1 + ESX2

    vmnic0 - iSCSI01

    vmnic1 - iSCSI02

    SwitchA

    vmnic0 Esx1, vmnic1 ESX2, eth0, eth1 ControllerB controlled

    SwitchB

    vmnic1 ESX1, vmnic0 ESX2, the controller has ControllerB eth0, eth1

    Do I have to master two switches?

    Regards

    Bestfriend

    Hello

    I recommend 2 virtual switches with 2 network cards in each. Multipathing in fixed for each switch if it's an active-passive array and Round Robin if it is an active-active array.

    1 VLAN should be fine.

    MTU = 9000 in all the components of your infrastructure iSCSI (jumbo frames).

    Try to have HA in each part of your infrastructure and make sure you don't have 1 vSwitch connected to the 2 ports on the same HBA and using the same switch...

    If you have the option to make the "fast track" in your switch, do it.

    Use the most secure CHAP authentication you can (with software initiators, which I think they are, mutual CHAP).

    You don't need to trunk the 2 switches.

    Try to keep your number of VMs distributed among your LUN (to not collapse them with SCSI reservations)

    That's all I can think of at this time. I hope this has helped you! If that were the case, do not forget to assign the corresponding points, so we are all winners!

    Kind regards

    elgreco81

  • Installation of a second switch to support redundancy

    Hey people.

    VMware ESX 4.0 w/Update 4 installed, Vmotion license as well.

    4 machines four HOSTS

    Switches - HP Procurve 2910al - 48G

    EMC Clariion AX4 - 5i SAN Bay

    This network configuration was inherited when I came on board here, not my fault. The switches mentioned above I bought just for this project.

    I have a HP Procurve switch.  The switch has two defined VLANs.

    One for VMkernel and VMotion (vlan 200)

    A Console Service (Vlan 201)

    Currently, the console service Vlan (201) is also set to a second former switch, with four connections going to the aforementioned switch and four others to the second switch.

    What I want to do is to add a second switch for redundancy of the VLAN 200 network. Would it be as simple as installing a new switch, creating another VLAN 200, then moving half of the connections (currently two coming from each HOST, so one of each) to switch B?

    Do I have to change the properties on the vSwitch, NIC Teaming tab, to "Route based on ip hash", or leave it alone (it is currently "Route based on the originating virtual port ID")?

    Both switches would still be on shared resources to our main switch, so that there is a path to associate the VLANS set.

    Thanks for the help!

    James

    Welcome to the community - Yes, it would be that easy - as long as you do not change VLANs you won't need to change anything within the VMware environment.

    Overall I'd say separating your vMotion and VMkernel traffic onto separate VLANs would follow best practices - but if all works well I would wait until you make the change to the physical network.

  • New ESX5 host - questions see SAN storage data and much more

    Just installed a new vSphere host 5 and added to a cluster with 2 x 3.5 host (in my vCenter Server 5)

    3 questions.

    1. I can't see LUN (on SAN datastore). Have zoned out my new HBA etc and still no joy. Tried the host that it recharges and rescan option etc. Any ideas?

    2 - my 3.5 hosts I was able to specify different default gateways for my Console and VMKernel Service (both on the same vswitch). I have the Service Console configured vmkernel. 10.16.5.x and 172.16.5.x (I know there is no Service Console in vSphere 5\ESXi) but on my ESX5 host I can't specify different gateways for VMKernel and network management. I'm afraid that vmotion etc will not work between 3.5 hosts and host 5, because although the VMkernels have addresses in the same range, they have not the same gateway. I have to add a local route on the host ESX 5? Or am I wrong configured somewhere?

    3. Minor irritation. The local drive in my new server is showing as a datastore. Can it be hidden or changed to not be visible as a datastore? I want to display only my SAN datastores.

    Thank you very much

    Steve

    (1) sounds like a SAN configuration problem - you should be able to see the LUN if masking and zoning are correct in the FC switch and storage array.

    (2) you could specify two gateways because the VMkernel and the Service Console were different and supposed to be on different networks - you now have only a single VMkernel gateway - traffic will work as long as they are on the same subnet - a gateway is used only when you exit the subnet

    (3) I do not think it is possible to hide the local data store - but I could be wrong

  • Newbie question: accessibility vs. isolation of the Service Console

    Hi all

    I wonder what people do in practice to balance isolating the service console/vCenter against being able to access essential services (updates, NTP, etc.) and to administer the host and vCenter.

    Quick reminder:

    Local government, not a department store. Just is about to go into production with ESX3.5/VC2.5, have licenses for the VDI which is one of the reasons why I'm not starting with v4. Had ESX in test for about a year.

    Network is a bit sophisticated, equipment Alcatel, can do VLAN etc., but managed by one other team so I didn't know very well how it can or can not do access control.

    Firewall is on the periphery of the network only; an inter - VLAN firewall or an ISA Server would be new for me, and probably ask a negotiation.

    Because I'm not quite yet in production, I know that my best chance now is to configure the network according to best practices. I have read the Security Hardening Guide; now I'm hoping to get some opinions from 'the street'. Should I go the distance and set up a firewall, or can we configure a VLAN tight enough to be a good (if second-best) choice? What are the trade-offs in usability? How do you get updates if you do not connect that network to the Internet? Any creative solutions out there for the budget conscious?

    Thanks for your help,

    Jenna Flanagan

    City of Belmont COMPUTER service

    The service console is often regarded as the "keys to the Kingdom": if it is compromised, you have access to all the guests running.  The hardening guide is a very good starting point. An internal firewall would be a very good option; there are several out there that are safe but have a low learning curve. ISA is one, but there is also Smoothwall.

    However, that said, VLANs, even though they are not considered a security mechanism, should be used to separate your traffic; more important still is to separate traffic flows.  Make sure that your Service Console and VMkernel traffic are separated from your Production guest traffic. This may be at the lowest level by port groups and VLANs (not particularly secure, but better than nothing), moving to separate pNICs and vSwitches, and finally a completely separate set of pSwitches in order to guarantee independent traffic flow (very safe but also very expensive).

    How many bears will you have in the comments. We're crazy.  With as little as 4 pNICs you can start the design with real security in mind.

    vmnic0 + vmnic2 -> Service Console and VMkernel traffic

    vmnic1 + vmnic3 -> Production guest traffic.

    There is a very good series by Ed Haletky (Texiwill) on NIC placement in design, found here

    Now, are you aware that the View 4 release is just around the corner (guesstimated release date: mid November)? This would introduce you to all the benefits of vSphere and use of VDI.  Just a thought.

    If you have found this or any other answer useful, please consider using the helpful or correct buttons to award points

    Tom Howarth VCP / vExpert

    VMware communities user moderator

    Blog: www.planetvm.net

    Writer on "vSphere of VMware and Virtual Infrastructure Security: securing ESX and virtual environment" [http://www.Amazon.co.uk/VMware-vSphere-Virtual-Infrastructure-Security/DP/0137158009/ref=sr_1_1?ie=UTF8&s=Books&qid=1256146240&SR=1-1].
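
The separation levels described in the answer above (VLANs only, separate pNICs and vSwitches, separate pSwitches), as an added example that is not part of the original thread: a check that grades how well Service Console/VMkernel port groups are separated from VM traffic. The port-group inventory, VLAN IDs and pNIC-to-pSwitch cabling are constructed sample data, and the model looks only at the host side.

```python
from dataclasses import dataclass

LEVELS = ["none", "vlan", "pnic", "pswitch"]  # weakest to strongest separation


@dataclass(frozen=True)
class PortGroup:
    name: str
    kind: str           # "infra" = Service Console / VMkernel, "guest" = VM traffic
    vswitch: str
    vlan: int           # 0 = untagged
    uplinks: frozenset  # physical NICs (vmnicN) carrying this port group


def separation(a, b, pswitch_of):
    """Return the strongest separation level that holds between two port groups."""
    if a.vswitch == b.vswitch or a.uplinks & b.uplinks:
        # Same vSwitch or a shared pNIC: only the VLAN tag keeps the flows apart.
        return "vlan" if a.vlan != b.vlan else "none"
    switches_a = {pswitch_of[n] for n in a.uplinks}
    switches_b = {pswitch_of[n] for n in b.uplinks}
    # Disjoint pNICs and vSwitches; fully separate only if no pSwitch is shared.
    return "pnic" if switches_a & switches_b else "pswitch"


def audit(portgroups, pswitch_of, minimum="pnic"):
    """List (infra, guest, level) pairs whose separation is below `minimum`."""
    infra = [p for p in portgroups if p.kind == "infra"]
    guest = [p for p in portgroups if p.kind == "guest"]
    findings = []
    for i in infra:
        for g in guest:
            level = separation(i, g, pswitch_of)
            if LEVELS.index(level) < LEVELS.index(minimum):
                findings.append((i.name, g.name, level))
    return findings


# Constructed sample data (not from the thread): which pSwitch each pNIC is cabled to.
PSWITCH_OF = {"vmnic0": "pSwitchA", "vmnic1": "pSwitchA",
              "vmnic2": "pSwitchB", "vmnic3": "pSwitchB"}

# The 4-pNIC layout from the answer: vmnic0+vmnic2 for Service Console and
# VMkernel, vmnic1+vmnic3 for production guests. VLAN IDs are constructed.
FOUR_NIC = [
    PortGroup("Service Console", "infra", "vSwitch0", 201, frozenset({"vmnic0", "vmnic2"})),
    PortGroup("VMkernel", "infra", "vSwitch0", 200, frozenset({"vmnic0", "vmnic2"})),
    PortGroup("Production", "guest", "vSwitch1", 10, frozenset({"vmnic1", "vmnic3"})),
]

# Constructed weak layout: everything on one vSwitch; one guest port group even
# shares the management VLAN.
SHARED = [
    PortGroup("Service Console", "infra", "vSwitch0", 201, frozenset({"vmnic0", "vmnic1"})),
    PortGroup("Production", "guest", "vSwitch0", 10, frozenset({"vmnic0", "vmnic1"})),
    PortGroup("Test VMs", "guest", "vSwitch0", 201, frozenset({"vmnic0", "vmnic1"})),
]

if __name__ == "__main__":
    for label, layout in (("4-pNIC layout", FOUR_NIC), ("shared layout", SHARED)):
        print(label, audit(layout, PSWITCH_OF) or "meets minimum")
```

Raising `minimum` to "pswitch" flags the 4-pNIC layout as well, because both teams are cabled to the same pair of physical switches.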

  • Wake on LAN support

    ESXi 4 is installed on a system with a dual port Intel NIC and configured to use vmnic0 to vSwitch0, supporting LAN traffic for virtual machines and management for VMkernel traffic.  vmnic1 is associated with vSwitch1 and is exclusively used for iSCSI traffic.  vSphere Client shows that Wake on Lan is supported for vmnic0 but not vmnic1.  I understand that some Intel adapters do support WoL on port A, so this is not really surprising.

    Given that all guest virtual machines use vmnic0, which has WoL support, I assumed that guests can receive WoL support.  What I have found, however, is that while the option 'Allow this device to wake the computer from sleep mode' can be selected in the power management tab of the properties of the network adapter (Intel Pro/1000 MT) in a Windows 2003 Server guest, it cannot be set for Vista or Windows Server 2008 VMs.  The option is grayed out in the latter two VMs and the option notes indicate that the port does not support Wake on LAN.

    Is there something in the settings of the virtual machine that I'm missing?

    Thank you

    Scott

    Hi Scott, welcome to the forums of the VMware community.  What kind of NIC did you select for the virtual machines?

    Not all guest operating systems support Wake on LAN. Only the following types of NIC support Wake on LAN:

      • Flexible (VMware Tools required)
      • vmxnet
      • Enhanced vmxnet
      • vmxnet 3

    Options are disabled if they are not supported.

  • How to use the VMKernel vSphere replication traffic

    I'm trying to set up my host with my replication appliance with a dedicated VMkernel port with vSphere Replication traffic enabled on its own VLAN.

    After I set this up on 2 guests (each with local datastores) and tried to replicate a virtual machine from one host to the host with the VR appliance, traffic goes out on the management VLAN / network card on the host of the virtual machine and is received on the host with the appliance (where I'm storing data) on the inbound VM NIC / VLAN.

    I want 100% of my replication traffic off the management network and the VM network, just as I did with vMotion.

    Hello

    Setting up a VMkernel port tagged for replication traffic in ESXi 5.0.x and 5.1.x is an experimental feature and still not officially supported.

    You have to somehow route the replication traffic ports. Some people use WAN optimizer solutions (Riverbed or similar).

    The VR appliance must have access to vCenter Server and to the hosts that can be used to write to the target datastores. A link to an article with the correct port numbers should be present in the Administrator's guide.

    Kind regards

    Martin

  • Separate VMkernel port for datastore heartbeat traffic?

    Hello.

    I was just reading the EqualLogic Tech Report 'Configuring iSCSI connectivity with VMware vSphere 5 and Dell EqualLogic PS Series storage' and saw something new on pages 3-4.

    Dell recommends creating a highly available VMkernel port on the iSCSI subnet to serve as the default VMkernel port for datastore heartbeat traffic, so that the datastore heartbeat traffic will then sit outside the iSCSI software initiator without consuming any additional iSCSI storage connections. It goes on to say that the datastore heartbeat traffic will always use the lowest numbered VMkernel port on the vSwitch.

    It makes sense, but this is the first I've heard of this. Everybody does that, with EQ or other iSCSI solutions?

    Thank you

    Brian


    Not sure what Dell is talking about, but the datastore heartbeat "traffic" uses the normal iSCSI links. Each host will have a file on one of the heartbeat datastores and keep it open, which means there is a lock on the file. The overhead is minimal and there is no need to worry at all.

  • Question about VMKernel iSCSI traffic and VLANS

    Hello

    This is a very fundamental question that I'm sure I know the answer to, but I want to ask it anyway just to reassure myself.  As a precursor to my question, the configuration of my ESX infrastructure is best described here: http://www.delltechcenter.com/page/VMware+ESX+4.0+and+PowerVault+MD3000i.  Or more precisely, we have two MD3000i controllers.  Each controller has two ports and each port is configured on one of two different subnets, with each subnet connected to a different switch.  The ESX hosts are connected to both switches.  The only difference from the guide is that we have two MD3000i units configured the same, connecting to the same switches.  The ports on each MD are configured on the same subnets, but with different IP addresses.

    At present, we are in the process of upgrading our two iSCSI switches from the humble Dlink DGS-1224T to Cisco 2960 T.  The switches have been and continue to be dedicated to iSCSI traffic; however, I'm trying to set up VLANs on the switch side.  Originally, we used the default VLANs on the switches; however, after we added another MD3000i, Dell Support noted that best practice is to separate each MD3000i's iSCSI traffic onto its own subnet and VLAN. This would result in 4 iSCSI VLANs, two on each switch and two for each MD3000i.  Firstly, is this in fact good practice?

    Second, if I migrate to the preceding 4 iSCSI VLANs, as each switch port will actually be an access port, will there be a need to complete the VLAN ID field in the VMkernel configuration page? Presumably, this field is used when VLAN tagging is used, but as our switches do not need any trunking (as they are dedicated to iSCSI traffic), there should be no need to fill it in?  I guess it would be prudent to keep the two existing subnets, create two new subnets and make changes to one MD3000i and the connection of the ESX hosts.  Provided the switches and switch ports have been appropriately configured with the right VLANs, the rest should be transparent and there wouldn't be any VLAN information in the ESX hosts at all?

    Would be nice to get answers and thank you in advance!

    Gene

    (1) Yes, it is best practice for ESX iSCSI to have an independent network and VLAN for iSCSI traffic.

    (2) No, there is no need to enter anything in the VLAN field if you use an access port. It's a mandatory thing rather than a choice. If you supply the VLAN ID with an access port, it loses connectivity.

    Please explain a bit why you need to create two different VLANs for each MD3000i. Are you going to use several iSCSI storage arrays on the same ESX box? Or do you use only a single iSCSI array and use these 4 ports for the same single VMkernel interface?

    NUTZ

    VCP 3.5

    (Preparation for VCP 4)
