vShield Manager management interface network & port group / VLAN

Hello:

I'm new to vShield and looking to use it in our environment.  I read the documentation and am about to install the first part, the vShield Manager appliance.  The docs specify that the management interface for the vShield Manager should be in its own port group.  Why is this?  Is it okay to put this interface in an existing port group?  Can it go in a port group with other management VMs (vCenter, etc.)?  Also, is it better practice to have this on a standard vs. a distributed vSwitch, or doesn't it matter?  I was looking through posts and the other docs and so far I don't see a clear reason why it must be in its own port group.

So far, the only component we are considering is vShield Endpoint, for now.  We have no plans for vShield App or Edge, etc.

Thanks in advance!

Hello

The Manager can be put on any standard or distributed port group. You do not need to create any new port groups. The only requirement is that it can reach vCenter/SSO and the DNS and NTP servers.

There is no need to create a new one. IMHO, this could be an error in the doc.

Kind regards

Roland
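As an added example (not part of the original thread), here is an offline check in Python that encodes the answer above: the Manager's vNIC may sit in any VM port group, standard or distributed, including one that shares the management VLAN, but it cannot use the VMkernel/Service Console port group, which is not a VM port group at all. The inventory, the field names and the `kind` labels are assumptions made for the example; in practice you would build the data from PowerCLI (Get-VirtualPortGroup, Get-VMHostNetworkAdapter -VMKernel) or esxcli.

```python
"""
Added example, not code from the original thread or from VMware.

Checks where a vShield Manager vNIC would land on an ESXi host: it must be
a VM port group (a VMkernel/Service Console port group cannot carry a VM),
and sharing the management VLAN is fine, it just makes vCenter/SSO, DNS and
NTP reachable without routing.  The inventory below is constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class PortGroup:
    name: str
    vlan: int
    vswitch: str
    kind: str            # "vm" or "vmkernel" (assumed labels, not a vSphere field)


@dataclass
class Host:
    name: str
    portgroups: List[PortGroup]
    mgmt_vmk_pg: str     # port group carrying the Management VMkernel interface


def check_manager_placement(host: Host, manager_pg: str) -> List[str]:
    """Return findings ('OK: ...', 'INFO: ...' or 'FAIL: ...') for a Manager
    vNIC attached to manager_pg on the given host."""
    by_name = {pg.name: pg for pg in host.portgroups}
    findings: List[str] = []
    pg = by_name.get(manager_pg)
    if pg is None:
        return [f"FAIL: port group {manager_pg!r} does not exist on {host.name}"]
    if pg.kind != "vm":
        # This is the case the 5.1 guide's NOTE rules out: a VM cannot attach here.
        findings.append(f"FAIL: {manager_pg!r} is a {pg.kind} port group; a VM cannot attach to it")
        return findings
    findings.append(f"OK: {manager_pg!r} is a VM port group on {pg.vswitch}")
    mgmt = by_name.get(host.mgmt_vmk_pg)
    if mgmt is not None and mgmt.vlan == pg.vlan:
        findings.append(f"OK: shares VLAN {pg.vlan} with the Management VMkernel; "
                        "vCenter/SSO, DNS and NTP are on the same L2 segment")
    else:
        findings.append(f"INFO: VLAN {pg.vlan} differs from the management VLAN; "
                        "make sure vCenter/SSO, DNS and NTP are routable from it")
    return findings


# Constructed sample host (assumption for the example)
ESX01 = Host(
    name="esx01",
    portgroups=[
        PortGroup("Management Network", 18, "vSwitch0", "vmkernel"),
        PortGroup("VM Network", 18, "vSwitch0", "vm"),
        PortGroup("Servers-VLAN20", 20, "vSwitch0", "vm"),
    ],
    mgmt_vmk_pg="Management Network",
)

if __name__ == "__main__":
    for pg_name in ("VM Network", "Management Network", "Servers-VLAN20"):
        print(f"--- vShield Manager vNIC on {pg_name!r}")
        for line in check_manager_placement(ESX01, pg_name):
            print("   ", line)
```

Run it as-is to see the three outcomes: a VM port group on the management VLAN passes, the VMkernel port group fails (which is what the documentation's note is really saying), and a VM port group on another VLAN passes with a reminder to verify routing to vCenter/SSO, DNS and NTP.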

Tags: VMware

Similar Questions

  • Nexus 7K VDC management interface

    Dear,

    Regarding the VDC management interface: if I configure a VLAN interface as the management interface for a VDC (the default VDC),

    when I connect to this VDC via telnet, can I switch to any other VDC?  (Suppose I have the admin role that allows me to enter and configure all the VDCs.)

    If so, I wouldn't have to dedicate a management IP to each VDC.

    I would only do that if I wanted to give out a VDC admin account to allow some users access to a specific VLAN only, is that right?

    Hello

    Yes, it is possible.  When you log on as an administrator and you want to enter another VDC, you simply use this command:

    switchto vdc <vdc-name>

    This will take you into that VDC.  If you want to return to the admin VDC, just type "switchback".

    HTH

  • vShield Manager placement - clarification of documentation requirement

    I'm trying to deploy vShield Manager in our test and dev environment (before we implement it in production).

    I have read the documentation "vShield Installation and Upgrade Guide - vShield Manager 5.1". On page 20, the following statement is made:

    NOTE Do not place the vShield Manager management interface in the same port group as the Service Console and VMkernel.

    Question:

    Is it OK for the vShield Manager to be in the same subnet and VLAN as the Service Console and VMkernel, using a dedicated port group?

    For example, I create another port group that has the same VLAN as the VMkernel and Service Console, and the vShield Manager uses this group?

    Let me explain with an example.

    On page 19, the following statement is made:

    With vShield 5.0 and later, you can install the vShield Manager in a different vCenter than the one the vShield Manager is going to interact with. A single vShield Manager serves a single vCenter Server environment.

    vCenter1

    • It's the vCenter the vShield Manager will be deployed to
    • It uses the port group 'Management Network' with VLAN 18 for the Service Console and VMkernel
    • It's on the 192.168.10.0/24 subnet

    vShield Manager

    • This vShield Manager runs under vCenter1
    • It uses the port group 'Management network for vShield Manager ONLY' with VLAN 18
    • This is where the vShield Manager management interface will run
    • It's on the 192.168.10.0/24 subnet

    vCenter2

    • It's the vCenter the vShield Manager will interoperate with
    • It is a virtual machine running under vCenter1
    • It's on the 192.168.10.0/24 subnet
    • It uses the port group 'Management Network' with VLAN 18 for VM traffic

    So my question once again:

    Is it OK for the vShield Manager to be in the same subnet and VLAN as the Service Console and VMkernel, using a dedicated port group?

    Yes, it's fine to have the Manager on the same VLAN as the vmkernel interfaces.    According to your description below you will be fine and are actually following practice correctly.

    Not sure why the docs say not to put it in the same port group as the vmkernel or service console, since those are special port groups and you can't put a virtual machine (the Manager) in a vmkernel or service console port group anyway.   I'll have our docs people check on that.

  • Moving dynamic AP management from the management interface to another dynamic interface (WLC 2504)

    Situation/configuration is the following:

    - 2504 WLC (8.1.131) with a total of 22 APs connected.

    - Several active WLANs, each with its own (dynamic) interface.

    - The (static) management interface has the option "Enable Dynamic AP Management" enabled.

    - The four physical interfaces of the WLC remain configured as trunks.

    What is the problem:

    In the current configuration the management interface is in the same VLAN as the APs. We now want to move the management interface to a different VLAN but keep the APs in the current VLAN. The idea is to move the management interface to its new VLAN and disable "Enable Dynamic AP Management". Then create a new (dynamic) interface in the same VLAN as the APs and select "Enable Dynamic AP Management" on that interface. Configuring it is no problem, but it does not work. The APs no longer register with the WLC.

    Is there something I may be missing why this does not work?

    Richard.

    Yes, that's the gist of it.

    I always recommend taking a packet capture, if only for educational purposes and to see how this works in action. I found it interesting when I did it in the lab here.

  • EqualLogic group member network configuration error: "management interface should not be on the san subnet"

    Hello

    We currently have a new EqualLogic 6100 array with this network configuration:

    Group IP - 192.168.0.2 (VLAN1).

    Member network config:
    eth0 - 192.168.0.3 (VLAN1)
    eth1 - 10.10.10.3 (VLAN2)
    eth2 - 10.10.10.4 (VLAN2)
    eth3 - 10.10.10.5 (VLAN2)
    eth4 - empty

    I would like to assign 192.168.0.4 to eth4, but received the error: "management interface should not be on the san subnet".

    I am sure that all eth interfaces have access to VLAN1 and VLAN2. Does the error mean that eth4 should not access VLAN2 and should only access VLAN1 on the switch?

    Or should eth0 also have access to VLAN2 only, to reconfigure eth0 and eth4?

    Thank you

    > The group IP should be in the iSCSI VLAN?

    Yes!

    Note: when you configure an EQL it asks for an iSCSI port because nothing more is necessary to bring it up. Older EQLs don't have a dedicated mgmt port; later you can convert the last ethX into a mgmt port. This is why you configure iSCSI at the beginning. (Think of a mixed group of newer and older models, and you get the picture.)

    OK... once again, it is the one and only member of the group and the production hosts are connected to it, right?

    Change the group IP address to a 3rd subnet for temporary use:

    - Do not touch eth0-3 and the group IP address for now

    - Configure the mgmt port and the group management IP address in the temporary subnet. Use Group Config -> Advanced -> Network Management. You can change the mgmt port of the member and the mgmt IP address there.

    - When you save the configuration, you will lose access. You must then place your admin PC in the temporary subnet.

    - Connect to the Group Manager again with the temporary IP.

    - Now you can change the group IP address to 10.10.10.x

    - Now you can change eth0 to 10.10.10.2

    - At the end, you can change the group management IP address, as well as the mgmt port, to 192.168.0.x

    - Change the IP address of your admin PC back

    As a fallback, you should consider hanging a serial cable on the active controller of the EQL. Use 9600,8,1,N with your favorite terminal program (putty.exe on Windows). You can perform all the steps from the command line.

    If this group and its only member are not in production, you can also reset the config and restart from the beginning.

    Kind regards

    Joerg

  • Use of trunk ports (Cisco) on the management interface

    Hi all

    Background:

    We are in the process of consolidating 2 ESX server farms and will end up with 10 hosts in a single cluster. The hosts come from 2 separate VLANs (say VLAN 10 and VLAN 20). As a test I took one of the hosts out of HA/DRS and am testing with it. For HA and DRS to work efficiently and properly pool all resources, we want all VMs to have access to both VLANs so they can move to any host in the cluster.

    The test:

    On my single host mentioned above, I created 2 port groups on a vSwitch, tagged with VLAN 10 and VLAN 20, deployed a VM and tested it on both IP address ranges. It worked (with the correct IP settings defined per VLAN), but as soon as we trunked the switch port used by the management network vmkernel port we lost the connection to the HOST from a management perspective. So the question is: is it possible to connect the management network to a trunk port? We have 2 network interfaces connected to the vSwitch and both are used for VM traffic as well as management traffic. That's how they are currently implemented, except that the switch port is on a specific VLAN rather than trunked.

    Thank you very much

    Chris

    Hi Chris

    Yes, the management network also accepts VLAN tagging/trunking.

    Just add the VLAN number on the port group.

    Maybe you can post a screenshot of the current configuration?

  • Two port groups with the same VLAN on the same vSwitch?

    I'm doing a consolidation.  We had two different people set up two different vSphere clusters and different network labels were used.   Of course the network labels must match exactly to vMotion without losing connectivity.    So I was hoping that I could just create duplicate port groups on my vSwitch for the VLANs that don't match.  I know I could just migrate them and quickly change the network label, but some of them are critical and may not go down.

    For example, on one cluster I might have a port group for VLAN ID 88 that says 'Web DMZ'.  But the other cluster has "WWW" with VLAN ID 88.    Can I just create a second port group on the first cluster which also uses VLAN ID 88 with the name 'WWW' and go from there?    Would that cause problems with switching (loops, etc.)?

    Hope it makes sense.  Guess the short answer is: can I have two different port groups on a vSwitch using the same VLAN ID tag without causing problems?

    Creating several port groups with the same VLAN ID should not cause any problem. This only tags/untags the traffic to and from the virtual machine; there is nothing like loops, ... to be afraid of.

    André

  • Port group and VLAN naming convention

    What is the best naming convention for port groups on vSwitches?  Should this naming convention match how we name the VLANs on the physical switches, and how important is that?

    Hi VMinator,

    To answer your question, there is no agreed 'standard' for port group names.  It's all about what you're comfortable supporting and what works for you and your organization.  A bit like server names: some companies go hardcore with naming conventions and others name them after science fiction characters or World of Warcraft bosses.

    Generally, the more you pack into a naming standard, the more control you have (i.e. for scripts, health checks, etc.; see below).  Also, if the name itself answers questions on its own and saves you a phone call, that is priceless.  For example, the Unix guy says... "Uh, which network do I choose for my new virtual machine?  My IP is blah blah blah."  Well, with the right port group name, this question would have answered itself... and maybe even saved some service interruptions in other cases, simply by being clear and effective in communicating how this virtual device should work, purely expressed through an appropriate naming convention.

    Here's another one.  At my last gig, we had thousands of virtual machines that had to move data centers, and when they landed they needed to change IPs and start using 3 vNICs (instead of 1) on each virtual machine, each vNIC with a different subnet mask.  All support had to be provided by an outsourced team with minimal VMware experience.  The only way to support something like this and be effective is PowerCLI.  With just the naming convention alone, you can perform various tasks such as querying the VM and checking its port group settings against its actual IP information in the operating system, initiating a ping from .NET to the virtual machine, and if there are any issues, acting automatically.  Some actions that may have to be performed include, for example, changing the port group or mask on a set of guests; or querying hosts and gleaning network information (CDP, vSwitch, port group information, etc.) and comparing the observed network vs. the expected network encoded in the PG naming convention, etc. etc.  The list of actions you can take is limited only by your creativity.  Naming standards give you effective power in both manual and automated efforts.

    Still, one man's opinion, but every site I care for and feed generally ends up with a PG standard similar to what I first described in my previous post.  Don't forget my example naming convention is basic.  There are many other attributes you can add (i.e. in vCloud deployments, in addition to the network info, you might choose to identify various vCloud-specific features such as org networks, etc.).

    TBH most companies just have VM-Network port groups (ok, not bad) or some random short name which doesn't help troubleshooting.  They are fairly easy to fix and also change over time if necessary.  You can easily drag and drop a set of virtual machines (although I personally don't do it this way) into the new port group (via the networking page, CTRL+SHIFT+N) or PowerCLI it (Yes!  way to go).  Of course, always do ping tests before and after the change.  There are a lot of scripts out there (or ask master LucD in the PowerCLI VMTN forums).  If this is a net-new build, then you are ahead of the game and will have a standard to follow, whatever it is.

    Best of luck and have fun!
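    As an added example (not the poster's own script, and not code from this thread), here is the kind of audit the post describes, written in Python rather than PowerCLI so it runs stand-alone: parse the VLAN and subnet out of the port group name, then compare them with the IP the guest actually reports and flag the mismatches. The poster's own convention is not on this page, so the format `VLAN<id>_<network>-<prefixlen>_<description>` is an assumption, and so are the VM records, which are constructed; in practice they would come from Get-VM / Get-NetworkAdapter and the VMware Tools guest IP data.

```python
"""
Added example, not code from the original post.

Port group naming convention assumed for this example:
    VLAN<id>_<network>-<prefixlen>_<description>
    e.g. VLAN0088_10.10.88.0-24_WEB-DMZ

With VLAN and subnet encoded in the name, a script can check that the IP a
guest reports actually belongs to the network its vNIC is attached to.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

PG_PATTERN = re.compile(
    r"^VLAN(?P<vlan>\d{1,4})_"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3})-(?P<plen>\d{1,2})_"
    r"(?P<desc>[A-Za-z0-9-]+)$"
)


def parse_portgroup_name(name: str) -> Optional[Tuple[int, ipaddress.IPv4Network, str]]:
    """Return (vlan, network, description), or None if the name does not
    follow the convention (bad VLAN range, host bits set, malformed)."""
    m = PG_PATTERN.match(name)
    if not m:
        return None
    vlan = int(m["vlan"])
    if not 1 <= vlan <= 4094:
        return None
    try:
        # strict=True rejects names whose network part has host bits set
        net = ipaddress.IPv4Network(f"{m['net']}/{m['plen']}", strict=True)
    except ValueError:
        return None
    return vlan, net, m["desc"]


def audit_vm(vm: Dict) -> List[str]:
    """One finding per vNIC: OK, MISMATCH, NO-IP or UNPARSEABLE."""
    findings: List[str] = []
    for nic in vm["nics"]:
        tag = f"{vm['name']} {nic['label']}"
        parsed = parse_portgroup_name(nic["portgroup"])
        if parsed is None:
            findings.append(f"UNPARSEABLE {tag}: port group {nic['portgroup']!r} "
                            "does not follow the naming convention")
            continue
        vlan, net, desc = parsed
        ip = nic.get("guest_ip")
        if not ip:
            findings.append(f"NO-IP {tag}: no guest IP reported on {nic['portgroup']!r}")
            continue
        if ipaddress.IPv4Address(ip) in net:
            findings.append(f"OK {tag}: {ip} is inside {net} (VLAN {vlan}, {desc})")
        else:
            findings.append(f"MISMATCH {tag}: {ip} is not in {net} (VLAN {vlan}, {desc}); "
                            "wrong port group or wrong guest IP")
    return findings


# Constructed inventory (assumption for the example)
VMS = [
    {"name": "web01", "nics": [
        {"label": "Network adapter 1", "portgroup": "VLAN0088_10.10.88.0-24_WEB-DMZ",
         "guest_ip": "10.10.88.15"},
    ]},
    {"name": "app07", "nics": [
        {"label": "Network adapter 1", "portgroup": "VLAN0088_10.10.88.0-24_WEB-DMZ",
         "guest_ip": "10.10.20.7"},          # app server plugged into the DMZ group
        {"label": "Network adapter 2", "portgroup": "VLAN0020_10.10.20.0-24_APP",
         "guest_ip": None},                  # Tools not reporting an address
    ]},
    {"name": "legacy03", "nics": [
        {"label": "Network adapter 1", "portgroup": "VM Network",
         "guest_ip": "192.168.1.3"},
    ]},
]


def audit_all(vms=VMS) -> List[str]:
    return [finding for vm in vms for finding in audit_vm(vm)]


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

    The regex deliberately rejects a name like `VLAN0088_10.10.88.5-24_WEB-DMZ` (host bits set) so a typo in the convention shows up as UNPARSEABLE rather than silently passing every VM on that port group.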

  • Number of port groups and VLANs per vSwitch

    Hi all

    I'm looking for any insight or best practices regarding the number of VLANs that are trunked to a vSwitch.  Our ESX servers have 6 physical network adapters teamed (using IP hash).  These cards are the uplinks to the vSwitch which provides the virtual machine networks.   We use VLAN tagging (VST) and have created port groups for each VLAN ID.  Until now, we have about 7 port groups for 7 different VLANs.     I know the max is 512, but are there any considerations when adding more port groups / VLANs that I'm missing?  (We use vSphere 4.1)

    Thank you...

    The port group limit per vCenter is 5000, but it doesn't sound like you are reaching that.

    Really, for the number you have (7), you are a pretty small network as far as standard implementations go, and you'll be fine.

    I don't think it is worth looking at whether you really expect to be using all six ports; it is rare for aggregation to get increases in actual performance beyond two, and often 'more' is not better.

    LACP changes things a bit, but it does not apply to many environments.

  • Port groups (number of network cards)

    I understand that for a virtual machine to vMotion between ESX hosts, the network configurations must match (port groups/virtual switches).

    I would like to know: as long as the port groups and virtual switches match between the hosts, does the number of network cards assigned to a virtual switch matter for vMotion to work?

    Example:

    ESX host: Host1 - vSwitch2 with port groups A, B - vmnic2, vmnic3

    ESX host: Host2 - vSwitch2 with port groups A, B - vmnic2, vmnic3, vmnic5

    vMotion will still work in this scenario. I think it only cares that the port groups and vSwitches match, not about the number of network interface cards.

    Thanks in advance!

    You are right.  It does not matter if you don't have the same number of physical adapters assigned to a vSwitch for vMotion to work.

    VCP 3, 4

    www.vstable.com
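    As an added example (not part of the original thread), the check below encodes the answer above in Python: for vMotion, every port group name must exist on every host with the same VLAN ID, while the number of uplinks behind each vSwitch is reported but never counted as a compatibility problem. The per-host inventory is constructed; in PowerCLI you would build it from Get-VirtualSwitch and Get-VirtualPortGroup per host.

```python
"""
Added example, not code from the original thread.

Cluster network consistency check for vMotion: a port group must exist by
the same name on every host, and it should carry the same VLAN ID on each
host (the name is what vMotion matches; a VLAN mismatch would put the VM on
a different segment after the move).  Uplink counts do not matter.
"""
from typing import Dict, List

# host -> vswitch -> {"vlans": {portgroup: vlan}, "uplinks": [vmnic, ...]}
Inventory = Dict[str, Dict[str, Dict]]


def vmotion_network_findings(inv: Inventory) -> List[str]:
    hosts = sorted(inv)
    # portgroup name -> {host: vlan}
    all_pgs: Dict[str, Dict[str, int]] = {}
    for host in hosts:
        for cfg in inv[host].values():
            for pg, vlan in cfg["vlans"].items():
                all_pgs.setdefault(pg, {})[host] = vlan

    findings: List[str] = []
    for pg in sorted(all_pgs):
        present = all_pgs[pg]
        missing = [h for h in hosts if h not in present]
        vlans = set(present.values())
        if missing:
            findings.append(f"BLOCKER {pg!r}: missing on {', '.join(missing)}; "
                            "VMs on it cannot vMotion there")
        if len(vlans) > 1:
            detail = ", ".join(f"{h}={v}" for h, v in sorted(present.items()))
            findings.append(f"BLOCKER {pg!r}: VLAN ID differs across hosts ({detail}); "
                            "the name matches but the VM would land on another VLAN")
        if not missing and len(vlans) == 1:
            findings.append(f"OK {pg!r}: on all hosts, VLAN {vlans.pop()}")

    # Uplink counts affect bandwidth and redundancy only, never vMotion compatibility.
    counts = {h: {vsw: len(cfg["uplinks"]) for vsw, cfg in inv[h].items()} for h in hosts}
    findings.append(f"INFO uplink counts per vSwitch (not a compatibility factor): {counts}")
    return findings


# Constructed cluster: host1/host2 match the thread's example, host3 is broken on purpose
CLUSTER: Inventory = {
    "host1": {"vSwitch2": {"vlans": {"A": 10, "B": 20}, "uplinks": ["vmnic2", "vmnic3"]}},
    "host2": {"vSwitch2": {"vlans": {"A": 10, "B": 20}, "uplinks": ["vmnic2", "vmnic3", "vmnic5"]}},
    "host3": {"vSwitch2": {"vlans": {"A": 10, "C": 30}, "uplinks": ["vmnic2"]}},
}

if __name__ == "__main__":
    for line in vmotion_network_findings(CLUSTER):
        print(line)
```

    Between host1 and host2 the only difference is the extra vmnic5, which shows up in the INFO line and nowhere else; host3 is where the blockers come from.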

  • Difference between port groups and VLANs

    Hi guys

    I have read the ESX Admin guide 2 times now, but I still don't know what exactly the difference is between port groups and VLANs. I understand it, but if someone asks me this question I will not be able to respond with confidence.

    Also, the network label: my understanding is that it's just a label with no technical significance in the configuration?

    Thanks in advance

    A VLAN is one of the many settings you can configure for a port group; you also have the Security, Traffic Shaping and NIC Teaming tabs.

    The port group name you associate a VM with must be present consistently on the other hosts if you want to migrate or fail over a virtual machine from one host to another.

    Scott.


  • Dell EqualLogic PS4000 management interface port

    Can the management interface port be configured as an additional iSCSI I/O port on the PS4000 series?

    The online help in the Group Manager console provides instructions on how to do it, but the checkbox "restrict access to management" in the properties of eth2 is grayed out. Also the SAN data sheet states: 'two (2) GbE copper, one (1) 10/100 copper (optional, management network only) per controller'.

    Was this option only available on previous EQLs, or is there a way to enable it on the PS4000? Maybe through the CLI.

    Thank you

    Nick

    It's a management-only interface.

    On PS5x00 and PS6x00 arrays an iSCSI port could be converted into a management-only interface.

  • WLC 5508 management interface

    Hi, I have a design requiring a WLC 5508 to be connected to two separate wireless-specific switches. WLC port 1 is connected to switch A as a trunk and WLC port 2 is connected to switch B. Each switch has its own local VLANs. When I connect the 1130 APs they need to find the management interface initially, then only use the AP-manager interfaces. Since there is only a single management interface, if I assign the management interface to a VLAN that is configured on switch A then the APs on switch A join fine, but those on switch B continue to ask for the management interface, and the capwap debug on the WLC says that the join request was received on the wrong interface...

    The only workaround was to do routing between switch A and switch B for both VLANs the APs reside in... but for security reasons the customer would like to avoid this.

    any help is appreciated...

    Unfortunately, the initial discovery must arrive on the management interface.  Once this has happened the AP expects the second AP-manager, which is on the guest subnet, and therefore they are able to stay up.  But if the AP is restarted, it would need to discover again and would fail.

    What is the customer's concern with having the AP mgmt network fully routable?  Guest users cannot see anything there.

    IMO, let the APs connect to the mgmt subnet, but then put an L3 ACL up to block the guest subnet from reaching anything on the internal network.

  • WLC 5508 Management interfaces

    I'm setting up a new 5508.  I have used the config of a 4402, have successfully connected to the service port to manage the device, but for some reason I cannot connect to the management interface.  In this case, port 1.

    The service port is connected to a Catalyst switch and grabbed an IP (10.2.x.x subnet) with no problem.  I can access the 5508 via https using it.  However, port 1 is connected to the same Catalyst switch, but on a different VLAN (10.20.x.x subnet).  Both ends show that the interfaces are up, I can ping the interface from any other host on the network, but when I try to manage the device via https I can't connect.  We use WCS and I can't add the device to WCS.  About all I can do is ping this interface.

    I probably forgot something very basic, but I'm stumped.

    We have the same Cisco 5508 controller and we discovered that if you use a computer on the same subnet as the service interface, you will not be able to connect to the management interface via HTTP or SSH, even though you'll be able to ping it. We changed the IP address of the service interface, and then we were able to connect to the management interface.

  • ASA independent management interface IP

    Hello

    I have a pair of ASA 5510s running as a failover pair on 8.4.

    Currently we have 3 prod interfaces and are also using the management interface as a dedicated management interface.

    As I joined the two using failover, the management interface on the second ASA took the IP address of the first. Is it possible to exclude this interface from HA so that we can manage each device independently via IP? The main reason for this is that the two devices sit in different DCs, so we have a separate out-of-band network at each site.

    Thank you

    Anthony

    Hello

    I personally at least don't know of any way to do this, because the devices share the same configuration and switch interface IP addresses depending on which device is active in the pair.

    To my knowledge each physical interface that is not configured with subinterfaces should be part of the default failover. I guess in your case, even if it doesn't accomplish what you're after, you should probably configure "no monitor-interface", otherwise, to my knowledge, it might affect the failover state.

    I don't know if there really is a way to make it work as you want. I think Cisco assumes that the management interface is like any other data interface in failover, and it requires connectivity between the sites where the ASA pairs are.

    I guess it would be better if the console port were used for this purpose and you had a separate device you could remotely access the console of the machine you want through.

    If you want to send commands to the other ASA over the failover link then it is possible.

    For example, you can connect to one ASA and execute commands on the other unit over the failover link:

    failover exec mate <command>

    But again, I don't know if this will be of any help in your situation.

    -Jouni
