impire


Virtualization: Network connection between Virtual Machines (theory applies to both VMWARE & Virtual Server 2005)

Greetings,

I have read up on quite a few posts, but could not find a solid answer which I could really bank on.  For the entire weekend, I have been drawing, drawing, and redrawing my network diagram.  My mind is going in circles and I am hoping someone could help.  I am doing my best to avoid a trip to a psychiatrist <grin>

1) CURRENT CONFIGS & SCENARIO:

Current configurations (inbound):
---------------------------------

PIX-525 ----> External Cisco Switch1 -----> Internal Cisco Switch2 ---> HOSTs

Scenario 1:
-----------

HOST A:
- Dual NIC; NIC1 = IP NOT YET ASSIGNED / NIC2 = 192.168.1.1
*** NIC1 is connected to External Switch1, NIC2 is connected to Internal Switch2
- VM1: MS Small Business Server with ISA 2004 (to server as application server)
- VM2: WINXP PRO (as workstation)

HOST B:
- Dual NIC: NIC1 = 192.168.1.2 / NIC2 = IP NOT YET ASSIGNED
*** BOTH NICs are connected to Internal Switch2
- VM1: WINXP PRO (as workstation)
- VM2: WINXP PRO (as workstation)

Scenario 2:
-----------

Similar to Scenario 1, but the HOST B VM1 is now a MS Small Business Server with ISA 2004 (to serve as application server). This VM1 in HOST B now acts as a firewall.


2) PURPOSE:

a) I would like for the HOSTS to be on a different subnet.  Example, right now it is assigned to 192.168.1.x range.

b) The hosts will need to see each other.

c) The VMs need to see each other, but do not need to see the host.

d) The VMs need access to the internet.

e) The HOSTS also need access to the internet.

f) From outside, we also need VPN access to both the hosts and the VMs.

*** Please suggest the best method to configure this Virtualization network based on the current set-up & purposes.


3) OTHER QUESTIONS:

a) I am sure we are not the first to have this need.  In brief, how are the VMs able to communicate with each other on a different subnet from the hosts?

b) The reasons why I created Scenario 2 with the VM1 as the ISA are: Second backup ISA and second backup eMail server (fail over).  Is this not the right way to do it?

c) I saw a post which suggested letting the VMs bridge through the server NIC, then removing all services and leaving only virtual machines.  But doing so also leaves my hosts inaccessible to the internet and other hosts.  Any suggestions?

d) I am thinking of installing another NIC (NIC3) in HOSTA and assigning an IP in the same subnet as NIC2 (192.168.1.x).  Then I also assign the same subnet IP to NIC2 on HOSTB (192.168.1.x). Next, I remove all services in the NIC properties and leave only virtual machines access.  Is this one way to do it?

This means I am having all of the VMs on the same subnet, but they can only see each other and do not have access to the hosts (even on the same subnet).  Am I correct or is this a crazy way to do it?


Thank you very much in advance for your help.
impire

ASKER

I also would like to add another question to section 3) Other Questions:

3e) If I were to adopt scenario 2, how would I configure the two ISA servers to allow the VMs to communicate with each other?

Please enlighten me on the simplest method to configure this network.  My mind is already in a maze.  Thanks very much.
Jeffrey Kane - TechSoEasy

What are you running as your HOST operating system?  Because you can certainly use SBS as the HOST OS, and then just run a single VM on top of that as detailed in this paper:  http://sbsurl.com/vs

Also, what do you mean by "to server as application server" with regards to your SBS with ISA 2004 setup?  SBS is not really an application server... although you can run some apps on it.  

Then my next question is... have you ever installed a virtual server and virtual machine before?  Because from the tone of your question I'm assuming that you haven't and if not, you need to do that as a test... just a single host, running either SBS or Server 2003 Standard and a couple of virtual machines.  Doing this will help you to better understand how virtualization works (including how to use Virtual Network Interfaces if you like -- avoiding that 3 NIC setup you are talking about).

Jeff
TechSoEasy
impire

ASKER

Hi Jeff,

Thanks for the quick response.  I am running W2K3 Enterprise with PAE enabled (supports above 4GB RAM).  I would love to use the SBS as my host but SBS has a limitation of 3GB RAM.  Most of our hosts have a minimum of 6-GB RAM.  Also, the article you sent is for VS, I am using VMWARE. Another guy in our department did the extensive research between the two and they settled on VMWARE.  It's not up to me to choose the Virtualization software.

"to server as application server" was a typo.  I meant "to serve as application server".

Yes, I have installed quite a few VMWare machines.  Networking between the VMs and the Host is never a problem.  However, my questions are related to networking between the VMs residing in different hosts... and on different subnets.  

We do not want the VMs to have access to the hosts, only the hosts can have access to the VMs.  This gets complicated and I've tried searching different forums but found mixed answers.  Perhaps you can point me in the right direction as to make this as simple as simple can be.  Thanks.

Jeffrey Kane - TechSoEasy

SBS does not have a limit of 3GB of RAM, it's 4GB.  Not sure where you heard that.  Also, whether your comment was a typo or not, you cannot use SBS merely as an application server... as my comment stated.

As for one-way TCP/IP access... that is tricky... because to cut off the round-trip means that sometimes the VM cannot respond to a request which requires a response to continue.  You'll have to define what KIND of access you need from the hosts to the virtual machines because of course you always have a VM Control Panel, but if it needs to be automated, that's another story.  Post a question to that effect and we can discuss.

Jeff
TechSoEasy
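
The round-trip problem raised in the last reply, as an added example that is not part of the original thread: a stateless rule that drops every VM-to-host packet also drops the VM's replies, while a filter that remembers which side opened a flow blocks only VM-initiated connections. The VM subnet 192.168.2.0/24, the ports and the sample packets are assumptions constructed for illustration; only the 192.168.1.x host range comes from the question.

```python
import ipaddress

HOSTS = ipaddress.ip_network("192.168.1.0/24")  # host subnet from the question
VMS = ipaddress.ip_network("192.168.2.0/24")    # assumed VM subnet (not on the page)

def side(ip):
    """Classify an address as belonging to a host, a VM, or neither."""
    addr = ipaddress.ip_address(ip)
    return "host" if addr in HOSTS else "vm" if addr in VMS else "other"

def stateless_filter(packets):
    """Drop every packet a VM sends to a host, with no memory of earlier packets."""
    return [not (side(p["src"]) == "vm" and side(p["dst"]) == "host") for p in packets]

def stateful_filter(packets):
    """Drop only flows a VM opens; replies to host-opened flows pass."""
    flows, verdicts = set(), []
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        reply_to = (p["dst"], p["dport"], p["src"], p["sport"])
        if key in flows or reply_to in flows:
            verdicts.append(True)    # belongs to an already permitted flow
        elif side(p["src"]) == "vm" and side(p["dst"]) == "host":
            verdicts.append(False)   # VM tried to open the flow: blocked
        else:
            flows.add(key)           # remember who opened the flow
            verdicts.append(True)
    return verdicts

# Constructed traffic: a host opens a session to a VM, the VM answers,
# then the VM tries to open its own session to the host.
SAMPLE = [
    {"src": "192.168.1.1", "sport": 50000, "dst": "192.168.2.10", "dport": 3389},
    {"src": "192.168.2.10", "sport": 3389, "dst": "192.168.1.1", "dport": 50000},
    {"src": "192.168.2.10", "sport": 50001, "dst": "192.168.1.1", "dport": 445},
]

if __name__ == "__main__":
    for name, check in (("stateless", stateless_filter), ("stateful", stateful_filter)):
        print(name, check(SAMPLE))
```

Each list holds one allow/drop verdict per sample packet; the second packet, the VM's reply, is where the two filters differ.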