Separate management network for System Center Virtual Machine Manager in a virtual network?

Posted on 2010-01-04
Last Modified: 2013-11-08
I was looking through one of Dell's whitepapers on Hyper-V and saw a diagram that showed a separate PowerEdge server being used as a management server, which was on a completely separate network.  Basically, how we will be setting up our network is:

2 host machines connected through 2 Dell switches to our EqualLogic PS6000E SAN - 1st network for IOPS.

Also, those 2 host machines will be connected to our LAN through 2 other NICs - 2nd network for connectivity to our clients and other servers.

In Dell's article they have a third network set up that looks like it hooks up to the 2 Dell switches working with the SAN and the host machines.  Is this best practice to have a third network set up for the management software?  Also, what are the advantages of having it set up this way?  If you don't set up a third network, would you then just set up the management server on the LAN?  Or how do you connect using a SCVMM server?  I have attached an image of what the network layout I am talking about looks like; the management network is what I am curious about.

Thanks in advance!
Question by:SuperRhino
    LVL 35

    Expert Comment

    by:Jian An Lim
    This picture looks interesting, especially that AD, DNS and DHCP are set up in the management station.

    Does this mean you need 2 AD structures? 1 for management and 1 for the physical network?

    It is very hard to say whether you want to put your VMM in the physical network.
    The benefit is easier management, but you are trading off security.

    But is the security worth taking care of? Will it be easier for a user to RDP into your VMM and start playing with it?

    Is it a requirement for the company?
    We can have a lot of discussion, but at the end of the day it is really a business decision to put them together or not.

    In VMware, it is easier to keep them separate, as there is no requirement for an AD structure to support it.

    I might not have answered any of your questions, but I am just trying to do some brainstorming and get a clearer picture.

    LVL 17

    Accepted Solution

    This is based on the Microsoft best practices for SCVMM. In a large environment it is useful to have a management network to connect the hosts and SCVMM server to allow configuration tasks to be completed without affecting the production network(s). This is not mandatory and uses separate NICs etc. (or VLANs). It is better for security, as users on the production networks cannot connect to the hosts or SCVMM, and internet access is not required.

    If you do not have the equipment/licenses etc. for this, then you can install SCVMM onto any physical or virtual machine and use firewalls to limit access to specific machines/IP addresses. With multiple VMs on a host, separating the network traffic helps (management, normal data, iSCSI etc.).

    Hope this helps
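An added example, not part of the original thread: if you take the firewall route described in the answer above, the scoping is only as good as the rules actually present on the host, so it is worth auditing them. The sketch below parses output in the layout printed by `netsh advfirewall firewall show rule name=all` and lists enabled inbound allow rules that open a management port to anything outside the management subnet. The port set, the subnet and the sample rule text are assumptions constructed for illustration.

```python
import ipaddress
MGMT_PORTS = {3389, 5985, 8100}                      # assumed: RDP, WinRM, VMM console
MGMT_NETS = [ipaddress.ip_network("10.10.50.0/24")]  # assumed management subnet
# Constructed sample in the layout of `netsh advfirewall firewall show rule name=all`.
SAMPLE = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
LocalPort:                            3389
Action:                               Allow

Rule Name:                            VMM console (constructed)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             10.10.50.0/24
LocalPort:                            8100
Action:                               Allow
"""

def parse_rules(text):  # one dict per 'Rule Name:' block; separators and blanks skipped
    rules = []
    for key, sep, val in (line.partition(":") for line in text.splitlines()):
        if sep and key.strip() == "Rule Name":
            rules.append({})
        if sep and rules:
            rules[-1][key.strip()] = val.strip()
    return rules

def scoped(remote_ip):
    """True only if every RemoteIP entry provably lies inside MGMT_NETS."""
    try:
        nets = [ipaddress.ip_network(p.strip(), strict=False) for p in remote_ip.split(",")]
    except ValueError:  # 'Any', 'LocalSubnet', a-b ranges: not provably scoped
        return False
    return all(any(n.version == m.version and n.subnet_of(m) for m in MGMT_NETS) for n in nets)

def exposed_rules(text):
    """Enabled inbound allow rules that open a management port beyond MGMT_NETS."""
    hits = []
    for r in parse_rules(text):
        ports = r.get("LocalPort", "Any").split(",")  # port ranges are not expanded here
        opens = any(p.strip() == "Any" or (p.strip().isdigit() and int(p) in MGMT_PORTS) for p in ports)
        live = (r.get("Enabled"), r.get("Direction"), r.get("Action")) == ("Yes", "In", "Allow")
        if live and opens and not scoped(r.get("RemoteIP", "Any")):
            hits.append(r["Rule Name"])
    return hits
```

Running `exposed_rules` on the constructed sample reports only the Remote Desktop rule, because its RemoteIP is `Any`; RemoteIP keywords and address ranges are deliberately treated as unscoped so they get reviewed by hand.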
    LVL 5

    Assisted Solution

    The idea behind a management NIC is to offload VMM traffic for the most part. It is also helpful for security in some cases, but that depends on your infrastructure (VLANs, firewalls, etc.). I suppose someone could get access to VMM on the same LAN, but if they can access that, I'd be more concerned about what else they can access.

    Assume you are migrating a VM from one HV server to another or deploying a new VM from a library: you're going to use a majority of the NIC's capabilities transferring the data. If you are using one NIC, it could get saturated, reducing throughput for the VMs. I've seen this happen, especially on a SATA 7.5K SAN; it's not pretty.

    I don't think that diagram is very good. It really looks like they put the management connections on the wrong switches, but maybe they had a reason for this.

    I'd put the management station/VMM on the LAN but use a separate NIC by unchecking the box to share the NIC for management when setting up the Hyper-V network settings.

    LVL 5

    Expert Comment

    Just to add, after looking at the diagram more, it does look useful for an extremely large environment of many Hyper-V servers, iSCSI SANs, backups, etc.

    In a smaller environment with no severe security requirements, I personally would stick with a dedicated management NIC in the LAN.
