• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 479
  • Last Modified:

VLAN - dedicated or shared NIC

Hi guys,

The current esx hosts each have 6 physical NICs.
Each of these physical NICs serves a different VLAN. ie: vmnic0 = mgmt & vmotion, vmnic1 = iscsi, vmnic2 = dmz, vmnic3 = database, vmnic4 = internal1, vmnic5 = internal2

I am now building a new esx host that has 8 physical NICs but I want to know if I should separate each VLAN physically, or whether it would be better to share on physical NICs. ie: vmnic0 = mgmt & vmotion, vmnic1 = iscsi, vmnic2 = dmz/database/internal1/internal2

I believe it is best practice to keep mgmt & vmotion separate, and keeping iscsi is also best kept dedicated.
However I'm unsure about the implications of sharing the data vlans?
Should DMZ be kept separate to the others even though the traffic will traverse the firewall?

Ports are gigabit so bandwidth shouldn't be too much of a concern.

If I share the ports, it allows me to setup redundancy if needed.

I'd appreciate any feedback on the new design
Cheers
0
lltc78
Asked:
lltc78
  • 3
  • 3
2 Solutions
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
You can certainly use VLANs to separate physical network traffic.

Management Network and vMotion it is recommended that they are separate because of the traffic that vMotion can generate, and the same recommendation for the VMKernel (iSCSI) to define and create a storage network.

But some network managers would agrue, that creating VLANs is a bad idea, because it is difficult to monitor to traffic or utilization of the VLAN.

If you want to read more on networking in VMware ESX/ESXi, then I recommend the following:-

I would also recommend reading through the Networking Sections of the following guides to gain a better understanding of Networking in VMware ESX/ESXi.

Pages 13 - 73 Discuss Networking in Detail, including trunks, VLANs, switches, and load balancing

ESXi Configuration Guide ESXi 4.1
http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esxi_server_config.pdf

Virtual Networking
http://www.vmware.com/technical-resources/virtual-networking/virtual-networks.html

Virtual Networking Concepts
http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf

One of the biggest management holes in vCenter of ESX is the vSphere Client can indicate that VM network traffic is causing a 1 GB Ethernet adapter to have a 99% utilization rate. But strangely, it doesn't display which kind of traffic is going across the virtual networks, where it came from or where it's going.

To learn which traffic is going across a virtual network, there's a free tool for vSphere: Xangati for ESX, a virtual appliance that tracks conversations on the virtual network. It's great for troubleshooting any virtual network issue, analyzing virtual desktop infrastructure and correlating vCenter performance stats with virtual network stats.

It's available as a fanastic FREE download here.

http://xangati.com/try-it-free/
0
 
kevinhsiehCommented:
The DMZ traffic should have a dedicated NIC that is plugged directly onto the DMZ switch. It should not get mingled with your other network traffic. If you have VMs on separate VLANs such as web servers on one VLAN and database servers on another, it is fine to share them with a trunked NIC.  
0
 
lltc78Author Commented:
thanks for responses so far but im curious...

i understand about vmotion traffic but why would mgmt traffic be high?

a lot of people say to physically separate dmz, but why? how is it different than separating other vlans?
0
Microsoft Certification Exam 74-409

VeeamĀ® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
mgmt traffic is not normally high, unless the management interface is being used for backup of the VMs.

Physical Networking is considered for be Secure - er.

Some UK Government Bodies have banned the use of VLANs, because they considered them in-secure!

0
 
lltc78Author Commented:
Backup will be performed on a dedicated physical NIC...forgot about that one.

The network switch used for this client is just a single switch, so DMZ ports are on the same physical switch as other VLANs. Does this negate the security concern within the esx host since VLAN'ing must already be occuring?

I know that if the dmz switch was a separate physical and probably should be, but it's the clients' and I will assume that will not change even if I recommend.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
It's really up to you, what security you implement. Most consider VLANs to be secure, some organisations do not.
0
 
lltc78Author Commented:
Thanks guys, I've made recommendation to separate DMZ from other vlans physically
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now