Solved

VLAN - dedicated or shared NIC

Posted on 2011-09-20
7
474 Views
Last Modified: 2012-05-12
Hi guys,

The current esx hosts each have 6 physical NICs.
Each of these physical NICs serves a different VLAN. ie: vmnic0 = mgmt & vmotion, vmnic1 = iscsi, vmnic2 = dmz, vmnic3 = database, vmnic4 = internal1, vmnic5 = internal2

I am now building a new esx host that has 8 physical NICs but I want to know if I should separate each VLAN physically, or whether it would be better to share on physical NICs. ie: vmnic0 = mgmt & vmotion, vmnic1 = iscsi, vmnic2 = dmz/database/internal1/internal2

I believe it is best practice to keep mgmt & vmotion separate, and keeping iscsi is also best kept dedicated.
However I'm unsure about the implications of sharing the data vlans?
Should DMZ be kept separate to the others even though the traffic will traverse the firewall?

Ports are gigabit so bandwidth shouldn't be too much of a concern.

If I share the ports, it allows me to setup redundancy if needed.

I'd appreciate any feedback on the new design
Cheers
0
Comment
Question by:lltc78
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 121

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 125 total points
ID: 36566045
You can certainly use VLANs to separate physical network traffic.

Management Network and vMotion it is recommended that they are separate because of the traffic that vMotion can generate, and the same recommendation for the VMKernel (iSCSI) to define and create a storage network.

But some network managers would agrue, that creating VLANs is a bad idea, because it is difficult to monitor to traffic or utilization of the VLAN.

If you want to read more on networking in VMware ESX/ESXi, then I recommend the following:-

I would also recommend reading through the Networking Sections of the following guides to gain a better understanding of Networking in VMware ESX/ESXi.

Pages 13 - 73 Discuss Networking in Detail, including trunks, VLANs, switches, and load balancing

ESXi Configuration Guide ESXi 4.1
http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esxi_server_config.pdf

Virtual Networking
http://www.vmware.com/technical-resources/virtual-networking/virtual-networks.html

Virtual Networking Concepts
http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf

One of the biggest management holes in vCenter of ESX is the vSphere Client can indicate that VM network traffic is causing a 1 GB Ethernet adapter to have a 99% utilization rate. But strangely, it doesn't display which kind of traffic is going across the virtual networks, where it came from or where it's going.

To learn which traffic is going across a virtual network, there's a free tool for vSphere: Xangati for ESX, a virtual appliance that tracks conversations on the virtual network. It's great for troubleshooting any virtual network issue, analyzing virtual desktop infrastructure and correlating vCenter performance stats with virtual network stats.

It's available as a fanastic FREE download here.

http://xangati.com/try-it-free/
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 125 total points
ID: 36568011
The DMZ traffic should have a dedicated NIC that is plugged directly onto the DMZ switch. It should not get mingled with your other network traffic. If you have VMs on separate VLANs such as web servers on one VLAN and database servers on another, it is fine to share them with a trunked NIC.  
0
 

Author Comment

by:lltc78
ID: 36570209
thanks for responses so far but im curious...

i understand about vmotion traffic but why would mgmt traffic be high?

a lot of people say to physically separate dmz, but why? how is it different than separating other vlans?
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 121
ID: 36570252
mgmt traffic is not normally high, unless the management interface is being used for backup of the VMs.

Physical Networking is considered for be Secure - er.

Some UK Government Bodies have banned the use of VLANs, because they considered them in-secure!

0
 

Author Comment

by:lltc78
ID: 36570439
Backup will be performed on a dedicated physical NIC...forgot about that one.

The network switch used for this client is just a single switch, so DMZ ports are on the same physical switch as other VLANs. Does this negate the security concern within the esx host since VLAN'ing must already be occuring?

I know that if the dmz switch was a separate physical and probably should be, but it's the clients' and I will assume that will not change even if I recommend.
0
 
LVL 121
ID: 36570513
It's really up to you, what security you implement. Most consider VLANs to be secure, some organisations do not.
0
 

Author Closing Comment

by:lltc78
ID: 36577919
Thanks guys, I've made recommendation to separate DMZ from other vlans physically
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I show you step by step with screenshots to assist you - HOW TO: Deploy and Install the VMware vCenter Server Appliance 6.5 (VCSA 6.5), with some helpful tips along the way.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Teach the user how to join ESXi hosts to Active Directory domains Open vSphere Client: Join ESXi host to AD domain: Verify ESXi computer account in AD: Configure permissions for domain user in ESXi: Test domain user login to ESXi host:
This video shows you how easy it is to boot from ISO images for virtual machines with the ISO images stored on a local datastore on the ESXi host.

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question