VLAN - dedicated or shared NIC

Posted on 2011-09-20
Medium Priority
Last Modified: 2012-05-12
Hi guys,

The current esx hosts each have 6 physical NICs.
Each of these physical NICs serves a different VLAN. ie: vmnic0 = mgmt & vmotion, vmnic1 = iscsi, vmnic2 = dmz, vmnic3 = database, vmnic4 = internal1, vmnic5 = internal2

I am now building a new esx host that has 8 physical NICs but I want to know if I should separate each VLAN physically, or whether it would be better to share on physical NICs. ie: vmnic0 = mgmt & vmotion, vmnic1 = iscsi, vmnic2 = dmz/database/internal1/internal2

I believe it is best practice to keep mgmt & vmotion separate, and keeping iscsi is also best kept dedicated.
However I'm unsure about the implications of sharing the data vlans?
Should DMZ be kept separate to the others even though the traffic will traverse the firewall?

Ports are gigabit so bandwidth shouldn't be too much of a concern.

If I share the ports, it allows me to setup redundancy if needed.

I'd appreciate any feedback on the new design
Question by:lltc78
  • 3
  • 3
LVL 126

Accepted Solution

Andrew Hancock (VMware vExpert / EE MVE^2) earned 375 total points
ID: 36566045
You can certainly use VLANs to separate physical network traffic.

Management Network and vMotion it is recommended that they are separate because of the traffic that vMotion can generate, and the same recommendation for the VMKernel (iSCSI) to define and create a storage network.

But some network managers would agrue, that creating VLANs is a bad idea, because it is difficult to monitor to traffic or utilization of the VLAN.

If you want to read more on networking in VMware ESX/ESXi, then I recommend the following:-

I would also recommend reading through the Networking Sections of the following guides to gain a better understanding of Networking in VMware ESX/ESXi.

Pages 13 - 73 Discuss Networking in Detail, including trunks, VLANs, switches, and load balancing

ESXi Configuration Guide ESXi 4.1

Virtual Networking

Virtual Networking Concepts

One of the biggest management holes in vCenter of ESX is the vSphere Client can indicate that VM network traffic is causing a 1 GB Ethernet adapter to have a 99% utilization rate. But strangely, it doesn't display which kind of traffic is going across the virtual networks, where it came from or where it's going.

To learn which traffic is going across a virtual network, there's a free tool for vSphere: Xangati for ESX, a virtual appliance that tracks conversations on the virtual network. It's great for troubleshooting any virtual network issue, analyzing virtual desktop infrastructure and correlating vCenter performance stats with virtual network stats.

It's available as a fanastic FREE download here.

LVL 43

Assisted Solution

kevinhsieh earned 375 total points
ID: 36568011
The DMZ traffic should have a dedicated NIC that is plugged directly onto the DMZ switch. It should not get mingled with your other network traffic. If you have VMs on separate VLANs such as web servers on one VLAN and database servers on another, it is fine to share them with a trunked NIC.  

Author Comment

ID: 36570209
thanks for responses so far but im curious...

i understand about vmotion traffic but why would mgmt traffic be high?

a lot of people say to physically separate dmz, but why? how is it different than separating other vlans?
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

LVL 126
ID: 36570252
mgmt traffic is not normally high, unless the management interface is being used for backup of the VMs.

Physical Networking is considered for be Secure - er.

Some UK Government Bodies have banned the use of VLANs, because they considered them in-secure!


Author Comment

ID: 36570439
Backup will be performed on a dedicated physical NIC...forgot about that one.

The network switch used for this client is just a single switch, so DMZ ports are on the same physical switch as other VLANs. Does this negate the security concern within the esx host since VLAN'ing must already be occuring?

I know that if the dmz switch was a separate physical and probably should be, but it's the clients' and I will assume that will not change even if I recommend.
LVL 126
ID: 36570513
It's really up to you, what security you implement. Most consider VLANs to be secure, some organisations do not.

Author Closing Comment

ID: 36577919
Thanks guys, I've made recommendation to separate DMZ from other vlans physically

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Giving access to ESXi shell console is always an issue for IT departments to other Teams, or Projects. We need to find a way so that teams can use ESXTOP for their POCs, or tests without giving them the access to ESXi host shell console with a root …
In this article will go through how to backup a vPostgres DB from a broken vCenter Appliance and restore to a new vCenter Appliance.
Advanced tutorial on how to run the esxtop command to capture a batch file in csv format in order to export the file and use it for performance analysis. He demonstrates how to download the file using a vSphere web client (or vSphere client) and exp…
This video shows you how to use a vSphere client to connect to your ESX host as the root user. Demonstrates the basic connection of bypassing certification set up. Demonstrates how to access the traditional view to begin managing your virtual mac…

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question