?
Solved

VLAN - dedicated or shared NIC

Posted on 2011-09-20
7
Medium Priority
?
476 Views
Last Modified: 2012-05-12
Hi guys,

The current esx hosts each have 6 physical NICs.
Each of these physical NICs serves a different VLAN. ie: vmnic0 = mgmt & vmotion, vmnic1 = iscsi, vmnic2 = dmz, vmnic3 = database, vmnic4 = internal1, vmnic5 = internal2

I am now building a new esx host that has 8 physical NICs but I want to know if I should separate each VLAN physically, or whether it would be better to share on physical NICs. ie: vmnic0 = mgmt & vmotion, vmnic1 = iscsi, vmnic2 = dmz/database/internal1/internal2

I believe it is best practice to keep mgmt & vmotion separate, and keeping iscsi is also best kept dedicated.
However I'm unsure about the implications of sharing the data vlans?
Should DMZ be kept separate to the others even though the traffic will traverse the firewall?

Ports are gigabit so bandwidth shouldn't be too much of a concern.

If I share the ports, it allows me to setup redundancy if needed.

I'd appreciate any feedback on the new design
Cheers
0
Comment
Question by:lltc78
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 123

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 375 total points
ID: 36566045
You can certainly use VLANs to separate physical network traffic.

Management Network and vMotion it is recommended that they are separate because of the traffic that vMotion can generate, and the same recommendation for the VMKernel (iSCSI) to define and create a storage network.

But some network managers would agrue, that creating VLANs is a bad idea, because it is difficult to monitor to traffic or utilization of the VLAN.

If you want to read more on networking in VMware ESX/ESXi, then I recommend the following:-

I would also recommend reading through the Networking Sections of the following guides to gain a better understanding of Networking in VMware ESX/ESXi.

Pages 13 - 73 Discuss Networking in Detail, including trunks, VLANs, switches, and load balancing

ESXi Configuration Guide ESXi 4.1
http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esxi_server_config.pdf

Virtual Networking
http://www.vmware.com/technical-resources/virtual-networking/virtual-networks.html

Virtual Networking Concepts
http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf

One of the biggest management holes in vCenter of ESX is the vSphere Client can indicate that VM network traffic is causing a 1 GB Ethernet adapter to have a 99% utilization rate. But strangely, it doesn't display which kind of traffic is going across the virtual networks, where it came from or where it's going.

To learn which traffic is going across a virtual network, there's a free tool for vSphere: Xangati for ESX, a virtual appliance that tracks conversations on the virtual network. It's great for troubleshooting any virtual network issue, analyzing virtual desktop infrastructure and correlating vCenter performance stats with virtual network stats.

It's available as a fanastic FREE download here.

http://xangati.com/try-it-free/
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 375 total points
ID: 36568011
The DMZ traffic should have a dedicated NIC that is plugged directly onto the DMZ switch. It should not get mingled with your other network traffic. If you have VMs on separate VLANs such as web servers on one VLAN and database servers on another, it is fine to share them with a trunked NIC.  
0
 

Author Comment

by:lltc78
ID: 36570209
thanks for responses so far but im curious...

i understand about vmotion traffic but why would mgmt traffic be high?

a lot of people say to physically separate dmz, but why? how is it different than separating other vlans?
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 
LVL 123
ID: 36570252
mgmt traffic is not normally high, unless the management interface is being used for backup of the VMs.

Physical Networking is considered for be Secure - er.

Some UK Government Bodies have banned the use of VLANs, because they considered them in-secure!

0
 

Author Comment

by:lltc78
ID: 36570439
Backup will be performed on a dedicated physical NIC...forgot about that one.

The network switch used for this client is just a single switch, so DMZ ports are on the same physical switch as other VLANs. Does this negate the security concern within the esx host since VLAN'ing must already be occuring?

I know that if the dmz switch was a separate physical and probably should be, but it's the clients' and I will assume that will not change even if I recommend.
0
 
LVL 123
ID: 36570513
It's really up to you, what security you implement. Most consider VLANs to be secure, some organisations do not.
0
 

Author Closing Comment

by:lltc78
ID: 36577919
Thanks guys, I've made recommendation to separate DMZ from other vlans physically
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Advanced tutorial on how to run the esxtop command to capture a batch file in csv format in order to export the file and use it for performance analysis. He demonstrates how to download the file using a vSphere web client (or vSphere client) and exp…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

766 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question