Solved

VLAN - dedicated or shared NIC

Posted on 2011-09-20
7
466 Views
Last Modified: 2012-05-12
Hi guys,

The current esx hosts each have 6 physical NICs.
Each of these physical NICs serves a different VLAN. ie: vmnic0 = mgmt & vmotion, vmnic1 = iscsi, vmnic2 = dmz, vmnic3 = database, vmnic4 = internal1, vmnic5 = internal2

I am now building a new esx host that has 8 physical NICs but I want to know if I should separate each VLAN physically, or whether it would be better to share on physical NICs. ie: vmnic0 = mgmt & vmotion, vmnic1 = iscsi, vmnic2 = dmz/database/internal1/internal2

I believe it is best practice to keep mgmt & vmotion separate, and keeping iscsi is also best kept dedicated.
However I'm unsure about the implications of sharing the data vlans?
Should DMZ be kept separate to the others even though the traffic will traverse the firewall?

Ports are gigabit so bandwidth shouldn't be too much of a concern.

If I share the ports, it allows me to setup redundancy if needed.

I'd appreciate any feedback on the new design
Cheers
0
Comment
Question by:lltc78
  • 3
  • 3
7 Comments
 
LVL 118

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE) earned 125 total points
ID: 36566045
You can certainly use VLANs to separate physical network traffic.

Management Network and vMotion it is recommended that they are separate because of the traffic that vMotion can generate, and the same recommendation for the VMKernel (iSCSI) to define and create a storage network.

But some network managers would agrue, that creating VLANs is a bad idea, because it is difficult to monitor to traffic or utilization of the VLAN.

If you want to read more on networking in VMware ESX/ESXi, then I recommend the following:-

I would also recommend reading through the Networking Sections of the following guides to gain a better understanding of Networking in VMware ESX/ESXi.

Pages 13 - 73 Discuss Networking in Detail, including trunks, VLANs, switches, and load balancing

ESXi Configuration Guide ESXi 4.1
http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esxi_server_config.pdf

Virtual Networking
http://www.vmware.com/technical-resources/virtual-networking/virtual-networks.html

Virtual Networking Concepts
http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf

One of the biggest management holes in vCenter of ESX is the vSphere Client can indicate that VM network traffic is causing a 1 GB Ethernet adapter to have a 99% utilization rate. But strangely, it doesn't display which kind of traffic is going across the virtual networks, where it came from or where it's going.

To learn which traffic is going across a virtual network, there's a free tool for vSphere: Xangati for ESX, a virtual appliance that tracks conversations on the virtual network. It's great for troubleshooting any virtual network issue, analyzing virtual desktop infrastructure and correlating vCenter performance stats with virtual network stats.

It's available as a fanastic FREE download here.

http://xangati.com/try-it-free/
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 125 total points
ID: 36568011
The DMZ traffic should have a dedicated NIC that is plugged directly onto the DMZ switch. It should not get mingled with your other network traffic. If you have VMs on separate VLANs such as web servers on one VLAN and database servers on another, it is fine to share them with a trunked NIC.  
0
 

Author Comment

by:lltc78
ID: 36570209
thanks for responses so far but im curious...

i understand about vmotion traffic but why would mgmt traffic be high?

a lot of people say to physically separate dmz, but why? how is it different than separating other vlans?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 118
ID: 36570252
mgmt traffic is not normally high, unless the management interface is being used for backup of the VMs.

Physical Networking is considered for be Secure - er.

Some UK Government Bodies have banned the use of VLANs, because they considered them in-secure!

0
 

Author Comment

by:lltc78
ID: 36570439
Backup will be performed on a dedicated physical NIC...forgot about that one.

The network switch used for this client is just a single switch, so DMZ ports are on the same physical switch as other VLANs. Does this negate the security concern within the esx host since VLAN'ing must already be occuring?

I know that if the dmz switch was a separate physical and probably should be, but it's the clients' and I will assume that will not change even if I recommend.
0
 
LVL 118
ID: 36570513
It's really up to you, what security you implement. Most consider VLANs to be secure, some organisations do not.
0
 

Author Closing Comment

by:lltc78
ID: 36577919
Thanks guys, I've made recommendation to separate DMZ from other vlans physically
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an issue that we can get adding / removing permissions in the vCSA 6.0. We can also have issues searching for users / groups in the AD (using your identify sources). This is how one of the ways to handle this issues and fix it.
In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
Teach the user how to install log collectors and how to configure ESXi 5.5 for remote logging Open console session and mount vCenter Server installer: Install vSphere Core Dump Collector: Install vSphere Syslog Collector: Open vSphere Client: Config…
This Micro Tutorial walks you through using a remote console to access a server and install ESXi 5.1. This example is showing remote access and installation using a Dell server. The hypervisor is the very first component of your virtual infrastructu…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now