locrawler
asked on
Block traffic between 2 vswitches on same ESXi 5 server
I have set up an ESXi 5 server with 2 vswitches using separate vmnics.
vmnic0/vswitch0 - 192.168.31.0
vmnic1/vswitch1 - 192.168.1.0
each vswitch has multiple VMs.
I can ping and access across these subnets and I don't want to. I want to block the traffic. How can I accomplish this?
Thank you.
change your subnet mask
can you upload screen shots of your networking?
what are the actual ip addresses and subnet masks you are using?
you have probably got a subnet mask of 255.255.0.0
change it to 255.255.255.0 on both VMs.
or you could use VLANs.
Have a look here
Pages 13 - 73 discuss networking in detail, including trunks, VLANs, switches, and load balancing
ESXi Configuration Guide ESXi 4.1
http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esxi_server_config.pdf
Virtual Networking
http://www.vmware.com/technical-resources/virtual-networking/virtual-networks.html
Virtual Networking Concepts
http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf
http://en.wikipedia.org/wiki/Virtual_LAN
http://en.wikipedia.org/wiki/IEEE_802.1Q
Sample configuration of virtual switch VLAN tagging (VST Mode)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004074
http://blog.scottlowe.org/2006/04/17/vlans-and-port-groups/
How to Setup VLANs
http://www.vladan.fr/great-kb-on-how-to-configure-vlans-on-vswitches-pswitches-and-vms/
VMware ESX Server 3: 802.1Q VLAN Solutions
http://www.vmware.com/pdf/esx3_vlan_wp.pdf
http://kb.vmware.com/kb/1004127
http://kb.vmware.com/kb/1004074
http://kb.vmware.com/kb/1004252
ASKER
I changed the subnet mask of the 192.168.1.0 to 255.255.0.0 from 255.255.255.0. This stops the traffic to 192.168.1.5 but not the 192.168.1.0 gateway of 192.168.1.1. Changing the subnet mask also breaks my firewall access to 192.168.1.0 from the outside, so I changed it back.
vswitch0 is on 192.168.31.0 255.255.255.0
vswitch1 is on 192.168.1.0 255.255.255.0
vmware-network.jpg
Nothing on the vSwitches is going to block traffic, because you are using the same network subnet: ALL the traffic is on the same network.
Other than using VLANs, or selecting different networks.
e.g.
10.xx.xx.xx
172.xxx.xxx.xxx
This is not a VMware ESXi 5.0 issue.
The job of a vSwitch is to be a virtual switch, performing the same function that a physical switch performs, but inside ESXi. There are no traffic blocking functions.
To isolate traffic, we use VLANs, and VLAN Tagging.
ASKER
vmnic1 is connected to the DMZ side of an internet facing firewall.
vmnic0 is connected to a switch on the LAN, connected to the same firewall.
but all on the same physical wired network?
ASKER
I changed the IP addressing for vswitch1 to 172.16.1.0 from 192.168.1.0,
same subnet mask 255.255.255.0
Still the same problem.
the networks are separated at the firewall and at the ESXi and not on the same wire.
or not separate ESXi?
Are vmnic0 and vmnic1 connected to the same switch?
ASKER CERTIFIED SOLUTION
So, a VM on 192.168.1.1 can ping a VM on 172.16.1.1?
ASKER
vmnic0 and vmnic1 are not connected to the same switch.
As I said, vmnic1 is connected straight to the firewall and vmnic0 is connected to a Cisco switch that is connected to the firewall.
192.168.31.105 (on vswitch0) can ping 172.16.1.5 (on vswitch1)
Well, that is bizarre, because the only way traffic could reach 172.16.1.5 from 192.168.31.105 is if it was routed via a router. ESX performs no routing, which is needed for traffic to leave one network subnet and reach another network segment.
Is your router performing routing between LANs?
There is no link from vswitch0 to vswitch1. If you remove the physical NIC from the network, can it still ping? This will show there is no link between switches internally.
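As an added example (not from the thread or from VMware), here is a small Python checker for the test hanccocka describes: it reads a traceroute from one VM to the other and works out whether the reply crossed a router (the firewall forwarding between subnets) or arrived at layer 2 (a shared broadcast domain). The sample traceroute output is constructed and the function names are my own.

```python
import ipaddress
import re

# Constructed sample (not captured from the thread): traceroute from the VM on
# vswitch0 (192.168.31.105/24) to the VM on vswitch1 (172.16.1.5/24).
SAMPLE_TRACEROUTE = """\
traceroute to 172.16.1.5 (172.16.1.5), 30 hops max, 60 byte packets
 1  192.168.31.1 (192.168.31.1)  0.412 ms  0.389 ms  0.371 ms
 2  172.16.1.5 (172.16.1.5)  0.655 ms  0.633 ms  0.612 ms
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_hops(output):
    """Return the responding address of each hop, in order ('*' for timeouts).

    Accepts Linux traceroute lines ('1  host (ip)  t ms ...') and Windows
    tracert lines ('1  <1 ms ... ip'); header and blank lines are skipped.
    """
    hops = []
    for line in output.splitlines():
        m = re.match(r"^\s*\d+\s+(.*)$", line)
        if not m:
            continue
        rest = m.group(1)
        ip = re.search(r"\(" + IPV4 + r"\)", rest) or re.search(IPV4, rest)
        hops.append(ip.group(1) if ip else "*")
    return hops


def diagnose(src, dst, hops):
    """Classify how a reply from dst reached src, given the parsed hop list.

    src and dst are 'address/prefix' strings for the two VMs.
    """
    src_net = ipaddress.ip_interface(src).network
    dst_ip = str(ipaddress.ip_interface(dst).ip)
    same_subnet = ipaddress.ip_address(dst_ip) in src_net
    routers = [h for h in hops if h not in ("*", dst_ip)]
    first_router = routers[0] if routers else None
    if first_router:
        verdict = "routed"             # a router (here the firewall) forwards between subnets
    elif same_subnet:
        verdict = "l2-adjacent"        # one broadcast domain: shared uplink/VLAN, not a vSwitch bridge
    else:
        verdict = "off-subnet-direct"  # check the VM's mask/routes (a /16 merges both ranges)
    return {"same_subnet": same_subnet, "forwarded_by": first_router, "verdict": verdict}
```

A "routed" verdict means the fix belongs in the firewall's inter-VLAN/LAN rules, not on the vSwitches.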
ASKER
I will do some more troubleshooting tonight.
The only time the 2 subnets get close to one another (virtually or physically) is at the ESXi server or the firewall.
I will attempt to take the firewall out of the equation.
Well, if the routing is between the switches, it should still route and be ping-able if you remove a network cable from the server!
ASKER
Agreed. I will check that.
ASKER
Sorry for the delay. I needed to test a couple of different items.
So it looks to be a firewall issue after all. I haven't found the exact issue with the firewall yet, but I will.
As all of you pointed out, and the documentation which I read, the vswitches are separated just like a physical switch, which was also proven in the test I did by isolating the ESXi server.
Thanks for all your time and help.
Please share the points with all the experts that helped.
I'm glad you've resolved your issue. I believe there's only been one expert on this Question! (me - hanccocka). If this answer has been helpful please assign points.
ASKER
Hanccocka,
Thanks for your help!
That's not a problem.