Solved

VMware, WatchGuard, VLAN, switching question

Posted on 2013-11-11
872 Views
Last Modified: 2013-11-12
I have a basic private cloud infrastructure setup in a VMware environment. My firewall is an XTMv with an external and a trusted interface, and our remote backup server is on the trusted. I'm not sure how the provider configured the switching for the external NIC, but obviously the Trusted is on a vSwitch with the backup server VM.

I want to expand on this setup. My idea was to add another NIC to the XTMv, which will give us an optional interface. Then, I was going to set that optional interface to "VLAN."

Once I do this I would setup VLAN 2,3,4,5, etc.
So, if I set it up this way, I'm assuming I'll need a new vSwitch, which is where the XTMv Optional NIC will reside, and then I'll have to create a new "VM network" VLAN on that vSwitch, which is where the VM will reside.

So, for example: if I set up the firewall with Optional-1 VLAN 2, then I will create "VLAN 2" inside the new vSwitch I just created, and I should be able to get from the VM on this VLAN 2 VMNetwork I've created, right?

Looking for someone to tell me if this should work or won't work and why, and perhaps some suggestions on how to make it work.
0
Question by:Metaltree
12 Comments
 
LVL 120
ID: 39641029
To isolate traffic, you can set up a new vSwitch with different virtual machine portgroups, with different VLAN tag numbers, so ESXi can add the tag to the virtual machine portgroups.

This is all possible, but your XTMv needs to be able to understand the 802.1Q tags on the traffic.
0
 
LVL 5

Author Comment

by:Metaltree
ID: 39641642
>>This is all possible, but your XTMv needs to be able to understand the 802.1Q tags on the traffic.

What I said I was originally going to do is possible? Or what you said is possible?

>>To isolate traffic, you can set up a new vSwitch with different virtual machine portgroups, with different VLAN tag numbers, so ESXi can add the tag to the virtual machine portgroups.

What do you mean by "portgroups", like a new VMNetwork?

So all new portgroups, or VLANs, would point to the same gateway? How does the routing work in that situation?
0
 
LVL 120
ID: 39641660
This is technically possible.

Yes, VMNetwork is an example of a virtual machine port group; the correct term is a virtual machine port group.

VMware ESXi provides NO ROUTING between networks, e.g. VLANs.

So you would need to create your own virtual router, to route between networks and/or VLANs, or use an additional router.
0
 
LVL 5

Author Comment

by:Metaltree
ID: 39641685
The XTMv can handle the routing with the virtual optional interfaces, so in essence we are actually saying the same thing; the only difference is I'm putting your suggestions behind the XTMv virtual interface, right?

So, here is an example:

1. I have two VMs - Machine1 and Machine 2.
2. I have an Optional interface, which is split into 2 virtual interfaces. ("VIF-1" and "VIF-2")
3. I have a new vSwitch. These machines and interfaces listed above are on this vSwitch.
4. I put VIF1 on VLAN20 and VIF2 on VLAN30.
5. I create a virtual machine port group for VLAN 20. I then make sure that Machine1 is on this virtual machine port group. I do the same for VLAN30 and Machine2.

This should allow me to IP the gateway for VIF1 and VIF2 on their respective VLANs, and the VMs on this vSwitch in virtual machine port groups with the same VLAN ID should be able to communicate with the IP of their respective gateway?
0
 
LVL 120
ID: 39641735
That's correct.

I would be tempted to try this first without the VLANs (as this can often add a layer of complication if VLAN tagging is not working!).
0
 
LVL 5

Author Comment

by:Metaltree
ID: 39641742
How could I do this without using VLANs?
0
 
LVL 120
ID: 39641772
Different IP address ranges, two NICs and a vSwitch.
0
 
LVL 5

Author Comment

by:Metaltree
ID: 39641810
I'm assuming you mean just give each machine its own NIC straight up and make sure to use different IPs? If I did that, I would need an optional interface for each network, right? The problem is routing, right? Because if I only have 1 optional interface which isn't split into 2 VLANs, then I only have 1 IP on that interface, which means only 1 of those networks can get to that gateway. So just giving each VM its own NIC on different address ranges doesn't really solve the problem of getting out to the internet.

This is on a hosted infrastructure and needs to be scalable, so doing without VLANs isn't really an option unless I want to keep spinning up new XTMv devices every time I run out of optional interfaces, if what I'm assuming above is correct.

Is that what you meant? If so, how do both networks get OUT if I only have 1 optional interface?
0
 
LVL 120
ID: 39641826
Okay, just make sure VLANs are working correctly; many issues occur outside the VMware environment because devices do not understand the tags, or configurations of VLANs have been done incorrectly.

All ESXi does is add the numbered tag to the traffic on the virtual machine portgroup; it does nothing clever.

Many faults recorded on EE are due to lack of correct VLAN config on external devices.
0
 
LVL 5

Author Comment

by:Metaltree
ID: 39641891
So I just thought of something. As long as all of this is on the same vSwitch, I should not have to include the optional interface in the VMNetwork, correct? Because obviously that NIC can only be in one VMNetwork, so this all would go out the window.

So assuming I'm using "VLAN 10" and I have a VMNetwork created with the VLAN ID of 10 and I have Machine1 on this VMNetwork, as long as it's on the same vSwitch it should be able to hit the optional interface with VLAN10, right?
0
 
LVL 120

Accepted Solution

by: Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 39641906
That's correct.
0
 
LVL 5

Author Closing Comment

by:Metaltree
ID: 39642788
It's working :) We ended up actually creating a new vSwitch and we isolated the optional port and new VMs to that vSwitch. We tagged our VLAN IDs on the switchport that is "plugged" into the optional interface.

I then created subinterfaces on the WatchGuard optional interface with said VLAN IDs, and it worked :)
0
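The design agreed above (VM port groups tagged per VLAN, the XTMv optional NIC on the same vSwitch with a subinterface per VLAN, no routing done by ESXi) can be sanity-checked before touching a host. The script below is an added example, not code from the thread or from VMware or WatchGuard; the `VSwitch` model, VM names, VLAN numbers and gateway addresses are constructed, and it assumes the ESXi standard vSwitch convention that a port group set to VLAN ID 4095 passes tagged frames through to the guest (which the firewall's subinterfaces need).

```python
from dataclasses import dataclass

TRUNK_ALL = 4095  # ESXi standard vSwitch: port-group VLAN 4095 passes all tags to the guest (VGT)


@dataclass
class VSwitch:
    """Constructed model of one ESXi standard vSwitch (not a real vSphere API object)."""
    portgroups: dict     # port group name -> VLAN ID that ESXi tags/strips (0 = untagged)
    vm_nics: dict        # VM name -> port group its vNIC is attached to
    fw_portgroup: str    # port group carrying the XTMv optional NIC
    fw_vifs: dict        # VLAN ID -> gateway IP configured on that XTMv subinterface


def check_design(sw):
    """Return (gateways, findings).

    gateways: VM name -> gateway IP it is layer-2 adjacent to, or None.
    findings: problems a practitioner would want flagged. ESXi only adds or strips
    the 802.1Q tag per port group and never routes, so a VM needs an XTMv
    subinterface on its own VLAN, and the XTMv must actually receive the tags.
    """
    findings = []
    trunk_ok = sw.portgroups[sw.fw_portgroup] == TRUNK_ALL
    if not trunk_ok:
        findings.append(f"port group {sw.fw_portgroup!r} is VLAN "
                        f"{sw.portgroups[sw.fw_portgroup]}: ESXi strips the tag there, so the "
                        f"XTMv subinterfaces never see tagged frames; set it to {TRUNK_ALL}")
    gateways = {}
    for vm, pg in sw.vm_nics.items():
        vlan = sw.portgroups[pg]
        gw = sw.fw_vifs.get(vlan)
        if gw is None:
            findings.append(f"{vm} on VLAN {vlan} has no XTMv subinterface: no gateway, no way out")
        gateways[vm] = gw if trunk_ok else None
    return gateways, findings


def same_segment(sw, vm_a, vm_b):
    """True only if both VMs share a VLAN; otherwise their traffic must cross the XTMv."""
    return sw.portgroups[sw.vm_nics[vm_a]] == sw.portgroups[sw.vm_nics[vm_b]]


# Constructed sample matching the thread: Machine1 on VLAN 20, Machine2 on VLAN 30,
# plus a Machine3 on VLAN 40 that nobody created a subinterface for.
SAMPLE = VSwitch(
    portgroups={"VLAN20": 20, "VLAN30": 30, "VLAN40": 40, "XTMv-Optional1": TRUNK_ALL},
    vm_nics={"Machine1": "VLAN20", "Machine2": "VLAN30", "Machine3": "VLAN40"},
    fw_portgroup="XTMv-Optional1",
    fw_vifs={20: "10.20.0.1", 30: "10.30.0.1"},  # placeholder gateway addresses
)

if __name__ == "__main__":
    gws, problems = check_design(SAMPLE)
    print(gws)
    for p in problems:
        print("PROBLEM:", p)
```

Running it on the sample reports Machine3 as the only VM without a gateway; changing the optional NIC's port group to a single VLAN ID reproduces the "tags never reach the firewall" failure the accepted answer warns about.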
