Solved

Assistance with basic VMWare networking

Posted on 2014-10-11
7
186 Views
Last Modified: 2014-10-13
I inherited a small network and the installation of the 1st VMware host. I have a fair understanding of both vSphere and networking, but want to get this project right quickly.
Small network, 1 main subnet (192.168.10.x/24) for the production LAN, video system on 192.168.150.x/24. I have a Cisco router, a 12-port Cisco GB switch, 3 Cisco 3550s, and 2 HP ProCurve switches. Network design goes like this:
ISP > firewall > router > 12-port Cisco > trunked to the 5 access-layer switches (Cisco & HP). I have 192.168.100.x/24 for management traffic.
The VM host will house a point-of-sale server with 2 NICs: 1 on the production LAN (192.168.10.x/24), 1 internal for PoS terminals. These PoS terminals will be on their own subnet (192.168.40.x/24).

Now the questions: what is the best design for setting up the VM networking, and also the physical cabling to the production LAN? I have 6 physical NICs on the VM host. The PoS operating system is Server 2008 R2, with 2 NICs (LAN and PoS).

In the VM, I have virtual switches, 1 only for management (vSwitch0) and 1 for production (vSwitch1). Is that best practice?
Do I need 2 port groups within vSwitch1? One for LAN and 1 for PoS?
Finally, do I only need 1 vmnic assigned to this switch? And I need that physically cabled to a trunked port on the 12-port Cisco?
If not, what is the correct structure? And what would be considered best practice?

I know this is long, but thank you in advance,

Chris
Question by:crseymour
7 Comments
 
LVL 28

Accepted Solution

by:
Bill Bach earned 500 total points
ID: 40375604
Looks like you have a pretty good handle on things already. One recommendation I have would be to implement a separate vSwitch AND VLAN for the POS environment, to better handle PCI compliance. Use a different physical NIC then, and use a second firewall to allow 'Net traffic, but keep that segment isolated from the rest of the LAN traffic. By keeping a separate vSwitch as well, everything is pretty clean. You can then use 2 physical ports for the management segment, and 1 for each other segment.
0
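To make the recommended layout concrete, here is an added example (not code from the thread, from VMware, or from the answerer) that models an ESXi host's vSwitches and port groups and checks a plan against the three points above: the PoS segment on its own vSwitch with its own physical NIC, two uplinks for management, and no VLAN reuse. It also works out, per uplink, whether the physical switch port has to be a trunk. The vSwitch, port-group and vmnic names are assumptions; VLAN IDs 10, 40 and 100 follow the subnets in the question.

```python
"""Check an ESXi vSwitch/port-group plan against the segmentation advice above.
Added illustration; names of vSwitches, port groups and vmnics are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class PortGroup:
    name: str
    vlan: int   # 1-4094 = vSwitch tags frames (VST); 0 = untagged, physical port decides

@dataclass
class VSwitch:
    name: str
    uplinks: List[str]                                   # physical vmnics
    port_groups: List[PortGroup] = field(default_factory=list)

def check_plan(switches: List[VSwitch], pci_group="POS", mgmt_group="Management") -> List[str]:
    """Return findings; an empty list means the plan follows the recommendation."""
    findings = []
    seen: Dict[str, str] = {}            # vmnic -> vSwitch already using it
    for sw in switches:
        if not sw.uplinks:
            findings.append(f"{sw.name}: no physical uplink, VMs on it cannot leave the host")
        for nic in sw.uplinks:
            if nic in seen:
                findings.append(f"{nic}: uplink of both {seen[nic]} and {sw.name}")
            seen[nic] = sw.name
        names = [pg.name for pg in sw.port_groups]
        # PCI segment must not share a vSwitch (and therefore an uplink) with anything else
        if pci_group in names and len(names) > 1:
            others = [n for n in names if n != pci_group]
            findings.append(f"{sw.name}: {pci_group} shares the vSwitch with {others}")
        # management gets two physical ports for redundancy
        if mgmt_group in names and len(sw.uplinks) < 2:
            findings.append(f"{sw.name}: {mgmt_group} has {len(sw.uplinks)} uplink, wanted 2")
    pci_vlans = {pg.vlan for sw in switches for pg in sw.port_groups if pg.name == pci_group}
    other_vlans = {pg.vlan for sw in switches for pg in sw.port_groups if pg.name != pci_group}
    if pci_vlans & other_vlans:
        findings.append(f"VLAN {sorted(pci_vlans & other_vlans)} is used by {pci_group} and another segment")
    return findings

def uplink_requirements(switches: List[VSwitch]) -> Dict[str, Tuple[str, List[int]]]:
    """Map each vmnic to what its physical switch port must carry.
    A port group with a VLAN ID 1-4094 makes the vSwitch tag frames, so the
    physical port must be a trunk allowing that VLAN; with VLAN 0 the frames
    are untagged and an access port in the right VLAN is enough."""
    req = {}
    for sw in switches:
        tagged = sorted({pg.vlan for pg in sw.port_groups if 1 <= pg.vlan <= 4094})
        for nic in sw.uplinks:
            req[nic] = ("trunk", tagged) if tagged else ("access", [])
    return req

def original_plan() -> List[VSwitch]:
    """Layout from the question: one production vSwitch carrying both LAN and PoS.
    One management uplink is an assumption; the question does not say."""
    return [
        VSwitch("vSwitch0", ["vmnic0"], [PortGroup("Management", 100)]),
        VSwitch("vSwitch1", ["vmnic1"], [PortGroup("LAN", 10), PortGroup("POS", 40)]),
    ]

def recommended_plan() -> List[VSwitch]:
    """Layout from the accepted answer: 2 NICs for management, 1 dedicated NIC per other segment."""
    return [
        VSwitch("vSwitch0", ["vmnic0", "vmnic1"], [PortGroup("Management", 100)]),
        VSwitch("vSwitch1", ["vmnic2"], [PortGroup("LAN", 10)]),
        VSwitch("vSwitch2", ["vmnic3"], [PortGroup("POS", 40)]),
    ]

if __name__ == "__main__":
    for label, plan in (("original", original_plan()), ("recommended", recommended_plan())):
        print(f"{label}: {check_plan(plan) or 'OK'}")
        print(f"  uplinks: {uplink_requirements(plan)}")
```

Run as-is, the original plan produces two findings (single management uplink, PoS sharing vSwitch1 with the LAN) and the recommended plan none. Because the PoS port group is tagged with VLAN 40, vmnic3 must land on a trunk port that allows VLAN 40; a VLAN ID of 0 on the port group would instead let an access port in VLAN 40 do the tagging, which answers the cabling question either way.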
 

Author Comment

by:crseymour
ID: 40375616
Thank you Bill,
I like the PCI compliancy reasoning for using a 2nd vSwitch. Funny, I tried setting this up my way and I could not get full connectivity, so I set up a 2nd vSwitch so that the PoS workstations could talk to the PoS server for testing. However, I still can't ping across subnets; I think I forgot to configure the port on a Cisco 3550 for VLAN 40, though. That port I'm using to feed the PoS workstation switch. I was just going to daisy-chain that switch off the access-layer 3550 switch. I need to talk between subnets so the PoS server interfaces with a server on the main LAN.

Thanks again.
0
 
LVL 28

Expert Comment

by:Bill Bach
ID: 40375620
Sorry, but I'm not a Cisco guy. Does the 3550 support routing? Don't forget to set up a route to link the two.
Personally, I have three ports on my PCI VLAN, one for the VMs (and vSwitch), one for the firewall, and a third port for accessing the segment via a laptop for emergency use or for port mirroring. The separate firewall protects the PCI data, which makes it easy -- just have the firewall route traffic, and allow specific connections ONLY.
0
 

Author Comment

by:crseymour
ID: 40376851
Thanks again, Bill, and sorry about the delayed reply. Yes, it does support routing, but my Cisco skills haven't been used in a while.
I think I'm forgetting the route linking the 2. Are you talking about a static route on the router? Or setting up Routing and Remote Access on the server?
0
 
LVL 28

Expert Comment

by:Bill Bach
ID: 40377190
Yes -- set up a static route. The network needs some way to route traffic from the "protected" VLAN to the "open" VLAN. However, setting up a route between two networks really does nothing more than limit the broadcast traffic to each segment -- communications would be wide open. You must also enable the firewall between the two networks to REALLY be secured.
0
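The distinction in this answer, a route makes the segments reachable while only the firewall restricts what crosses, can be shown with a small model. This is an added example, not code from the thread or the answerer: it evaluates a few flows between the production LAN (192.168.10.0/24) and the PoS segment (192.168.40.0/24) first with routing alone and then with a first-match allow-list in front of the route. The subnets are the ones in the question; the host addresses and the TCP port are constructed placeholders.

```python
"""Route-only versus route-plus-firewall reachability between two VLANs.
Added illustration; host addresses and the application port are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str             # CIDR prefix or single host
    dst: str
    port: Optional[int]  # None = any TCP port
    action: str          # "allow" or "deny"

# Prefixes the router knows: production LAN, PoS segment, management (from the question)
ROUTES = [ip_network("192.168.10.0/24"), ip_network("192.168.40.0/24"), ip_network("192.168.100.0/24")]

def routable(src: str, dst: str, routes=ROUTES) -> bool:
    """True when the router holds a prefix for both ends, i.e. the static route exists."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in routes) and any(d in n for n in routes)

def firewall_permits(src: str, dst: str, port: int, rules: List[Rule]) -> bool:
    """First matching rule wins; no rules at all means no firewall, so everything passes.
    With rules present, anything that matches none of them hits the implicit default deny."""
    if not rules:
        return True
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and (r.port is None or r.port == port):
            return r.action == "allow"
    return False

def reachable(src: str, dst: str, port: int, rules=()) -> bool:
    return routable(src, dst) and firewall_permits(src, dst, port, list(rules))

# Constructed addresses (not from the thread)
POS_SERVER = "192.168.40.10"
POS_TERMINAL = "192.168.40.51"
LAN_SERVER = "192.168.10.20"
LAN_WORKSTATION = "192.168.10.77"
APP_PORT = 1433   # assumed port the PoS server needs on the LAN server

# "Allow specific connections ONLY": one permitted flow, everything else between the VLANs denied
PCI_RULES = [
    Rule(POS_SERVER, LAN_SERVER, APP_PORT, "allow"),
    Rule("192.168.40.0/24", "192.168.10.0/24", None, "deny"),
    Rule("192.168.10.0/24", "192.168.40.0/24", None, "deny"),
]

def compare() -> Dict[str, Tuple[bool, bool]]:
    """Return {flow name: (route only, route plus firewall)} for sample flows."""
    flows = {
        "pos_server->lan_server:app":   (POS_SERVER, LAN_SERVER, APP_PORT),
        "pos_server->lan_server:other": (POS_SERVER, LAN_SERVER, 445),
        "lan_workstation->pos_terminal": (LAN_WORKSTATION, POS_TERMINAL, 3389),
        "pos_terminal->lan_server":     (POS_TERMINAL, LAN_SERVER, APP_PORT),
    }
    return {name: (reachable(*f), reachable(*f, rules=PCI_RULES)) for name, f in flows.items()}

if __name__ == "__main__":
    for name, (route_only, with_fw) in compare().items():
        print(f"{name:32} route only: {route_only!s:5} with firewall: {with_fw}")
```

With the static route alone every one of the four flows is reachable, including a LAN workstation reaching a PoS terminal; with the allow-list in place only the single PoS-server-to-LAN-server flow on the application port survives. The video subnet 192.168.150.0/24 is deliberately absent from ROUTES, so a host there is unreachable for the opposite reason: no route, regardless of firewall policy.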
 

Author Comment

by:crseymour
ID: 40377235
Thank you again.
I think that should solve this.

Chris
0
 

Author Closing Comment

by:crseymour
ID: 40377276
Excellent help
0
