Solved

Assistance with basic VMWare networking

Posted on 2014-10-11
Last Modified: 2014-10-13
I inherited a small network and the installation of the 1st VMware host. I have a fair understanding of both vSphere and networking, but want to get this project right quickly.
Small network, 1 main subnet (192.168.10.x/24) for production LAN, video system on 192.168.150.x/24. I have a Cisco router, a 12-port Cisco GB switch, 3 Cisco 3550s, and 2 HP ProCurve switches. Network design goes like this:
ISP > firewall > router > 12-port Cisco > trunked to the 5 access layer switches (Cisco & HP). I have 192.168.100.x/24 for management traffic.
The VM host will house a point of sale server with 2 NICs: 1 on the production LAN (192.168.10.x/24), 1 internal for PoS terminals. These PoS terminals will be on their own subnet (192.168.40.x/24).

Now the questions: what is the best design for setting up the VM networking, and also the physical cabling to the production LAN? I have 6 physical NICs on the VM host. The PoS operating system is Server 2008 R2, with 2 NICs (LAN and PoS).

In the VM, I have virtual switches, 1 only for management (vSwitch0) and 1 for production (vSwitch1). Is that best practice?
Do I need 2 port groups within vSwitch1, one for LAN and 1 for PoS?
Finally, do I only need 1 vmnic assigned to this switch? And do I need that physically cabled to a trunked port on the 12-port Cisco?
If not, what is the correct structure, and what would be considered best practice?

I know this is long, but thank you in advance,

Chris
Question by:crseymour
7 Comments
 
LVL 28

Accepted Solution

by:
Bill Bach earned 500 total points
ID: 40375604
Looks like you have a pretty good handle on things already. One recommendation I have would be to implement a separate vSwitch AND VLAN for the POS environment, to better handle PCI compliance. Use a different physical NIC then, and use a second firewall to allow 'Net traffic, but keep that segment isolated from the rest of the LAN traffic. By keeping a separate vSwitch as well, everything is pretty clean. You can then use 2 physical ports for the management segment, and 1 for each other segment.
 

Author Comment

by:crseymour
ID: 40375616
Thank you Bill,
I like the PCI compliancy reasoning for using a 2nd vSwitch. Funny, I tried setting this up my way and I could not get full connectivity, so I set up a 2nd vSwitch so that the PoS workstations could talk to the PoS server for testing. However, I still can't ping across subnets; I think I forgot to configure the port on a Cisco 3550 for VLAN 40, though. That port I'm using to feed the PoS workstation switch. I was just going to daisy chain that switch off the access layer 3550 switch. I need to talk between subnets so the PoS server interfaces with a server on the main LAN.

Thanks again.
 
LVL 28

Expert Comment

by:Bill Bach
ID: 40375620
Sorry, but I'm not a Cisco guy. Does the 3550 support routing? Don't forget to set up a route to link the two.
Personally, I have three ports on my PCI VLAN, one for the VMs (and vSwitch), one for the firewall, and a third port for accessing the segment via a laptop for emergency use or for port mirroring. The separate firewall protects the PCI data, which makes it easy -- just have the firewall route traffic, and allow specific connections ONLY.
 

Author Comment

by:crseymour
ID: 40376851
Thanks again Bill, and sorry about the delayed reply. Yes, it does support routing, but my Cisco skills haven't been used in a while.
I think I'm forgetting the route linking the 2. Are you talking about a static route on the router? Or setting up Routing and Remote Access on the server?
 
LVL 28

Expert Comment

by:Bill Bach
ID: 40377190
Yes -- set up a static route.  The network needs some way to route traffic from the "protected" VLAN to the "open" VLAN.  However, setting up a route between two networks really does nothing more than limit the broadcast traffic to each segment -- communications would be wide open.  You must also enable the firewall between the two networks to REALLY be secured.
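One way to put the two points above together on the 3550 (route between the segments, but only permit the specific connections the PoS segment needs) is shown here as an added example; it is not configuration from the thread. The VLAN and subnet numbers follow the question; the interface numbers, the SVI addresses, the PoS server at 192.168.40.10, the LAN server at 192.168.10.50 and its TCP port 1433, and the router/firewall at 192.168.10.1 are assumed placeholders.

```cisco
! Added example, not from the thread. Assumed: Fa0/1 goes to the ESXi uplink
! of the PoS vSwitch, Fa0/2 feeds the daisy-chained PoS terminal switch.
ip routing
!
vlan 10
 name PRODUCTION-LAN
vlan 40
 name POS
!
! Trunk to the ESXi host: carry only VLAN 40, so the PoS port group
! (tagged VLAN ID 40 on its own vSwitch) is the only thing on this wire
interface FastEthernet0/1
 description ESXi uplink for PoS vSwitch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 40
!
! Access port for the PoS terminal switch (untagged VLAN 40)
interface FastEthernet0/2
 description Uplink to PoS terminal switch
 switchport mode access
 switchport access vlan 40
 spanning-tree portfast
!
! The static route: the 3550 is the gateway for both segments and sends
! everything else to the router/firewall (assumed 192.168.10.1)
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip access-group POS-TO-LAN in
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
! "Allow specific connections ONLY": the PoS server may reach one LAN
! server on one port; all other PoS-to-LAN or PoS-to-management traffic
! is dropped and logged. Internet-bound traffic still goes to the firewall.
ip access-list extended POS-TO-LAN
 permit tcp host 192.168.40.10 host 192.168.10.50 eq 1433
 deny   ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip 192.168.40.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 permit ip 192.168.40.0 0.0.0.255 any
```

The ACL on the 3550 is stateless, so a return-path rule (or a separate stateful firewall between the VLANs, as recommended above) is still needed for connections initiated from the LAN side.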
 

Author Comment

by:crseymour
ID: 40377235
Thank you again.
I think that should solve this.

Chris
 

Author Closing Comment

by:crseymour
ID: 40377276
Excellent help
