Solved

Assistance with basic VMWare networking

Posted on 2014-10-11
Last Modified: 2014-10-13
I inherited a small network and the installation of the 1st VMware host. I have a fair understanding of both vSphere and networking, but want to get this project right quickly.
Small network, 1 main subnet (192.168.10.x/24) for the production LAN, video system on 192.168.150.x/24. I have a Cisco router, a 12-port Cisco GB switch, 3 Cisco 3550s, and 2 HP ProCurve switches. Network design goes like this:
ISP > firewall > router > 12-port Cisco > trunked to the 5 access-layer switches (Cisco & HP). I have 192.168.100.x/24 for management traffic.
The VM host will house a point-of-sale server with 2 NICs: 1 on the production LAN (192.168.10.x/24), 1 internal for PoS terminals. These PoS terminals will be on their own subnet (192.168.40.x/24).

Now the questions: what is the best design for setting up the VM networking, and also the physical cabling to the production LAN? I have 6 physical NICs on the VM host. The PoS operating system is Server 2008 R2, with 2 NICs (LAN and PoS).

In the VM, I have virtual switches: one for management only (vSwitch0) and one for production (vSwitch1). Is that best practice?
Do I need 2 port groups within vSwitch1, one for LAN and 1 for PoS?
Finally, do I only need 1 vmnic assigned to this switch? And does that need to be physically cabled to a trunked port on the 12-port Cisco?
If not, what is the correct structure? and what would be considered best practice?

I know this is long, but thank you in advance,

Chris
Question by:crseymour
 

Accepted Solution

by: Bill Bach (earned 500 total points)
ID: 40375604
Looks like you have a pretty good handle on things already. One recommendation I have would be to implement a separate vSwitch AND VLAN for the POS environment, to better handle PCI compliance. Use a different physical NIC then, and use a second firewall to allow 'Net traffic, but keep that segment isolated from the rest of the LAN traffic. By keeping a separate vSwitch as well, everything is pretty clean. You can then use 2 physical ports for the management segment, and 1 for each other segment.
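The layout Bill describes (management on vSwitch0 with two uplinks, the production LAN and the PoS segment each on their own vSwitch, own VLAN and own physical NIC), as an added PowerCLI example written for this page; it is not code from the thread or from VMware. It assumes PowerCLI is installed, the host is reachable as esxi01.example.local, vmnic0/vmnic1 are the management uplinks, vmnic2 and vmnic3 are the LAN and PoS uplinks, the PoS VM is named POS-SERVER, and the upstream Cisco ports are 802.1Q trunks so the port groups tag VLANs 10, 40 and 100 themselves (if each uplink is instead cabled to an access port in its VLAN, set the port-group VLAN ID to 0).

```powershell
# Added example for this page, not the thread's or VMware's own code.
# Assumed names: esxi01.example.local, vmnic0-3, POS-SERVER, VLANs 10/40/100.
param(
    [string]$EsxHost   = "esxi01.example.local",
    [string]$PosVmName = "POS-SERVER"
)

Connect-VIServer -Server $EsxHost | Out-Null
$h = Get-VMHost -Name $EsxHost

# Helper: look up a physical NIC (vmnicN) on the host by name.
function Get-Pnic([string]$Name) {
    Get-VMHostNetworkAdapter -VMHost $h -Physical -Name $Name
}

# vSwitch0: management only. Two uplinks for redundancy; vmk0 lives in the management VLAN.
$vs0 = Get-VirtualSwitch -VMHost $h -Name "vSwitch0"
if (-not ($vs0.Nic -contains "vmnic1")) {
    Add-VirtualSwitchPhysicalNetworkAdapter -VirtualSwitch $vs0 `
        -VMHostPhysicalNic (Get-Pnic "vmnic1") -Confirm:$false
}
Get-VirtualPortGroup -VirtualSwitch $vs0 -Name "Management Network" |
    Set-VirtualPortGroup -VLanId 100 | Out-Null

# vSwitch1: production LAN on one dedicated uplink; the port group tags VLAN 10.
$vs1   = New-VirtualSwitch -VMHost $h -Name "vSwitch1" -Nic (Get-Pnic "vmnic2")
$pgLan = New-VirtualPortGroup -VirtualSwitch $vs1 -Name "LAN-VLAN10" -VLanId 10

# vSwitch2: PoS segment on its own vSwitch AND its own uplink, so PoS frames never
# share a virtual switch or a cable with LAN traffic (the PCI segmentation point).
$vs2   = New-VirtualSwitch -VMHost $h -Name "vSwitch2" -Nic (Get-Pnic "vmnic3")
$pgPos = New-VirtualPortGroup -VirtualSwitch $vs2 -Name "POS-VLAN40" -VLanId 40

# Reject promiscuous mode, MAC address changes and forged transmits on the guest-facing
# switches so a compromised VM cannot sniff or spoof other machines on its segment.
foreach ($vs in @($vs1, $vs2)) {
    Get-SecurityPolicy -VirtualSwitch $vs |
        Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
        Out-Null
}

# Attach the dual-homed PoS server: first vNIC on the LAN port group, second on the PoS one.
$vm   = Get-VM -Name $PosVmName
$nics = Get-NetworkAdapter -VM $vm | Sort-Object Name
Set-NetworkAdapter -NetworkAdapter $nics[0] -NetworkName $pgLan.Name -Confirm:$false | Out-Null
Set-NetworkAdapter -NetworkAdapter $nics[1] -NetworkName $pgPos.Name -Confirm:$false | Out-Null

# Print the resulting layout so it can be checked against the physical cabling.
Get-VirtualSwitch -VMHost $h | ForEach-Object {
    $pgs = Get-VirtualPortGroup -VirtualSwitch $_ |
        ForEach-Object { "$($_.Name) [vlan $($_.VLanId)]" }
    [pscustomobject]@{
        vSwitch    = $_.Name
        Uplinks    = ($_.Nic -join ",")
        PortGroups = ($pgs -join ", ")
    }
} | Format-Table -AutoSize

Disconnect-VIServer -Server $EsxHost -Confirm:$false
```

One caveat the script makes visible: the PoS server VM is dual-homed on both port groups, so the server itself is a path between the two segments regardless of how clean the vSwitch split is. Its host firewall and the services it exposes on the LAN-side NIC are part of the segmentation, not just the switches.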
 

Author Comment

by: crseymour
ID: 40375616
Thank you Bill,
I like the PCI compliance reasoning for using a 2nd vSwitch. Funny, I tried setting this up my way and I could not get full connectivity, so I set up a 2nd vSwitch so that the PoS workstations could talk to the PoS server for testing. However, I still can't ping across subnets; I think I forgot to configure the port on a Cisco 3550 for VLAN 40, though. That port I'm using to feed the PoS workstation switch. I was just going to daisy-chain that switch off the access-layer 3550 switch. I need to talk between subnets so the PoS server interfaces with a server on the main LAN.

Thanks again.
 

Expert Comment

by: Bill Bach
ID: 40375620
Sorry, but I'm not a Cisco guy. Does the 3550 support routing? Don't forget to set up a route to link the two.
Personally, I have three ports on my PCI VLAN: one for the VMs (and vSwitch), one for the firewall, and a third port for accessing the segment via a laptop for emergency use or for port mirroring. The separate firewall protects the PCI data, which makes it easy -- just have the firewall route traffic, and allow specific connections ONLY.
 

Author Comment

by: crseymour
ID: 40376851
Thanks again Bill, and sorry about the delayed reply. Yes, it does support routing, but my Cisco skills haven't been used in a while.
I think I'm forgetting the route linking the two. Are you talking about a static route on the router, or setting up Routing and Remote Access on the server?
 

Expert Comment

by: Bill Bach
ID: 40377190
Yes -- set up a static route.  The network needs some way to route traffic from the "protected" VLAN to the "open" VLAN.  However, setting up a route between two networks really does nothing more than limit the broadcast traffic to each segment -- communications would be wide open.  You must also enable the firewall between the two networks to REALLY be secured.
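The point Bill makes here, that the static route only makes the two VLANs reachable and it is the filtering that does the securing, shown as an added Cisco IOS configuration fragment written for this page (not from the thread or from Cisco documentation). It assumes the Catalyst 3550 is the device routing between VLANs, its VLAN 10 address is 192.168.10.2, the ISP-facing router is 192.168.10.1, the PoS server's PoS-side address is 192.168.40.10, and the LAN application server it must reach is 192.168.10.20 on TCP 1433; all of those are assumed values. If a dedicated firewall fronts the PoS segment as Bill recommends, the VLAN 40 SVI and its access list move to that firewall and the switch keeps only the Layer 2 configuration.

```cisco
! Added example for this page; assumed addresses and port numbers, see the lead-in.
ip routing
!
vlan 10
 name PRODUCTION-LAN
vlan 40
 name POS
vlan 100
 name MANAGEMENT
!
! One routed interface per segment. The static routes make VLAN 40 reachable;
! the access-group on Vlan40 is what actually limits what it may reach.
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip access-group POS-IN in
!
interface Vlan100
 ip address 192.168.100.2 255.255.255.0
!
! Default route toward the ISP router. The router needs the reverse route below,
! otherwise replies to 192.168.40.0/24 are dropped and pings "across subnets" fail.
ip route 0.0.0.0 0.0.0.0 192.168.10.1
! (on the ISP-facing router)  ip route 192.168.40.0 255.255.255.0 192.168.10.2
!
! Uplinks to the ESXi host: 802.1Q trunks that carry only the VLAN each vSwitch needs,
! with DTP negotiation disabled so nothing can talk the port into a wider trunk.
interface GigabitEthernet0/1
 description ESXi vmnic2 - vSwitch1 production LAN
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description ESXi vmnic3 - vSwitch2 PoS
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 40
 switchport mode trunk
 switchport nonegotiate
!
! Port feeding the PoS terminal switch: plain access port in VLAN 40.
interface FastEthernet0/24
 description PoS terminal switch
 switchport mode access
 switchport access vlan 40
 switchport nonegotiate
 spanning-tree portfast
!
! The PoS segment may reach the LAN application server on its service port and the
! Internet via the default route; anything else toward the LAN, management and video
! subnets is dropped and logged (the log lines are the audit trail for PCI).
ip access-list extended POS-IN
 permit tcp host 192.168.40.10 host 192.168.10.20 eq 1433
 deny   ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip 192.168.40.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 deny   ip 192.168.40.0 0.0.0.255 192.168.150.0 0.0.0.255 log
 permit ip 192.168.40.0 0.0.0.255 any
!
! Verify: show ip route / show interfaces trunk / show ip access-lists POS-IN
! (the deny counters climbing is the quickest proof the filter is in the path).
```

The access list is deliberately one-directional and minimal: return traffic from 192.168.10.20 is allowed by the absence of a filter on Vlan10 inbound, so if the LAN server must never initiate connections into the PoS segment, a matching inbound list on Vlan10 (or the stateful firewall Bill describes) is the second half of the control.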
 

Author Comment

by: crseymour
ID: 40377235
Thank you again.
I think that should solve this.

Chris
 

Author Closing Comment

by: crseymour
ID: 40377276
Excellent help
