VLANs, DNS, VMWare

Dead_Eyes
Hi all, I need some help with VLANs, DNS, VMWare and the equivalent in HyperV. I have just been put in charge of a network with what seems to me a very strange (or could just be a wrong) setup.
The setup:
I have 3 servers in a VMware cluster. 5 NICs in each node. 1 NIC for every node is connected to a physically separate storage network (2 x SANs) and the other 4 NICs (per node) are teamed to a LACP trunk with 10 VLANs (all normal so far). In VMware a virtual NIC for each VLAN has been created. We have 3 x servers running AD & DNS (one is physical and just connected to VLAN2). The 2 virtual AD / DNS servers have 5 virtual NICs each connected to them, each virtual NIC on a different VLAN. Only 1 reverse lookup zone is set in DNS and that only covers 1 of the VLANs. The 2 virtual AD / DNS servers are showing a lot of 7005 DNS errors, seem to try and reply to pings using an IP not in the subnet of the machine pinging it, and when connecting to the DNS via an RSAT machine you have to connect to the IP, as connecting to the name often resolves the wrong IP (for the RSAT machine's VLAN) and then of course errors and fails to connect. I can't see the reason or logic behind a setup like this and took it as an unwritten rule that you should never multi-home a DC.
Question 1: Am I missing something or not understanding something?
Question 2: I may not be able to wrap my head around this setup, but I am pretty sure it's the main reason why I get some very strange errors reported and network performance is, excuse the un-techie term, rubbish.
Question 3: What is the best way to deal with multiple VLANs in a VMWare configuration like this / is there a simple fix?
Question 4: This and other issues I am finding are making me think my best long-term solution is to start a new network hosted on HyperV (as I personally find it much easier to work with) and plan a big rework of the whole network. Any advice, or different advice on the same setup with HyperV?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
It seems a very complicated setup designed by an idiot, who wanted to make it as complex as possible!

Just reading your question, VMware vSphere or Hyper-V your networking infrastructure is key to a successful implementation.

A single network interface per SAN is not correct; you would be advised to have at least two for network resilience.

This could be accomplished and designed using VLANs or standard network interfaces. With 5 network interfaces per ESXi host, maybe trunks and VLANs would be the way forward for:

1. Management Network
2. Virtual Machine Network
3. vMotion Network
4. Storage Network

I assume iSCSI ?

As for DNS and AD issues, the hypervisor just hosts these VMs.

I would have a single NIC per VM, and all VMs on the same VLAN (if required).

Storage Network and vMotion Network need to be isolated. Management Network is up to you, but it is often on the same network as the virtual machine network, e.g. AD/DNS.

Author

Commented:
Hi Andrew, thanks for the pointers on separation of the VLANs; I totally agree that is what I would expect to see. The way he had divided VLANs (90% of all traffic is VLAN2) already demonstrated he did not know how to use VLANs (not that I am an expert, but dividing by edge switch seems a better method to me). What really concerns me is these multi-homed DCs. The DNS is a mess of duplication causing many issues. This may sound like a dumb question, but is the best practice to create a virtual NIC that tags all VLANs, attach it to the DNS server and use AD Sites and Services to break up the traffic and create reverse lookup zones for each VLAN? I will implement redundancy to the SAN at a later date; getting an operational network with a correctly functioning DNS is my main concern at the moment (and yes, iSCSI LUNs from 2 x Dell EqualLogic SANs). To give you a better idea of the VLANs, they include Guest wireless, CCTV, Door access, DisplayNET, MainNET, ControlNET, Finance etc. Although providing different services they need to share a DNS, and I am currently reviewing the running config of the core and edge switches to determine the DHCP \ DNS helpers and inter-VLAN comms (all of which seem to contain past configs never cleared from the setup :( )
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Commented:
No, it's not best practice to have a virtual NIC which has all VLANs tagged.

We also would not dual-home a DC.

So keep your DCs with a single NIC, and maybe perform VLAN routing in the physical switches.

Author

Commented:
Thanks, I think I get it now: you only really need a virtual NIC with one VLAN on it (preferably the same VLAN as other servers) and you let the IP Helpers on the switches guide traffic from other VLANs to the AD \ DNS. A single forward lookup zone is all you need on the DNS server, and multiple reverse lookup zones for the different IP ranges on other VLANs. AD will presumably just handle itself, as it will use DNS to communicate (facilitated by the IP Helpers).
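An added PowerShell example (not from the thread or its participants) that checks each DC for the multi-homing symptom Andrew warns about, creates one AD-integrated reverse lookup zone per VLAN subnet as the author summarises above, and pulls recent DNS Server event 7005 entries. The forward zone name, DC names and subnet CIDRs are placeholders; it assumes the DnsServer module (DNS role or RSAT) is installed.

```powershell
# Added example, not from the original thread. Placeholder names: substitute your own.
Import-Module DnsServer

$ForwardZone        = 'corp.example'          # assumed AD DNS zone
$DomainControllers  = 'DC01', 'DC02'          # assumed DC hostnames
# One reverse zone per VLAN; /24 subnets constructed for this example
$VlanSubnets        = '10.2.0.0/24', '10.3.0.0/24', '10.10.0.0/24'

# 1. Detect multi-homing: a DC with more than one A record in the forward zone
#    hands clients addresses from the wrong VLAN, which is the
#    name-resolves-to-wrong-IP symptom described in the question.
foreach ($dc in $DomainControllers) {
    $records = Get-DnsServerResourceRecord -ZoneName $ForwardZone -Name $dc -RRType A -ErrorAction SilentlyContinue
    $ips = @($records | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
    if ($ips.Count -gt 1) {
        Write-Warning ('{0} registers {1} A records ({2}): multi-homed, reduce to a single NIC/record.' -f $dc, $ips.Count, ($ips -join ', '))
    } else {
        Write-Host ('{0}: single A record {1} (OK)' -f $dc, ($ips -join ', '))
    }
}

# 2. Create a domain-replicated, secure-dynamic-update reverse zone for every
#    VLAN subnet that lacks one, so PTR lookups work from all VLANs.
foreach ($cidr in $VlanSubnets) {
    $octets   = ($cidr.Split('/')[0]).Split('.')
    $zoneName = '{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0]   # valid for /24 only
    if (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue) {
        Write-Host "$zoneName already exists"
    } else {
        Add-DnsServerPrimaryZone -NetworkId $cidr -ReplicationScope Domain -DynamicUpdate Secure
        Write-Host "created $zoneName"
    }
}

# 3. Show the most recent DNS Server event 7005 entries reported in the question
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 7005 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it on one of the DCs after the extra virtual NICs have been removed; if step 1 still warns, stale A records are left behind and should be deleted so clients stop receiving off-subnet answers.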
