VM networking best practice and design considerations?

Posted on 2016-11-29
Last Modified: 2016-12-01
Hi All,

Can anyone here please share some thoughts and comments on whether the diagram below makes sense as per VMware best practice design for a rack server?

[Attached diagram: VM Network]
Do I need to configure trunking on the Cisco 3850 switch to enable the paired network for redundancy and higher throughput?
Assisted Solution
by: Bing CISM / CISSP
The network design shown in the diagram looks good, as long as the Cisco side's VLAN settings and configuration are well matched and compatible with the HP switch side.

Generally speaking, for better performance it is recommended to use a trunk instead of individual uplinks. But be aware that ultimately it depends on your virtual network's logical design and the bandwidth and security requirements of the VMs running on the physical host.

E.g. if most server-to-server communication (such as middleware traffic) is on the same physical host, then a trunk is not necessary for departmental traffic. If you have significant web traffic to the server group, that would be a different story.
Author Comment
by: Senior IT System Engineer
FYI, this will be for Business Intelligence servers, mostly SQL Server and SharePoint, running in this VMware cluster. Hence I am asking if the VM network can be trunked, or whether to just use the normal Active/Active vSwitch policy.
Assisted Solution
by: Bing CISM / CISSP
Where are the AD servers located? On the same physical host where the BI services are running, or somewhere on another physical server, to be accessed across the virtual switches and the Cisco switch? If the AD services are at different locations, you need multiple Gigabit links (not a trunk) for fault tolerance across different routes, in order to keep the essential services always available.

In addition, where are the data sources and targets? E.g. if BI clients need to import bulk raw data to the BI services for analysis, and/or heaps of BI clients run BI reports across the network, you need trunks for these clients, from the virtual host to the switch and even from the switch to its linked switches, if any.
Author Comment
by: Senior IT System Engineer
It is on a different VMware DRS cluster, but on the same IP subnet.
Anyway, do I need to have dedicated IP addresses that are non-routable between the three hosts, configured on the switches, for vMotion?
Expert Comment
by: Bing CISM / CISSP
Which three hosts are you referring to? The three physical hosts, including the HP server, the Cisco switch and another server hosting AD services? Or do you mean three VMs running BI, SharePoint and AD services?

BTW, why non-routable IP addresses? You might have security considerations to restrict the core services, but be aware that if so, you do need a jumpbox to access them for management anyway.
Author Comment
by: Senior IT System Engineer
There will be 3x HP DL380 servers running the BI & SharePoint VMs.

The other VM infrastructure is on the other physical server clusters.
Accepted Solution
by: Bing CISM / CISSP
If so, your network structure would make more sense. (Your diagram only shows one HP server.)

Yes, trunk connections to the switch are required for inter-cluster communication.
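As an added example of the trunk the accepted solution calls for, and of the matched VLAN settings the first answer asks for, here is one way the 3850 ports facing one of the DL380s could be configured. This is written for this page, not taken from the thread or from VMware or Cisco documentation; the VLAN numbers, port names and descriptions are assumptions. In Cisco terms a trunk is an 802.1Q tagged link, and here each of the host's two uplinks is its own trunk, with NIC teaming left to the vSwitch.

```cisco
! Added example, not from the original thread. VLAN IDs and port
! numbers are assumed values; three VLANs is the usual minimum for
! an ESXi host (management, vMotion, VM traffic).
vlan 10
 name ESXi-Mgmt
vlan 20
 name vMotion
vlan 30
 name BI-VMs
!
! Native VLAN that carries nothing. Untagged frames from the host then
! land in an empty VLAN, and double-tagging VLAN hopping has nothing to
! hop from.
vlan 999
 name unused-native
!
! The two uplinks of one DL380 (vmnic0/vmnic1). No EtherChannel: the
! vSwitch teams the NICs itself, so each port is an independent trunk
! carrying the same tagged VLANs.
interface range GigabitEthernet1/0/1 - 2
 description ESXi-host1 vmnic0/vmnic1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
 switchport nonegotiate
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
 no shutdown
```

On the ESXi side, each port group on the vSwitch carries the matching VLAN ID (10, 20 or 30) with both vmnics active under the default "Route based on originating virtual port ID" teaming policy; that policy requires the two switch ports not to be bundled. If the teaming policy is changed to "Route based on IP hash", the two ports must instead form a static EtherChannel (`channel-group 1 mode on`, with the trunk settings moved to the Port-channel interface), because a standard vSwitch does not speak LACP. The allowed-VLAN list, the unused native VLAN and `switchport nonegotiate` are the three settings worth checking whatever else changes: together they keep a VLAN pruned from the trunk out of reach of any VM and close the DTP and double-tagging routes to VLAN hopping.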
Author Comment
by: Senior IT System Engineer
Thanks Bing,

I never knew that a Cisco switch can be configured to "act" like a firewall between VLANs.
Expert Comment
by: Bing CISM / CISSP
> a Cisco switch can be configured to "act" like a firewall between VLANs.

All Cisco L3 switches can do that, based on ACLs.
Author Comment
by: Senior IT System Engineer
Ah, I see.
So what's the difference between that L3 switch and a firewall (like an ASA) if I just need to get traffic separation for PCI compliance?
Expert Comment
by: Bing CISM / CISSP
> if I just need to get traffic separation for PCI compliance

What kind of "traffic" and "traffic separation" are you referring to? Internal traffic or internet-facing traffic? Traffic separation between internal departments, or between different organisations (the external boundary for PCI compliance)?
Author Comment
by: Senior IT System Engineer
Internal Traffic not external or DMZ traffic.
Expert Comment
by: Bing CISM / CISSP
Basically, the biggest difference is that there is no NAT on L3 switches such as the 3850, as well as limited support for BGP and PBR, though both do routing at L3. Routing performance, as well as IPS support, might be another big difference.

Therefore, in your scenario the VLAN routing should be done by the 3850 instead of the ASA. Internal security policy should be implemented by ACLs to control traffic between VLANs on the 3850.
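As an added example of the approach in this last answer (VLAN routing on the 3850 with ACLs controlling traffic between VLANs), and of the non-routable vMotion network asked about earlier in the thread, here is one way the 3850 side could look. This configuration is written for this page and is not from the thread; the VLAN numbers, subnets, the domain controller subnet and the jump host address are assumptions.

```cisco
! Added example, not from the original thread. VLAN IDs, subnets,
! the domain controller subnet (10.10.40.0/24) and the jump host
! (10.10.50.10) are assumed values.
ip routing
!
vlan 10
 name ESXi-Mgmt
vlan 20
 name vMotion
vlan 30
 name BI-VMs
!
! VLAN 20 deliberately has no "interface Vlan20": vMotion stays Layer 2
! only between the three DL380s, so nothing can be routed into or out of
! it. vMotion carries VM memory contents and, on vSphere versions before
! 6.5, is not encrypted, so it should never cross a routed boundary.
!
interface Vlan10
 description ESXi management / vCenter
 ip address 10.10.10.1 255.255.255.0
 ip access-group MGMT-OUT out
!
interface Vlan30
 description BI servers (SQL Server, SharePoint)
 ip address 10.10.30.1 255.255.255.0
 ip access-group BI-IN in
!
! Traffic entering the switch from the BI VLAN. SharePoint-to-SQL traffic
! inside VLAN 30 never hits this ACL, because it is not routed.
ip access-list extended BI-IN
 remark BI VMs never talk to the hypervisor management network
 deny   ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark AD/DNS/Kerberos/LDAP to the domain controllers (assumed subnet)
 permit ip 10.10.30.0 0.0.0.255 10.10.40.0 0.0.0.255
 remark replies to client sessions (HTTPS to SharePoint, TDS to SQL Server)
 permit tcp 10.10.30.0 0.0.0.255 eq 443 any established
 permit tcp 10.10.30.0 0.0.0.255 eq 1433 any established
 remark everything else is dropped; add "log" to this line only if the
 remark CPU cost of punting every denied packet is acceptable
 deny   ip any any
!
! Traffic leaving the switch toward the management VLAN: only the jump
! host may open sessions to the ESXi hosts and vCenter (the jumpbox the
! earlier answer mentions).
ip access-list extended MGMT-OUT
 permit tcp host 10.10.50.10 10.10.10.0 0.0.0.255 eq 443
 permit tcp host 10.10.50.10 10.10.10.0 0.0.0.255 eq 22
 remark replies to sessions the hosts themselves open (AD, DNS, NTP)
 permit tcp 10.10.40.0 0.0.0.255 10.10.10.0 0.0.0.255 established
 permit udp 10.10.40.0 0.0.0.255 eq 53 10.10.10.0 0.0.0.255
 permit udp 10.10.40.0 0.0.0.255 eq 123 10.10.10.0 0.0.0.255
 deny   ip any any
```

Switch ACLs are stateless, which is the practical difference from the ASA discussed above: the `established` lines only match TCP segments with ACK or RST set, so UDP replies (DNS, NTP) have to be listed explicitly, and a rule that permits a source port is trivially satisfied by any client that binds to that port. Check the result with `show access-lists` (hit counters) and `show ip interface Vlan30` (which ACL is bound in which direction) after applying it, and verify that VLAN 20 has no SVI with `show ip interface brief | include Vlan`.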
Author Comment
by: Senior IT System Engineer
Cool, many thanks Bing for the clarification and explanation.