Albert Widjaja
asked on
VM networking best practice and design considerations?
ASKER
It is on a different VMware DRS cluster, but on the same IP subnet.
Anyway, do I need to have a dedicated IP address that is non-routable between the three hosts configured on the switches for vMotion?
Which three hosts are you referring to? The three physical hosts including the HP server, the Cisco switch and another server hosting AD services? Or do you mean three VMs running BI, SharePoint and AD services?
BTW, why non-routable IP addresses? You might have security considerations to restrict the core services, but be aware that if so you do need a jumpbox to access them for management anyway.
ASKER
There will be 3x HP DL 380 servers running the BI & SharePoint VMs.
The other VM infrastructure is on the other physical server clusters.
ASKER
Thanks Bing,
I never knew that a Cisco switch can be configured to "act" like a firewall between VLANs.
> A Cisco switch can be configured to "act" like a firewall between VLANs.
All Cisco L3 switches can do that, based on ACLs.
ASKER
Ah I see,
So what's the difference between that L3 switch and a firewall like the ASA if I just need to get traffic separation for PCI compliance?
> if I just need to get traffic separation for PCI compliance
What kind of "traffic" and "traffic separation" are you referring to? Such as internal traffic or internet-facing traffic? Traffic separation for internal departments or for different organisations (the external boundary for PCI compliance)?
ASKER
Internal traffic, not external or DMZ traffic.
Basically, the biggest difference is no NAT on L3 switches such as the 3850, as well as limited support for BGP and PBR, though both do routing at L3. Routing performance as well as IPS support might be another big difference.
Therefore, per your scenario the VLAN routing should be done by the 3850 instead of the ASA. Internal security policy should be implemented by ACLs to control traffic between VLANs on the 3850.
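As an added illustration of the inter-VLAN ACL approach described in this thread (example configuration written for this page, not posted by any participant), the IOS snippet below puts the BI/SharePoint VMs in their own VLAN and lets the office VLAN reach them over HTTPS only, while the VMs themselves may only talk to the AD subnet on the ports directory services need. VLAN numbers, names, subnets and the AD subnet are all constructed for the example; adjust them to the real design.

```cisco
! Constructed example: VLAN 10 = office users, VLAN 20 = BI/SharePoint VMs
! (in PCI scope), 10.1.30.0/24 = the AD servers on the other cluster.
vlan 10
 name OFFICE
vlan 20
 name CDE-APPS
!
! SVIs on the 3850 do the inter-VLAN routing; each SVI filters what
! enters the switch from its own VLAN ("in" direction).
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group OFFICE-TO-CDE in
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group CDE-OUTBOUND in
!
! Office users may only reach the CDE VMs over HTTPS; everything else
! aimed at the CDE subnet is dropped and logged. Other destinations
! (internet, other internal VLANs) are left alone by this ACL.
ip access-list extended OFFICE-TO-CDE
 remark SharePoint / BI front end over HTTPS only
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
 remark Everything else toward the CDE subnet: drop and log
 deny   ip any 10.1.20.0 0.0.0.255 log
 remark Traffic to all other destinations is unaffected
 permit ip any any
!
! The CDE VMs may initiate connections only to AD (Kerberos, LDAP/LDAPS,
! SMB, DNS); they are never allowed to open sessions into the office VLAN.
ip access-list extended CDE-OUTBOUND
 remark Directory services toward the AD subnet
 permit tcp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 88
 permit udp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 88
 permit tcp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 389
 permit tcp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 636
 permit tcp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 445
 permit udp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 53
 remark Return traffic for the office's HTTPS sessions (ACLs are stateless)
 permit tcp 10.1.20.0 0.0.0.255 eq 443 10.1.10.0 0.0.0.255
 remark Nothing else leaves the CDE VLAN: drop and log
 deny   ip any any log
```

Two points worth keeping in mind when reading this. First, IOS ACLs are stateless: unlike the ASA, the switch does not track sessions, which is why CDE-OUTBOUND has to explicitly permit the HTTPS replies back to the office subnet (source port 443) and why any new service means editing both ACLs. Second, the `log` keyword on the deny entries is what gives you evidence of blocked cross-VLAN attempts; check hit counters with `show ip access-lists` and ship the log messages to a syslog collector, since PCI assessors will ask for both the segmentation controls and proof that they are monitored.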
ASKER
Cool, many thanks Bing for the clarification and explanation.