Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 127
  • Last Modified:

VM networking best practice and design consideration ?

Hi All,

Can anyone here please share some thought and comments if the below diagram is looks make sense as per VMware best practice design for Rack server ?

VM Network
Do I need to make some trunking in the Cisco 3850 switch to enable the paired network for redundancy & higher throughput ?
0
Senior IT System Engineer
Asked:
Senior IT System Engineer
  • 7
  • 7
3 Solutions
 
bbaoIT ConsultantCommented:
the network design shown in the diagram looks good as soon as the Cisco side's VLAN settings and configuration are well matched and compatible with the HP switch side.

generally speaking, for better performance it is recommend to use trunk instead of individual uplinks. but be aware that ultimately it depends on your virtual network's logic design and bandwidth and security requirements of the VMs running on the physical host.

e.g. If most server to server communication (such as middleware traffic) is on the same physical host, then trunk is not necessary for departmental traffic. if you have signicant web traffic to the server group, that would be a different story.
1
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
FYI, this is will be for Business Intelligence servers, mostly SQL server and SharePoint running in this VMware cluster. Hence I am asking if the VM network can be Trunked or just use normal Active/Active vSwitch policy.
0
 
bbaoIT ConsultantCommented:
where are the AD servers located? on the same physical host where the BI Services are running, or somewhere on another physical server and to be access across the virtual switches and the Cisco switch? If AD services are at different locations, you need multiple Giga links (not trunk) for fault tolerance across different routes in order to keep the essential services always available.

in addition, where are the data sources and targets? e.g. if BI clients need to import bulk of raw data to the BI services for analysis, and/or heaps of BI clients run BI reports across the network, you need a trunks for these clients, from the virtual host to the switch and even from the switch to its linked switches, if any.
1
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
Senior IT System EngineerIT ProfessionalAuthor Commented:
It is on the different VMware DRS Cluster. But on the same IP subnet.
Anyway, Do I need to have dedicated IP address that is non-routable between the three hosts configured on the switches for the vMotion ?
0
 
bbaoIT ConsultantCommented:
which three hosts are you referring to? the three physical hosts including the HP server, the Cisco switch and another server hosting AD services? or you mean three VMs running BI, SharePoint and AD services?

BRW, why IP addresses non-routeable? you might have security considerations to restrict the core services but be aware if so you do need a jumpbox to access them for management anyway.
1
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
There will be 3x HP DL 380 servers running the BI & SharePoint VMs.

The other VM infrastructure are on the other physical server clusters.
0
 
bbaoIT ConsultantCommented:
If so, your network structure would make sense more. (your diagram only shows one HP server)

Yes, trunk connections to the switch are required for inter-cluster communication.
1
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks Bing,

I never knew that Cisco Switch can be configured "act" like firewall between VLAN.
0
 
bbaoIT ConsultantCommented:
Cisco Switch can be configured "act" like firewall between VLAN.

all Cisco L3 switches can do that, based on ACLs.
1
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Ah I see,
So what's the difference between that L3 switch and the Firewall like (ASA) if I jsut need to get traffic separation for PCI compliance ?
0
 
bbaoIT ConsultantCommented:
>  if I jsut need to get traffic separation for PCI compliance

what kind of "traffic" and "traffic separation" are you referring to? such as internal traffic or internet facing traffic? traffic separation for internal departments or different organisations (the external boundary for PCI compliance)?
1
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Internal Traffic not external or DMZ traffic.
0
 
bbaoIT ConsultantCommented:
basically, the biggest difference is no NAT on L3 switches such as 3850, as well as limited support on BGP and PBR, though the btoh do routing at L3. the routing performance as well as IPS support might be another big difference.

therefore, per your scenario the VLAN routing should be done by 3850 instead of ASA. Internal security policy should be implemented by ACLs to control traffic between VLANs on the 3850.
1
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Cool, many thanks Bing for the clarification and explanation.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 7
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now