Solved

VM networking best practice and design consideration ?

Posted on 2016-11-29
14
91 Views
Last Modified: 2017-01-02
Hi All,

Can anyone here please share some thought and comments if the below diagram is looks make sense as per VMware best practice design for Rack server ?

VM Network
Do I need to make some trunking in the Cisco 3850 switch to enable the paired network for redundancy & higher throughput ?
0
Comment
  • 7
  • 7
14 Comments
 
LVL 37

Assisted Solution

by:bbao
bbao earned 500 total points
ID: 41906787
the network design shown in the diagram looks good as soon as the Cisco side's VLAN settings and configuration are well matched and compatible with the HP switch side.

generally speaking, for better performance it is recommend to use trunk instead of individual uplinks. but be aware that ultimately it depends on your virtual network's logic design and bandwidth and security requirements of the VMs running on the physical host.

e.g. If most server to server communication (such as middleware traffic) is on the same physical host, then trunk is not necessary for departmental traffic. if you have signicant web traffic to the server group, that would be a different story.
1
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41906792
FYI, this is will be for Business Intelligence servers, mostly SQL server and SharePoint running in this VMware cluster. Hence I am asking if the VM network can be Trunked or just use normal Active/Active vSwitch policy.
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 500 total points
ID: 41906858
where are the AD servers located? on the same physical host where the BI Services are running, or somewhere on another physical server and to be access across the virtual switches and the Cisco switch? If AD services are at different locations, you need multiple Giga links (not trunk) for fault tolerance across different routes in order to keep the essential services always available.

in addition, where are the data sources and targets? e.g. if BI clients need to import bulk of raw data to the BI services for analysis, and/or heaps of BI clients run BI reports across the network, you need a trunks for these clients, from the virtual host to the switch and even from the switch to its linked switches, if any.
1
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41907875
It is on the different VMware DRS Cluster. But on the same IP subnet.
Anyway, Do I need to have dedicated IP address that is non-routable between the three hosts configured on the switches for the vMotion ?
0
 
LVL 37

Expert Comment

by:bbao
ID: 41908124
which three hosts are you referring to? the three physical hosts including the HP server, the Cisco switch and another server hosting AD services? or you mean three VMs running BI, SharePoint and AD services?

BRW, why IP addresses non-routeable? you might have security considerations to restrict the core services but be aware if so you do need a jumpbox to access them for management anyway.
1
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41908126
There will be 3x HP DL 380 servers running the BI & SharePoint VMs.

The other VM infrastructure are on the other physical server clusters.
0
 
LVL 37

Accepted Solution

by:
bbao earned 500 total points
ID: 41908161
If so, your network structure would make sense more. (your diagram only shows one HP server)

Yes, trunk connections to the switch are required for inter-cluster communication.
1
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41908176
Thanks Bing,

I never knew that Cisco Switch can be configured "act" like firewall between VLAN.
0
 
LVL 37

Expert Comment

by:bbao
ID: 41908226
Cisco Switch can be configured "act" like firewall between VLAN.

all Cisco L3 switches can do that, based on ACLs.
1
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41908243
Ah I see,
So what's the difference between that L3 switch and the Firewall like (ASA) if I jsut need to get traffic separation for PCI compliance ?
0
 
LVL 37

Expert Comment

by:bbao
ID: 41908265
>  if I jsut need to get traffic separation for PCI compliance

what kind of "traffic" and "traffic separation" are you referring to? such as internal traffic or internet facing traffic? traffic separation for internal departments or different organisations (the external boundary for PCI compliance)?
1
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41908471
Internal Traffic not external or DMZ traffic.
0
 
LVL 37

Expert Comment

by:bbao
ID: 41909469
basically, the biggest difference is no NAT on L3 switches such as 3850, as well as limited support on BGP and PBR, though the btoh do routing at L3. the routing performance as well as IPS support might be another big difference.

therefore, per your scenario the VLAN routing should be done by 3850 instead of ASA. Internal security policy should be implemented by ACLs to control traffic between VLANs on the 3850.
1
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41909483
Cool, many thanks Bing for the clarification and explanation.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
In this article we will learn how to backup a VMware farm using Nakivo Backup & Replication. In this tutorial we will install the software on a Windows 2012 R2 Server.
This Micro Tutorial walks you through using a remote console to access a server and install ESXi 5.1. This example is showing remote access and installation using a Dell server. The hypervisor is the very first component of your virtual infrastructu…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question