Separating Management Network

Hi,

I would like to separate the Management Network from the VM Network on my ESXi hosts. The idea is that the hosts can only be managed from clients connected on the separated Management Network.

The problem is that when I place vCSA onto the Management Network, it is no longer able to communicate to my Domain Controllers (on the VM Network), and I will lose Active Directory integration. Furthermore, I cannot time synchronize my ESXi hosts, as the Management Network is isolated from any NTP servers.

How do I resolve the issue of separating the Management Network, whilst still ensuring time synchronization, and communication of vCSA with the Domain Controllers?

Thanks in advance,
B Carlsen Asked:
Luciano Patrão, ICT Senior Infrastructure Engineer, Commented:
Hi,

First, how many network interfaces do you have in the ESXi hosts?
Secondly, the management network is not related to your VM Network.
Third, all interfaces need to have a physical connection between ports/switches (or be routed between subnets) and use the same gateway.

As long as the management network and the VM Network (DC network) run in the same network (same subnet, or routed), they will all have connectivity between them.

What is the subnet of your management network? And what is the subnet of your DCs / NTP servers?
B Carlsen (Author) Commented:
Hi Luciano,

I have 3 ESXi hosts in a VSAN cluster. Each host has the VMkernel ports:
- vMotion VMkernel VLAN10
- vSAN VMkernel VLAN20
- Management VMkernel VLAN30

Furthermore, each host has the port groups:
- Management VM Network VLAN30 (VLAN which contains VCSA) 192.168.3.0/24
- VM Network 1 VLAN40 (VLAN which contains DCs / NTP) 172.17.3.0/16
- VM Network 2 VLAN50

Each server has a cable (teamed) for the management network (VLAN30), the VSAN network (VLAN20), and the remaining networks (VLAN10, 40, and 50).

Questions:
1) Do each of the VMkernel networks need to be routed for connection between them?
2) Should the Management VM Network (contains VCSA and later will contain other Management Servers) be on a separate VLAN to the Management VMkernel traffic? Maybe I should have the Management VM Network VLAN on a separate VLAN which can route to the Management VMkernel traffic?

Thanks for the patience, I don't have much experience here.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Questions:
1) Do each of the VMkernel networks need to be routed for connection between them?
2) Should the Management VM Network (contains VCSA and later will contain other Management Servers) be on a separate VLAN to the Management VMkernel traffic? Maybe I should have the Management VM Network VLAN on a separate VLAN which can route to the Management VMkernel traffic?

1. Are your hosts on different networks that need to be routed? If not, then NO.

2. Depends how complicated you want to make your network. If you use a separate management network VLAN, this will need to be set up for each host, because VCSA needs to communicate with each host. ALSO, how will you connect to VCSA to manage it? You will also need access to this VLAN for management from your workstation.
Luciano Patrão, ICT Senior Infrastructure Engineer, Commented:
Hi,

Yes, we have ESXi hosts with O&M in different VLANs. What we do is add the O&M VLAN into our VM Network when we need them to be reachable by both.

So if you need to reach the DCs / NTP servers from the host, then you need to add VLAN40 into your ESXi hosts' management network.
B Carlsen (Author) Commented:
Hi Luciano,

Just to confirm, I need to configure inter-VLAN routing between VLAN40 and VLAN30? What do you mean by "add VLAN40 into ESXi hosts"?

Regards,
Luciano Patrão, ICT Senior Infrastructure Engineer, Commented:
Yes, inter-VLAN routing.

By "add VLAN40 into the ESXi hosts" I mean in the physical network (physical switch / ports). Sorry for the misleading statement.
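The layout the thread settles on, as an added PowerCLI example that is not code from any of the posters: the management VMkernel port on a VLAN30 port group, the host default gateway pointed at the VLAN30 router that does the inter-VLAN routing, NTP configured against the servers on VLAN40, and a ping from the management VMkernel interface to prove the route actually works before vCSA is moved. The cluster name, vCSA hostname, gateway and NTP/DC addresses are placeholders patterned on the question, and the presence of the `Summary.Received` field in the esxcli ping result is an assumption about that command's output.

```powershell
# Added example, not from the thread. Per-host check and configuration for the
# layout discussed above: management VMkernel on VLAN30 (192.168.3.0/24), DCs and
# NTP servers on VLAN40 (172.17.x.x), joined by inter-VLAN routing on the physical
# network. Requires VMware PowerCLI. All names and addresses are assumptions.

Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcsa.example.local'        # assumed vCSA name

$ClusterName = 'vSAN-Cluster'                         # assumed cluster name
$MgmtVlan    = 30
$MgmtGateway = '192.168.3.1'                          # assumed VLAN30 router interface
$NtpServers  = @('172.17.3.10', '172.17.3.11')        # assumed DC/NTP hosts on VLAN40

foreach ($vmhost in (Get-Cluster -Name $ClusterName | Get-VMHost)) {
    Write-Host "== $($vmhost.Name)"

    # 1. The VMkernel port that carries management traffic must sit on a port
    #    group tagged VLAN30; fix the tag if it is anything else.
    $mgmtVmk = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel |
               Where-Object { $_.ManagementTrafficEnabled }
    $mgmtPg  = Get-VirtualPortGroup -VMHost $vmhost -Name $mgmtVmk.PortGroupName -Standard
    if ($mgmtPg.VLanId -ne $MgmtVlan) {
        Write-Warning "$($vmhost.Name): $($mgmtVmk.Name) is on VLAN $($mgmtPg.VLanId), moving to VLAN $MgmtVlan"
        Set-VirtualPortGroup -VirtualPortGroup $mgmtPg -VLanId $MgmtVlan | Out-Null
    }

    # 2. The host default gateway must be the VLAN30 router; without it nothing
    #    on VLAN40 is reachable even when inter-VLAN routing exists on the switch.
    $net = Get-VMHostNetwork -VMHost $vmhost
    if ($net.VMKernelGateway -ne $MgmtGateway) {
        Set-VMHostNetwork -Network $net -VMKernelGateway $MgmtGateway | Out-Null
    }

    # 3. NTP: add the VLAN40 time servers, open the host firewall's NTP client
    #    rule, and make ntpd start with the host.
    $current = Get-VMHostNtpServer -VMHost $vmhost
    foreach ($srv in $NtpServers) {
        if ($current -notcontains $srv) {
            Add-VMHostNtpServer -VMHost $vmhost -NtpServer $srv | Out-Null
        }
    }
    Get-VMHostFirewallException -VMHost $vmhost -Name 'NTP Client' |
        Set-VMHostFirewallException -Enabled:$true | Out-Null
    $ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
    Set-VMHostService -HostService $ntpd -Policy 'On' | Out-Null
    Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null

    # 4. Prove the route: ping each VLAN40 server from the management VMkernel
    #    interface (the PowerCLI equivalent of "vmkping -I vmk0 <ip>" in the ESXi shell).
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    foreach ($srv in $NtpServers) {
        $r = $esxcli.network.diag.ping.Invoke(@{ host = $srv; interface = $mgmtVmk.Name; count = 3 })
        # Assumption: the ping result exposes a Summary with a Received packet count.
        $state = if ([int]$r.Summary.Received -gt 0) { 'reachable' } else { 'UNREACHABLE' }
        Write-Host ("  {0,-15} via {1}: {2}" -f $srv, $mgmtVmk.Name, $state)
    }
}

Disconnect-VIServer -Confirm:$false
```

Run it before relocating vCSA: if step 4 reports UNREACHABLE, the problem is on the physical side (VLAN40 not carried to the host uplinks, or no route between VLAN30 and VLAN40 on the switch/router), which is what the accepted answer points at. The script configures nothing on the switch itself. If the aim of a separate management VLAN is that it stays isolated from ordinary VM traffic, the route between VLAN30 and VLAN40 should be limited with an ACL on that router to the services vCSA and the hosts actually need (NTP 123/udp, DNS 53, Kerberos 88, LDAP 389 or LDAPS 636) rather than opened fully in both directions.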
