We help IT Professionals succeed at work.

Separating Management Network

B Carlsen
B Carlsen asked
on
468 Views
Last Modified: 2017-03-29
Hi,

I would like to separate the Management Network from the VM Network on my ESXi hosts. The idea is that the hosts can only be managed from clients connected on the separated Management Network.

The problem is that when I place vCSA onto the Management Network, it is no longer able to communicate to my Domain Controllers (on the VM Network), and I will lose Active Directory integration. Furthermore, I cannot time synchronize my ESXi hosts, as the Management Network is isolated from any NTP servers.

How do I resolve the issue of separating the Management Network, whilst still ensuring time synchronization, and communication of vCSA with the Domain Controllers?

Thanks in advance,
Comment
Watch Question

Luciano PatrãoICT Senior Infraestructure  Engineer  
CERTIFIED EXPERT

Commented:
Hi,

First how many Network interfaces you have in the ESXi hosts?
Secondly, the management network is nothing related to your VM Network.
Third, all interfaces need to have phisical connection between ports/switches (or routed between subnets) and use the same gateway.

As long as management network and VM Network (DC network) runs in the same network (subnet or routed) all will have connection between them.

What is the subnet of your management network? And what is the subnet of your DCs / NTP servers?

Author

Commented:
Hi Luciano,

I have 3 ESXi hosts in a VSAN cluster. Each host has the VMkernel ports:
- vMotion VMkernel VLAN10
- vSAN VMkernel VLAN20
- Management VMkernel VLAN30

Furthermore, each host has the port groups:
- Management VM Network VLAN30 (VLAN which contains VCSA) 192.168.3.0/24
- VM Network 1 VLAN40 (VLAN which contains DCs / NTP) 172.17.3.0/16
- VM Network 2 VLAN50

Each server has a cable (teamed) for the management network (VLAN30), the VSAN network (VLAN20), and the remaining networks (VLAN10, 40, and 50).

Questions:
1) Do each of the VMkernel networks need to be routed for connection between them?
2) Should the Management VM Network (contains VCSA and later will contain other Management Servers) be on a separate VLAN to the Management VMkernel traffic? Maybe I should have the Management VM Network VLAN on a separate VLAN which can route to the Management VMkernel traffic?

Thanks for the patience, I don't have much experience here.
Andrew Hancock (VMware vExpert PRO / EE Fellow)VMware and Virtualization Consultant
CERTIFIED EXPERT
Fellow
Expert of the Year 2017
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
Luciano PatrãoICT Senior Infraestructure  Engineer  
CERTIFIED EXPERT

Commented:
Hi,

Yes we have ESXi hosts with O&M in a different VLANs. What we do is to add the O&M VLAN in to our VM Network, When we need them to be reachable by both.

So if you need to reach DCs / NTP Servers from host, then you need to add VLAN40 into your ESXI hosts management network.

Author

Commented:
Hi Luciano,

Just to confirm, I need to configure inter-VLAN routing between VLAN40 and VLAN30? What do you mean by "add VLAN40 into ESXi hosts"?

Regards,
ICT Senior Infraestructure  Engineer  
CERTIFIED EXPERT
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION