Separating Management Network

B Carlsen
B Carlsen used Ask the Experts™
on
Hi,

I would like to separate the Management Network from the VM Network on my ESXi hosts. The idea is that the hosts can only be managed from clients connected on the separated Management Network.

The problem is that when I place vCSA onto the Management Network, it is no longer able to communicate to my Domain Controllers (on the VM Network), and I will lose Active Directory integration. Furthermore, I cannot time synchronize my ESXi hosts, as the Management Network is isolated from any NTP servers.

How do I resolve the issue of separating the Management Network, whilst still ensuring time synchronization, and communication of vCSA with the Domain Controllers?

Thanks in advance,
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Luciano PatrãoICT Senior Infraestructure  Engineer  

Commented:
Hi,

First how many Network interfaces you have in the ESXi hosts?
Secondly, the management network is nothing related to your VM Network.
Third, all interfaces need to have phisical connection between ports/switches (or routed between subnets) and use the same gateway.

As long as management network and VM Network (DC network) runs in the same network (subnet or routed) all will have connection between them.

What is the subnet of your management network? And what is the subnet of your DCs / NTP servers?

Author

Commented:
Hi Luciano,

I have 3 ESXi hosts in a VSAN cluster. Each host has the VMkernel ports:
- vMotion VMkernel VLAN10
- vSAN VMkernel VLAN20
- Management VMkernel VLAN30

Furthermore, each host has the port groups:
- Management VM Network VLAN30 (VLAN which contains VCSA) 192.168.3.0/24
- VM Network 1 VLAN40 (VLAN which contains DCs / NTP) 172.17.3.0/16
- VM Network 2 VLAN50

Each server has a cable (teamed) for the management network (VLAN30), the VSAN network (VLAN20), and the remaining networks (VLAN10, 40, and 50).

Questions:
1) Do each of the VMkernel networks need to be routed for connection between them?
2) Should the Management VM Network (contains VCSA and later will contain other Management Servers) be on a separate VLAN to the Management VMkernel traffic? Maybe I should have the Management VM Network VLAN on a separate VLAN which can route to the Management VMkernel traffic?

Thanks for the patience, I don't have much experience here.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017
Commented:
Questions:
1) Do each of the VMkernel networks need to be routed for connection between them?
2) Should the Management VM Network (contains VCSA and later will contain other Management Servers) be on a separate VLAN to the Management VMkernel traffic? Maybe I should have the Management VM Network VLAN on a separate VLAN which can route to the Management VMkernel traffi

1. Are you hosts on different networks, and need to be routed, if not then NO.

2. Depends how complicated you want to make your network, if you use separate management network VLAN, this will need to be setup for each host, because VCSA needs to communicate with each host, and ALSO how will you also connect to VCSA, to manage it? You will also need access to this VLAN for management from your workstation.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Luciano PatrãoICT Senior Infraestructure  Engineer  

Commented:
Hi,

Yes we have ESXi hosts with O&M in a different VLANs. What we do is to add the O&M VLAN in to our VM Network, When we need them to be reachable by both.

So if you need to reach DCs / NTP Servers from host, then you need to add VLAN40 into your ESXI hosts management network.

Author

Commented:
Hi Luciano,

Just to confirm, I need to configure inter-VLAN routing between VLAN40 and VLAN30? What do you mean by "add VLAN40 into ESXi hosts"?

Regards,
ICT Senior Infraestructure  Engineer  
Commented:
Yes inter-VLAN routing.

Add VLAN40 into ESXI hosts, I mean in the physical network (physical Switch / ports). Sorry for the misleading statement.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial