vDCA550-Objective 2.3-4-Configure port groups to properly isolate network traffic (Part 1)

VMware recommends that each type of network traffic in vSphere be separated by VLANs. To achieve this, the design typically allocates separate VLANs for management, vMotion, VM, IP storage, and FT port groups. VMs are typically not placed on a single VLAN, but instead might use multiple VLANs.

The implementation requires that the VLANs be created within the physical network. Additionally, each virtual port group might require specific configuration.

There are three types of VLAN tagging supported in vSphere.

  1. Virtual guest tagging (VGT) – requires VLAN driver support in the guest OS. In this case the VLAN is configured on the guest OS network card.
  2. Virtual switch tagging (VST) – the method commonly used in virtual infrastructure. It requires VLAN trunking on the physical switch; these trunk ports (groups of VLANs) are then used on the virtual switch.
  3. External switch tagging (EST) – less flexible and requires more physical NICs. With “EST”, all the configuration is done on the physical switch side; no configuration is required on the virtual switch infrastructure.

The most common and flexible way to provide virtual isolation between port groups is to configure each physical switch port for the “VST” method; these VLANs can then be configured on Portgroups to isolate the traffic.

Example 1 (vSS):

The network administrator has configured the physical switch ports as trunks for VLANs 10-15. The vSphere administrator's task is to create an isolated infrastructure for “IP-Storage, vMotion and VM” traffic on a “vSS” named “vSwitch1” with the following configuration.

  1. Create a Portgroup named “IP-Storage” for Management traffic and isolate it with “VLAN10” on uplinks “vmnic2 active/vmnic3 standby”.
  2. Create a Portgroup named “vMotion” for vMotion traffic and isolate it with “VLAN11” on uplink “vmnic1”.
  3. Create a Portgroup named “VM-3” for VM traffic and isolate it with “VLAN12” on uplinks “vmnic3 active/vmnic2 standby”.

I assume you know how to create a standard switch (vSS) and Portgroups.

If you don’t know how to create a vSS and Portgroup, please visit my post “VCAP-55-Objective2.1-1-and 2.1-2”.

Solution:

vSwitch1 Topology Diagram

As you can see below, I have vSwitch1 with three uplinks, vmnic1, vmnic2 and vmnic3, all in the active/active state. No Portgroup has been created yet.

vDCA550-Obj-2-3-ConfPortGroupIsolation-01

IP-Storage PG Configuration.

In the PG creation wizard, under Connection Type, choose “VMkernel Network Adapter”.

vDCA550-Obj-2-3-ConfPortGroupIsolation-02

Enter the PG Name IP-Storage and VLAN10 on vSwitch1 as shown below.

vDCA550-Obj-2-3-ConfPortGroupIsolation-03

In the Teaming and failover settings, tick the “Override” checkbox, set vmnic2 as active and vmnic3 as standby, and move vmnic1 to unused.

vDCA550-Obj-2-3-ConfPortGroupIsolation-04

IP-Storage PG Topology

Here is what the topology diagram of the IP-Storage PG looks like.

vDCA550-Obj-2-3-ConfPortGroupIsolation-05

vMotion PG Configuration.

In the PG creation wizard, under Connection Type, choose “VMkernel Network Adapter”.

vDCA550-Obj-2-3-ConfPortGroupIsolation-02

Enter the PG name “vMotion” and “VLAN ID 11”. While creating the PG, make sure you have checked “vMotion traffic” in the Available Services section.

vDCA550-Obj-2-3-ConfPortGroupIsolation-06

In the Teaming and failover section, tick the Override checkbox, place vmnic1 as active, and move vmnic2 and vmnic3 to the unused adapters list.

vDCA550-Obj-2-3-ConfPortGroupIsolation-07

vMotion PG Topology

vDCA550-Obj-2-3-ConfPortGroupIsolation-08

VM-3 PG Configuration.

In the PG creation wizard, under Connection Type, choose “Virtual Machine Port Group for a Standard Switch”.

vDCA550-Obj-2-3-ConfPortGroupIsolation-09

Enter the PG Name VM-3 and VLAN12 on vSwitch1 as shown below.

vDCA550-Obj-2-3-ConfPortGroupIsolation-10

In the Teaming and failover section, tick the Override checkbox, place vmnic3 as active and vmnic2 as standby, and move vmnic1 to the unused adapters list.

vDCA550-Obj-2-3-ConfPortGroupIsolation-11

VM-3 PG Topology

vDCA550-Obj-2-3-ConfPortGroupIsolation-12

Final “vSwitch1” Topology Diagram with PG “IP-Storage, vMotion, VM-3”

From Web Client:

vDCA550-Obj-2-3-ConfPortGroupIsolation-13

From Classic Client:

vDCA550-Obj-2-3-ConfPortGroupIsolation-14
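
To confirm that the finished vSwitch1 really isolates the three port groups as planned in Example 1, the check below compares a port group listing against the plan. It is an added example, not part of the original post; it assumes the text comes from `esxcli network vswitch standard portgroup list` on the host, and the sample table is constructed for illustration.

```python
import re

# Intended layout from Example 1: port group -> VLAN ID, all on vSwitch1.
PLAN = {"IP-Storage": 10, "vMotion": 11, "VM-3": 12}
TRUNK = range(10, 16)  # physical switch ports trunk VLAN 10-15
SPECIAL = {0: "untagged (EST): the port group applies no VLAN tag",
           4095: "VGT: every trunked VLAN is passed to the guest"}

# Constructed sample in the layout of `esxcli network vswitch standard portgroup list`.
SAMPLE = """\
Name        Virtual Switch  Active Clients  VLAN ID
----------  --------------  --------------  -------
IP-Storage  vSwitch1                     1       10
vMotion     vSwitch1                     1       11
VM-3        vSwitch1                     0       12
"""

def parse_portgroups(text):
    """Slice rows at the offsets of the dashed ruler so names with spaces stay whole."""
    lines = [l for l in text.splitlines() if l.strip()]
    ruler = next(i for i, l in enumerate(lines) if set(l.strip()) <= {"-", " "})
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    rows = []
    for line in lines[ruler + 1:]:
        name, vswitch, _clients, vlan = (line[a:b].strip() for a, b in spans)
        rows.append({"name": name, "vswitch": vswitch, "vlan": int(vlan)})
    return rows

def audit(rows, plan=PLAN, trunk=TRUNK, vswitch="vSwitch1"):
    """Return a list of findings; an empty list means the layout matches the plan."""
    findings, by_vlan = [], {}
    on_switch = {r["name"]: r["vlan"] for r in rows if r["vswitch"] == vswitch}
    for name, want in plan.items():
        got = on_switch.get(name)
        if got is None:
            findings.append(f"{name}: missing on {vswitch}")
        elif got != want:
            findings.append(f"{name}: VLAN {got}, expected {want}")
    for name, vlan in on_switch.items():
        by_vlan.setdefault(vlan, []).append(name)
        if vlan in SPECIAL:
            findings.append(f"{name}: VLAN {vlan} is {SPECIAL[vlan]}")
        elif vlan not in trunk:
            findings.append(f"{name}: VLAN {vlan} is outside trunk {trunk[0]}-{trunk[-1]}")
    findings += [f"VLAN {v} shared by {', '.join(n)}" for v, n in by_vlan.items() if len(n) > 1]
    return findings

if __name__ == "__main__":
    print(audit(parse_portgroups(SAMPLE)) or "OK: layout matches the plan")
```

Two port groups that end up on the same VLAN ID, or a port group left on VLAN 0 or 4095, are reported as findings because they break the one-VLAN-per-traffic-type separation the example sets out to build.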

That's it for today. This post will continue and you will find its part 2 here.
