Networking configuration for ESX or ESXi Part 3

Posted by Artur on May 29, 2012 in ESX, Featured, vSphere, vSphere 4, vSphere 5 |

Today, third part, this time ESX(i) host has 10 pNIC’s (1Gbps) on Standard Switches (vSS)

Scenario #1 – 10 NIC’s (1Gbps – 2 x quad port adapters and 2 on-board ports) – standard Switch for each type of traffic

In scenario I have to design network for 5 different type of traffic. Each of the traffic has different vLAN ID which will help to utilize all NIC’s for more than one traffic, optimize pNIC utilization and have network secured.

mgmt – VLANID 10
vMotion – vLANID 20
VM network – vLANID 30
VM Backup – vLANID 40
DMZ – vLANID 50

When you don’t have Enterprise Plus vSphere license the only way to configure virtual networking is vSS. In a diagram below, mgmt (Service Console or vmk port) and vMotion were placed on common vSwitch0 with active passive approach (in vSphere 4 vMotion can use only on vmnic), Active and Stand by state is set in a portgroups. On physical ports, where both pNICs are connected two vLANs must be trunked (vLAN 10 and 20) cause we need both network available on each port, such as in case of failover – traffic from both networks will carry over one port.

Make sure that connection between physical switches are configured to carry all VMware specific traffic.

Other networks, have their own dedicated vSwitch’es, each vSwitch has at least 2 NICs connected to two physical switches and all vmnics are in Active state (see table below for details). Below configuration follows virtual networking best practices in terms of:

hardware redundancy – 2 physical switches, at least two pNIC per vSwitch,
failover – each virtual network has at least two vmnics available
security – separate vLAN for each traffic (e.g vMotion is not encrypted), vSwitch security options set to Reject
capacity – each network has preserve bandwidth capacity (sending traffic over separate physical NIC)

ESX ESXi networking configuration for 10 nics

vSwitch settings (applicable for all vSwitches)

Promiscuous mode – Reject
MAC address changes – Reject
Forget Transmits – Reject
Load balancing = route based on the originating virtual port ID (default)
Network failover detection – link status only
Notify switches – Yes
Failback – No

vmnic	location	vSwitch	portgroup	state	vLANID	pSwitch
vmnic0	on board	vswitch3	backup VM	active	30	Switch1
vmnic1	on board	vswitch3	backup VM	active	30	Switch2
vmnic2	quad NIC 1	vSwtich0	mgmt/vMotion	active in mgmt passive in vMotion	10, 20	Switch1
vmnic3	quad NIC 1	vSwitch1	DMZ	active	40	Switch1
vmnic4	quad NIC 1	vswitch2	VM network	active	50	Switch1
vmnic5	quad NIC 1	vswitch2	VM network	active	50	Switch1
vmnic6	quad NIC 2	vSwtich0	mgmt/vMotion	active in vMotion passive in mgmt	10, 20	Switch2
vmnic7	quad NIC 2	vSwitch1	DMZ	active	40	Switch2
vmnic8	quad NIC 2	vswitch2	VM network	active	50	Switch2
vmnic9	quad NIC 2	vswitch2	VM network	active	50	Switch2

If you have questions regarding particular case scenario, put question in comments and I will be glad to help you

Next post, further this week, will describes scenario with 10 pNIC but using vSS together with vDS (mixed virtual networking configuration approach)

UPDATE:

Network configuration 10 x 1Gbps for vSphere 5.1

10x1Gbps vSphere 5.1 – vDS

Above is my recommended network configuration for vSphere 5.1 with Enterprise Plus license. As you know one of the cooles new features in vSphere 5.1 is backup possibility of the Virtual Distributed Switches. In case you lost vCenter Database and there is no way to restore it you can easily restore vDS config into new DB – awesome. No risk of loosing network after vCenter DB lost and all network types including mgmt vMotion can run on single Virtual Distributed Switch. All vLAN has to be trunk on all physical switch ports.

Network configuration 10 x 1Gbps for vSphere 5.x and vSphere 4.x

10x1Gbps vSphere 5.x and vSphere 4.X – mixed – vSS and vDS

My recommended network configuration for vSphere 5.X and vSphere 4.X with Enterprise Plus license. In above config vMotion and mgmt run on Virtual Standard Switch and Active/Passive vmnic configuration, where Storage, VM and FT traffic utilize Virtual Distributed Switch. The reason of heaving mgmt traffic on vSS is, in case of vCenter database lost you wont loose possibility to change ESXi/ESX host networking (N/A on vSphere 5.1 and above).

See links below for different networking configuration

ESX and ESXi networking configuration for 4 NICs on standard and distributed switches

ESX and ESXi networking configuration for 6 NICs on standard and distributed switches

ESX and ESXi networking configuration for 10 NICs on standard and distibuted switches

ESX and ESXi networking configuration for 4 x10 Gbps NICs on standard and distributed switches

ESX and ESXi networking configuration for 2 x 10 Gbps NICs on standard and distributed switches

Pingback: Network configuratioon on ESx or ESXi server with 4 NIC's | VMwaremine - Mine of knowledge about virtualization
http://blog.vmpros.nl sanderdaems

What about the “DMZ” network, if you need a fully NEN certified DMZ network?

In that situation you need a separate PCI NIC adapter (separate bus) to split the network traffic, in case you combine 1 dual/quart port adapter with LAN/DMZ connections it’s “possible” to sniff the traffic/packets. To configure this redundant you need to add a second physical NIC adapter in the host to connect the physical DMZ network switches.

If you don’t need a NEN certified DMZ and you mean “DMZ” as a different subnet with VLAN ID.. why don’t you add the two DMZ network adapters to the LAN vSwitch for more bandwidth/redundancy and trunk the VLAN ID’s together?
- http://www.vmwaremine.com Artur
  
  I’m not security guru yet, unfortunately, I don’t know what NEN is. But is always good to know how to improve design, if I would place DMZ (to be NEN certified) on to on board NIC – will my design fill out NEN requirements ?
StanJ

Hey Artur. I have also one proposal. As you also marked the topic as vSphere 5 related (upgrade expected) I would recommend you to move also one NIC port from the VM network to the Mgmt/vMotion group. This decision ofc depends on number of expected VMs (related to expected nr of vmotion migrations). You will have in this case environment more prepared for vSphere 5 from vmotion perspective and 3 NICs should be standardly enough for Prod traffic.
Hi Sander, I’m also not familiar with NEN security certification. Can you briefly describe it or dirrect us to some documentation? Also if I understood properly what you are proposing require two NICs (to have redundancy).
Pingback: VMware vSphere network configuration | VMwaremine - Mine of knowledge about virtualization
http://gravatar.com/gopikeerthy Gopinath

hello

I have 2 pswitches Cisco 6500 series as core switches, and i have vsphere 5 with enterprise plus license. I have one esxi host with 4 PNICS, the 2 core switches are interconnected via etherchannel trunk and we are not using stacking and stack cable.

Scenario-1
in the esxi host, i have created 1 vswitch and 4 pnics are attached to it. 2 pnics are connected to the pswitch1 and other 2 pnics are connected to the pswitch2.
the vswitch teaming policy is selected as (Load balancing = route based on the originating virtual port ID (default)). 5 virtual machines are connected to one VM port group,and running inside the vswitch

1 – will this work ?
2 – will i get the pswitch redundancy?
3 – any duplicate mac address issue occurs inside the 2 core switch?
4 – any packet drops occur in the event of one physical switch failure?

scenario-2
the same setup as above, now i need to use a distributed switch with LBT teaming policy.

1 – will this work ?
2 – will i get the pswitch redundancy?
3 – any duplicate mac address issue occurs inside the 2 core switch?
4 – any packet drops occur in the event of one physical switch failure?

Please help me, i am really confused with this.
- http://vmwaremine.com Artur
  
  Hi,
  thanks for comment
  
  Both scenarios will work without any problems, you will have full redundancy, I suggest to use LBT, is really cool feature and works fantastic.
  Answers:
  1 – yes
  2 – yes
  3 – no
  4 – no
  
  Cheers
  Artur
http://gravatar.com/gopikeerthy Gopinath

Great Help !!! Thanks for your timely help.

I am designing Vsphere 5, with HP 3PAR and HP C7000 blade center for a bank. The network consultant told there will be a packet drop in this design, so i confused.

Thanks for your advice and quick response.
- http://vmwaremine.com Artur
  
  wait wait you haven’t mention that this is for blades do you have Virtual connect or pass-through adapters ? 10Gb or 1Gb NIC’s ?
  - http://gravatar.com/gopikeerthy Gopinath
    
    With same scenario of first post, assume if there is 2 Top of rack switches connected between ESXi hosts and core switch,
    
    I will connect the esx hosts pnics to the top of rack switches/HP virtual connect and the top of rack switches/HP virtual connect to the core switch in mesh topology. The uplinks from the VC to the Top of rack and the uplinks from top of rack to core switch are configured as ether channel trunks.
    
    1 – First case, The esx host (blade) is connected to the > HP Virtual connect > then top of rack > then to the core switch
    
    a- In this case, i believe there wont be any issue, just like the very first post ?
    
    b- Do I need to enable the STP and portfast in all switches (top of rack, VC and core switch)?
    
    2 – In the second case, the normal one – ESX > connected to top of rack > then connected to the core switch.
    
    a- In this case, i believe there wont be any issue, just like the very first post ?
    
    b- Do I need to enable the STP and portfast in all switches (top of rack, and core switch)?
    
    so please let me know the above and what are the other things to consider also?
    
    Thanks
    Gopi
http://gravatar.com/gopikeerthy Gopinath

One more doubt,

With same scenario of above, if there is 2 Top of rack switches connected between ESXi hosts and core switch,

I will connect the esx hosts pnics to the top of rack switches and the top of rack switches to the core switch in mesh topology.

1- In this case, i believe there wont be any issue, just like the previous post ?

2- Do I need to enable the STP and portfast in all switches (top of rack and core switch)?

thanks
Gopi
Ken

Thank you for this informative post. Just one quick question, I thought we can not have two active connection to to pswitch from one vswitch, like the one on vm backup. I tried this without luck.

Can you explain in couple of sentences please.

Thank you in advance
Ben

Hi, I am wondering why for vSwitch0 and vSwitch1, the vmnic(s) are not being used in a running number way?
As in, vSwitch0 – vmnic2 and vmnic 3, while vSwitch1 – vmnic6 and vmnic7.

Could you please enlight me on this part? Thank you!
- artur_ka
  
  Hi Ben, it is due to hardware redundancy:
  on board NIC’s – vmnic0, vmnic1
  first quad port – vmnic2, vmnic3, vmnic4, vmnic5
  second q port – vmnic6, vmnic7, vmnic8, vmnic9
  
  If you have any additional question feel free to ask
Harry

How will be network configuration with 10 NICs (1Gbps) with Enterprise Plus license
- artur_ka
  
  I will post 10 NIC and E+ configuration by the end of the day tomorrow, stay tuned
  - Harry
    
    Hi,
    You still not posted the configuration.
    - http://vmwaremine.com Artur
      
      Hi Harry,
      Sorry for delay, diagrams are ready since last Friday. I will update post today
    - artur_ka
      
      Post updated
Chuck

Lets say in the VM LAN I had 3 port groups would I want to use the Active/Standby approach or just leave all vmnics as active??
- artur_ka
  
  if you have Enterprise Plus license – keep Active/Active with vDS and NIOC but if you don’t have it then depends on priority and bandwidth requirements for each PG I would use ActiveStandby to prioritize it, if all traffics have same priority stay with Active/Active.