
Unanswered Multiple VLAN-IDs for VMs?

  • Friday, February 10, 2012 3:38 PM
     
     

    Hi,

    I want to divide our network with VLAN to make it a little more secure and to reduce broadcasting effects.

    We use Netgear FS750T2 and GS724Tv3 switches. All server systems are within HyperV 2008 R2. I know that I can use VLAN tagging (802.1Q). My problem is to get the VMs running within VLAN because I need to use more than one VLAN ID per VM. I don't want to add various virtual NICs to the VMs.

    I used Google and found answers that multiple VLAN IDs could be given to the VMs via WMI interface, but how is this done?  Couldn't get any information which helped me, must say that I'm not skilled with WMI. Other way should be with SCVMM 2008?  Is this right or do I get this feature with SCVMM 2012?

    Quite confused with all that stuff, I would be thankful for any hints...


    MCITP Server Administrator MCTS 2008R2 Server Virtualization

All Replies

  • Friday, February 10, 2012 4:08 PM
    Moderator
     
     

    Personally, if a single VM (or machine) needs more than 1 VLAN ID, then you might want to rethink how you handle things.  Traditional subnetting might be a better way to go.  Or a hybrid model.

    VLAN tagging is no more secure than any other method of dividing or segmenting traffic (physical segmentation being the tightest).  And broadcasting happens for other reasons.  You will still have broadcasting in your VLANs, but of course the target number of machines is lower.

    I find that developing a traditional model of subnetting is a good first step, especially if you find the tagging to be confusing or complex to set up (which it is, that is why network centric folks have jobs).

    Multi-home your VMs or manually apply IP addresses and segment into multiple subnets.  This requires no special VLAN tag configurations on your switches.  A few extra virtual NICs on your VMs.  And some extra routing overhead and router configuration.


    Brian Ehlert (hopefully you have found this useful) http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Backup, test your backup, try new things. Attempting change is of your own free will.

  • Saturday, February 11, 2012 11:13 PM
     
     

    Hi there,

    It's very possible I don't quite understand what you are trying to achieve here. But you want to connect one vNIC to several VLANs by giving multiple tags. And this is a feature not exposed in the user interface as far as I know. This is where my administrative alarm triggers. You don't want to use "unexposed features" on production servers. It's an administrative nightmare for those who are going to troubleshoot/manage/upgrade this machine one time in the future. Just do it with one interface for each VLAN, it's clean and simple, and everyone who comes after you will have no trouble managing the server.

    Exotic solutions are expensive in the end.

  • Monday, February 13, 2012 10:51 AM
     
     

    Thank you for your answers!

    @BrianEh

    Regarding subnetting, I will need a Layer 3 switch for that or I'll have to implement routing within our firewall by adding new rules?  Correct me if I'm wrong here...

    @Blinkage

    Small conclusion for better understanding: We are a small university and as we grow and get more and more students (and as a consequence more network devices), we need higher security standards. At this time the IPs are set in one subnet, so that every device could reach any other device. Not really a nice feature regarding security and performance...  My plan is to divide the network, for example a network for servers, a network for students, a network for university employees and so on.

    And I think we need to distinguish between "unexposed" and "not supported". In my opinion "unexposed" means a bit tricky / not so easy, but it shouldn't be a real matter for not using it. "Not supported" on productive systems?  No, never. Regarding this, I totally agree with you. And for the following admin a good documentation is essential. We all have good documentation, haven't we?  ;-)

    I found this link and I'll do a few tests to see if it works for me:

    http://www.systemspot.net/?p=6

    I would be very thankful for more input.


    MCITP Server Administrator MCTS 2008R2 Server Virtualization

  • Wednesday, February 22, 2012 1:39 PM
     
     

    The last link I posted wasn't helpful; the virtual machines need more virtual NICs if they should have more than one VLAN ID.

    More hints anyone?


    MCITP Server Administrator MCTS 2008R2 Server Virtualization