
Just bought an ASA 5505 and a separate gigabit switch, along with a Dell R610 virtualization server to replace existing bare metal web server.

There will be 2 physical machines, R610 running ESXi 4.1 & a backup server (old SC 1435).

R610 has 2X dual port NICs, all will be connected to the switch, as will backup server, and switch will be connected to the ASA, so:

uplink >> ASA >> switch >> 2 servers

What I am confused about is what to do with the 30 IP block I have.

Data center engineer who will do the ASA setup suggested:

****************
66.xxx.47.96/27
Network:  66.xxx.47.96
Gateway: 66.xxx.47.97
Firewall: 66.xxx.47.98
Switch: 66.xxx.47.99
Name Server 1: 66.xxx.47.100
Name Server 2: 66.xxx.47.101
Backup Server: 66.xxx.47.102
First Usable for production server: 66.xxx.47.103
Last Usable for production server: 66.xxx.47.126
Broadcast: 66.xxx.47.127
****************

I am thinking for ESXi server that NIC1 port1 will be for console manager; NIC1 port2 for devel VMs; NIC2 port1 for LAMP production VMs (i.e. existing bare metal web server) and NIC2 port2 for Rails/Grails VMs

Current web server only uses 6 IPs, so obviously I have some flexibility.

I just don't want to route myself into a corner, how would you allocate the .103~.126 IPs to ESXi 4 NIC ports? Also, if the Name servers are outside of ESXi's listening range, how will DNS requests get routed to target VM on ESXi?

Ideas much appreciated...

Thanks!


1 Answer

Why on earth would you put your switches etc. on the public internet? That smells of craziness.

I strongly suggest you have two VLANs - one for your internal traffic (a 192.168.x.x for example) and then a DMZ for your public traffic (your 66.x.47.x range).

From a security standpoint it makes no sense to put your backup servers and your switch on the public network. It's just asking for trouble.

ESXi supports VLAN Tagging for vNICs so it shouldn't be a problem to just assign two vNICs to your virtual machines and have one on the private network and one on the public. Then just assign your public IP addresses to the virtual machines that need them.

What you will want at the end of the day is something that looks like this:

(network diagram image, source: stackoverflow.com; not reproduced here)

As for requests that ESXi doesn't "know" about, they will be routed through your default gateway as per usual. Your gateway should be smart enough to know that those IP addresses are on its own network (a Cisco ASA properly configured is very smart), so it will route them back in to you (preferably on the VLAN with the public IP addresses). This is no different to any other network and is not specific to just ESXi.

  • If there is a firewall in between, the switch and SAN are not on "the public internet" they just have non-NATed IPs. There is still an ACL between the clients and the network gear. – MDMarra Jul 23 '10 at 21:57
  • Right @MarkM, the switch is behind the firewall, data center engineer must have missed that, obviously the switch does not need a public IP. @Farseeker, thanks for the feedback, coming from a simple bare metal LAMP setup, ESXi is a bit over the top (in a good way); I'm just looking for a sensible way to route external traffic to target VMs and how to allocate this 30 IP block in a way that I don't have to juggle IP ranges in future. I guess it's a common problem, a single subnet, multiple services and servers. – virtualeyes Jul 23 '10 at 23:23
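The split the answer recommends, public /27 for internet-facing hosts only and a private VLAN for the switch, backup server and ESXi management, written out as an added address-plan checker (example code, not from the original post). The masked octet in 66.xxx.47.96/27 is replaced by 0 as a placeholder, the 192.168.10.0/24 range and the host names are assumptions.

```python
import ipaddress

# Constructed example block: the question's 66.xxx.47.96/27 with the masked
# octet replaced by 0 as a placeholder; the private VLAN range is assumed.
PUBLIC_BLOCK = ipaddress.ip_network("66.0.47.96/27")
PRIVATE_BLOCK = ipaddress.ip_network("192.168.10.0/24")

# (host, internet-facing?) in allocation order. Hypothetical host names.
HOSTS = [
    ("gateway", True), ("asa-outside", True),
    ("switch-mgmt", False), ("backup-server", False), ("esxi-mgmt", False),
    ("ns1", True), ("ns2", True), ("lamp-web", True), ("rails-app", True),
]


def allocate(hosts, public=PUBLIC_BLOCK, private=PRIVATE_BLOCK):
    """Return {host: (vlan, address)}. Only internet-facing hosts draw from
    the public /27 (the DMZ VLAN); switch, backup and ESXi management go on
    the private VLAN behind the ASA. .hosts() skips network and broadcast."""
    pools = {"dmz": iter(public.hosts()), "internal": iter(private.hosts())}
    plan = {}
    for name, facing in hosts:
        vlan = "dmz" if facing else "internal"
        try:
            plan[name] = (vlan, next(pools[vlan]))
        except StopIteration:
            raise ValueError(f"{vlan} pool exhausted at host {name}") from None
    return plan


def audit(plan, hosts, public=PUBLIC_BLOCK, private=PRIVATE_BLOCK):
    """List problems: a non-facing host holding a public address, an address
    outside its VLAN's usable range, or a duplicate address."""
    facing = dict(hosts)
    problems, seen = [], set()
    for name, (vlan, addr) in plan.items():
        block = public if vlan == "dmz" else private
        if addr not in block or addr in (block.network_address, block.broadcast_address):
            problems.append(f"{name}: {addr} is not a usable address in {block}")
        if not facing.get(name, True) and addr in public:
            problems.append(f"{name}: management host exposed with public address {addr}")
        if addr in seen:
            problems.append(f"{name}: duplicate address {addr}")
        seen.add(addr)
    return problems


if __name__ == "__main__":
    for host, (vlan, addr) in allocate(HOSTS).items():
        print(f"{host:14} {vlan:9} {addr}")
```

Running `audit` over the data-center engineer's original plan (switch on 66.xxx.47.99) reports the exposed management host that the comments point out.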