
How can I isolate traffic between vSphere hosts, for a test environment, while maintaining the same IP address configuration as the current guest OSes?

I have two ESXi 5.0 hosts on my LAN. Each hosts several guest OSes -- Windows/Linux. Our shop is using Samba AD on Fedora. Two domain controllers and a FileServer. Windows boxes run SQL. We have Cisco switches 2960, 3560 version 12.4.

DC1 -- 192.168.200.20
DC2 -- 192.168.200.21
FS1 -- 192.168.200.22

We want to upgrade our Samba domain controller to the latest version, to take advantage of GPO goodness. Current plan is to clone the existing Linux servers, and bring them up on the isolated network.

Two servers, DC1 & FS1, run on ESX1. DC2 and the new, from scratch DC will run on ESX2. The plan is to join the domain with the new DC, then upgrade to PDC, and spin down DC1. We want to test this beforehand. My boss would like to keep everything identical, including IP addresses.

How can I isolate the test network across the ESXi hosts? Both vSphere hosts have an isolated network. If I connect the physical NICs on the isolated network to the Cisco 3560, on a separate VLAN, will this be enough? The 3560 currently performs InterVLAN routing. Would PVLAN do this?

EDIT: The two vSphere hosts will each have two test guests.

ESX1 -- 192.168.200.11
ESX2 -- 192.168.200.12

user202688

1 Answer

Here's one way to do it:

  1. Create an isolated vSwitch on the new host. If you don't bind this vSwitch to a physical adapter then the VMs connected to this vSwitch will be able to communicate with each other but not with the physical network or with other hosts and VMs.

  2. Clone or copy your existing VMs.

  3. Move the VM clones/copies to the new host.

  4. Connect each VM to the isolated vSwitch.

  5. Test.

Once you've confirmed that your upgrades, etc. are successful with the cloned VMs you can proceed to implement it in production.

joeqwerty
  • My problem is that I will have two clones on each ESXi host. They will not all be on the same host. The two hosts are 192.168.200.11 and 192.168.200.12. Is it possible to isolate the clones from the LAN but allow them to communicate with each other, across the LAN? – user202688 Dec 16 '13 at 20:56
  • 1. Why not put all of the clones on one host to make testing easier? 2. If you can't put all of the clones on one host then you can use a VLAN to isolate the clone VMs on the physical network. – joeqwerty Dec 16 '13 at 21:47
  • That would be my preference. Not my call though. One of the constraints is that they would like to keep the same IP assignment on the clones, as they do on the production OSes. Will just putting the clones on a separate VLAN isolate the traffic sufficiently? If the production VLAN and the test VLAN both have hosts with the same IP assignment, will this not cause issues? It's the issue of the same IP assignment that is troubling me. If the clones could get different IP addresses, this wouldn't be such a problem. – user202688 Dec 16 '13 at 22:14
  • If all of the clones were on the same host, all connected to an isolated vSwitch, then duplicate IP addresses aren't a problem as the isolated vSwitch doesn't have access to the physical network. If you must connect the clone VMs to the physical network then I'm fairly certain that the switch will confine ARP requests to the member ports of each VLAN, so using the same IP addresses on the clones shouldn't be an issue. – joeqwerty Dec 16 '13 at 22:31
  • Fair enough. I understand regarding the vSwitch and the isolated network. I will test the separate VLAN/same IP issue. Cheers. – user202688 Dec 16 '13 at 22:52
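To make the trade-off discussed in the answer and comments concrete (an uplink-less vSwitch confines clones to one host, while a dedicated VLAN lets clones on both hosts talk to each other yet keeps them off the production segment), here is an added Python model of the resulting L2 segments that flags duplicate IPs sharing a segment. It is example code, not from the question or the answer; the VLAN IDs 200 and 299, the vSwitch names and the port-group layout are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class PortGroup:
    host: str         # ESXi host the vSwitch lives on
    vswitch: str      # vSwitch name on that host
    has_uplink: bool  # True if the vSwitch is bound to a physical NIC
    vlan: int         # 802.1Q tag on the port group (0 = untagged)

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    pg: PortGroup

def broadcast_domain(pg: PortGroup) -> str:
    """Name the L2 segment that a port group's VMs share."""
    if not pg.has_uplink:
        return f"isolated:{pg.host}/{pg.vswitch}"  # never leaves this host
    return f"vlan:{pg.vlan}"  # the switch confines frames (ARP included) to the VLAN

def can_reach(a: VM, b: VM) -> bool:
    """Two VMs see each other's ARP/broadcast only inside the same segment."""
    return broadcast_domain(a.pg) == broadcast_domain(b.pg)

def find_ip_conflicts(vms):
    """Return {(domain, ip): [names]} for every IP duplicated inside one segment."""
    seen = defaultdict(list)
    for vm in vms:
        seen[(broadcast_domain(vm.pg), vm.ip)].append(vm.name)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed topology; VLAN IDs 200 and 299 are assumptions, not from the question.
PROD1 = PortGroup("ESX1", "vSwitch0", True, 200)
PROD2 = PortGroup("ESX2", "vSwitch0", True, 200)
TEST1 = PortGroup("ESX1", "vSwitch1", True, 299)  # test VLAN trunked to both hosts
TEST2 = PortGroup("ESX2", "vSwitch1", True, 299)
ISO1 = PortGroup("ESX1", "vSwitchIso", False, 0)  # isolated vSwitch, no uplink
ISO2 = PortGroup("ESX2", "vSwitchIso", False, 0)
PRODUCTION = [VM("DC1", "192.168.200.20", PROD1), VM("FS1", "192.168.200.22", PROD1),
              VM("DC2", "192.168.200.21", PROD2)]
CLONES_VLAN = [VM("DC1-clone", "192.168.200.20", TEST1), VM("DC2-clone", "192.168.200.21", TEST2)]
CLONES_ISO = [VM("DC1-clone", "192.168.200.20", ISO1), VM("DC2-clone", "192.168.200.21", ISO2)]
MISWIRED = PRODUCTION + [VM("DC1-clone", "192.168.200.20", PROD1)]  # clone left on prod port group
```

Run `find_ip_conflicts` over the production VMs plus each clone set: the VLAN and isolated layouts report no conflicts, but only the VLAN layout lets the two clones on different hosts reach each other, and MISWIRED shows the duplicate-IP collision you get if a clone is attached to the production port group.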