5

What is the best way to force VLAN segregation across multiple virtual switches?

I have probably a rather complex setup going in the effort to get essentially 4 separate virtual switches.

The incoming line is a 10GbE teamed connection in trunk mode which I then add to an external virtual switch and create 4 virtual NICs for the management OS, each set to access mode in the VLAN I want. Then I have four internal virtual switches created. Four being the number of VLANs I want to segregate out.

Now, I can set each NIC to access mode in the VLAN I want and then create one big bridge. Voila, all of the virtual servers can see the internet and can access the VLAN they need. But, there are a few problems. First, if I set any server to DHCP, then it only gets DHCP from the default VLAN instead of whichever VLAN the switch should be assigned to. Second, I can actually assign an IP from any of the VLANs and the server will still communicate, no matter what the switch is supposed to do.

I understand the concepts of what is going on. Because everything is set in access mode it all sends untagged frames so once it finally gets to the bridge, it translates everything into the native (untagged) VLAN. My only problem is, I can't find a way to specify tagged frames. Or, better yet, to create 4 network bridges, one for each VLAN.

Any suggestions?

Naryna
    I don't get it. You have the trunk connected to your VM host. The trunk has, let's say, VLAN 10, 20, 30 and 40. You can set the vmnetadapter to VLAN 10, 20, 30 or 40 and DHCP will work on those VLANs. I have the exact same configuration. – Daniel Feb 01 '16 at 20:05
  • And what's that bridge you are talking about? Hyper-V does not know about bridges. Use proper terminology. – Daniel Feb 01 '16 at 20:08
  • It is literally a network bridge. Hyper-V does not need to be aware of it as I bridged the network adapters on the host. – Naryna Feb 01 '16 at 20:39
  • Okay, sorry. I was confused. Why do you need that bridge again? – Daniel Feb 01 '16 at 20:41
  • I don't obviously need a bridge, but I'm trying to migrate a VRTX server chassis to a new design. Originally, my boss (thanks to the VRTX switch) had 4 external NICs and created 4 external switches, one for each VLAN. I'm now tasked to recreate this with only two 10GbE fibre links (which I teamed because it's better). He would by far rather maintain his 4 virtual switch setup and I am trying my best to oblige him despite how difficult it seems to be. – Naryna Feb 01 '16 at 20:46
  • Brandyn, I'm being off-topic for a moment. I suggest you talk to your boss. Look at Aidan's answer, which is the same I was trying to explain before, too (but way better explained ). This way of putting VMs in VLANs is not only simpler and quicker, but less prone to problems. If you are running into trouble now with something that is supposed to be easy, prepare yourself for difficulties in troubleshooting any problems that arise later and the headaches they cause. – Daniel Feb 01 '16 at 20:54
  • @Daniel ... The "the" depends on which Aidan Finn you're talking about. The other one is Dr. AF that is a dev guru also in Ireland. But yeah, this is the MVP one. – Aidan Finn Feb 03 '16 at 08:27

2 Answers

8

1 switch per VLAN is needless overcomplication. Configure trunk port(s) on your TOR/access switch. Then create 1 vSwitch on your host. Connect the vSwitch NIC(s) to the trunk ports. When you create a VM, edit the vNIC settings and set the VLAN tag/ID/number.

This is both the simplest way to do it, and best practice. The vSwitch, as long as you use MSFT teaming (or follow instructions for unsupported 3rd party teaming), is secure from VLAN hopping.

The only real scenario where you need multiple teams is when you face something on the Internet. In that case you use a second NIC/team, not for security, but for DDoS.

Aidan Finn
    Exactly. I don't understand why Brandyn is doing all that stuff. Especially the network bridge confuses me. Aidan is right. By the way, are you *the* Aidan Finn? MVP Aidan Finn? Great to see you here :) – Daniel Feb 01 '16 at 20:43
  • While I agree this is ideal, it's sort of a last resort scenario. I'm trying to maintain my boss's original design with every avenue I can find. – Naryna Feb 01 '16 at 20:49
  • @Daniel: My reaction as well. Great to see an MVP here. – joeqwerty Feb 01 '16 at 20:50
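The single-vSwitch layout Aidan describes, written out as an added PowerShell example (this is not code from the answer or from Microsoft's documentation). It assumes Windows Server 2012 R2 Hyper-V with in-box LBFO teaming; the adapter names NIC1/NIC2, the team and switch names, the VM names and the VLAN IDs 10/20/30/40 are all assumptions for illustration. The final step is the check a practitioner wants here: a vNIC left in Untagged mode lands on the trunk's native VLAN, which is exactly the "DHCP from the default VLAN" symptom in the question.

```powershell
# Added example, not from the original post. Names, VM list and VLAN IDs are assumptions.
# Assumes: Windows Server 2012 R2 Hyper-V, in-box (LBFO) NIC Teaming,
# physical switch ports configured as trunks carrying VLANs 10, 20, 30, 40.

# 1. Team the two 10GbE uplinks. The team itself stays untagged so that tagged
#    frames from every VLAN on the trunk reach the vSwitch intact.
New-NetLbfoTeam -Name 'Team1' -TeamMembers 'NIC1', 'NIC2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# 2. One external vSwitch bound to the team. AllowManagementOS $false keeps the
#    host off the untagged/native VLAN; an explicit tagged host vNIC follows.
New-VMSwitch -Name 'vSwitch-Trunk' -NetAdapterName 'Team1' -AllowManagementOS $false

# 3. Management OS vNIC in access mode on the (assumed) management VLAN 10.
Add-VMNetworkAdapter -ManagementOS -Name 'Mgmt' -SwitchName 'vSwitch-Trunk'
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Mgmt' -Access -VlanId 10

# 4. Per-VM placement: the vNIC setting, not a separate switch, decides the VLAN.
#    Assumed VM names; each gets exactly one access VLAN.
$placement = @{ 'web01' = 20; 'app01' = 30; 'db01' = 40 }
foreach ($vm in $placement.Keys) {
    Connect-VMNetworkAdapter -VMName $vm -SwitchName 'vSwitch-Trunk'
    Set-VMNetworkAdapterVlan -VMName $vm -Access -VlanId $placement[$vm]
}

# 5. Check: list any VM vNIC still in Untagged mode. Such a vNIC sends and
#    receives untagged frames, i.e. it sits on the trunk's native VLAN and
#    will pull DHCP from there regardless of where it "should" be.
Get-VMNetworkAdapterVlan -VMName * |
    Where-Object { $_.OperationMode -eq 'Untagged' } |
    Format-Table ParentAdapter, OperationMode, AccessVlanId
```

Run the check after every VM is created or migrated onto the switch; an empty result means every guest has an explicit access VLAN. The same setting is exposed in Hyper-V Manager under the vNIC's "Enable virtual LAN identification" checkbox.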
1

While I highly urge anyone to use Aidan's answer if at all possible, the final solution I found allowed me to preserve the original design of the server and still make it all work. Going off the article provided here https://community.mellanox.com/docs/DOC-1845 it became apparent that I was able to add interfaces to my team.

I added a team interface for each VLAN and created an external switch for each team interface. I could swap between the new switches created and get DHCP perfectly.

Naryna
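The "one team interface per VLAN, one external switch per interface" layout from this answer, as an added PowerShell example rather than the poster's own commands. It assumes an existing LBFO team named Team1 whose members are trunk ports, and the VLAN IDs 10/20/30/40 plus the interface and switch names are assumptions. As both this answer and Aidan's say, the single-switch design is the recommended one; this shows how the preserved design is actually wired up and what to verify.

```powershell
# Added example, not from the original post. Team name, VLAN IDs and interface/switch
# names are assumptions. Assumes an existing LBFO team 'Team1' built on trunk ports.

$vlans = 10, 20, 30, 40

foreach ($id in $vlans) {
    $teamNic = "Team1-VLAN$id"

    # One tagged team interface per VLAN: frames leaving it are tagged with $id,
    # and only frames tagged $id are delivered to it. This is what the bridge
    # approach in the question could not do, since bridged access-mode NICs
    # only ever emitted untagged frames.
    Add-NetLbfoTeamNic -Team 'Team1' -VlanID $id -Name $teamNic

    # One external vSwitch bound to that interface. VM vNICs on these switches
    # stay in Untagged mode; the team interface, not the vNIC, applies the tag.
    # No management OS vNIC is created here; add one only on the management
    # VLAN's switch if the host needs it.
    New-VMSwitch -Name "vSwitch-VLAN$id" -NetAdapterName $teamNic -AllowManagementOS $false
}

# Verification 1: each team interface reports its VLAN ID. The Primary interface
# (VlanID 0) is the untagged/native path; nothing should be bound to it unless
# you deliberately want a native-VLAN switch.
Get-NetLbfoTeamNic -Team 'Team1' | Format-Table Name, VlanID, Primary, Default

# Verification 2: each external vSwitch is bound to the matching team interface.
Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' } |
    Format-Table Name, NetAdapterInterfaceDescription
```

The DHCP test the poster describes maps directly onto this: a VM connected to vSwitch-VLAN20 should receive a lease from VLAN 20's scope and nothing else, because the only path out of that switch is the tagged Team1-VLAN20 interface.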