
We are a small business and have been successfully running one Hyper-V 2012 R2 vmhost with many Windows Server 2012 VMs that include a DC, Web Server, CRM Server and SQL Server for a couple of years. For networking we have a Draytek 2860, 2 physical switches and a gigawan.

We don't have an IT Department - yet - and I'm primarily a coder, but I do dabble in systems and networking (I planned and did the setup above). I do not have enough know-how to confirm my R&D, though, so thank you serverfault for existing :)

As we've grown so did our traffic and I'm now finding that during business hours the network performance is being affected by all sorts of traffic, internal and external.

So, this weekend I embarked on a journey to improve the network's reliability and also deploy a DMZ zone for staging and testing, accessible via the internet.

So after much reading about the router (Draytek 2860), Hyper-V networking and VLANs I've come up with the following setup, which I'm hopeful of integrating successfully today, before everyone's back in the office tomorrow:

Network Setup

Read from left to right, as if there is a link between columns in the same row.

Please note that:

  • I want the servers on the DMZ to be domain controlled and have access to some IT servers, like the SQL Server.
  • All subnets/VLANs will share the same DNS server on the "it & dev" VLAN; the secondary will be the router, e.g. 191.168.1.1
  • The DMZ subnet/VLAN only has access to the "it & dev" VLAN
  • Lan3 is for guests that connect to a separate wireless SSID on the router but should have access to the DMZ subnet, e.g. a client that comes in for a project demo.
  • My VMHost does have 3 physical NICs - thinking ahead to this purchase ;)

So the questions/clarifications I'm looking for are:

  • Is separating user traffic into an "it & dev" VLAN and a "user & devices" VLAN a sensible approach to improve performance? It makes sense to me, but I'm just looking for confirmation.
  • This router has inter-LAN routing, which from what I can understand is a NAT feature to provide inter-LAN/VLAN routing. But would I still need to use static routes, or will Inter-LAN Routing suffice for regular traffic?
  • I currently only have one DC1, but am thinking about deploying a second one. Do you think it’s a good idea for one to be on the "user & devices" VLAN and another on the "it & dev" VLAN, or should they always be on the same VLAN? Bear in mind that the DMZ will not have access to the "user & devices" VLAN, only the "it & dev" one. Will it be bad if a server on the DMZ cannot find the secondary DC, because that's on the "user & devices" VLAN?
  • I'm not considering storage (SANs or something similar) yet, but am seriously considering it for the File Server, VMs and internal backups. Could you point me in the right direction for a sensible (cost and setup) solution?
  • I'm also thinking about having another physical vmhost; should I separate the VMs per VLAN? For example, having a vmhost for the user VMs and another vmhost for the dev and DMZ VMs?
  • If there are any drawbacks, pitfalls or things I should be aware of whilst implementing this, please do let me know.
Pedro Costa
  • So far, so good, second physical switch implemented, onto VLAN configuration :) – Pedro Costa May 08 '16 at 14:56
  • So far so good! VLANs configured, virtual switches on vmhost as well, am now moving some of the VMs and workstations to their proper LANs. My R&D seems to have paid off, but still hoping for some feedback to my questions just for reassurance. – Pedro Costa May 08 '16 at 15:53
  • `As we've grown so did our traffic and I'm now finding that during business hours the network performance is being affected by all sorts of traffic, internal and external.` - That's kind of a vague and meaningless statement. How exactly is the network being affected? What are the symptoms? What have you done to analyze the problem? What kind of data or evidence do you have that the problem is a network problem? You've embarked on implementing a "solution" to a problem that you haven't described, assessed or analyzed. How could we possibly tell you whether or not your plan is "good"? – joeqwerty May 08 '16 at 16:17
  • `So, this weekend I embarked on a journey to improve the networks reliability` - Again, this statement is vague and meaningless. What do you mean by "improve its reliability"? How is it unreliable? How is implementing VLANs a solution to a reliability problem? – joeqwerty May 08 '16 at 16:19
  • Hi joe, we have regular users and dev users in our office. If we have 3 or 4 of them streaming music, or doing VOIP calls, we noticed that file transferring between dev workstations and servers was slower than usual (the whole network is CAT6 at 1GB speed), and since I was about to set up a DMZ for the testing and staging servers I thought I'd go ahead with splitting the network traffic into the subnets/VLANs. If you do not agree with this, please explain why? – Pedro Costa May 08 '16 at 17:21
  • Oh and if you could, please have a look at the other questions, I'm sure there's something you could have feedback for, if you'd like ;) – Pedro Costa May 08 '16 at 17:22
  • Which other questions? Also, I'll post something more a little bit later, I'm headed out to lunch. My point in my comments is that you should be taking an "evidence-based" approach to solving your problems. I'm not sure that you've done that and I'm not sure that your plan solves the issues you've described. Again, I'll post my ruminations on this a bit later. – joeqwerty May 08 '16 at 17:27
  • Thank you joe, I'll appreciate it for sure :) For example, whether having a secondary DC on the user VLAN is advisable, even though DMZ traffic will not have access to the user VLAN. All seems to be working fine with just inter-LAN routing; is static routing needed? etc. See the bottom of the post. – Pedro Costa May 08 '16 at 18:09
  • joe, fyi, "What Draytek calls VLANs everyone else here calls routed subnets." from http://serverfault.com/questions/678987/draytek-vigor-2860-multiple-external-ip-addresses#comment833547_678987 I assume that applies to me. Also found a great demo for the router http://eu.draytek.com:12860/ if you go to LAN > VLAN; I've set this up without enabling the VLAN tag. So, I assume I'm just using routed subnets. :D – Pedro Costa May 08 '16 at 19:14
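The host-side half of the plan described in the question (one Hyper-V virtual switch per physical NIC, VMs pinned to the "it & dev", "user & devices" and DMZ segments) can be scripted and, more importantly, verified, so that a DMZ VM does not silently end up on the wrong switch and the DMZ really cannot reach the user segment. The following is an added example written for this page; it is not code from the question or from Draytek or Microsoft. The segment names, switch names, NIC names, VM names, VLAN IDs and the 192.0.2.x gateway addresses are constructed placeholders. It covers both layouts mentioned in the thread: tagged 802.1Q (Access mode on the VM adapter) and the untagged "routed subnet" layout from the last comment, where isolation comes from the separate NIC and router port rather than from a tag.

```powershell
# Added example, not part of the original question. Every name, VLAN ID and address
# below is a constructed placeholder; the cmdlets are the standard Hyper-V / NetTCPIP ones.
#Requires -Modules Hyper-V

# $false: router ports are untagged "routed subnets" (one physical NIC per segment, no 802.1Q).
# $true:  the upstream port is a trunk and each VM's frames must carry its segment's VLAN ID.
$UseVlanTags = $false

# One entry per segment: the physical NIC that carries it and the VMs that belong to it.
$Segments = @(
    @{ Name = 'ITDev'; Switch = 'vSw-ITDev'; Nic = 'NIC1'; VlanId = 10; Vms = @('DC1', 'SQL1', 'CRM1') },
    @{ Name = 'Users'; Switch = 'vSw-Users'; Nic = 'NIC2'; VlanId = 20; Vms = @('FS1') },
    @{ Name = 'DMZ';   Switch = 'vSw-DMZ';   Nic = 'NIC3'; VlanId = 30; Vms = @('STAGE-WEB1') }
)

function Set-SegmentLayout {
    param([array]$Segments, [bool]$UseVlanTags)
    foreach ($seg in $Segments) {
        # One external virtual switch per physical NIC. Only the IT/dev switch is shared with the
        # management OS, so the host itself never has a foot in the DMZ or the user segment.
        if (-not (Get-VMSwitch -Name $seg.Switch -ErrorAction SilentlyContinue)) {
            $shareWithHost = ($seg.Name -eq 'ITDev')
            New-VMSwitch -Name $seg.Switch -NetAdapterName $seg.Nic -AllowManagementOS $shareWithHost | Out-Null
        }
        foreach ($vm in $seg.Vms) {
            Connect-VMNetworkAdapter -VMName $vm -SwitchName $seg.Switch
            if ($UseVlanTags) {
                # Access mode: frames leave the host tagged with this segment's VLAN ID.
                Set-VMNetworkAdapterVlan -VMName $vm -Access -VlanId $seg.VlanId
            } else {
                # Routed-subnet layout: no tag; the separate NIC/router port provides the isolation.
                Set-VMNetworkAdapterVlan -VMName $vm -Untagged
            }
        }
    }
}

function Get-SegmentReport {
    # One row per VM adapter, with a Misplaced flag so a DMZ VM on the user switch stands out.
    param([array]$Segments)
    $expected = @{}
    foreach ($seg in $Segments) { foreach ($vm in $seg.Vms) { $expected[$vm] = $seg.Switch } }
    foreach ($nic in Get-VMNetworkAdapter -VMName *) {
        $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
        [pscustomobject]@{
            VM        = $nic.VMName
            Switch    = $nic.SwitchName
            VlanMode  = $vlan.OperationMode
            VlanId    = $vlan.AccessVlanId
            Expected  = $expected[$nic.VMName]
            Misplaced = ($expected.ContainsKey($nic.VMName) -and $expected[$nic.VMName] -ne $nic.SwitchName)
        }
    }
}

function Test-SegmentIsolation {
    # Run from inside a DMZ VM: the "it & dev" DNS and SQL targets should answer, the
    # user-segment file server should not. Addresses are placeholders for the real hosts.
    param(
        [string[]]$ShouldReach    = @('192.0.2.10:53', '192.0.2.11:1433'),
        [string[]]$ShouldNotReach = @('192.0.2.129:445')
    )
    foreach ($t in $ShouldReach + $ShouldNotReach) {
        $target, $port = $t -split ':'
        $ok = Test-NetConnection -ComputerName $target -Port ([int]$port) -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target   = $t
            Reached  = $ok
            Expected = ($t -in $ShouldReach)
            Problem  = ($ok -ne ($t -in $ShouldReach))   # reachable but shouldn't be, or vice versa
        }
    }
}

Set-SegmentLayout -Segments $Segments -UseVlanTags $UseVlanTags
Get-SegmentReport -Segments $Segments | Format-Table -AutoSize
```

`Get-SegmentReport` is the part worth running on the host after every VM move, since a VM reconnected to the wrong switch is invisible from the router side. `Test-SegmentIsolation` is meant to be run from a VM on the DMZ segment, where any row with `Problem = True` means the router's inter-LAN routing rules do not match the intended "DMZ reaches only it & dev" policy.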

0 Answers