05-08-2012 09:33 AM
Question regarding HP Blade networking, VMware, and DMZ
Forgive me, I am trying to figure out why things are the way they are from a previous administrator who documented nothing. Additionally, I have been given a tight deadline in a truly lovely fashion without time to get acquainted with the current config. I am admittedly a little weak on Blade networking, though strong in VMware.
I have 4 VMware Blade servers on the left side of the chassis, and 4 non-VMware (regular) Blade servers on the right side of the chassis. There are two Shared Uplink Sets (Left and Right) which correspond to the two Ethernet switches on the back of the chassis.
There are the following VLANs, with the "right" ones being assigned to the SUS-Right and the "left" ones being assigned to the SUS-Left:
1) My understanding of the Shared Uplink Set is that it permits trunked lines to be aggregated as uplinks, allows internal switch networking, and cannot be stretched across switches (i.e. can't include right-and-left ports). Is this a good understanding?
2) I want to create a virtualized DMZ, so I have run two non-trunked DMZ lines, one right and one left. Since Shared Uplink Sets can't stretch across switches (?) and seem to do best with trunked lines, I have simply created one "DMZ" network and added these two ports (left AND right, since I will never want the non-VMware servers to have access to it) to it, setting it to Private Network. Is this appropriate, wrong, or are there better methods?
3) Any additional points you may wish to emphasize would be appreciated.
06-01-2012 05:53 PM
Re: Question regarding HP Blade networking, VMware, and DMZ
Both SUS and Normal Network support adding uplink connections from both the left and right sides.
However if you add connections from both sides, we will treat these as Active/Passive and only connections from 1 module will be active at any given time (VC will attempt to use the ones with the most available uplink bandwidth)
If you want to use port aggregation (LACP), you need to make sure you have a separate LACP Group (aka EtherChannel for the Cisco guys) for each VC module. so if you have 2 left and 2 right, you need 2 different Ether Channels up top to support this config.
The way you have it setup now is what we call Active/Active mode.
Internally VC thinks VLAN1-Right and -Left are actually different networks, which is why we can go Active/Active.
"Non Trunked lines" I assume you mean no VLAN Tagging.
If so, then you define a Network and assign the uplink port(s) directly to it with no SUS. SUS implies VLAN Tagging.
Same rules as above apply here. 1 port from each VC module into a single Network = Active/Passive mode on the uplinks. If you don't need the bandwidth this is probably OK.
I don't think Private mode means what you think it does, however.
Private mode prevents two blade servers in the same enclosure/stack from talking to each other when assigned to the same Network. So for instance, if you have a web farm with a load balancer and there is no need for the servers to see each other, enable Private mode.
If you want to make sure that no one ever mixes the DMZ Network and one of your VLANX networks into the same Server Profile, this feature is called Network Access Groups and was added in VC 3.30.
You would need to create a new NAG called DMZ, add the DMZ'd network to this new NAG and remove it from "Default".
Then when creating the server profile for the DMZ'd server, you pick the DMZ NAG from the drop down right next to the Profile Name field.
Hope this helps clear things up.
Here is a little glossary for anyone still confused.
SUS = dot1q trunk mode. Implies VLAN Tagging will be used on the upstream switch.
Ethernet Network assigned to Uplink Port = "Access" mode. Implies NO VLAN Tagging used.
Both SUS and EN support LACP based Link Aggregation if you leave that drop down box set to "Auto"
[x] Default Network = if we are expecting VLAN Tagged frames on an uplink and we receive a frame without a VLAN Tag, which network inside VC do we associate those frames with. Note that outbound traffic will always be tagged appropriately.
[x] Private = Servers on the same Network cannot communicate inside the VC module. Rarely used.
[x] Smart Link = Auto disable appropriate downlink ports when an uplink port goes offline. Only really useful in Active/Active configs.
[x] VLAN Tunneling = When you configure an EN to directly use an uplink port, you get this additional box, which is essentially Q-in-Q tagging. You can use dot1q tagging on the uplink port and VC will treat everything inside as a single network and pass it down to the server. This allows you to bypass the limitations on the number of VLANs supported in Mapped mode (though with Flex-10 and Flex-Fabric those limits were greatly increased in 3.30).
Multiple Networks = dot1q on a downlink defined in the Server Profile
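The rules in the answer above (uplinks from both modules in one Network run Active/Passive, a -Left/-Right pair on separate modules is Active/Active, Network Access Groups keep DMZ and internal networks out of the same Server Profile, Private mode blocks server-to-server traffic inside the module) can be checked offline against a design before it is pushed to the enclosure. The following is an added example written for this page, not HP code and not Virtual Connect CLI output; the network names, module ids ("left"/"right"), port names and NAG names are constructed for illustration and a real domain will use different ones.

```python
"""Offline policy checker for an HP Virtual Connect (VC) Ethernet design.

Added example (not HP's code, not VC CLI output).  The configuration below is
constructed: a VLAN10-Left / VLAN10-Right pair in the two SUSes, and a single
untagged "DMZ" network with one uplink on each module, as in the question.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Network:
    """One VC Ethernet Network (or one VLAN inside a SUS).
    'uplinks' is a list of (module, port) pairs; module is "left" or "right"."""
    name: str
    uplinks: List[Tuple[str, str]]
    tagged: bool = False      # True: carried in a SUS (dot1q trunk); False: access-mode EN
    private: bool = False     # the VC "Private" checkbox
    nags: Set[str] = field(default_factory=lambda: {"Default"})  # Network Access Groups


@dataclass
class Profile:
    """A VC Server Profile: the NAG it was created in and the networks on its NICs."""
    name: str
    nag: str
    networks: List[str]


def uplink_mode(net: Network) -> str:
    """Uplinks on one module only: every uplink can be active.
    Uplinks on both modules in ONE network: VC keeps a single module active."""
    modules = {m for m, _ in net.uplinks}
    if not modules:
        return "no uplinks"
    if len(modules) == 1:
        return "single module, all uplinks active"
    return "active/passive (one module active at a time)"


def active_active_pairs(networks: List[Network]) -> List[Tuple[str, str]]:
    """Find -Left/-Right network pairs where each side is homed on its own module.
    VC treats the two as different networks, so both modules forward at once."""
    by_name = {n.name: n for n in networks}
    pairs = []
    for net in networks:
        if not net.name.endswith("-Left"):
            continue
        partner = by_name.get(net.name[:-len("-Left")] + "-Right")
        if partner is None:
            continue
        left_mods = {m for m, _ in net.uplinks}
        right_mods = {m for m, _ in partner.uplinks}
        if left_mods == {"left"} and right_mods == {"right"}:
            pairs.append((net.name, partner.name))
    return pairs


def nag_violations(profile: Profile, by_name: Dict[str, Network]) -> List[str]:
    """Networks on the profile that are not members of the profile's NAG.
    VC 3.30+ refuses such an assignment in the GUI; this flags it in a design."""
    return [n for n in profile.networks if profile.nag not in by_name[n].nags]


def audit(networks: List[Network], profiles: List[Profile]) -> dict:
    by_name = {n.name: n for n in networks}
    return {
        "uplink_mode": {n.name: uplink_mode(n) for n in networks},
        "active_active_pairs": active_active_pairs(networks),
        "nag_violations": {p.name: nag_violations(p, by_name) for p in profiles},
        # Private mode on: servers on this network cannot reach each other via the module
        "private_networks": sorted(n.name for n in networks if n.private),
    }


# Constructed design, modelled on the question above (names are invented).
NETWORKS = [
    Network("VLAN10-Left", [("left", "X1"), ("left", "X2")], tagged=True),
    Network("VLAN10-Right", [("right", "X1"), ("right", "X2")], tagged=True),
    # one untagged DMZ port per module, Private on, moved out of "Default" into a DMZ NAG
    Network("DMZ", [("left", "X5"), ("right", "X5")], private=True, nags={"DMZ"}),
]
PROFILES = [
    Profile("esx-dmz-01", "DMZ", ["DMZ"]),
    Profile("app-01", "Default", ["VLAN10-Left", "VLAN10-Right"]),
    Profile("oops-01", "Default", ["VLAN10-Left", "DMZ"]),   # mixes DMZ into an internal profile
]

if __name__ == "__main__":
    for key, value in audit(NETWORKS, PROFILES).items():
        print(f"{key}: {value}")
```

Running it shows "DMZ" as active/passive (the left and right DMZ uplinks are in one network, so only one module's port carries traffic), VLAN10-Left/VLAN10-Right as the Active/Active pair, and "oops-01" as the profile that would be refused once the DMZ network lives only in the DMZ NAG. The same model can be extended with a LACP check (one aggregation group per module, as the answer notes) if the upstream switch configuration is also exported.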