多个vlan间网络流量分流

  • 2014年2月17日
  • 5回复
  • 1907的浏览量
shuguet
Userlevel 4
徽章 + 20
大家好,

我想知道是否有可能为每个不同的流量类型有不同的vlan ID/子网范围:
—Hypervisor管理(ESXi)
- Nutanix集群管理
—Nutanix集群复制/ AutoPath

最好的方法是在不同的vlan上设置复制和AutoPath。

这里的基本原理是遵循客户关于DMZ虚拟化的内部安全策略。
我们可以使用VLAN,不强制使用不同的物理端口,但是安全团队(世界银行)担心ESXi和Nutanix在同一个VLAN上。

Sylvain。
Sylvain Huguet - 2x Nutanix技术冠军2015-2016,法国Nutanix连接章节冠军,法国VMUG领袖,6x VMware vExpert 2011 -2016
    \n
    \nI was wondering if it's possible to have different VLANs ID\/Subnet range for each of the different traffic type bellow:
    \n - Hypervisor Management (ESXi)
    \n - Nutanix Cluster administration
    \n - Nutanix Cluster replication \/ AutoPath
    \n
    \nAnd the very best would be to even have replication & AutoPath on different VLANs.
    \n
    \nThe rationale here is to comply with customer internal security policies regarding DMZ virtualization.
    \nWe are allowed to use VLANs and are not forced to use differents physical ports, but the security team (worldwide bank) is concerned about the ESXi & Nutanix being on the same VLAN.
    \n
    \nSylvain.","quoteUsername":"shuguet","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

    5回复

    mluksch
    Userlevel 2
    徽章 + 10
    嗨shuguet,

    将HV/ESXi管理流量放在一个单独的VLAN上应该没有问题(它甚至在安装指南中提到)

    至于“Nutanix集群管理”和“复制流量”,我不认为它目前支持。

    为什么?
    如果在Hypervisor(vSwitch)级别上进行vlan拆分,你需要在你的CVM中有一个第三/第四个vNIC(为额外的网络配置额外的ip)
    这当然是没有问题的Linux CVM运行,但我看不到任何配置支持不同的Nutanix服务。

    如果你在CVM内部“转发”带vlan标签的流量,并在VM内部进行分裂,它仍然是相同的问题。
    我看到的唯一(理论上的)方法是在CVM内部配置一个10g-bond-的openvswitchv网卡作为上行链路(携带带标签的流量)和主要Nutanix CVM IP驻留的本地VLAN。此外,还有一些“openflow/openvswitch-rule”的魔法(这里就有点棘手了:P)以不同的方式标记,例如复制流量。

    荒谬的:-)

    编辑:您可以在意见箱/产品功能-类别。
    \n
    \nputting the HV\/ESXi mgmt traffic on a seperate VLAN should be no problem (its even mentioned in the install guide)
    \n
    \nas for the \"Nutanix Cluster Administration\" and the \"replication traffic\" i don't see it supported currently.
    \n
    \nWhy?<\/u>
    \nIf doing the VLAN-Splitup on the Hypervisor(vSwitch)-Level, you would need a 3rd\/4th vNIC in your CVM (to configure the additional IPs for the additional networks)
    \nWhich would be of course no problem for the Linux the CVM runs in, but i can't see any configuration support for the different Nutanix Services.
    \n
    \nIf you \"forward\" the vlan tagged traffic inside the CVM, and do the split-up inside the VM, it would still be the same Problem.
    \nThe only (theoretical) way i see is to configure an openvswitch inside the CVM with 10g-bond-v<\/b><\/u>NICs as uplink (carrying tagged traffic) and a native VLAN of the primrary Nutanix CVM IP residency. In addition there is some \"openflow\/openvswitch-rule\"-magic (here it gets tricky :P<\/i>) which tags e.g. replication traffic differently.
    \n
    \nabsurd :-)
    \n
    \nEdit: you may post into the Suggestion Box \/ Product Features - category..","quoteUsername":"mluksch","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
    shuguet
    Userlevel 4
    徽章 + 20
    是啊,我在想也许作为一个高级配置,有支持帮助之类的。
    我很清楚UI的技术限制,但正如您所指出的,Linux VM更愿意使用更多的vNIC。

    这只是一个添加选项的问题,所以如果现在不可能,我将接受你的建议,并在建议部分张贴。

    Sylvain。
    Sylvain Huguet - 2x Nutanix技术冠军2015-2016,法国Nutanix连接章节冠军,法国VMUG领袖,6x VMware vExpert 2011 -2016
    \nI'm well aware of the technical limitations of the UI, but as you pointed, the Linux VM would be more than happy with more vNIC.
    \n
    \nIt's just a matter of adding the option, so if it's not possible right now, I will take your advice and post in the suggestion section.
    \n
    \nSylvain.","quoteUsername":"shuguet","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
    mluksch
    Userlevel 2
    徽章 + 10
    重读这些文档让我想起了远程复制命令的地址列表选项。

    通常,您会将这个参数用于cvm - ip地址,但文档中还讨论了理论上的(VPN)隧道地址。

    对我来说,这看起来像你会——至少从技术的角度来看——能够添加第二个vnic到CVM(在一个不同的vlan, (un)由ESXi vSwitch标记),并使用该IP进行复制流量。

    (检查cerebro服务是否监听0.0.0.0或接口绑定)

    如果这有效,nutanix可能会支持它。

    我还在想,然后“隧道”注释在文档中。
    \n
    \nNormally you would use this parameter for the CVM-IP-addresses, but the docs also talk about an theoretical (VPN) tunnel address.
    \n
    \nto me this looks like you would - at least from a technical point of view - be able to add a second vnic to the CVM (in a different vlan, (un)tagged by ESXi vSwitch), and use that IP for replication traffic.
    \n
    \n(check if cerebro service is listening on 0.0.0.0 or if it is interface bound)
    \n
    \nif that works nutanix will possibly support it.
    \n
    \nI'm still wondering about then \"tunnel\" comment in the docs.","quoteUsername":"mluksch","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
    C
    徽章 +5
    从合作伙伴网站
    描述
    有时网络设计需要将cvm和ESXi放在不同的网络中。Current versions of Nutanix cluster do not allow this, and the ha.py failover script will not function properly.A workaround is detailed below, however this still requires the use of addresses within the CVM's network to assign to the ESXi hosts (in addition to the primary management addresses assigned on the hosts outside of the CVM network).

    解决方案
    处理:
    1. 在每个ESXi主机上创建一个存储VMKernel端口组。
    • 在cvm的子网内分配IP地址。这将允许CVM与主机通信,以获得虚拟机/CPU/内存统计的详细信息,并通过HyperInt API自动挂载NFS数据存储。
    • 取消选择该端口组中的vmotion、管理流量、容错日志和iscsi。
    1. 将ESXi的IP地址(你创建的新vmk)放到CVM的nfs-白名单中:
    ip-subnet-mask ="x.x.x.x/n.n.n "

    其中,x.x.x.x表示新vmkernel端口组的IP地址,n.n.n表示子网掩码。
    1. 对在步骤1中创建的每个新VMKernel IP地址重复步骤2(可选地,你可以添加整个CVM子网)
    \nDescription<\/b>
    \nSometimes a network design requires the CVMs and ESXi hosts to be on separate networks.Current versions of Nutanix cluster do not allow this, and the ha.py failover script will not function properly.A workaround is detailed below, however this still requires the use of addresses within the CVM's network to assign to the ESXi hosts (in addition to the primary management addresses assigned on the hosts outside of the CVM network).
    \n
    \nSolution<\/b>
    \nWorkaround:
    \n
      \n
    1. Create a storage VMKernel portgroup on each ESXi host.<\/ol>
        \n
      • Assign an IP address within the CVMs' subnet. This will allow the CVM to communicate with the host to get details of VM\/CPU\/memory statistics and automatically mount NFS datastores via the HyperInt API. \n
      • Unselect vmotion, management traffic, fault tolerant logging and iscsi from this port group.<\/ul>
          \n
        1. Put the ESXi IP address (the new vmk that you created) in the CVM's nfs-white-list:<\/ol>ncli cluster add-to-nfs-whitelist ip-subnet-masks=\"x.x.x.x\/n.n.n.n\"
          \n
          \nWhere x.x.x.x is the IP address of the new vmkernel port group and n.n.n.n is the subnet mask.
          \n
            \n
          1. Repeat step 2 for each of the new VMKernel IP addresses you created in step 1 (optionally, you can add the entire CVM subnet instead)<\/ol>","quoteUsername":"comotoza","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
    shuguet
    Userlevel 4
    徽章 + 20
    这是解决方案的一部分,但主要关注的是分离CVM管理和CVM到CVM复制。
    由于第一种流量是管理(通常是路由/远程),第二种是存储(大多数情况下只有L2,本地),因此将它们划分为两个vlan是很有意义的。

    Sylvain。
    Sylvain Huguet - 2x Nutanix技术冠军2015-2016,法国Nutanix连接章节冠军,法国VMUG领袖,6x VMware vExpert 2011 -2016
    \nAs the first kind of traffic is management (often routed\/remote) & the second is storage (most of the time L2 only, local), it will make a lot of sense to split them in 2 VLANs.
    \n
    \nSylvain.","quoteUsername":"shuguet","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

    回复


    Baidu