September 24, 2009, 9:03 AM — Virtualization introduces many new concepts into your environment, and as a result many groups within IT often put up resistance to it. This tip addresses the specific concerns of network administrators and what they need to know about virtualization -- before you start your virtualization journey.
Traditionally, most network groups manage the physical network path of a server from the switch all the way to the NIC. Virtualization changes that with vSwitches: the physical network now extends past the NIC in an ESX host to a vSwitch managed by the ESX server, and from there over a virtual NIC (vNIC) into each VM. This vSwitch is usually managed by ESX administrators rather than network administrators, which concerns some network administrators because they can no longer control and manage the part of the network that connects a virtual server to the physical network.
802.1Q VLAN tagging is a network technology commonly used when virtualizing servers. It lets you carry multiple VLANs on a single vSwitch and is a must-have in large environments. Without it, you would have to create a separate vSwitch for each VLAN and dedicate at least one physical NIC to it. This technology is not used that often with physical servers, so some network administrators may have little experience with it.
Another networking area that is often a concern with virtualization is connecting VMs to your public demilitarized zone (DMZ) while keeping your ESX service console on your private internal network. The worry is that the ESX server is straddling the DMZ, because it has connections to both the private and public networks, so an attacker who compromises a VM in the DMZ might gain access to your internal network. The design of ESX does not allow this to occur; the only scenario in which it could happen is if someone mistakenly configures a VM with two virtual NICs (vNICs), one on an internal network vSwitch and the other on an external network vSwitch, which you would never want to do (unless the VM is deliberately acting as a firewall or proxy server).
What network administrators need to know:
- Explain the concept of vSwitches and vNICs and how they interact with physical switches and physical NICs.
- Show them how to set up and configure a vSwitch and how to install a vNIC in a VM and connect it to a vSwitch.
- Explain to them how ESX uses trunked network ports and how 802.1Q VLAN tagging works in a virtual networking environment.
- Explain virtual network security principles and how vSwitches are isolated from each other so that traffic cannot leak between them.
- Demonstrate NIC teaming and failover in a virtual switch.
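As an added example (not part of the original tip), the DMZ and VLAN points above as a small inventory audit in Python: it models a host's vSwitches, 802.1Q port groups and VM vNICs as constructed dicts (an assumed data model, not ESX's own configuration store), confirms the service console sits on an internal vSwitch, checks that each port group's VLAN ID is a legal single tag, and flags any VM whose vNICs span the DMZ and internal networks unless its role is firewall or proxy.

```python
# Added example (not from the original tip): audit a constructed ESX inventory
# for the misconfigurations the tip warns about. The data model below is an
# assumption for illustration, not how ESX stores its configuration.

# Constructed sample inventory (not real host data).
VSWITCHES = {
    "vSwitch0": {"zone": "internal", "uplinks": ["vmnic0", "vmnic1"]},
    "vSwitch1": {"zone": "dmz", "uplinks": ["vmnic2", "vmnic3"]},
}
# 802.1Q: one vSwitch carries several VLANs as separately tagged port groups.
PORT_GROUPS = {
    "Service Console": {"vswitch": "vSwitch0", "vlan": 10},
    "Internal VMs": {"vswitch": "vSwitch0", "vlan": 20},
    "DMZ Web": {"vswitch": "vSwitch1", "vlan": 100},
    "DMZ Mail": {"vswitch": "vSwitch1", "vlan": 101},
}
VMS = {
    "web01": {"vnics": ["DMZ Web"], "role": "server"},
    "app01": {"vnics": ["Internal VMs"], "role": "server"},
    "oops01": {"vnics": ["Internal VMs", "DMZ Mail"], "role": "server"},
    "fw01": {"vnics": ["Internal VMs", "DMZ Web"], "role": "firewall"},
}

BRIDGING_ROLES = ("firewall", "proxy")  # VMs allowed to span both zones


def audit(vswitches, port_groups, vms, console_pg="Service Console"):
    """Return a list of findings; an empty list means the inventory is clean."""
    findings = []

    def zone(pg):  # zone of the vSwitch a port group is attached to
        return vswitches[port_groups[pg]["vswitch"]]["zone"]

    # Check 1: the service console port group must live on an internal vSwitch.
    if zone(console_pg) != "internal":
        findings.append(f"{console_pg}: service console is in the {zone(console_pg)} zone")

    # Check 2: a tagged port group needs a single 802.1Q VLAN ID (1-4094); 0 = untagged.
    for name, pg in port_groups.items():
        if pg["vlan"] != 0 and not 1 <= pg["vlan"] <= 4094:
            findings.append(f"{name}: VLAN ID {pg['vlan']} is outside 1-4094")

    # Check 3: a VM whose vNICs sit in both zones bridges the DMZ and the
    # internal network; only a VM deliberately acting as a firewall/proxy may.
    for vm, cfg in vms.items():
        zones = sorted({zone(pg) for pg in cfg["vnics"]})
        if len(zones) > 1 and cfg["role"] not in BRIDGING_ROLES:
            findings.append(f"{vm}: vNICs span zones {zones}")
    return findings
```

Running `audit(VSWITCHES, PORT_GROUPS, VMS)` on the sample data reports only `oops01`, the accidentally dual-homed VM, while `fw01` passes because its role is firewall.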