Monday, February 14, 2011

A Virtual Lab on ESXi in a VMWare Workstation Guest

Alright, I have been away for too long. I am still here.

In this article, we will look at a basic infrastructure where we can deploy our filegateway, or anything else for that matter. It is a very basic infrastructure architecture. It is definitely not a production environment, but it is built to have the potential to become one. As we go, we should be able to easily add a firewall, a load balancer, an SSL offloader, redundancy/FT, application clusters, Oracle RAC, monitoring and security, and connect it to another LAN over IPsec. Hopefully we will be able to play with many application features on this platform. A DMZ within this virtual infrastructure is certainly possible without a significant redesign.

The logical view of the network infrastructure.


Due to a limited budget, this environment has been built on an ESXi host that is itself a VM on a Windows 7 64-bit host. The physical switch has been replaced with a vSwitch, and the uplink is simulated by a port on a Vyatta router VM.

The ESXi view of the network and guest OSes.

ESXi Virtual Network

The Infrastructure Explained
- VLAN
There are 3 VLANs.
  • MSG_VLAN - As the name suggests, this carries the TIBCO EMS traffic.
  • DB_VLAN - The database network.
  • APP_VLAN - The VLAN for TIBCO BW and the Admin Server. The Oracle Fusion server will also be deployed on this network.
Each VLAN except DB_VLAN has its own DHCP server at the moment. It should be trivial to configure DHCP relay on the Vyatta router so that only one DHCP server is required.

- SWITCH (vS1)
This is a layer 2 access switch that provides the VLANs and has an 'uplink' connected to a VLAN trunk port on the layer 3 router. The vSwitch does not route between VLANs.

- ROUTER (vR1)
This router provides the link to our 'external world', which is our host machine. It provides inter-VLAN routing, NAT and a firewall (disabled for now). It has an interface configured for 802.1q VLAN trunking. Outgoing traffic is routed to vR0 for internet access. This route also provides access to the APP_VLAN from the host machine.

Update: The Vyatta configuration details for vR1 are now available here.

- ROUTER (vR0)
vR1 does not have direct connectivity to the internet. This router provides limited access to the internet from the VLANs and the PROD_LAN. In my lab, I have another notebook that acts as the Internet Connection Sharing (ICS) host. Note the IP address 192.168.0.1, as dictated by Microsoft. This router also eliminates my problem with the ICS side effect where the domain name of every PC connected to 192.168.0.0/24 becomes mshome.net after ICS is turned on.

Update: The Vyatta configuration details for vR0 are now available here.

- NFS_LAN
This is an IP network that carries all NFS traffic to and from the ESXi host. For the sake of simplicity, the NAS also provides storage to all VMs within the host. The storage types are iSCSI (for VMSTORE) and NFSv3 for all other VMs, primarily for application data, the database cluster and logging. The NAS is implemented with OpenFiler.

- Connectivity
All inter-VLAN traffic is routed by the layer 3 router-on-a-stick (implemented as the Vyatta virtual appliance, vR1).

- Security/Isolation
All VLANs defined on the switch are isolated from each other, which effectively defines the broadcast boundaries. Routing between the VLANs (inter-VLAN routing) is performed by the router connected to the (virtual) uplink port of the switch. Communication between the different tiers (MSG, APP, DB) could be firewalled if required.

Access to the virtual lab from the host machine is limited to the APP_VLAN only. Hosts on the MSG_VLAN and DB_VLAN can only be accessed from hosts within the APP_VLAN.
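The isolation policy above, expressed as a small checker that also emits the matching inbound rulesets for vR1. This is an added example, not part of the original post or the author's published Vyatta configuration; the VLAN subnets, the 802.1q tags and the trunk port name eth1 are assumptions (the post only gives the 192.168.0.0/24 ICS prefix), and the emitted lines use the Vyatta/VyOS 'set' syntax.

```python
import ipaddress

# Constructed addressing plan: the post names the VLANs but gives no subnets.
# 192.168.0.0/24 is the ICS/PROD_LAN side the post mentions; the rest are assumed.
NETWORKS = {
    "PROD_LAN": ipaddress.ip_network("192.168.0.0/24"),
    "APP_VLAN": ipaddress.ip_network("10.1.30.0/24"),
    "MSG_VLAN": ipaddress.ip_network("10.1.10.0/24"),
    "DB_VLAN": ipaddress.ip_network("10.1.20.0/24"),
}
VLAN_IDS = {"MSG_VLAN": 10, "DB_VLAN": 20, "APP_VLAN": 30}  # assumed 802.1q tags

# Flows vR1 may forward between zones, as the post states them: the host reaches
# only APP_VLAN; MSG_VLAN and DB_VLAN are reachable only from APP_VLAN; APP_VLAN
# may head out towards vR0 for internet access.
ALLOWED = {("PROD_LAN", "APP_VLAN"), ("APP_VLAN", "MSG_VLAN"),
           ("APP_VLAN", "DB_VLAN"), ("APP_VLAN", "PROD_LAN")}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NETWORKS.items() if addr in net), None)


def is_allowed(src, dst):
    """True if a new flow src->dst should pass vR1 (replies are matched statefully)."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False
    if s == d:
        return True  # stays inside one VLAN on vS1; the router never sees it
    return (s, d) in ALLOWED


def vyatta_rules(zone):
    """Vyatta/VyOS-style 'set' lines for the inbound ruleset of one VLAN sub-interface."""
    name = f"IN-{zone}"
    lines = [f"set firewall name {name} default-action drop",
             f"set firewall name {name} rule 5 action accept",
             f"set firewall name {name} rule 5 state established enable"]
    num = 10
    for src, dst in sorted(ALLOWED):
        if src == zone:
            lines += [f"set firewall name {name} rule {num} action accept",
                      f"set firewall name {name} rule {num} source address {NETWORKS[src]}",
                      f"set firewall name {name} rule {num} destination address {NETWORKS[dst]}"]
            num += 10
    # eth1 is the assumed trunk port facing vS1; only zones with a VLAN tag have a vif
    lines.append(f"set interfaces ethernet eth1 vif {VLAN_IDS[zone]} firewall in name {name}")
    return lines
```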

To provide further clarity, the following images show the 3 core VMware guest OSes that make up the ESXi infrastructure sitting on the Windows 7 host. Everything else runs inside the ESXi 'host'.

ESXi 'host' as a VMware Workstation guest

OpenFiler iSCSI & NAS as a VMware guest

vR0/FW0 as the 'edge router' into the internet.

Cheers.

3 comments:

  1. Kein, can I contact you regarding this article? For some reason when I do this procedure, the ESXi host refuses to communicate on the iSCSI vmkernel network. So I can't get the Openfiler virtual NAS to work.

  2. Gracias! I got it working. I'm using Debian squeeze instead, with the vlan package.

  3. Please, I need your help.
    I have read all the posts on the internet, but I don't know what is wrong.
    I want to ping from PC10 (portgroup in Vlan 10 with ip 1.1.10.200, GW 1.1.10.2) to the int vlan 10 on the switch (ip 1.1.10.2) but it says Destination host unreachable.
    I want to configure a topology with a Cisco L3 Switch with vlan routing between 2 VM's created inside an ESXi host.

    So I have the following:
    - on my laptop I have installed VMWare Workstation
    - inside the workstation I created 2 VM's: one ESXi host and one GNS3 VM Server
    - on the ESXi host I have created two VM's:
    -----PC10 on portgroup V10 allocated to Vlan 10 with ip 1.1.10.200/24 GW 1.1.10.2
    -----PC20 on portgroup V20 allocated to Vlan 20 with ip 1.1.20.200/24 GW 1.1.20.2
    -----the management interface has the ip: 10.10.10.10

    The switch is configured as a L3 SW:
    ----- the switch runs inside the GNS3 VM and it is a QEMU VIRL image
    ----- I have created vlan 10 and vlan 20
    ----- int vlan 10 with ip 1.1.10.2
    ----- int vlan 20 with ip 1.1.20.2
    ----- int g0/0 (connected to ESXi host) is configured as a trunk

    I want to mention that I have tested the connectivity between the switch and a PC inside the ESXi and it worked as follows:
    - Switch: int g0/0 (connects to ESXi host)
    --- no switchport
    --- ip addr 10.10.10.2/24
    - ESXi host: management int - 10.10.10.10 GW 10.10.10.2
    - PC inside ESXi: ip add 10.10.10.200 GW 10.10.10.2 (connected to VM Network)
    - no vlan configuration was done, neither inside the switch, nor inside ESXi.

    I just wanted to test connectivity between the switch and a PC inside ESXi, and after that to configure vlan. But it didn't work.
