In many cases of virtualization deployments, especially when you have an FW-VA (Firewall Virtual Appliance) and wanna configure its required networking structure, I saw that all traffic, include LAN and WAN are transferred via a single boundary, I mean there is only one virtual switch with default configuration (just one port group), so all of the existing vNICs are connected to that port group. The sad story is here when you see there is only one connected uplink (VMNIC) for the physical connectivity of mentioned vSwitch.
If I want to describe the problem with more details, in some unexpected situations you will encounter the problem of unstable connectivity and many other issues like one I saw recently: duplicate and mismatch of the MAC address of firewall network interfaces! and I think you can imagine what's the origination and cause of the problem. In similar topology like that I described, all LAN, WAN, DMZ traffics of the virtual firewall will be forwarded from a single VM with multiple vNICs to a unique vswitch, and the vswitch will forward them through that single existing uplink. But the problem will be occur when the (reply) frames are coming back to the ESXi host from the physical networking, the vSwitch couldn't recognize exactly whose is the correct vNIC that originate the sending data. As you may know, the vSwitch does not need to learn the MAC learning feature and also which MAC address has been associated with each VM. So vSwitch doesn't really require to ARP information and CAM table. When the frame arrives to the vSwitch, it's part of the VMkernel duties to check the connected vNICs to that vswitch, and compare with the destination MAC inside the received frame. However consider this matter if there is no match the frame will be rejected.
In this situation for the first step you can simply separate the virtual switches (and by doing this actually you will separate the physical uplinks too). Then you need to assign separate port groups (in different vSwitch) per each of required interfaces in the firewall based on network topology design. and at last you should connect the physical cables directly to the endpoint WAN devices (like line terminal or DSL model) without any other interface. Now you can understand why it's required to separate physical connectives of firewall virtual appliances ...
Sometimes you may design for configuration of just one VSS/VDS and BTW you don't want to separate any traffics via dedicated virtual switches. In this situation you need to change the failover order of vmnics for each port group and arrange them based on corresponding outgoing physical interface. However, in similar circumstances I had many issues like that I mentioned. So I strongly recommend to use multiple separate vSwitches for LAN, WAN, DMZ port groups.
No comments:
Post a Comment