
November 3rd, 2011 14:00

Bind IP Subnet to VLAN - Does this make sense?

Greetings Everyone,

I've inherited a Dell M1000e blade chassis and 16 M600 blades that I'm now in the middle of migrating from standalone to clustered. Each is running Server 2008 R2 SP1 and Hyper-V. My issue is I'm trying to think of the simplest way to manage traffic segregation for hosting multiple clients within our cluster. In other words, our M1000e chassis is a public cloud that we want to partition off into smaller private clouds for our SMB clients. However, the segregation is purely logical. Multiple clients can and will be hosted on the same physical servers. All segregation must be able to fail over between physical hosts along with the VM.

Can anyone point in the direction of some "best practice" approaches to this or similar situations? So far, I've only dealt with private, internal networks, never shared between multiple businesses.

My current plan is to use the "Bind IP Subnet to VLAN" feature of the M6220 blade switches we're using. Then I'll establish the convention with my colleagues that the first two digits of the VLAN are to identify the client, and the last two digits identify a VLAN within the client's private cloud. Then, the first two digits become the second octet of the subnet, and the last two numbers identify the 3rd octet of the subnet.

Example:

  • Company ID: 12
  • Management VLAN: 99
  • WAN VLAN: 10
  • LAN VLAN: 20

IP Subnets:

  • Management: 10.12.99.0/24
  • WAN: 10.12.10.0/24
  • LAN: 10.12.20.0/24

VLAN to Subnet Mappings:

  • 10.12.99.0/24: VLAN 1299
  • 10.12.10.0/24: VLAN 1210
  • 10.12.20.0/24: VLAN 1220

This would allow me to segregate 40 clients, each with 100 /24 VLANs. I guess I could reverse the order and do 100 clients each with 40 VLANs, but we're too small of a company for me to imagine having 40 customers, let alone 100.

In any case, is this a sane plan? I like it because the only VLAN configuration that needs to be done is on the switch and gateway router. Also, if a VM fails from one host to another, it doesn't really matter because the traffic is segregated based on subnet rather than a specific port on the switch. The only down side I can see is that it's not as secure because simply changing the IP of a NIC could potentially put it on another VLAN.

I see this as incredibly unlikely, however, as we will be configuring and managing most, if not all, of these environments ourselves, and very few of our clients will directly log into the servers, let alone change IPs, let alone know what to change them to. Most of our clients have hired us because they don't have an IT department, so the chance of any of them knowing what a VLAN even is is incredibly slim.

Thoughts?
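The numbering convention described in the post above, as an added example that is not part of the thread: a small Python script that derives VLAN IDs from subnets and back, reports subnets the scheme cannot express (802.1Q leaves 2-4094 usable once the reserved tags and the default VLAN are excluded), and audits a constructed VM NIC inventory for the IP/VLAN mismatch the post calls out. Function names and the sample inventory are assumptions.

```python
import ipaddress

# VLAN 0 and 4095 are reserved by 802.1Q and VLAN 1 is the switch default,
# so usable tags for the scheme are 2-4094.
VLAN_MIN, VLAN_MAX = 2, 4094


def vlan_for_subnet(subnet: str) -> int:
    """Thread convention: 10.<client>.<net>.0/24 -> VLAN <client><net>."""
    net = ipaddress.ip_network(subnet, strict=True)
    first, client, vnet = net.network_address.packed[:3]
    if first != 10 or net.prefixlen != 24:
        raise ValueError(f"{subnet}: convention assumes 10.<client>.<net>.0/24")
    vlan = client * 100 + vnet  # e.g. 10.12.99.0/24 -> 1299
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        raise ValueError(f"{subnet}: derived VLAN {vlan} is outside {VLAN_MIN}-{VLAN_MAX}")
    return vlan


def subnet_for_vlan(vlan: int) -> ipaddress.IPv4Network:
    """Inverse mapping: VLAN 1220 -> 10.12.20.0/24."""
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        raise ValueError(f"VLAN {vlan} is outside {VLAN_MIN}-{VLAN_MAX}")
    client, vnet = divmod(vlan, 100)
    return ipaddress.ip_network(f"10.{client}.{vnet}.0/24")


def check_plan(subnets):
    """Map each planned subnet to its VLAN, or to the reason it cannot be used."""
    result = {}
    for s in subnets:
        try:
            result[s] = vlan_for_subnet(s)
        except ValueError as exc:
            result[s] = str(exc)
    return result


def audit_nics(nics):
    """nics: (vm, vlan_tag, ip/prefix). Flag NICs whose IP is outside the subnet
    that the convention assigns to their VLAN tag (the drift the post worries about)."""
    findings = []
    for vm, vlan, ip in nics:
        expected = subnet_for_vlan(vlan)
        if ipaddress.ip_interface(ip).network != expected:
            findings.append(f"{vm}: {ip} is outside {expected} (VLAN {vlan})")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    print(check_plan(["10.12.99.0/24", "10.40.95.0/24", "10.0.1.0/24"]))
    print(audit_nics([("client12-dc01", 1220, "10.12.20.5/24"),
                      ("client12-web01", 1210, "10.12.20.7/24")]))
```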

14 Posts

April 26th, 2012 06:00

Hi,

Did you get round to trying the "Bind IP Subnet to VLAN" method of segregating your clients? And more importantly did it work? I am in exactly the same situation as you and was also looking to use this feature and would appreciate your feedback.

 

Regards

Paul

4 Posts

April 26th, 2012 14:00

Unfortunately, to answer my own question, no, this does not make sense. After a call to Dell, it was explained to me that this feature does not at all do what you would think it does. You're going to have to create every VLAN, then make the switchports members of those VLANs.

If you have LAGs, add the LAG to the VLAN, not the ports. If you're running Hyper-V (or I assume VMware as well), and you configure the virtual NIC of each VM to be a part of different VLANs, then you want to put your switchports (or LAGs) into general mode, so it can accept both tagged and untagged traffic, then add them to the VLAN in Trunk mode.

Hope that helps. Any more questions, don't hesitate.

14 Posts

April 26th, 2012 15:00

Thanks for the swift response, even if it's not the one I was hoping for. So what is the point of "BIND IP to Subnet" if you have to go and manually create the VLANs and then change the configuration of all your switch ports?

There is one other thing that you may be able to help with. I'm currently using my ISA server as my DG for all my guests but I'll need to change this to my 6248 when I introduce VLANs. How do I tell the 6248 to pass all packets not destined for the VLANs onto my ISA server for routing over the internet?

At the moment everything is flat with just the default VLAN and my management interface is on the same subnet.

My network looks something like this:

172.16.0.0/255.255.0.0

ISA = 172.16.1.1/172.16.1.254

6248 = MGMT Interface 172.16.1.252

DG of clients = 172.16.1.254

I want to move the 254 address to the switch and have packets destined for the web routed through the ISA. On my previous switch (3-COM) this was easy as there was a last hop setting that I configured to point to the ISA but I can't seem to find this on the Dell.

Cheers

Paul

14 Posts

April 26th, 2012 15:00

WOW. Thanks for the help. The ISA solution isn't the most elegant so I may have to look at doing something else.

Cheers

Paul

4 Posts

April 26th, 2012 15:00

In my case, I have two M6220 switches stacked together into one switch, with a Juniper firewall for my DG. For this to work, the virtual NIC in the VM has to be assigned to a VLAN, the VLAN needs to be created on the switch, the VLAN needs to be assigned to the switchport (or LAGs, in my case), and the VLAN needs to be configured on my Firewall.

It will be almost the same for you. I create subinterfaces for each of my VLANs on the firewall:

Interface: Bgroup0/0.10

VLAN ID: 1010

Subnet: 10.10.10.1/24

DG IP: 10.10.10.1

So any VM in that VLAN/Subnet uses 10.10.10.1 as the DG. If I had VLAN 1020, I'd create another subinterface and configure the subnet to 10.10.20.1/24 with DG of 10.10.20.1.

It will be almost identical for you: blogs.technet.com/.../802.1q-and-isa-server.aspx

Basically, you want to create a *logical* NIC for each VLAN. If you have a server grade NIC in your ISA server, this should be no problem. See your NIC documentation or Google for how to do that.

Once you create that logical NIC, it will show up as if it is a real one, except you will have configured it to be a member of a specific VLAN. Then just configure it with an IP like any other interface.

I'm sure there are better instructions out there, but this should get you started. Let me know how it goes!

P.S. Just thought of something that might help you visualize this better: The VLANs are end to end. That is to say, they stretch all the way from the VMs, through the switch, into your DG. The traffic to/from these VLANs never actually uses the default VLAN.

4 Posts

April 26th, 2012 15:00

Oh yeah, and IIRC, the "Bind IP to Subnet" feature is either for diskless booting, or thin clients, or something like that. Would be exceedingly nice if Dell actually documented that somewhere. Oh, I dunno, maybe in the manual?

"This field is called "IP Address". Only IP Addresses are accepted." Gee, thanks Dell. But WHY would I use it?
