Virtual LANs for your Acropolis Hypervisor Virtual Machines
In the first article of our four-part Acropolis Networking series we tackled bridges and bonds. The second part addressed load balancing. Today we'll look at placing the Acropolis Hypervisor (AHV) host and the Controller Virtual Machine (CVM) in the correct VLAN for traffic segmentation.
Storage and management traffic are typically separated from user virtual machine traffic, and Nutanix AHV is no exception. VLANs provide a convenient way to segment the different traffic types, and even to segment between classes of user VMs. With virtualization, many VLANs are usually trunked to each physical server to account for the different networks used by the virtual machines it hosts.
In Nutanix, the recommended VLAN configuration is to place the CVM and the AHV host in the default untagged (native) VLAN of the switch port, as shown below.
Note that in this default configuration VLANs 101 and 102 are still trunked to the AHV host for user VMs; only the host and CVM themselves use the native VLAN. Configuration of VM networks will be covered in our next blog post and video using both Prism and aCLI.
Traffic destined for the AHV host and the CVM will not carry a VLAN tag. If sending untagged traffic to the AHV host and CVM is not desired, or is disallowed by security policy, VLAN tags can be added to the host and the CVM with the following configuration. A common reason for such a policy is that the native VLAN is the one whose frames travel untagged on the trunk, which is the condition that 802.1Q double-tagging (VLAN hopping) attacks depend on, so many organizations keep management and storage traffic off the native VLAN.
Configure the VLAN tag on br0 on every AHV host in the cluster. Before doing so, confirm with your network team that the switch ports facing every host carry VLAN 10 as a tagged VLAN in the trunk: once the tag is set, the host's own management interface will only send and receive frames tagged 10. From each CVM the local AHV host is reachable at the internal address 192.168.5.1, so run the following on each CVM in turn. The second command prints the OVS port record; check that its tag column now reads 10 rather than trusting the return code of the first command.
nutanix@CVM$ ssh root@192.168.5.1 "ovs-vsctl set port br0 tag=10"
nutanix@CVM$ ssh root@192.168.5.1 "ovs-vsctl list port br0"
Configure the VLAN tag for the CVM on every CVM in the Nutanix cluster, again repeating on every node. I prefer to do this manually per host (one at a time) rather than using the "allssh" command, just in case my network admin hasn't actually trunked the switch ports properly: a mistake then takes one CVM offline instead of the whole cluster.
nutanix@CVM$ change_cvm_vlan 10
In this design, AHV host and CVM traffic is tagged with VLAN ID 10. User VM traffic is still tagged in the network according to the VM networks configured in Prism or aCLI.
In this example the CVM's storage data and management traffic are carried together in VLAN 10. If network segmentation between storage data and management traffic is required to meet security requirements, see Nutanix KB article KB-2748.
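As an added example that is not part of the original post and not Nutanix tooling, the following POSIX shell functions parse the output of ovs-vsctl list port br0 to confirm the tag actually landed, and wrap the set command in a commit-or-rollback check so a host whose switch port is not yet trunked for VLAN 10 does not stay cut off from its gateway. The internal address 192.168.5.1 is the Nutanix convention for reaching an AHV host from its own CVM; the gateway address is an assumed placeholder, and the two sample listings are constructed, trimmed to the columns that matter.

```sh
#!/bin/sh
# Added example, not code from the original post or from Nutanix.
# Verifies the br0 tag from "ovs-vsctl list port br0" output and applies a
# tag with automatic rollback. Assumes the AHV host is reachable from its own
# CVM at the internal address 192.168.5.1 and that the caller supplies the
# VLAN-10 gateway address (a placeholder, not a value from the post).

# Constructed sample of `ovs-vsctl list port br0` output, trimmed to the
# columns that matter here. Real output lists every column of the Port table.
SAMPLE_TAGGED_LISTING='name                : br0
tag                 : 10
trunks              : []
vlan_mode           : []'

SAMPLE_UNTAGGED_LISTING='name                : br0
tag                 : []
trunks              : []
vlan_mode           : []'

# Read a Port listing on stdin and print the value of its "tag" column.
# OVS shows an unset tag as the empty set "[]"; print "untagged" in that case.
br0_tag_from_listing() {
    awk -F': *' '$1 ~ /^tag *$/ {
        gsub(/ /, "", $2)
        print ($2 == "[]") ? "untagged" : $2
        exit
    }'
}

# Succeed (exit 0) only when the listing on stdin shows exactly the expected
# tag. Use this after "ovs-vsctl set port br0 tag=N" instead of trusting the
# exit status of the set command.
check_br0_tag() {
    expected="$1"
    actual="$(br0_tag_from_listing)"
    [ "$actual" = "$expected" ]
}

# Tag br0 on one AHV host and keep the tag only if the host can still reach
# its gateway over the now-tagged network; otherwise clear the tag again.
# Everything runs inside ONE ssh session so the rollback executes on the host
# even if our session is cut off. Arguments: host address, VLAN ID, gateway IP.
apply_br0_tag_with_rollback() {
    host="$1"; vlan="$2"; gw="$3"
    ssh "root@$host" "ovs-vsctl set port br0 tag=$vlan && \
        if ping -c 3 -W 2 $gw >/dev/null 2>&1; then \
            echo TAGGED; \
        else \
            ovs-vsctl clear port br0 tag; \
            echo 'REVERTED: gateway unreachable on tagged VLAN'; exit 1; \
        fi"
}

# Per-host workflow as typed on one CVM for its local host (not executed when
# this file is sourced; <gateway-ip> is a placeholder):
#   apply_br0_tag_with_rollback 192.168.5.1 10 <gateway-ip> \
#     && ssh root@192.168.5.1 "ovs-vsctl list port br0" | check_br0_tag 10 \
#     && change_cvm_vlan 10
```

The rollback lives in the same ssh command as the set because the tagged network is exactly what a wrong trunk configuration breaks; the host can still clear its own tag locally even if nothing else can reach it. Only after the listing shows the expected tag on that host should change_cvm_vlan run on its CVM, which keeps the blast radius of a mistrunked port to a single node.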
Now the CVM and AHV hosts communicate on their own tagged network, separate from user VM traffic. Follow up in our next blog post for information on how to bring VLANs to VMs on Nutanix AHV.
This post was authored by Jason Burns, Senior Solutions & Performance Engineer at Nutanix