I was wondering if it's possible to have different VLAN IDs/subnet ranges for each of the different traffic types below:
- Hypervisor Management (ESXi)
- Nutanix Cluster administration
- Nutanix Cluster replication / AutoPath
And the very best would be to even have replication & AutoPath on different VLANs.
The rationale here is to comply with customer internal security policies regarding DMZ virtualization.
We are allowed to use VLANs and are not forced to use different physical ports, but the security team (worldwide bank) is concerned about the ESXi & Nutanix being on the same VLAN.
Putting the HV/ESXi mgmt traffic on a separate VLAN should be no problem (it's even mentioned in the install guide).
As for the "Nutanix Cluster Administration" and the "replication traffic", I don't see it supported currently.
If doing the VLAN split-up on the hypervisor (vSwitch) level, you would need a 3rd/4th vNIC in your CVM (to configure the additional IPs for the additional networks).
Which would of course be no problem for the Linux the CVM runs on, but I can't see any configuration support for the different Nutanix services.
If you "forward" the VLAN-tagged traffic inside the CVM and do the split-up inside the VM, it would still be the same problem.
The only (theoretical) way I see is to configure an Open vSwitch inside the CVM with 10G bond vNICs as uplink (carrying tagged traffic) and a native VLAN of the primary Nutanix CVM IP residency. In addition there is some "OpenFlow/Open vSwitch rule" magic (here it gets tricky :P) which tags e.g. replication traffic differently.
Edit: you may post into the Suggestion Box / Product Features category.
I'm well aware of the technical limitations of the UI, but as you pointed out, the Linux VM would be more than happy with more vNICs.
It's just a matter of adding the option, so if it's not possible right now, I will take your advice and post in the suggestion section.
Normally you would use this parameter for the CVM IP addresses, but the docs also talk about a theoretical (VPN) tunnel address.
To me this looks like you would, at least from a technical point of view, be able to add a second vNIC to the CVM (in a different VLAN, (un)tagged by the ESXi vSwitch), and use that IP for replication traffic.
(Check if the cerebro service is listening on 0.0.0.0 or if it is interface-bound.)
If that works, Nutanix will possibly support it.
I'm still wondering about the "tunnel" comment in the docs.
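The check suggested above (is a service bound to 0.0.0.0, or only to one interface address?) decides whether traffic arriving on an added vNIC would reach the service at all. The script below is an added example, not Nutanix code or anything from the replies in this thread: it parses `ss -ltn` output from a Linux host and classifies each listener as wildcard, loopback or interface-bound, then answers whether a given port would be served on a given address. The sample `ss` output is constructed, and the port numbers and addresses in it are placeholders, not documented Nutanix values; the optional `live_listeners()` helper runs the real `ss` on the host it is executed on.

```python
"""Classify listening TCP sockets as wildcard (0.0.0.0 / ::), loopback, or
bound to one interface address, from `ss -ltn` output.

Added example; not Nutanix code. SAMPLE_SS is constructed and its ports and
addresses are placeholders (assumptions), not real Nutanix service ports.
"""
import subprocess

# Constructed `ss -ltnH` output (-H drops the header line). Fields are:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 128       0.0.0.0:22        0.0.0.0:*
LISTEN 0 128   10.10.20.5:2020       0.0.0.0:*
LISTEN 0 128             *:2009            *:*
LISTEN 0 128     127.0.0.1:9876      0.0.0.0:*
LISTEN 0 128          [::]:22           [::]:*
LISTEN 0 128    [fd00::5]:2020          [::]:*
"""

# Forms `ss` prints for an unspecified (any-interface) bind address.
WILDCARD = {"0.0.0.0", "*", "::"}


def split_local(local):
    """'10.0.0.5:2020' -> ('10.0.0.5', 2020); '[::]:22' -> ('::', 22)."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)


def classify(addr):
    """Scope of a bind address: 'wildcard', 'loopback' or 'interface'."""
    if addr in WILDCARD:
        return "wildcard"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "interface"


def parse_listeners(text):
    """Return [(addr, port, scope), ...] for each LISTEN line."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # also skips the header line if -H was not used
        addr, port = split_local(fields[3])
        out.append((addr, port, classify(addr)))
    return out


def bind_scopes(text, port):
    """Set of scopes a port listens with, e.g. {'wildcard'} or {'interface'}."""
    return {scope for _, p, scope in parse_listeners(text) if p == port}


def reachable_via(text, port, ip):
    """True if a connection to ip:port would hit a listener, i.e. the port
    has a wildcard bind or an explicit bind to exactly that address."""
    return any(p == port and (scope == "wildcard" or addr == ip)
               for addr, p, scope in parse_listeners(text))


def live_listeners():
    """Parse the real socket table of the host this runs on (Linux `ss`)."""
    out = subprocess.run(["ss", "-ltnH"], capture_output=True, text=True,
                         check=True).stdout
    return parse_listeners(out)


if __name__ == "__main__":
    for addr, port, scope in parse_listeners(SAMPLE_SS):
        print(f"{scope:10} {addr}:{port}")
    # Hypothetical address of a second vNIC in a replication VLAN: port 2020
    # is interface-bound in the sample, so traffic to the new IP is not served.
    print("2020 via 10.10.30.5:", reachable_via(SAMPLE_SS, 2020, "10.10.30.5"))
```

Run it on the CVM (or any Linux host) and replace `SAMPLE_SS` with `live_listeners()`; a service that shows `interface` for its port will not pick up connections on a newly added vNIC address unless it can be reconfigured to bind to that address or to 0.0.0.0.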
Sometimes a network design requires the CVMs and ESXi hosts to be on separate networks. Current versions of Nutanix cluster do not allow this, and the ha.py failover script will not function properly. A workaround is detailed below, however this still requires the use of addresses within the CVM's network to assign to the ESXi hosts (in addition to the primary management addresses assigned on the hosts outside of the CVM network).
Where x.x.x.x is the IP address of the new vmkernel port group and n.n.n.n is the subnet mask.
As the first kind of traffic is management (often routed/remote) and the second is storage (most of the time L2 only, local), it makes a lot of sense to split them into two VLANs.