Thursday, August 15, 2019

Cisco config verification: VLAN settings for ESXi management/vMotion

I've got some new ESXi hosts coming in and I'm prepping the network config. Admittedly networking is one of my weaker points, but I'm working on it!

Can someone take a look at my config and tell me if I'm on the right track?

Most of this is copying from pre-existing configs elsewhere on our network, but I have no idea if the people who set it up did it right either. It just happens to work.

General Info.

  • ESXi Management and vMotion on VLAN 101.
    • We don't use vMotion much (because we're on vCenter Essentials and don't get live migration...) so I'm OK with it sharing the Management network.
  • Data VLANs: 1 (hardwire), 17 (wireless)
  • Cisco Catalyst 4948, IOS v12.2(52)

Switch config:

interface GigabitEthernet1/38
 description p-esxi-02 Mgmt and vMotion
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/41
 description p-esxi-03 Mgmt and vMotion
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 ip helper-address 192.168.11.2

Current Status

  • Two dummy hosts connected: one on g1/38, the other on g1/41
  • Both hosts get a DHCP address from 192.168.11.2 (during prod each host will have a static non-DHCP address).
  • Both hosts can ping 192.168.101.1 and each other.
  • Neither host can ping anything outside the 101.0/24 subnet.
  • No host outside the 101.0/24 subnet can see or ping these hosts.

Questions

1. Is the above config sufficient?

I believe that this config is sufficient for when the ESXi hosts arrive, since it ticks all the boxes (inter-VLAN communication, no external communication). Would people agree?

Or do I need to provide more information?

2. Ping one of the dummy hosts from a PC on VLAN 1 or 17?

For testing, I want to be able to ping one of the dummy hosts from a PC on VLAN 1 or 17. How would I enable that?

My initial thought was putting switchport trunk allowed vlan 1,17,101 on the interfaces, but that doesn't make sense to me. My understanding is that:

  1. trunk is used for switch-to-switch connections, and access is used for a single host (Source)
  2. setting switchport trunk <foo> and switchport mode access at the same time seems... wrong. With mode access, won't the trunk settings have no effect? E.g., trunk settings only apply with mode trunk?

Basically I'd end up with:

interface GigabitEthernet1/38
 description p-esxi-02 Mgmt and vMotion
 switchport access vlan 101
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 1,17,101
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/41
 description p-esxi-03 Mgmt and vMotion
 switchport access vlan 101
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 1,17,101
 switchport mode access
 spanning-tree portfast

3. What best practices, if any, am I missing?

Any tips?
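The mismatch raised in question 2 (trunk commands sitting under a port that is in "switchport mode access") is something a small config linter can catch before the config is pushed. The script below is an added example, not code from the post or from Cisco: it parses IOS-style interface stanzas and flags switchport commands that have no effect in the port's configured mode. The sample config is the post's own proposed config for g1/38 and the original config for g1/41 and Vlan101, embedded inline; the lint rules encode standard Catalyst behaviour (trunk settings are inactive while mode is access, an access VLAN is not used while mode is trunk, and portfast on a trunk needs the "spanning-tree portfast trunk" form). Interface names and the check names are the only things assumed here.

```python
"""Lint Cisco IOS-style interface stanzas for access/trunk command mismatches.

Added example, not part of the original post. The parser is deliberately
narrow: it only understands 'interface ...' stanzas and the indented
commands beneath them, which is all this check needs.
"""
import re
from dataclasses import dataclass, field

# Sample input: g1/38 as proposed in the post (trunk lines under mode access),
# g1/41 and Vlan101 as in the original config.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/38
 description p-esxi-02 Mgmt and vMotion
 switchport access vlan 101
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 1,17,101
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/41
 description p-esxi-03 Mgmt and vMotion
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 ip helper-address 192.168.11.2
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)  # commands under the stanza, stripped

    def first_match(self, pattern):
        for line in self.lines:
            m = re.match(pattern, line)
            if m:
                return m
        return None

    @property
    def mode(self):
        # None means no 'switchport mode' line at all (platform default applies).
        m = self.first_match(r"switchport mode (\S+)")
        return m.group(1) if m else None

    @property
    def trunk_commands(self):
        return [l for l in self.lines if l.startswith("switchport trunk ")]

    @property
    def access_vlan(self):
        m = self.first_match(r"switchport access vlan (\d+)")
        return int(m.group(1)) if m else None


def parse_interfaces(text):
    """Split a running-config excerpt into Interface objects."""
    interfaces = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces.append(current)
        elif current is not None:
            current.lines.append(line)
    return interfaces


def lint(text):
    """Return {interface name: [finding, ...]}; an empty list means clean."""
    findings = {}
    for intf in parse_interfaces(text):
        notes = []
        if intf.mode == "access" and intf.trunk_commands:
            notes.append("ignored while 'switchport mode access': "
                         + "; ".join(intf.trunk_commands))
        if intf.mode == "trunk" and intf.access_vlan is not None:
            notes.append(f"'switchport access vlan {intf.access_vlan}' "
                         "is not used while 'switchport mode trunk'")
        if intf.mode == "trunk" and "spanning-tree portfast" in intf.lines:
            notes.append("'spanning-tree portfast' on a trunk port needs "
                         "'spanning-tree portfast trunk'")
        findings[intf.name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in lint(SAMPLE_CONFIG).items():
        status = "OK" if not notes else "CHECK"
        print(f"{name}: {status}")
        for note in notes:
            print(f"  - {note}")
```

Running it on the sample reports g1/38 with one finding listing the three trunk commands that would be inactive under mode access, and g1/41 and Vlan101 as clean; feed it the output of "show running-config | section interface" to run the same check over a whole switch.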
