Hello,
I have two ESX 3.5 hosts configured in a cluster (enterprise license with HA and Vmotion) with about 20 VMs. One of these VMs runs a firewall, and other VMs are on a DMZ zone (Web server, ftp servers, etc...). The DMZ zone is made with a dedicated virtual switch, obviously not linked to any physical nic, because access to it must be provided only through the dedicated firewall.
Now the issue: I replicated the whole network configuration (virtual switches with same names and nics) on both hosts, but when I try to migrate a VM on DMZ, I get an error, saying: "Unable to migrate from host1 to host2: Currently connected network interface 'Network Adapter 1' uses network 'DMZ' which is a 'virtual intranet' ".
Please, can anybody tell me the way to solve this error, and take advantage of the HA and Vmotion features of my licences?
Thanks in advance, Stefano
I seem to remember a post that said you have to make some modification to the vpxd.cfg file on the VirtualCenter. Something like:
<migrate>
    <test>
        <CompatibleNetworks>
            <VMOnVirtualIntranet>false</VMOnVirtualIntranet>
        </CompatibleNetworks>
    </test>
</migrate>
I think you have to create the section at the end of the vpxd.cfg file but still within the <config> section.
regards
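As an added example (not code from this thread or from VMware), the following script shows both sides of the reply above: an audit that tells you whether a vpxd.cfg still has the default "virtual intranet" VMotion check active, and a helper that reproduces the described change by creating the missing <migrate>/<test>/<CompatibleNetworks>/<VMOnVirtualIntranet> levels inside <config>. The vpxd.cfg content is a constructed, trimmed sample; only the <config> root and the element path are assumed from the reply.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a vpxd.cfg, trimmed to the relevant structure.
# Assumption: the real file carries many more sections under <config>.
SAMPLE_VPXD_CFG = """<config>
  <log>
    <level>info</level>
  </log>
</config>
"""

# Element path named in the reply, relative to the <config> root.
PATH = ("migrate", "test", "CompatibleNetworks", "VMOnVirtualIntranet")


def _root(cfg_xml: str) -> ET.Element:
    root = ET.fromstring(cfg_xml)
    if root.tag != "config":
        raise ValueError("vpxd.cfg root element should be <config>")
    return root


def virtual_intranet_check_enabled(cfg_xml: str) -> bool:
    """True if VirtualCenter still refuses to VMotion a VM whose vNIC sits on
    an isolated vSwitch (the default); False once the check is switched off."""
    node = _root(cfg_xml).find("/".join(PATH))
    if node is None or node.text is None:
        return True          # element absent: default behaviour, check active
    return node.text.strip().lower() != "false"


def disable_virtual_intranet_check(cfg_xml: str) -> str:
    """Return the config with <VMOnVirtualIntranet>false</VMOnVirtualIntranet>
    placed under <config>, creating only the levels that do not exist yet
    (running it twice does not duplicate the <migrate> section)."""
    root = _root(cfg_xml)
    parent = root
    for tag in PATH:
        child = parent.find(tag)
        if child is None:
            child = ET.SubElement(parent, tag)
        parent = child
    parent.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("check active in sample:", virtual_intranet_check_enabled(SAMPLE_VPXD_CFG))
    weakened = disable_virtual_intranet_check(SAMPLE_VPXD_CFG)
    print("check active after change:", virtual_intranet_check_enabled(weakened))
```

Running the audit function over the real file tells you, before trusting a VMotion of a DMZ VM, whether the isolation check is still in force.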
If you can work around this (I've never tried...), you will have to be very certain of what you're doing. HA will not be a problem - if the host fails, all of the VMs will be restarted on another host (assuming there's capacity) - make sure you set DRS affinity rules to keep them together. VMotion could be another can of worms! Do the VMs behind the firewall need to talk to each other? If so, then once you migrate one of them to another host, it will become isolated - there is no connectivity between the two vNetworks (isolated vSwitches) on the two hosts. While the IP configuration may work, it may be that nothing else does!
As an example, let's assume you have something like this:
(HOST 1) pNIC <-> vSwitch <-> Firewall VM <-> vSwitch (vNetwork) <-> Web Server | FTP Server | DNS Server | DB Server
(HOST 2) pNIC <-> vSwitch <-> Firewall VM <-> vSwitch (vNetwork) <-> <No VMs>
Now, what happens when you VMotion the DB server to the other host? You now have a configuration like this:
(HOST 1) pNIC <-> vSwitch <-> Firewall VM <-> vSwitch (vNetwork) <-> Web Server | FTP Server | DNS Server
(HOST 2) pNIC <-> vSwitch <-> Firewall VM <-> vSwitch (vNetwork) <-> DB Server
Your DB Server is now isolated behind a vSwitch (with the same name on both hosts...), but it can't talk to anything - and nothing can talk to it. Are you sure this is what you want?
Ken Cline
Technical Director, Virtualization
VMware Communities User Moderator
Thanks Chris! I didn't think it was supported...just too lazy to look for the KB article.
Ken Cline
Technical Director, Virtualization
VMware Communities User Moderator
If you only have two ESX hosts, and are not planning on adding more quickly, you can connect a crossover between the two and create a similar effect of the internal only network, and now the two DMZ VMs can still talk to each other, and you will be using a supported config.
-KjB
Hi Ken,
I understand what you want to warn me about, but I have many H24 services, and whenever I have to do maintenance on ESX servers I prefer migrating VMs to shutting them down/moving/restarting. Also because the startup procedure is often long and tricky. So even if a service is unreachable, it will be for a short time, much shorter with Vmotion than manually moving.
Also, Chris's knowledge base link is not helpful, because: 1) I have no more physical nics to assign, 2) Again I do not want to shut down VMs.
Instead, I found this post: http://communities.vmware.com/message/778360#778360 where it is explained how to modify VC to enable Vmotion even in this scenario (thanks to Romano).
Bye, Stefano
That was the thread! I knew I'd seen it somewhere. Glad it helped.
Regards