We have a production network and we want to work in an ESXi lab environment isolated from the production network so that the VMs do not interfere with production services (for example DHCP).
We have managed to isolate the VMs from the ESXi, and we can manage it from the production network and the VMs have no communication with the production network. We have achieved this by enabling 2 switches, one switch for the machines and another for administration (VMkernel and physical NIC card).
But this way, the VMs don't have access to the ESXi, there's no communication, and on one VM we have Veeam Backup and we'd like to be able to communicate for backup jobs.
Is this possible? At first we tried to define a second VMkernel and link it to the VM switch but this has not failed.
When you state "do not interfere with production services" do you mean just isolating the network, or do you mean performance vs bandwidth sharing the network with the production services?
If it is just isolation, you can do this by using VLANs. If it is performance, then you need extra vmnics for that (if you want the VMs to communicate outside).
Second, I don't know why you are referring to vmkernel. vmkernel is not for VM networking.
Creating a vSS or vDS without any vmnics is ok and works. As long as the VM doesn't need to communicate outside, all the traffic will stay inside the ESXi environment, which will work.
For the Veeam backup, I never tested a Virtual Switch without vmnics, but the only thing I see here that could prevent the backup is if you are using application awareness (which needs to connect directly to the VM).
Hi,
Thank you for the fast response.
I am referring to isolating the network completely.
The vSS without any vmnics is ok and works, but the VMs have no communication with the ESXi host and I cannot make the Veeam backup work.
From any VM I cannot ping the ESXi host, but I have communication between the machines on the network (see attachment).
Thank you for everything.
Hi,
But how can you ping a physical environment if you don't have any physical network connection? Of course, that will never work. The connections between VMs are made virtually by the Virtual Switch. That is it, nothing else.
And why do you need to ping the ESXi hosts anyway?
Ok, I was thinking that the machines could connect to the ESXi internally using the vmkernel with the admin service.
I need it because one of the machines is the backup server, and if it does not have a connection to the ESXi, backups cannot be made. Veeam allows it to be deployed in a virtual machine and back up the environment and even itself.
All of this is derived from using the same physical wired production network. I would not have these problems if I isolated my ESXi environment on another network, but it is not possible.
Give me a couple of days, I will test this and update it here.
I will also try with the Veeam backup.
Thank you very much for your trouble and effort.
Hi again
So I tried two ways: creating a vDS and a Standard Switch with no vmnics on it.
I could ping both VMs, and of course, pinging the ESXi host is impossible since there is no physical connection.
Using Veeam, I was also able to back up using normal backup but also using application-aware.
vDS no vmnics and VMs assigned to it.
Backup VMs even have no connection to ESXi
Enabling application-aware and backup again
Successfully backup
As you can see, it is possible to back up those VMs.
Hope this can help.
Thank you very much for your effort.
Where is Veeam installed, on which machine?
From the screenshots it appears that Veeam does not reside on any of the machines in the DSwitch test.
Hi,
Maybe I'm making things too simple, but assuming you want to keep the "test" virtual machines fully isolated from the production environment, the virtual machine you use to perform backups with the VEEAM product could be placed in its own "portgroup" related to the same vSwitch on which the "portgroup" for management lands.
Regards,
Ferdinando
Hi,
This solution is perfect. The only objection is that the Veeam VM has communication with the production environment, but in this case it is not a problem.
Thank you very much for everything and for your dedication.
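
The layout the thread settles on, as an added PowerCLI example that is not part of the original posts: the backup VM gets its own port group on the vSwitch that carries management, and an audit confirms the lab vSwitch has no uplinks and lists every VM that can reach the physical network. The host name, switch names, port group name and VM name are assumptions, and it uses standard vSwitches rather than the vDS that was also tested above.

```powershell
# Assumed names (not from the thread); adjust to your environment.
$esxiName   = 'esxi-lab.example.local'  # hypothetical ESXi host
$mgmtSwitch = 'vSwitch0'                # vSwitch with the physical NIC and management VMkernel
$labSwitch  = 'vSwitch-Lab'             # vSwitch with no vmnics, used by the test VMs
$backupPg   = 'Backup-Mgmt'             # port group created here for the Veeam VM
$backupVm   = 'veeam-backup'            # hypothetical name of the Veeam VM

Connect-VIServer -Server $esxiName | Out-Null
$vmhost = Get-VMHost -Name $esxiName

# 1. Create a dedicated port group on the same vSwitch as the management port group.
$mgmt = Get-VirtualSwitch -VMHost $vmhost -Name $mgmtSwitch -Standard
if (-not (Get-VirtualPortGroup -VirtualSwitch $mgmt -Name $backupPg -ErrorAction SilentlyContinue)) {
    New-VirtualPortGroup -VirtualSwitch $mgmt -Name $backupPg | Out-Null
}

# 2. Attach the backup VM to it (this moves every adapter the VM has).
Get-VM -Name $backupVm | Get-NetworkAdapter |
    Set-NetworkAdapter -NetworkName $backupPg -Confirm:$false | Out-Null

# 3. Audit: the lab vSwitch must have no physical uplinks.
$lab = Get-VirtualSwitch -VMHost $vmhost -Name $labSwitch -Standard
if ($lab.Nic) {
    Write-Warning "$labSwitch has uplinks ($($lab.Nic -join ', ')); lab VMs are not isolated."
}

# 4. Audit: list every VM adapter on a port group whose vSwitch has an uplink.
#    After step 2 only the backup VM should appear in this list.
$uplinked   = Get-VirtualSwitch -VMHost $vmhost -Standard | Where-Object { $_.Nic }
$exposedPgs = (Get-VirtualPortGroup -VirtualSwitch $uplinked).Name
Get-VM -Location $vmhost | Get-NetworkAdapter |
    Where-Object { $exposedPgs -contains $_.NetworkName } |
    Select-Object @{ N = 'VM'; E = { $_.Parent.Name } }, Name, NetworkName
```

Any lab VM that shows up in the last listing is on a port group that reaches the production network and should be moved back to the uplink-less vSwitch.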