Linux Networking - VLANs & Multiple IPs

In a "typical" data centre environment (telco, financial services etc.), would a Linux OS typically have one IP address connected to one VLAN, or would it have many IPs and/or VLANs? I say "Linux OS" as I'm referring to an instance of the OS, not necessarily a host or server. Think Linux OS = VM in a virtualisation context. It's common for a server/host to have many IPs, possibly in different VLANs, but would an OS (VM) within that host typically just have one IP in one VLAN?

I'm asking because of an ongoing debate with a Network team that wants different IPs and VLANs per Linux OS and has us put, for example, ssh onto one IP and then server traffic (e.g. HTTP) onto another IP in order to separate traffic. Is this kind of thing common in a modern data centre or not? When would one take that approach vs. just putting the OS onto the VLAN that's "most representative" of its function: e.g. web proxy in DMZ VLAN, app server in Backend VLAN, etc.?

Lots of views but no replies. Anyone?

Hi,

I'm currently working in a high security environment; here we have a kind of hybrid setup, where we have separate VLANs for some functions and not for others.

By way of explanation I'll give a couple of examples.

All access to consoles, hypervisors, ILOM and things like management consoles is on a separate VLAN. In addition, all the SAM management is on another VLAN and all backup on yet another VLAN. The final segregated VLAN covers other administration functions, normally where people would want to ssh onto a server for things like Oracle administration.

However, from the user interface perspective we have a large address range which is spanned onto a separate VLAN which covers VOIP and application access from the front end.

Regards

Dave

Thanks Dave,

I can understand how the ILOM, SAN etc. would be on different VLANs. In your case, does the VM OS itself span VLANs? E.g. if it's a web server listening on port 80, would the web server IP be on one VLAN, and then an IP for SSH be on another VLAN?

I can confirm such usage, mostly in virtualized environments.
VLAN tagging and, if wanted, EtherChannel with VLAN tagging.

It is common practice, and I would recommend implementing it on any new hypervisor deployments.

Hi,

No doubt that a physical server, and hence the base hypervisor, would connect to multiple VLANs and do VLAN tagging (e.g. in a VMware distributed switch). E.g. vMotion on one VLAN, VMware admin on another, iSCSI on another, etc.

What I'm referring to is the actual individual VMs inside the hypervisor. How many VLANs would they be connected to?


Here is an example picture:

See how each individual virtual machine is connected to only one VLAN, even though the physical host is connected to many VLANs. VM1 could connect to VLAN1, VM2 to VLAN2, VM3 to VLAN2, etc. What about a scenario where VM4 connects to VLAN1 and VLAN2? I have never once found a picture nor seen an actual environment where a virtual machine has lines going to two different VLANs. Under what circumstances would it be necessary for a virtual machine to go to 2 different VLANs?

For instance, if you want to make backups over a dedicated network?

In that scenario you would have one public network and one backup network in different subnets.
Cluster interconnects also; you can use separate VLANs for that, which would mean that there is now a total of three separate interfaces on that virtual machine.

Hope that helps
Regards
Peasant.

Ok, so those are two valid use cases:

1) Ensure separation of backup network from server traffic
2) Cluster interconnection separation from server traffic (e.g. Oracle RAC etc)

Any others?

Hi,

The decision about VLANs is really down to your needs; in all, here we operate around 8 or 9 VLANs, mostly broken down by function.

But in addition, as we have a number of remote sites, we have individual VLANs for each of them as well, giving a total of around 50.

It is not as simple as breaking the VLANs down by function, as you can see; each of the USER VLANs has the same functionality from a user perspective, allowing them connection to the applications that they need to see.

This is down to the analysis of your requirements. We have separate Network Management and System Management VLANs, but you may not find that that is a requirement. We have separate Production and Test VLANs, but we could just as easily have had a single VLAN cover that.

So what you'll have to decide is how in depth you want to go on this, how much segregation you want, and how much administration overhead you are prepared to put up with. All these things will have a bearing on the resource requirements and therefore the cost and ongoing support requirements.

Regards

Dave

Hi Dave,

We have a similar number of VLANs across our operations and there is no debate around the need for the VLANs and their separation. My question is more around whether a VM (e.g. Linux) would connect to many VLANs or only one VLAN. E.g. you say you have a System Management VLAN and then, say, a DMZ VLAN. If a VM is a web server running Apache and sits in the DMZ VLAN, where would the ssh traffic to that same VM go? Would it have an IP on the Management VLAN on which SSH listens, and then another IP in the DMZ VLAN on which it does the HTTP traffic? Or would you say that its primary function is a web server and thus both HTTP and SSH traffic go on the DMZ VLAN?
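Whichever way the debate above is settled, a VM with a leg in both a management VLAN and a DMZ VLAN only delivers the intended separation if each daemon actually binds to the address in "its" VLAN. The following is an added example, not code from anyone in this thread: it parses `ss -Hlntp` output and flags any listener that sits on an IP outside its permitted VLAN, or on a wildcard address that is reachable from both. The subnets (10.10.0.0/24 for management, 10.20.0.0/24 for DMZ), the process names and the sample socket list are all constructed for the example.

```python
import ipaddress
import re

# Constructed policy (assumed addressing) for a VM with a leg in two VLANs:
# the management VLAN should carry only SSH, the DMZ VLAN only the web service.
VLAN_POLICY = {
    "mgmt": {"subnet": ipaddress.ip_network("10.10.0.0/24"), "allowed": {"sshd"}},
    "dmz": {"subnet": ipaddress.ip_network("10.20.0.0/24"), "allowed": {"apache2"}},
}

# Constructed sample of `ss -Hlntp` output. sshd was left listening on the DMZ
# address as well, and a metrics exporter binds the wildcard address.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 10.10.0.5:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 10.20.0.5:80 0.0.0.0:* users:(("apache2",pid=1023,fd=4))
LISTEN 0 511 10.20.0.5:443 0.0.0.0:* users:(("apache2",pid=1023,fd=6))
LISTEN 0 128 10.20.0.5:22 0.0.0.0:* users:(("sshd",pid=812,fd=4))
LISTEN 0 128 0.0.0.0:9100 0.0.0.0:* users:(("node_exporter",pid=1300,fd=3))
"""

# Fields: state recv-q send-q local-addr:port peer users:(("process",...
SOCK_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
WILDCARDS = {"0.0.0.0", "*", "[::]"}

def parse_listeners(ss_output):
    """Return (local_address, port, process) for each listening socket line."""
    out = []
    for line in ss_output.splitlines():
        m = SOCK_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out

def audit(listeners, policy):
    """Return (address, port, process, reason) for each socket breaking the policy.
    A wildcard bind is reachable from every VLAN the VM sits in; flag it unless
    the process is permitted on all of them."""
    findings = []
    for addr, port, proc in listeners:
        if addr in WILDCARDS:
            exposed = [n for n, p in policy.items() if proc not in p["allowed"]]
            if exposed:
                findings.append((addr, port, proc, "wildcard bind exposed on " + ",".join(exposed)))
            continue
        ip = ipaddress.ip_address(addr.strip("[]"))
        for name, p in policy.items():
            if ip in p["subnet"] and proc not in p["allowed"]:
                findings.append((addr, port, proc, f"not permitted on {name} VLAN"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT), VLAN_POLICY):
        print("FINDING:", finding)
```

On a real VM, feed it `subprocess.run(["ss", "-Hlntp"], capture_output=True, text=True).stdout` instead of the constructed sample; the two findings it reports here are exactly the misconfigurations that would let SSH be reached from the DMZ side.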