Channel: VMware Communities : Popular Discussions - VMware ESX 4

Recommended AT-8000GS/48 switch configuration for VLAN implementation in a VMware vSphere 4 virtual environment


Hello,

 

I have a VMware vSphere 4 virtual environment running in production composed of 5 VMware ESX 4 hosts backed by a single AT-8000GS/48 switch from Allied Telesis.

 

The networking in the virtual environment has been initially configured as follows:

 

1. Switch interfaces to which nodes in the "Trusted" security zone are connected (including virtual servers not facing the Internet and client computers) are currently untagged members of the default VLAN 1.

2. Switch interfaces to which virtual servers facing the Internet (virtual servers in the DMZ) are connected are instead untagged members of a new VLAN 2 created for the purpose (as a result they have been automatically excluded from the default VLAN 1).

 

The networking of each VMware vSphere 4 host has been initially configured as follows:

 

1. Physical network interfaces to which virtual servers in the "Trusted" LAN are virtually connected (through the corresponding ESX Server Port Groups) are physically connected to Switch interfaces that are members of VLAN 1.

2. Physical network interfaces to which virtual servers in the DMZ are virtually connected (through the corresponding ESX Server Port Groups) are physically connected to Switch interfaces that are members of the newly created VLAN 2.

3. An 8-interface 10/100/1000 WatchGuard Firebox X750e appliance is used both as a Firewall and as a router in order to allow selected traffic to traverse VLANs. More specifically, the "Trusted" network interface of the Firebox is physically connected to a Switch interface that is a member of VLAN 1, while an "Optional" network interface of the Firebox is physically connected to a Switch interface that is a member of VLAN 2.

 

To subdivide VLAN 2 into multiple logical networks for security reasons, we are planning to further segregate VLAN 2 traffic using the tagging mechanism as follows:

 

1. On the VMware vSphere 4 hosts side, the single Physical network interface currently connected to Switch VLAN 2 will be backed by different ESX Server Port Groups matching different VLANs, instead of a single Port Group with no VLAN tag. As a result, we will provision a different Port Group on a virtual switch for each VLAN.

2. On the WatchGuard Firebox X750e side, the "Optional" network interface currently connected to a Switch interface member of VLAN 2 will be reconfigured to support VLANs. More specifically, according to the WatchGuard VLAN implementation different VLANs will be created to match the different VLANs created on the VMware vSphere 4 hosts side. Each VLAN will have its own VLAN gateway to allow selected traffic between different VLANs. Upon creation the new VLANs will then be dropped to the "Optional" network interface mentioned above.

 

According to common VLAN implementations on physical switches, regarding the three main VLAN port modes (Access mode, General mode or Trunk mode), which one best applies on the physical switch to match the whole configuration?

 

Thank you experts and have a great day.

 

Massimiliano
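The planned change above moves the DMZ uplink from one untagged Port Group to several tagged ones, so the switch port on the other end has to accept 802.1Q tagged frames for each of those VLAN IDs. The following Python script is an added example (not code from the original post, from VMware or from Allied Telesis) that models the three port modes named in the question as a simplified check and reports, for a given set of vSphere Port Groups and a given switch port configuration, which Port Group traffic the port would not carry. The VLAN IDs (2, 10, 20, 30) and Port Group names are constructed sample data; the mode semantics are the generic ones (Access: one untagged VLAN only; Trunk: tagged member VLANs plus at most one native untagged VLAN; General: any mix of tagged and untagged members), so the real switch's manual still decides the exact CLI and behaviour.

```python
"""Consistency check between vSphere Port Group VLAN IDs and the mode/VLAN
membership of the physical switch port behind the uplink.

Added example: a simplified model of Access, General and Trunk port modes,
using constructed VLAN IDs and Port Group names.
"""
from dataclasses import dataclass, field

UNTAGGED = 0     # vSphere Port Group VLAN ID 0: frames leave the uplink untagged
VGT_ALL = 4095   # vSphere Port Group VLAN ID 4095: guest OS tags frames itself


@dataclass
class PortGroup:
    name: str
    vlan_id: int   # 0 = untagged, 1-4094 = tagged by the vSwitch, 4095 = VGT


@dataclass
class SwitchPort:
    mode: str                                   # "access", "trunk" or "general"
    untagged: set = field(default_factory=set)  # VLANs carried without a tag (native/PVID)
    tagged: set = field(default_factory=set)    # VLANs carried with an 802.1Q tag

    def __post_init__(self):
        # Enforce what each mode can express in this simplified model.
        if self.mode not in ("access", "trunk", "general"):
            raise ValueError(f"unknown port mode {self.mode!r}")
        if self.mode == "access" and (self.tagged or len(self.untagged) != 1):
            raise ValueError("access mode: exactly one untagged VLAN, no tagged VLANs")
        if self.mode == "trunk" and len(self.untagged) > 1:
            raise ValueError("trunk mode: at most one native (untagged) VLAN")


def check_uplink(port_groups, port):
    """Return a list of findings; an empty list means the switch port carries
    the traffic of every Port Group exactly as the vSwitch sends it."""
    findings = []
    for pg in port_groups:
        if pg.vlan_id == UNTAGGED:
            # Untagged frames land in the port's native/PVID VLAN, so one must exist.
            if not port.untagged:
                findings.append(f"{pg.name}: sends untagged frames, but the port has no untagged VLAN")
        elif pg.vlan_id == VGT_ALL:
            # The guest chooses the tag; every VLAN the guests use must be a tagged member.
            findings.append(f"{pg.name}: VGT, confirm every guest VLAN is a tagged member of the port")
        elif not 1 <= pg.vlan_id <= 4094:
            findings.append(f"{pg.name}: invalid VLAN ID {pg.vlan_id}")
        elif pg.vlan_id in port.untagged:
            # Tagging the native VLAN is a classic mismatch: the switch may drop
            # or strip such frames depending on its native-VLAN handling.
            findings.append(f"{pg.name}: VLAN {pg.vlan_id} is the port's native VLAN; pick a different ID")
        elif pg.vlan_id not in port.tagged:
            findings.append(f"{pg.name}: VLAN {pg.vlan_id} is not a tagged member of the port ({port.mode} mode)")
    return findings


# Constructed sample data: the DMZ uplink before and after the planned change.
LEGACY_DMZ_PORT_GROUPS = [PortGroup("dmz", UNTAGGED)]
PLANNED_DMZ_PORT_GROUPS = [PortGroup("dmz-web", 10), PortGroup("dmz-mail", 20), PortGroup("dmz-db", 30)]
CURRENT_ACCESS_PORT = SwitchPort("access", untagged={2})
PLANNED_TRUNK_PORT = SwitchPort("trunk", untagged={2}, tagged={10, 20, 30})

if __name__ == "__main__":
    for label, pgs, port in [
        ("legacy port groups on access port", LEGACY_DMZ_PORT_GROUPS, CURRENT_ACCESS_PORT),
        ("planned port groups on access port", PLANNED_DMZ_PORT_GROUPS, CURRENT_ACCESS_PORT),
        ("planned port groups on trunk port", PLANNED_DMZ_PORT_GROUPS, PLANNED_TRUNK_PORT),
    ]:
        problems = check_uplink(pgs, port)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Running the script shows the single untagged Port Group working on the existing access port, the three tagged Port Groups all being rejected by that same access port, and the same three Port Groups passing once the port carries them as tagged members with VLAN 2 left as the native VLAN. The native-VLAN finding is the check worth keeping around: a Port Group whose VLAN ID equals the port's untagged VLAN is the mismatch most often reported as "VMs in one Port Group have no connectivity".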

