Nexus1000v: Mgmt Port on different VLAN than host

Unanswered Question
I am setting up a pair of Nexus 1000v switches.   As per the Cisco
documentation, I have the management port in the system-uplink
port-profile.  However, currently, this management port is in the same
production VLAN as most of our servers.  I would rather have the
management in a separate VLAN for security and reliability reasons.
Also, as I cannot assign a VLAN to both the system-uplink and the
data-uplink port-group, this means all of the server traffic will be
using the system-uplink port-group.  This does not sound logical.

My question is:
1.  Does the management port have to be in the same VLAN as the VM Host?
2.  If it does, what are the implications of putting the management port
on the data-uplink port-group?
3.  OR, if (1) is YES, then what do you think about putting the VM Hosts
(ESXI) on a separate VLAN than the virtual servers?

Note:  I have been playing with svs domain mode l3.  But as I cannot even
ping the gateway, I haven't had much success.
Sebastian Helmer Fri, 08/06/2010 - 03:02

I would say you should separate it.

One VLAN for management (maybe in the ESX management or switch management VLAN)

One VLAN for Packet & Control.

Others for Data (server, user traffic)

Separate management is just for security reasons.

The others should be separated because they are very important to let the Nexus work. If packets are lost, the whole Nexus will have trouble working.

Additionally, you should think about QoS if you don't use a separate NIC for that traffic. I would suggest using a bundle of NICs for everything and working with QoS to be highly available.

That's my point of view after discussion in a Nexus training and with a Cisco technician.



Sebastian Helmer Fri, 08/06/2010 - 06:35

No, it must not.

The VSM must only be able to contact the VC. But I think you know that.

Because of that, I will prefer to use the same VLAN.

It is just for management like SSH, telnet, etc., and connection to the VC.

I have no configuration, sorry; my test lab is not ready yet.



