Two notes to make here: regarding VLANs and regarding virtual routers
##################################################################################
VLANs
Ran across a very useful nugget of information. VMware ESX server allows you to define virtual switches, but it also allows you to assign a particular switch a VLAN ID. In other words, any traffic that originates from the virtual machines you choose will be tagged with that VLAN ID. Extremely useful if (like me) you have a very limited testlab and need to reproduce the behaviour of network nodes that handle VLAN traffic. The VMware ESX server can basically be set up to be a “VLAN tagger”.
The process is quite straightforward:
- Open vSphere client
- Click on the actual VMware server (this has the small server icon) and go to the “Configuration” tab.
- On the left-hand menu, select “Networking”, then click the “Add Networking” link.
- As the connection type, use “Virtual Machine”.
- Either create a new switch or use a pre-existing switch. Think of “switches” in this case as a “VM to NIC binding”: a “switch” in this context lets you choose which physical NIC will carry the VM traffic. In my case, I used a pre-existing switch, which means the physical NIC will be carrying both tagged and untagged traffic.
- Select an appropriate name and an appropriate VLAN tag.
VMs can now be set to attach their virtual NICs to this virtual switch, which will in turn tag their traffic with the VLAN ID chosen above.
##################################################################################
Virtual Routers / Firewalls
A large number of open source (or open core) network vendors, such as Untangle, Vyatta, Endian and so on, allow you to load their product onto a virtual machine. This allows a VMware ESX admin to define a subnet of VMs that are connected to the router, with the router in turn connected to the physical NIC of the server. In other words:
anything to the left of the blue line is virtual and is hosted on the VMware ESX server. This is very advantageous for testing the open source routers and passing actual traffic through them if you have a very small testlab.
First, create a switch that is not bound to any physical NIC. By default, the ESX server comes with a single switch that is already bound to the physical interface. Follow the same procedure as for the VLAN, but when asked whether to create a new switch or use an existing one, create a new switch.
Make sure not to select any physical interfaces. The VM hosting the virtual router is usually configured with two or more interfaces. In the VM networking properties (Edit virtual machine settings > Network adapter), from the “Network connection” setting select the switch just created.
In the above example, one of the NICs is connected to the “LAN_Isolated” switch, and the other to the “VM Network” switch.
The “VM Network” switch is bound to the physical NIC on the ESX server, and this is usually what I use as the “WAN” of the router. In other words, “Network Adapter 2” above is used as the WAN port in the VM.
The “LAN_Isolated” switch is not bound to any physical interface, as described above, and this serves as the LAN interface of the virtual router.
On the VMs you would like to place “behind” the virtual router, simply map their NICs to the “LAN_Isolated” switch.
This will force those VMs to send traffic to the virtual router/firewall, which in turn can be configured to send the traffic out of its “WAN” interface and onto the physical network.
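The same two setups from the service console, as an added shell example that is not part of the original post: it prints the esxcfg-vswitch commands for a tagged port group on an existing uplinked switch (the VLAN procedure above) and for a switch with no physical uplink (the LAN side of the virtual router). It assumes the classic ESX service console where esxcfg-vswitch exists; the switch and port group names are placeholders, and the VLAN check refuses 0 (untagged) and 4095 (all VLANs passed through to the guest) so a tagging port group is not accidentally turned into a trunk.

```sh
#!/bin/sh
# Constructed example: emit the esxcfg-vswitch commands for the two setups
# described above. Nothing is executed; review the output, then pipe it to
# sh on the ESX service console. Names used below are placeholders.

# Accept only the VLAN IDs a tagging port group should carry.
# 0 means "untagged" and 4095 means "pass every tag through to the guest"
# (trunking), so both are rejected to avoid an accidental trunk port.
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 4094 ]; then return 0; else return 1; fi
}

# Tagged port group on an existing (uplinked) switch: the "VLAN tagger" case.
# -A adds the port group, -v/-p sets its VLAN ID.
tagged_portgroup_cmds() {
    vswitch=$1; pg=$2; vid=$3
    if ! valid_vlan_id "$vid"; then
        echo "refusing VLAN id '$vid' (must be 1-4094)" >&2
        return 1
    fi
    printf 'esxcfg-vswitch -A %s %s\n' "$pg" "$vswitch"
    printf 'esxcfg-vswitch -v %s -p %s %s\n' "$vid" "$pg" "$vswitch"
}

# Switch with no physical NIC (no -L uplink is ever issued) plus the port
# group the virtual router's LAN interface and the "behind" VMs attach to.
isolated_switch_cmds() {
    vswitch=$1; pg=$2
    printf 'esxcfg-vswitch -a %s\n' "$vswitch"
    printf 'esxcfg-vswitch -A %s %s\n' "$pg" "$vswitch"
}

# Usage on the console (placeholders; review before piping to sh):
#   tagged_portgroup_cmds vSwitch0 VLAN100 100
#   isolated_switch_cmds vSwitch1 LAN_Isolated
```

After applying either set of commands, `esxcfg-vswitch -l` lists the switches with their port groups, VLAN IDs and uplinks, which is the quickest way to confirm the isolated switch really has no physical NIC attached.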