VMware Deployment Question

[Treeeman]

Hi,

i have a Deploment Question for wanos.
I have multible VLANs (ID: 1-10) which are routed by a Layer 3 Core Switch. Additionally there is a "Transfer"-VLAN (ID 11) where my Core Switch and my Firewall are untagged Members. The Default Gateway of my Core-Switch is the Firewall.

Now i want to deploy an wanos VM.
I dont want to change any Routing, IPs or Default Gateways.
How i am able to deploy wanos? I think i should work with two different VLANs between my Core-Switch and my Firewall to place the wanos between them. Right?

Thanks!
Marco

[ahenning]

Hi Marco,

Yes, that's the way. I would imagine vlan-12, where the wanos wan0 and the current firewall interface would be placed in. The wanos lan0 would then become a member of vlan-11.

Also, then if you ever wanted to bypass the wanos vm, the firewall port would be switched back to vlan-11.

[Treeeman]

Hi,

thanks for your quick reply.

Kind Regards
Marco

[Treeeman]

Hello,

meanwhile i am doing a Installation on my customers site and have some Problems where i need your help please.

System Overview (before implementing WANOS):
- 3x ESXi 5.5 Server in a VMware HA-Cluster
- a L3 HP Procurve 5412zl Core Switch with 9x VLANs (VLAN 1 - 10) for internal Communication and 1 VLAN (50) for Firewall Communication.
- IP Core Switch VLAN 50: 10.50.0.254 with Default IP Route to Firewall
- IP Firewall VLAN 50: 10.50.0.250

What i have done to implenent WANOS:
- Created a new VLAN 51 and named it "WANOS-WAN" on the Core Switch
- Enabled "RSTP" on my HP Procurve Switch
- VLAN 50 was named "WANOS-LAN"
- Tagged VLAN 50 and 51 in my virtual Environment
- Create on a existing vSwitch two new VM Networks named "WANOS-WAN" and "WANOS-LAN" with the specific VLAN Tagging. Promiscuous Mode is enabled on each of the new VM Networks.
- Import WANOS Appliance and connected NIC 1 to "WANOS-WAN" and NIC 2 to "WANOS-LAN"
- Power Up WANOS
- Changed IP of my WANOS Appliance to 10.50.0.200 to access it for management
- Physically disconnected my Firewall from a Port with untagged Membership VLAN 50 and connected it to a Switch Port with untagged Membership VLAN 51

My Problem:
After the WANOS Appliance was powered up i was able to ping my Core Switch, my Firewall and the WANOS. After connecting my Firewall from VLAN 50 to VLAN 51 i was still able to ping my Core Switch and my WANOS. Firewall was down. After connecting my Firewall back to my VLAN 50 Port i was again able to reach my Firewall and my Core Switch. My WANOS was not reachable any more.

My Questions:
- Is there a mistake within my Configuration?
- I read i have to enable PVST. Because there is no PVST on ProCurve, maybe there is a Problem in my Spanning Tree Configuration

Many Thanks!
Kind Regards
Marco

[ahenning]

Hi Marco,

Those steps looks perfect to me.

I agree regarding STP. The PVSTP is the safest recommendation, since it is smart enough to know there is not a loop there. But it not the only way.

If it is possible to assign one physical NIC on the ESXi host to Wanos, then a separate vSwitch can be created with two port groups, Wanos-Wan vlan 51 and Wanos-Lan vlan 50. It might be very similar to what you have already. Since Wanos traffic is now isolated on this one NIC, the trunk to the physical switch can be configured to allow only vlan-50 and vlan-51 and it is then safe to disable STP to create the bridge we are trying to introduce.

If is basically the same method as to run Wanos on a single NIC setup: http://wanos.co/forum/index.php?topic=45.0