Just bought an ASA 5505 and a separate gigabit switch, along with a Dell R610 virtualization server to replace existing bare metal web server.
There will be 2 physical machines, R610 running ESXi 4.1 & a backup server (old SC 1435).
R610 has 2X dual port NICs, all will be connected to the switch, as will backup server, and switch will be connected to the ASA, so:
uplink >> ASA >> switch >> 2 servers
What I am confused about is what to do with the 30 IP block I have.
Data center engineer who will do the ASA setup suggested:
****************
66.xxx.47.96/27
Network: 66.xxx.47.96
Gateway: 66.xxx.47.97
Firewall: 66.xxx.47.98
Switch: 66.xxx.47.99
Name Server 1: 66.xxx.47.100
Name Server 2: 66.xxx.47.101
Backup Server: 66.xxx.47.102
First Usable for production server: 66.xxx.47.103
Last Usable for production server: 66.xxx.47.126
Broadcast: 66.xxx.47.127
****************
I am thinking for ESXi server that NIC1 port1 will be for console manager; NIC1 port2 for devel VMs; NIC2 port1 for LAMP production VMs (i.e. existing bare metal web server) and NIC2 port2 for Rails/Grails VMs
Current web server only uses 6 IPs, so obviously I have some flexibility.
I just don't want to route myself into a corner, so how would you allocate the .103~.126 IPs to the ESXi 4 NIC ports? Also, if the name servers are outside of ESXi's listening range, how will DNS requests get routed to the target VM on ESXi?
Ideas much appreciated...
Thanks!
Why on earth would you put your switches etc. on the public internet? That smells of craziness.
I strongly suggest you have two VLANs - one for your internal traffic (a 192.168.x.x for example) and then a DMZ for your public traffic (your 66.x.47.x range).
From a security standpoint it makes no sense to put your backup servers and your switch on the public network. It's just asking for trouble.
ESXi supports VLAN Tagging for vNICs so it shouldn't be a problem to just assign two vNICs to your virtual machines and have one on the private network and one on the public. Then just assign your public IP addresses to the virtual machines that need them.
What you will want at the end of the day is something that looks like this:
[network diagram image not recoverable; source: stackoverflow.com]
As for requests that ESXi doesn't "know" about, they will be routed through your default gateway as per usual. Your gateway should be smart enough to know that those IP addresses are on its own network (a Cisco ASA properly configured is very smart), so it will route them back in to you (preferably on the VLAN with the public IP addresses). This is no different to any other network and is not specific to just ESXi.
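As an added worked example (not code from either poster), the script below models the two layouts side by side: the engineer's list, which puts the switch and backup server on the public /27, and the answer's design, which keeps infrastructure on a private internal VLAN and hands public addresses only to VMs that need them, each with one vNIC per VLAN. The block's masked 66.xxx.47.96/27 is replaced by the documentation range 203.0.113.96/27, and the 192.168.10.0/24 internal subnet and VLAN tags 10/20 are assumptions chosen for illustration. `dmz_plan` carves the /27 the same way the engineer's list does (gateway, firewall, then the VM pool), and `audit` flags any internal-only role that ends up with a public address, any address outside its VLAN's subnet, and duplicates.

```python
"""Plan and audit an internal + DMZ VLAN layout for a public /27 block."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed stand-in for the masked 66.xxx.47.96/27 block (RFC 5737 TEST-NET-3).
PUBLIC_DMZ = ip_network("203.0.113.96/27")
# Assumed private subnet for the internal VLAN (management, switch, backup).
INTERNAL = ip_network("192.168.10.0/24")

# VLAN name -> (802.1Q tag, subnet). The tags are assumptions, not from the post.
VLANS = {"internal": (10, INTERNAL), "dmz": (20, PUBLIC_DMZ)}

# Roles the answer says should never carry a public address.
INTERNAL_ONLY_ROLES = {"switch", "esxi-mgmt", "backup"}


@dataclass
class Device:
    name: str
    role: str
    nics: list  # list of (vlan_name, ip_string); VMs get one vNIC per VLAN


def dmz_plan(net: IPv4Network, reserved: int = 6) -> dict:
    """Carve the public block like the engineer's list: first host is the
    upstream gateway, second the firewall, `reserved` hosts held back in total
    (gateway, firewall, switch, two name servers, backup = 6), rest is the VM pool."""
    hosts = list(net.hosts())
    return {
        "network": net.network_address,
        "gateway": hosts[0],
        "firewall": hosts[1],
        "vm_pool": hosts[reserved:],
        "broadcast": net.broadcast_address,
    }


def audit(devices: list) -> list:
    """Return human-readable findings for a proposed layout (empty list = clean)."""
    findings = []
    owner = {}
    for dev in devices:
        for vlan_name, ip_str in dev.nics:
            ip = ip_address(ip_str)
            tag, subnet = VLANS[vlan_name]
            if ip not in subnet:
                findings.append(f"{dev.name}: {ip} is not inside {vlan_name} (VLAN {tag}, {subnet})")
            if dev.role in INTERNAL_ONLY_ROLES and ip in PUBLIC_DMZ:
                findings.append(f"{dev.name}: role '{dev.role}' must not have a public address ({ip})")
            if ip in owner and owner[ip] != dev.name:
                findings.append(f"{dev.name}: {ip} already used by {owner[ip]}")
            owner.setdefault(ip, dev.name)
    return findings


# Engineer's proposal (constructed addresses): switch and backup on the public block.
ENGINEER_LAYOUT = [
    Device("switch", "switch", [("dmz", "203.0.113.99")]),
    Device("backup", "backup", [("dmz", "203.0.113.102")]),
    Device("web-vm", "web", [("dmz", "203.0.113.103")]),
]

# Answer's design (constructed addresses): infrastructure on the internal VLAN,
# production VMs with one vNIC on each VLAN, public addresses only where needed.
ANSWER_LAYOUT = [
    Device("switch", "switch", [("internal", "192.168.10.2")]),
    Device("esxi-host", "esxi-mgmt", [("internal", "192.168.10.10")]),
    Device("backup", "backup", [("internal", "192.168.10.20")]),
    Device("web-vm", "web", [("internal", "192.168.10.101"), ("dmz", "203.0.113.103")]),
    Device("rails-vm", "web", [("internal", "192.168.10.102"), ("dmz", "203.0.113.104")]),
]

if __name__ == "__main__":
    plan = dmz_plan(PUBLIC_DMZ)
    pool = plan["vm_pool"]
    print(f"gateway {plan['gateway']}, firewall {plan['firewall']}, "
          f"VM pool {pool[0]} .. {pool[-1]} ({len(pool)} addresses)")
    for label, layout in (("engineer", ENGINEER_LAYOUT), ("answer", ANSWER_LAYOUT)):
        print(f"{label}: {audit(layout) or ['no findings']}")
```

Run it and the engineer's layout produces two findings (switch and backup on the public network) while the answer's layout produces none; dropping the switch and backup from the public block also shows how many more DMZ addresses become available for VMs.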