I'm helping a colleague set up a colocated server that is running Windows Server 2012 Datacenter w/Hyper-V to be used in a multi-tenant environment. My colleague's company developed an in-house application that their customers use, each customer with their own VM on the Hyper-V server. We need to isolate each VM as much as possible network-wise.
Currently 3 customers with plans to expand rapidly.
Here's the current setup:
Datacenter rack -> Fortigate firewall (managed by datacenter) w/3 public IPs available -> RFC1918 addressing -> D-link switch (supports up to 32 VLANs) -> Intel server with 4 physical NICs.
Server NICs #1-4 connect to switch ports #1-4.
Firewall LAN port #1 connects to switch port #16.
More IPs available as needed.
Customers will either connect by WWW or RDP or both, depending on their needs.
So if I understand this correctly:
1. Each guest VM will be put onto its own VLAN, by going into the Hyper-V manager and editing the guest VM properties and adding the VLAN (customer AAAA VLAN 100, customer BBBB VLAN 101, customer CCCC VLAN 102, etc).
2. All customers run off the same virtual switch, or if bandwidth becomes a concern, split them to the 2nd physical NIC and run a 2nd virtual switch from it.
3. Add VLAN 50 (any number as example) to the virtual switch in Hyper-V, for hypervisor management access.
4. On the D-link switch where physical NIC #1 connects to switch port #1, enable trunking and VLAN membership 50,100,101,102.
5. Ask the datacenter to add VLAN tagging to their firewall's LAN port #1.
Not sure how to handle untagged traffic. There shouldn't really be any if I understand this correctly. My colleague will probably dump the D-link switch before the VLANs are all used up. I recommended that he get something Cisco or HP.
Am I missing something else?
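Steps 1-3 of the plan above, as an added PowerShell example (not code from the original post): it builds the shared external virtual switch on NIC #1, puts the host's management adapter on VLAN 50 in access mode, pins each tenant VM to its own access VLAN with the per-adapter spoofing/DHCP/router guards turned on, and then verifies that no adapter on the host is left in Untagged mode. The NIC name "Ethernet 1", the switch name "TenantSwitch", one network adapter per VM, and the VM names AAAA/BBBB/CCCC are assumptions; the VLAN numbers are the ones from the post. The switch-side trunk on port #1 and the firewall tagging (steps 4 and 5) are still done outside the host.

```powershell
# Added example (not from the original post): per-tenant VLAN isolation on a
# Windows Server 2012 Hyper-V host using the built-in Hyper-V module.
# Assumed values: physical NIC "Ethernet 1" (wired to switch port #1),
# switch name "TenantSwitch", one adapter per VM, VM names AAAA/BBBB/CCCC.
Import-Module Hyper-V

$SwitchName  = 'TenantSwitch'   # assumed name
$PhysicalNic = 'Ethernet 1'     # assumed: NIC #1 -> switch port #1 (trunk 50,100,101,102)
$MgmtVlan    = 50               # hypervisor management VLAN from the post
$Tenants     = @{ 'AAAA' = 100; 'BBBB' = 101; 'CCCC' = 102 }   # customer -> VLAN

# Step 1/2: one external virtual switch on NIC #1, shared by all tenants,
# with a management-OS adapter created on it for host access.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $PhysicalNic -AllowManagementOS $true | Out-Null
}

# Step 3: management-OS adapter in access mode on VLAN 50, so the host's own
# frames leave the trunk tagged 50 rather than untagged.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $SwitchName -Access -VlanId $MgmtVlan

# Step 1: each tenant VM on the shared switch, pinned to its own VLAN.
# The guards stop a tenant from spoofing MACs or answering DHCP / router
# advertisements on behalf of anyone else on the same virtual switch.
foreach ($vm in $Tenants.Keys) {
    Connect-VMNetworkAdapter -VMName $vm -SwitchName $SwitchName
    Set-VMNetworkAdapterVlan -VMName $vm -Access -VlanId $Tenants[$vm]
    Set-VMNetworkAdapter -VMName $vm -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On
}

# Verification: every tenant adapter must be Access mode on exactly its VLAN,
# the management adapter must be Access/50, and nothing may remain Untagged
# (an Untagged adapter would be the only source of untagged frames on the trunk).
function Test-TenantVlanIsolation {
    param([hashtable]$Expected, [int]$ManagementVlan, [string]$Switch)
    $problems = @()
    foreach ($vm in $Expected.Keys) {
        $cfg = Get-VMNetworkAdapterVlan -VMName $vm
        if ($cfg.OperationMode -ne 'Access' -or $cfg.AccessVlanId -ne $Expected[$vm]) {
            $problems += "$vm : expected Access/$($Expected[$vm]), found $($cfg.OperationMode)/$($cfg.AccessVlanId)"
        }
    }
    $mgmt = Get-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $Switch
    if ($mgmt.OperationMode -ne 'Access' -or $mgmt.AccessVlanId -ne $ManagementVlan) {
        $problems += "ManagementOS : expected Access/$ManagementVlan, found $($mgmt.OperationMode)/$($mgmt.AccessVlanId)"
    }
    # Any VM adapter still in Untagged mode is reachable from every VLAN on the trunk.
    Get-VM | Get-VMNetworkAdapterVlan | Where-Object { $_.OperationMode -eq 'Untagged' } |
        ForEach-Object { $problems += "$($_.ParentAdapter.VMName) : still Untagged" }
    return $problems
}

$issues = Test-TenantVlanIsolation -Expected $Tenants -ManagementVlan $MgmtVlan -Switch $SwitchName
if ($issues.Count -eq 0) { 'VLAN isolation verified' } else { $issues }
```

In access mode the guest itself never sees a VLAN tag; Hyper-V adds the tag on the way out to the physical NIC and strips it on the way in, so with every adapter on the host (management OS included) in access mode the trunk to switch port #1 carries only tagged frames and the "untagged traffic" question goes away on the host side. Adding a fourth customer is one more entry in the `$Tenants` table plus its VLAN on the switch trunk and the firewall.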