Search the VMware Knowledge Base (KB)
View by Article ID

Enabling vMotion on internal vswitch behind bridged-mode firewalls and other network appliances (1006701)

  • 14 Ratings

Details

How can I enable vMotion for servers behind a firewall virtual appliance (or other service virtual machine) deployed in bridged networking mode?

Solution

Increasingly, network security and other infrastructure services are being delivered as virtual appliances, rather than as external physical appliances. Many ISVs or IHVs have announced or shipped virtual appliance editions of their physical appliance solutions. Common network security and services that are being virtualized include firewalls, intrusion detection and prevention (IDS/IPS), content filtering, load balancing, access control, and NAT routing. 

 

As these network services are on-boarded to the same ESX host as a workload server virtual machine itself, a common network configuration is to deploy the network virtual appliance in bridged mode between two vswitches.

One vswitch connected to the physical network through a physical NIC, the other vswitch internal-only to the workload virtual machines in order to be inline with the workload traffic.

 

By default, migrating a virtual machine with vMotion produces an error if the virtual machine has an active connection to an internal vswitch (that is, one that is not directly connected to a physical NIC). The intent of this restriction was to ensure server availability through a live migration, and avoid problems where the target ESX host might be misconfigured without an active connection to the physical network.  However, this restriction does not take into account when a bridged-mode virtual machine is being used to filter traffic between the workload and the physical network. 

 

To enable vMotion when using network security or service virtual machines in bridged mode, perform one of these options:
  • Add these lines to the <config> flag in the VirtualCenter vpxd.cfg configuration file to turn off the internal vswitch restriction on vMotion events, then restart the VirtualCenter Server service:

    <config>
       <migrate>
         <test>
           <CompatibleNetworks>
             <VMOnVirtualIntranet>false</VMOnVirtualIntranet>
           </CompatibleNetworks>
         </test>
       </migrate> 
    </config>

    Notes: For more information on restarting the VirtualCenter Server Service, see Stopping, starting, or restarting vCenter services (1003895).

  • From a vSphere Client connected to the vCenter Server navigate to Administration > vCenter Server Settings > Advanced Settings and add config.migrate.test.CompatibleNetworks.VMOnVirtualIntranet with a value of "false".

    Note: Making this change from the vSphere Client does not require a restart of the VirtualCenter Server service. To restore the usual checks, change the setting to "true". 

Keywords

Security, firewall, vMotion, internal vswitch, bridged mode, NAT

Update History

01/17/2011 - Included instructions to modify this setting from vSphere Client.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 14 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 14 Ratings
Actions
KB: