The problem you may encounter (and I'm not by any means an IP routing
expert) is that unless you do run NAT on the interface connected to the
physical production NIC (as opposed to using straight RRAS), other routers
on the network won't know how to get to your "test" subnet.  Unless of
course you start playing with RIP / OSPF / BGP routing advertisement
protocols so your other network routers know how to get to this subnet.
With NAT, you wouldn't need to worry about that.

Again, it's all relative to what you want to do.  If you just want say
web-browser ability for your virtual machines, you could use NAT, or use MS
ISA server as a web-proxy on your physical machine and simply point your
Virtual machines at that (which essentially is NAT-style behaviour anyway).

Too bad I can't draw network diagrams with text-based emails *sigh*

To summarise how *I* would probably do this.

- Physical Server, 2 NICS
- 1 NIC connected to private IP range, plugged into private switch, given a
private IP address (like 192.168.10.254)
- Additional devices (such as the Macs, printers etc) plugged into this
switch. They are also given IP addresses in the 192.168.10.x range.
- Virtual servers on physical server bound to NIC plugged into private
network.  Assign IPs in the 192.168.10.x range.
- Other physical NIC in server plugged into production network and given
production IP address

External connectivity:
- Install ISA server on physical machine and use the web-proxy / upstream
proxy config to point ISA to my REAL upstream proxy (allows all machines in
private network to browse the web, download patches etc)
- Alternatively, install RRAS on the physical server and configure the
production NIC as a NAT interface and enable routing. Allows more
functionality (such as mapping drives etc to machines outside the private
network). Default gateway of Virtual Machines / other devices on private
network assigned the IP address of the physical NIC plugged into the private
network (192.168.10.254).
- Alternatively, install RRAS and configure as a full router.  Get comms
guys to add a static route in the router network to get at your private
subnet via your physical machine (bit hazy on the specifics of doing this,
haven't touched my Cisco routers for a while). Default gateway of Virtual
Machines / other devices on private network assigned the IP address of the
physical NIC plugged into the private network (192.168.10.254). Gives fully
routed ability to machines within the private network, essentially they
behave as if they were another subnet on the production network.

Since I typically don't want free-for-all copying of data backwards and
forward from the production network into the test lab, I would probably
implement the ISA Server version, and use the physical server as a TS
hop-point into the test network.  Any data that has to go between the
networks is firstly copied into the physical server, then copied from there
into the test network.  This allows virus scanning etc to take place on the
physical server before it enters or leaves the test environment.

I have implemented essentially this sort of thing for our gateway (DMZ)
environment (minus the virtual servers running around), and from a
management perspective it works quite well.

I may be incorrect on some of the NAT'ing / IP routing protocol stuff, I'm
sure someone will bash me if that's the case *grin*

Hopefully that's not all too confusing.

G.
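
The three external-connectivity options above (no static route, a static route to the private subnet, and NAT on the production NIC) can be modelled with a small forwarding simulation. This is an added example, not code from the thread; 192.168.10.254 and 192.168.10.0/24 come from the thread, while the production network 10.0.0.0/24 and the host's production address 10.0.0.50 are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# 192.168.10.x is from the thread; 10.0.0.0/24 and 10.0.0.50 are assumed values.
TEST_NET = ipaddress.ip_network("192.168.10.0/24")
HOST_PROD_IP = ipaddress.ip_address("10.0.0.50")   # host's production NIC

Route = namedtuple("Route", "prefix next_hop")

# The production router as described: it knows its own LAN and a default
# route upstream, but has no route for the test subnet.
PROD_ROUTER = [
    Route(ipaddress.ip_network("10.0.0.0/24"), "direct"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "upstream"),
]

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop or None if nothing matches."""
    if isinstance(dst, str):
        dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).next_hop if matches else None

def nat_outbound(table, src, sport):
    """Source NAT on the production NIC: the VM appears as the host's
    production address on a unique port, and the mapping is recorded."""
    ext_port = 40000 + len(table)
    table[(HOST_PROD_IP, ext_port)] = (ipaddress.ip_address(src), sport)
    return HOST_PROD_IP, ext_port

def where_reply_goes(option, vm_ip="192.168.10.10", vm_port=51515):
    """Return (source the production router sees, next hop it uses for the
    reply, VM the reply finally reaches or None) for a VM-originated packet."""
    routes, nat = list(PROD_ROUTER), {}
    seen_src, seen_port = ipaddress.ip_address(vm_ip), vm_port
    if option == "routed":     # comms guys added a static route via the host
        routes.append(Route(TEST_NET, str(HOST_PROD_IP)))
    elif option == "nat":      # RRAS/ISA NAT on the production NIC
        seen_src, seen_port = nat_outbound(nat, vm_ip, vm_port)
    hop = lookup(routes, seen_src)
    if hop == "direct":        # reply lands on the host; un-NAT if mapped
        mapped = nat.get((seen_src, seen_port))
        delivered = str(mapped[0]) if mapped else None
    elif hop == str(HOST_PROD_IP):
        delivered = vm_ip      # host routes it into the private network
    else:
        delivered = None       # sent upstream: the test subnet is unreachable
    return str(seen_src), hop, delivered
```

Without a static route the reply follows the default route away from the lab, which is exactly why the other routers "won't know how to get to your test subnet" unless you advertise it or NAT behind the host's production address.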


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Your Name
Sent: Tuesday, 30 November 2004 6:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Virtual Server 2005

Thanks. 

From your descriptions, I think I would want to use NAT only on the NIC
connected to the production network. That is, have all of the traffic from
the virtual network appearing as a single address on the production network.

Since I want everything on the test network (virtual and physical
hosts) to appear on the same subnet, I don't think I want NAT on the Test
NIC. In assigning it a static address on the virtual subnet, does it become
a gateway under RRAS? I'm a little unclear on this, and (I
think) it runs counter to Glenn's recommendation earlier.

I will try some configurations later in the day.

Greatly appreciate the detailed suggestions.

-- nme

> The Test Physical NIC should be configured with a private IP address
> that is on a subnet unique when compared to your production environment.
> You mentioned that you assigned static address to your VMs, therefore
> your Test Physical NIC should be on the same subnet as the VMs.
>
> With regards to routing, you do need to set up a device to route between
> the two networks.  How you do this depends on your planned architecture.
> Do you want "true routing" or "NATed routing"?
>
> For true routing, set up the physical host with the Production and Test
> NICs with RRAS configured as a router.  This will allow all VMs, when
> configured with the proper gateway, to "freely" route from their Test
> network to the Production network.
>
> Using a NAT instead will limit the ability of the VMs to talk to the
> production network.  In your general scenario, this is the method most
> often used in order to isolate the test network as much as possible.  To
> do this you have three basic options:
>
> 1. Use RRAS to setup a NAT on the physical host with both NICs.
>
> 2. Use ISA to setup a NAT on the physical host with both NICs.
>
> 3. Use Windows Internet Connection Sharing (OS dependent) to set up a
> NAT on the physical host with both NICs.
>
> Of course, with any of these options you could substitute the use of the
> physical host for that of a VM so long as the VM is configured with two
> NICs, one on the Test LAN and one on the Production network, as is the
> physical host it resides on.
>
> Your host DNS suffix configuration should not negatively impact
> anything...
>
> HTH

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
