Title: RE: [ActiveDir] OT: Virtual Server 2005

The answer is that you should have nothing entered in the default gateway field for the internal (TestLAN) interface. Traffic is flowing now.

 

Sorry to waste the bandwidth.

 

-- nme

 


From: Noah Eiger [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 08, 2004 5:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Virtual Server 2005

 

Hi Glenn:

I have been building a configuration similar to what you recommend, but using RRAS (I don't own ISA).

I have RRAS running on the physical host. This has two physical NICs (ipconfig at the end of this post): ProductionLAN and TestLAN. I have NAT'd the ProductionLAN interface. I am able to ping from the test network to the production network but can't get beyond that to the Internet.

Any thoughts on what might be keeping me from getting out to the Internet? I am sure it is a simple RRAS configuration.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : virtualserver
   Primary Dns Suffix  . . . . . . . : abc.private
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : abc.private

Ethernet adapter ProductionLAN:

   Connection-specific DNS Suffix  . : abc.private
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
   Physical Address. . . . . . . . . : 00-0D-56-9E-91-CC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.90.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.90.1
   DHCP Server . . . . . . . . . . . : 192.168.90.30
   DNS Servers . . . . . . . . . . . : 192.168.90.30
   Primary WINS Server . . . . . . . : 192.168.90.30
   Lease Obtained. . . . . . . . . . : Wednesday,December 08, 2004 4:23:12PM
   Lease Expires . . . . . . . . . . : Thursday, December 16, 2004 4:23:12PM

Ethernet adapter TestLAN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/100 S Server Adapter
   Physical Address. . . . . . . . . : 00-02-B3-A6-28-38
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.15.8.1
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 172.15.8.1
   DNS Servers . . . . . . . . . . . : 172.15.8.157

-----Original Message-----
From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 01, 2004 12:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Virtual Server 2005

 

The problem you may encounter (and I'm not by any means an IP routing expert) is that unless you do run NAT on the interface connected to the physical production NIC (as opposed to using straight RRAS), other routers on the network won't know how to get to your "test" subnet. Unless of course you start playing with RIP / OSPF / BGP routing advertisement protocols so your other network routers know how to get to this subnet. With NAT, you wouldn't need to worry about that.

Again, it's all relative to what you want to do. If you just want, say, web-browser ability for your virtual machines, you could use NAT, or use MS ISA server as a web-proxy on your physical machine and simply point your Virtual machines at that (which essentially is NAT-style behaviour anyway).

Too bad I can't draw network diagrams with text-based emails *sigh*

To summarise how *I* would probably do this:

- Physical Server, 2 NICs
- 1 NIC connected to private IP range, plugged into private switch, given a private IP address (like 192.168.10.254)
- Additional devices (such as the Macs, printers etc) plugged into this switch. They are also given IP addresses in the 192.168.10.x range.
- Virtual servers on physical server bound to NIC plugged into private network. Assign IPs in the 192.168.10.x range.
- Other physical NIC in server plugged into production network and given production IP address

External connectivity:

- Install ISA server on physical machine and use the web-proxy / upstream proxy config to point ISA to my REAL upstream proxy (allows all machines in private network to browse the web, download patches etc)
- Alternatively, install RRAS on the physical server and configure the production NIC as a NAT interface and enable routing. Allows more functionality (such as mapping drives etc to machines outside the private network). Default gateway of Virtual Machines / other devices on private network assigned the IP address of the physical NIC plugged into the private network (192.168.10.254).
- Alternatively, install RRAS and configure as a full router. Get comms guys to add a static route in the router network to get at your private subnet via your physical machine (bit hazy on the specifics of doing this, haven't touched my Cisco routers for a while). Default gateway of Virtual Machines / other devices on private network assigned the IP address of the physical NIC plugged into the private network (192.168.10.254). Gives fully routed ability to machines within the private network; essentially they behave as if they were another subnet on the production network.

Since I typically don't want free-for-all copying of data backwards and forward from the production network into the test lab, I would probably implement the ISA Server version, and use the physical server as a TS hop-point into the test network. Any data that has to go between the networks is firstly copied into the physical server, then copied from there into the test network. This allows virus scanning etc to take place on the physical server before it enters or leaves the test environment.

I have implemented essentially this sort of thing for our gateway (DMZ) environment (minus the virtual servers running around), and from a management perspective it works quite well.

I may be incorrect on some of the NAT'ing / IP routing protocol stuff; I'm sure someone will bash me if that's the case *grin*

Hopefully that's not all too confusing.

G.

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Your Name
Sent: Tuesday, 30 November 2004 6:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Virtual Server 2005

Thanks.

From your descriptions, I think I would want to use NAT only on the NIC connected to the production network. That is, have all of the traffic from the virtual network appearing as a single address on the production network. Since I want everything on the test network (virtual and physical hosts) to appear on the same subnet, I don't think I want NAT on the Test NIC. In assigning it a static address on the virtual subnet, does it become a gateway under RRAS? I'm a little unclear on this, and (I think) it runs counter to Glenn's recommendation earlier.

I will try some configurations later in the day.

Greatly appreciate the detailed suggestions.

-- nme

> The Test Physical NIC should be configured with a private IP address
> that is on a subnet unique when compared to your production
> environment. You mentioned that you assigned static address to your VMs,
> therefore your Test Physical NIC should be on the same subnet as the VMs.
>
> With regards to routing, you do need to set up a device to route between
> the two networks. How you do this depends on your planned architecture.
> Do you want "true routing" or "NATed routing"?
>
> For true routing, set up the physical host with the Production and Test
> NICs with RRAS configured as a router. This will allow all VMs, when
> configured with the proper gateway, to "freely" route from their Test
> network to the Production network.
>
> Using a NAT instead will limit the ability of the VMs to talk to the
> production network. In your general scenario, this is the method most
> often used in order to isolate the test network as much as possible. To
> do this you have three basic options:
>
> 1. Use RRAS to set up a NAT on the physical host with both NICs.
> 2. Use ISA to set up a NAT on the physical host with both NICs.
> 3. Use Windows Internet Connection Sharing (OS dependent) to set up a
> NAT on the physical host with both NICs.
>
> Of course, with any of these options you could substitute the use of the
> physical host for that of a VM so long as the VM is configured with two
> NICs, one on the Test LAN and one on the Production network, as is the
> physical host it resides on.
>
> Your host DNS suffix configuration should not negatively impact
> anything...
>
> HTH
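As an added illustration, not part of any message in this thread: the Python model below encodes the two-NIC RRAS host from the ipconfig output posted above, with NAT applied only on the ProductionLAN interface as the earlier replies recommend, and shows why the fix stated at the top of the thread works. With a default gateway entered on TestLAN the host holds two default routes, one of them pointing at its own address, so Internet-bound traffic from the test subnet has no unambiguous path; with that field left blank, the only default route is the one on the NAT interface. The validate() check also reports that 172.15.8.0/22 lies outside RFC 1918 (the private block is 172.16.0.0/12), which matters when picking a test range. Route metrics, the equal-metric tie, and the source-rewrite rule are simplifying assumptions of this model, not RRAS internals.

```python
"""Model of the two-NIC RRAS/NAT host from the thread (added example).

Longest-prefix routing lookup with metric tie-break, a NAT source rewrite on
the public interface, and a configuration check for the two problems the
thread surfaces: a default gateway on the internal interface, and an internal
range that is not RFC 1918 space. Addresses are taken from the posted
ipconfig; metrics and the NAT rule are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface, ip_network
from typing import Dict, List, Optional

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
DEFAULT = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    gateway: Optional[IPv4Address]   # None = on-link (directly connected)
    metric: int


@dataclass(frozen=True)
class Decision:
    ok: bool
    egress: Optional[str]
    next_hop: Optional[str]
    src: Optional[str]               # source address as seen on the egress link
    reason: str


class Host:
    def __init__(self, addresses: Dict[str, object], routes: List[Route], nat_public: str):
        self.addresses = addresses   # interface name -> IPv4Interface
        self.routes = routes
        self.nat_public = nat_public # interface whose address replaces internal sources

    def best_routes(self, dst: IPv4Address) -> List[Route]:
        """All routes tied for best: longest prefix first, then lowest metric."""
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return []

        def rank(r: Route):
            return (-r.prefix.prefixlen, r.metric)

        best = rank(min(matches, key=rank))
        return [r for r in matches if rank(r) == best]

    def forward(self, src: str, dst: str) -> Decision:
        """Decide how a packet from src to dst leaves the host."""
        dst_ip = ip_address(dst)
        best = self.best_routes(dst_ip)
        if not best:
            return Decision(False, None, None, None, "no route to %s" % dst)
        if len(best) > 1:   # two default routes with equal rank: the ambiguous case
            return Decision(False, None, None, None,
                            "ambiguous: %d equal-rank routes for %s" % (len(best), dst))
        r = best[0]
        next_hop = r.gateway if r.gateway is not None else dst_ip
        if r.gateway is not None and r.gateway == self.addresses[r.interface].ip:
            return Decision(False, r.interface, str(next_hop), src,
                            "black hole: gateway is the host's own address")
        # NAT: internal sources leaving via the public interface take its address.
        new_src = str(self.addresses[r.interface].ip) if r.interface == self.nat_public else src
        return Decision(True, r.interface, str(next_hop), new_src, "forwarded")


def validate(host: Host) -> List[str]:
    """Configuration findings a practitioner would check before enabling NAT."""
    findings = []
    defaults = [r for r in host.routes if r.prefix == DEFAULT]
    if len(defaults) > 1:
        findings.append("%d default routes; expected exactly one" % len(defaults))
    for r in defaults:
        if r.interface != host.nat_public:
            findings.append("default route on internal interface %s; leave its gateway blank" % r.interface)
        if r.gateway == host.addresses[r.interface].ip:
            findings.append("default gateway on %s is the host's own address" % r.interface)
    for name, addr in host.addresses.items():
        if name != host.nat_public and not any(addr.network.subnet_of(p) for p in RFC1918):
            findings.append("%s uses %s, which is not RFC 1918 space" % (name, addr.network))
    return findings


def build_host(testlan_gateway: Optional[str]) -> Host:
    """Host from the posted ipconfig; testlan_gateway=None is the fixed configuration."""
    prod = ip_interface("192.168.90.100/24")
    test = ip_interface("172.15.8.1/22")
    routes = [
        Route(prod.network, "ProductionLAN", None, 10),
        Route(test.network, "TestLAN", None, 10),
        Route(DEFAULT, "ProductionLAN", ip_address("192.168.90.1"), 20),
    ]
    if testlan_gateway is not None:   # the misconfiguration: assumed equal metric
        routes.append(Route(DEFAULT, "TestLAN", ip_address(testlan_gateway), 20))
    return Host({"ProductionLAN": prod, "TestLAN": test}, routes, nat_public="ProductionLAN")


if __name__ == "__main__":
    for label, host in (("broken", build_host("172.15.8.1")), ("fixed", build_host(None))):
        print(label, host.forward("172.15.8.20", "198.51.100.7"))   # constructed Internet target
        for finding in validate(host):
            print("  -", finding)
```

Running the module prints the forwarding decision for a test-subnet VM reaching a constructed Internet address under both configurations, followed by the findings; only the non-RFC 1918 note remains once the TestLAN gateway field is blank.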

List info   : http://www.activedir.org/mail_list.htm

List FAQ    : http://www.activedir.org/list_faq.htm

List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
