A Secure budget VMware LAB Environment – Step one – Design

I was recently challenged with designing a VMware environment for a team within an existing network.

I had some requirements.

I needed to keep the cost low, meaning I could propose some license costs, but I had to use existing back-end storage and servers with a little RAM.

I had ten users that needed to use Visual Studio with dual monitors within Windows 7, but had older computer resources. Staff needed an environment that was separated from Production. Staff had a SQL requirement to use in conjunction with Visual Studio in a separated environment.

I had the following hardware.

An FC SAN in the main environment.
A VMware View cluster in the main environment.

A Hardware Pool with the following.

A Dell MD1000 with 14 300GB 10k disks, and a PCIe hardware RAID card.
Two Dell 2950s.
A Dell 2850.
A Dell 2650.

I decided to take the 2850 and make it an Openfiler box, connected to the Dell MD1000.

I proposed the following new hardware for the lab.

Additional RAM for the three hosts, and the Openfiler box. I would recommend NFS for ease of use.
An SMB switch with enough ports that has jumbo frame and LACP support. The switch had to support the proper VLANs for the lab: NFS, iSCSI, etc.
VMware vSphere, vCenter and Windows Licensing.

No redundancy requirements (i.e. switch or storage at this time); backups were decided to be done outside of this scope.

My thought process was to take the above hardware and create the needed environment; the challenge was to deliver the VMware View performance and VMware vSphere cluster performance with the above hardware. Additionally, I needed to provide a segmented, secure network with controlled access in and out.





In this first configuration, I recommended using a firewall both internal to the segmented network and going into the main network.

To me this is a secure solution, but in this case the View desktops would be on the main domain, and would need to be VLAN'd off separately. This would require VLAN access security, as well as a firewall configuration.
To get the VMware View desktops access into the segmented network, routes would need to be defined.

In this configuration I set up two trunked ports from the segmented network into the VMware View hosts. This allows the VMware View desktops to be on the segmented domain.
This would require configuration of EtherChannel on the switches, and a separate vSwitch/vDS that the interfaces would be plugged into on each host. Additionally, I would recommend using a Cisco 1000v vSwitch with VLAN security, or vShield Zones.

Thoughts on each? Other recommendations? Any recommendations to improve each of the above? I’d love to see some comments. Which would you pick, and why?

DM me, or e-mail me.

If you want to see my Openfiler proof of concept, see my post:

Lab Powered by vSphere OpenFiler And NFS – A view from Veeam Monitor

Next:  backup planning.

UPDATE: To clarify some of the questions below.

The VMware View host servers in the right diagram are FC connected to an enterprise SAN. The desktops will not saturate the SAN in terms of I/O.
I also made the recommendation to max the memory on one of the two servers.

The Openfiler box is using RAID 10, with 1 hot spare.

A VMware Essentials bundle was recommended for the lab. A cluster will be defined, as two hosts are vMotion compatible.

Roger L

Written by Roger Lund

VMware and Storage crazy man, vExpert, MN VMUG leader