VMware ESXi vNetworking – vSwitches bridged by multiple Layer 2 bridge hosts

Tags: bridge, stp, vmware-esxi, vswitch

I want to create a multi-VM pfsense cluster on ESXi. For those that are not familiar with pfsense, consider it a FreeBSD based router/switch (with many features on top of it, but not necessary for this question).

Basically, I want to have two physical NICs on the ESXi – an "Input" and an "Output". The Input interface would accept packets from 1 to an infinite number of hosts, and the Output interface would send them out to the Internet. See ASCII diagram below:

                       --[pfsense1]--
                      /               \
[INPUT] --------[VSW1]                 [VSW2]------- [OUTPUT]
                      \               /
                       --[pfsense2]--

Where:

  • [INPUT] is a real, physical NIC
  • [OUTPUT] is a real physical NIC
  • [pfsense1] is a virtual machine in Layer 2 Bridge mode.
  • [pfsense2] is a virtual machine in Layer 2 Bridge mode.
  • [VSW1] is a virtual switch.
  • [VSW2] is a virtual switch.

In a normal, non-VMware-ESXi setup, this is easily done with Spanning Tree. The functionality I want is this:

  1. Packets entering from INPUT to VSW1 will select a single virtual machine to pass through.
  2. When one of the virtual machines fails, packets will automatically be forwarded through the other VM instead.
  3. Packets will never be "load balanced" – they will take one path or the other.

Typically, [pfsense1] would be the highest priority, thus if it is on and functional, all traffic should pass through it. If not, then traffic will pass through [pfsense2].

How would one achieve this functionality? Does the solution lie within the VM (pfsense) or at the ESXi networking level? Can STP be used on vSwitches?


EDIT 1: Removed VLANs from the diagram as they were from an old test config (thanks Mario).

Best Answer

How would one achieve this functionality?

vSwitches are just that: a switch, and nothing else. If you had a physical switch, how would you expect it to do this? You wouldn't; you'd probably do it via round-robin DNS or an external load-balancer.

Does the solution lie within the VM (pfsense) or at the ESXi networking level?

How about within the design and understanding of what vSwitches do? What you're trying to do has been done many times before, even using pfsense; have you looked on their own support sites? (BTW, as we state very clearly when you sign up, this site is for professional sysadmins; we know what pfsense is.)

Can STP be used on vSwitches?

No, vSwitches do not act as part of a Spanning Tree network, nor can they be made to.