ESXi, vswitch and CARP IP
I'm looking for some advice.
I have two ESXi hosts, linked by a single network card.
On each host, I created a vswitch which includes the physical network card. Then I added port groups to this vswitch in order to create two separate subnets (say lan_a and lan_b).
So far, so good: I can set up CARP IPs and they do work well.
But I feel like this setup is not very good in terms of "traffic isolation". If I run a packet capture on one of the interfaces (in lan_a) I can see traffic (from lan_b) which is not for this interface. I guess this is quite normal, since in ESXi I have to activate "promiscuous" mode in order to make CARP possible.
So is there any other option, which could allow the use of CARP IPs between two hosts and a good level of isolation?
Usually I set up vswitches without any physical interface attached to them, and pfSense does the routing. This provides a decent isolation (well, at least when I do a packet capture I don't see any other traffic but the one related to the interface).
But then, no more layer 2 possible, right? Hence no CARP IP …
I have attached a diagram to show the current ESXi network settings. Both ESXi hosts are configured the same way.
So right now every firewall interface has a CARP IP which is working perfectly.
But I feel there is something wrong: I set up a DHCP server on each interface, and most of the time there is one DHCP server which answers all the network requests, even those from servers in other networks. I guess this can be explained by the fact that all my "port groups" are attached to the same vswitch (which is also in promiscuous mode).
But how can I avoid this and make every DHCP server answer its own subnet only?
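As an added illustration (not part of the thread), a small Python check for the symptom described above: given a capture summary of the DHCP replies seen on each firewall interface and the subnet each interface is meant to serve, it flags replies sent by a DHCP server outside that subnet or offering an address outside it. The interface names, subnets and capture lines are constructed for the example.

```python
import ipaddress
import re

# Firewall interfaces and the subnet each one is meant to serve.
# Constructed for this example; not the poster's real addressing.
INTERFACE_SUBNETS = {
    "lan_a": ipaddress.ip_network("10.0.10.0/24"),
    "lan_b": ipaddress.ip_network("10.0.20.0/24"),
}

# Constructed capture summary of DHCP replies seen per interface, one per line:
# "<iface> <server_ip> > <client_mac> DHCP-<OFFER|ACK> yiaddr=<offered_ip>"
SAMPLE_CAPTURE = """\
lan_a 10.0.10.1 > 00:0c:29:aa:bb:01 DHCP-OFFER yiaddr=10.0.10.50
lan_a 10.0.20.1 > 00:0c:29:aa:bb:02 DHCP-OFFER yiaddr=10.0.20.77
lan_b 10.0.20.1 > 00:0c:29:aa:bb:03 DHCP-ACK yiaddr=10.0.20.78
lan_a 10.0.20.1 > 00:0c:29:aa:bb:04 DHCP-ACK yiaddr=10.0.10.51
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+) (?P<server>\S+) > (?P<client>\S+) "
    r"DHCP-(?P<msg>OFFER|ACK) yiaddr=(?P<yiaddr>\S+)$"
)


def find_cross_subnet_dhcp(capture, subnets=INTERFACE_SUBNETS):
    """Flag DHCP replies on an interface that come from a server outside that
    interface's subnet or hand out an address outside it: either one means a
    DHCP server on another port group is reaching this segment."""
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["iface"] not in subnets:
            continue  # skip unparseable lines and unknown interfaces
        net = subnets[m["iface"]]
        server = ipaddress.ip_address(m["server"])
        offered = ipaddress.ip_address(m["yiaddr"])
        reasons = []
        if server not in net:
            reasons.append("server_outside_subnet")
        if offered not in net:
            reasons.append("address_outside_subnet")
        if reasons:
            findings.append({
                "iface": m["iface"], "msg": m["msg"], "server": str(server),
                "client": m["client"], "yiaddr": str(offered), "reasons": reasons,
            })
    return findings
```

Run it against the sample and the two replies from 10.0.20.1 seen on lan_a are reported; the lan_b line and the first lan_a line are clean.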
A switch is a layer 2 device, so it's still one broadcast domain. You can create VLANs to split them up. But turning your interface into promiscuous mode makes it one broadcast and collision domain.
Maybe you should add another NIC dedicated to CARP.
Unfortunately I can't add a secondary NIC, as the server is provided as is by a hosting company (OVH).
So my best option would be to add VLANs … I'll do some tests to see if they are supported by the provider's switches.
And the answer is no. The provider doesn't currently permit passing VLAN tags between two hosts. It will be added in a future release though.
But for now, I can't use VLANs.
So what is the best option to isolate the subnets? Am I right in assuming that if I create a new vswitch with no interface attached to it, CARP won't work at all for the subnet in this vswitch?