In some virtualization environments, the roles of network administrator and server administrator can become confused. Who administers the virtual switch when the network and server administration are handled by different groups? Rick Vanover explains the co-administration approach and how it can resolve this dilemma.
Almost every organization has embraced some amount of virtualization, and the network has surely been a hot topic as a virtual environment scales upward. Most virtual host systems (VMware ESX, Citrix XenServer, etc.) offer host-based switches that implement 802.1Q tagging on the ports to the virtual machines. This poses a unique question: Who administers the virtual switch when the network and server administration are handled by different groups?
Most organizations do not provide VLAN tags or trunks to individual servers. In the case of a virtualization implementation, the virtual host server is best suited to have access to multiple VLANs for a versatile solution. In some virtualization server hardware, such as the current blade servers, the network modules are actually Cisco blades. These modules can actually be managed like a traditional switch. But for other hardware configurations, a different solution is required.
One creative way to solve this dilemma is with a co-administration approach. This would give the network engineers access to the virtual environment for configuration during a change and read-only access for ongoing checks of configuration and for assurance that a virtual machine is not breaking any network rules, such as having a virtual network adapter on two interfaces where one is a secured or external network. In most situations, the network administrator has no visibility into the configuration of the network within virtualization installations, and the co-administered approach can change that.
This can be done quite easily within virtualization management platforms. In VMware VirtualCenter it would be a role with permissions assigned to a particular host, cluster, or datacenter. This way, the network administrator can ensure that the server administrator is using the network configuration with 802.1Q tagging as intended.