- Determine use cases for and configure VLAN Trunking
- Determine use cases for and configure PVLANs
- Use command line tools to troubleshoot and identify VLAN configurations
Determine use cases for and configure VLAN Trunking
vSphere Networking, Chapter 7 “Advanced Networking”, Section, “VLAN Configuration”, page 68.
On a vSS you can only configure one VLAN ID per Portgroup.
A vDS allows you to configure a range of VLAN IDs per portgroup. In fact, there are four options for VLAN type on a vDS:
- None
VLAN tagging will not be performed by this dvPort group.
- VLAN
Enter a valid VLAN ID (1-4094). The dvPort group will perform VLAN tagging using this VLAN ID.
- VLAN Trunking
Enter the range of VLANs you want to be trunked.
- Private VLAN
Select the private VLAN you want to use. The Private VLAN must be configured first under the dvSwitch settings before this option becomes available.
Now you can join physical VLANs to virtual networks.
Remember these VLAN IDs:
VLAN 0 = None;
VLAN 1-4094 = Valid IDs;
VLAN 4095 = All IDs.
Ingress= vDS incoming traffic
Egress = vDS outgoing traffic
Configure VLAN trunking
By default a dvUplink Group is configured for all VLAN IDs.
And on the dvPortGroup Level, you can define the desired ranges of VLAN IDs.
There is an Override on the Port Level!
Why create a VLAN trunk?
Configuring a VLAN trunk is useful for VLAN troubleshooting: this way the network traffic is delivered to the guest OS with its VLAN tag intact.
You have to configure your VM with a VMXNET3 or E1000 virtual network adapter (vNIC). Inside the guest OS, configure the adapter's VLAN advanced parameter and specify a VLAN ID.
- VMware KB 1003806 VLAN Configuration on Virtual Switch, Physical Switch, and Virtual Machines. Also info on External Switch Tagging (EST), Virtual Switch Tagging (VST), Virtual Guest Tagging (VGT)
Determine use cases for and configure PVLANs
vSphere Networking, Chapter 3 “Setting up Networking with vSphere Distributed Switches”, Section “Private VLANs”, page 27.
Private VLANs are used to solve VLAN ID limitations and waste of IP addresses for certain network setups.
A private VLAN is identified by its primary VLAN ID. A primary VLAN ID can have multiple secondary VLAN IDs associated with it.
- Primary VLANs are Promiscuous, so that ports on a private VLAN can communicate with ports configured as the primary VLAN.
- Ports on a secondary VLAN can be either:
- Isolated, communicating only with promiscuous ports, or
- Community, communicating with both promiscuous ports and other ports on the same secondary VLAN.
To use private VLANs between a host and the rest of the physical network, the physical switch connected to the host needs to be private VLAN-capable and configured with the VLAN IDs being used by ESXi for the private VLAN functionality. For physical switches using dynamic MAC+VLAN ID based learning, all corresponding private VLAN IDs must be first entered into the switch’s VLAN database.
A graphic will clarify this:
Figure 4 (origin: http://daxm.net)
In the VMware documentation, you can find the whole process, step-by-step.
However, if you are new to this subject, I recommend that you watch Eric Sloof’s tutorial on this subject.
An old proverb says: “An excellent video tells you more than 1000 written words”.
- Excellent Tutorial on this subject is Eric Sloof’s video on Configuring Private VLANs.
Use command line tools to troubleshoot and identify VLAN configurations
The vSphere Networking Guide and even the vSphere Troubleshooting Guide do not provide much information on this subject.
There are a few options for troubleshooting VLAN issues with command line tools. Regardless of which CLI (vSphere CLI, PowerCLI) and location (locally on an ESXi host, the vMA or your desktop) you use, these examples assume we are able to log on to an ESXi host:
Troubleshooting means in the first place, gathering information.
- The /etc/vmware/esx.conf file contains a section on network settings. Look for entries starting with /net.
- The esxcfg-vswitch -l command gives an overview of all vSS and vDS, including VLAN settings.
- The ESXCLI command does the same. For standard switches use:
esxcli network vswitch standard portgroup list
- The esxtop command in network display is always useful to collect network statistics.
For adjusting VLAN settings on a portgroup, use the esxcfg-vswitch command with the parameter -v.
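As an added example (not from the original post), the following script audits the output of the esxcli portgroup command above: it classifies each standard-switch portgroup's VLAN ID as untagged (0), tagged (1-4094), VGT trunk (4095) or invalid, which quickly shows whether a VM portgroup unintentionally receives every VLAN the uplink carries. It assumes the command's default table layout; the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the VLAN IDs of the standard
# vSwitch portgroups that `esxcli network vswitch standard portgroup list` prints.
# Assumes the default table layout (Name, Virtual Switch, Active Clients, VLAN ID).
# On an ESXi host:  esxcli network vswitch standard portgroup list | audit_portgroups

# classify_vlan <id>: none (0, untagged), tagged (1-4094), trunk-vgt (4095, the
# guest receives every VLAN the uplink carries and must tag itself), or invalid.
classify_vlan() {
  case "$1" in
    0)    echo none ;;
    4095) echo trunk-vgt ;;
    *)
      if [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 4094 ]; then
        echo tagged
      else
        echo invalid
      fi ;;
  esac
}

# audit_portgroups: reads the esxcli table on stdin and prints one line per
# portgroup as "<vswitch>|<portgroup>|<vlan id>|<class>".
audit_portgroups() {
  # Skip the two header lines. The last three columns are fixed; every field
  # before them belongs to the portgroup name, which may contain spaces.
  awk 'NR > 2 && NF >= 4 {
         vlan = $NF; vsw = $(NF-2)
         name = $1; for (i = 2; i <= NF-3; i++) name = name " " $i
         print vsw "|" name "|" vlan
       }' | while IFS='|' read -r vsw name vlan; do
    printf '%s|%s|%s|%s\n' "$vsw" "$name" "$vlan" "$(classify_vlan "$vlan")"
  done
}

# Constructed sample of the command's output (not captured from a real host).
SAMPLE='Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1        0
VM Network          vSwitch0                     2      100
VGT Trunk           vSwitch1                     1     4095'

# Running the script directly audits the sample; on a host, pipe esxcli into it.
printf '%s\n' "$SAMPLE" | audit_portgroups
```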
- VMware KB 1004074 Sample configuration of virtual switch VLAN tagging (VST Mode), which also discusses the configuration of virtual and physical switches.