VMware Cloud Community

khaliqamar
Enthusiast

vDS issue

hello,

I need some suggestions on vDS

I am running a vSwitch, so VM01 and VM02 are running in a single port group (100) and the VMs can ping each other, so I am implementing a vDS isolated private VLAN to stop them pinging each other.

At this point I already have a port group named 100 trunked on the physical switch, which I am already using in the vSwitch.

My questions:

1. What settings need to change on the physical switch to use the same trunked port group which earlier I was using as a normal port group in the vSwitch?

2. All my other management servers are physical ones, like DNS and Exchange. Will the vDS isolated VLAN allow them to access DNS/Exchange?

7 Replies

JPM300
Commander (accepted solution)

Hey VirtualRay,

If your PVLAN is 100, your physical switch will need to have the ability to handle PVLANs. If it does, you will only need to pass PVLAN 100, as the isolated VLANs inside your PVLAN stay there.

PVLAN 100
  - PVLAN 101 Isolated
  - PVLAN 102 Community

PVLAN 100 will be your switch or firewall.

Re: DMZ question

When I get to my system that has Visio on it, I will draw a diagram that will hopefully be able to help you see it a little better.

2.) Your other physical servers like DNS, Exchange, etc. will only be able to talk to what is in your isolated or community VLAN if you have a route or rule in your firewall to do so. So for instance PVLAN 101 can only talk to PVLAN 100, which will be your switch or firewall. PVLAN 102 can talk to anything that is also in the same community and PVLAN 100. If PVLAN 100 runs to your firewall, then you can put rules or routes in place to have other VLANs talk to some things.

I hope this has helped.

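Added example (not part of any post in this thread): a Cisco IOS-style private VLAN configuration that follows JPM300's numbering above (100 primary, 101 isolated, 102 community) and answers question 1 for the case the thread settles on later, a physical router and physical DNS/Exchange servers. The switch vendor, the interface names, the SVI and the 192.0.2.0/24 address are assumptions; the thread never names the switch model. The same layout works for the 500/501/502 numbering discussed further down, with the IDs swapped.

```cisco
! Added example, not from the thread. Cisco IOS-style PVLAN configuration
! matching JPM300's numbering: 100 primary, 101 isolated, 102 community.
! Interface names Gi1/0/1, Gi1/0/2, Gi1/0/10, the SVI and its address are
! assumptions; adjust them to the real switch.
vtp mode transparent
!
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Uplink to the ESXi host: a normal 802.1Q trunk that carries the primary
! and both secondary VLANs. The vDS tags frames from the isolated port group
! with 101 and from the community port group with 102; the switch then
! enforces the PVLAN rules on those tags, so nothing else is needed on the
! uplink beyond allowing the three IDs.
interface GigabitEthernet1/0/1
 description ESXi uplink (vDS)
 switchport mode trunk
 switchport trunk allowed vlan 100,101,102
!
! Physical DNS/Exchange servers and the router sit on promiscuous ports:
! they can reach every secondary VLAN and every secondary VLAN can reach them.
! VM01 and VM02 in isolated 101 therefore still resolve DNS, but not each other.
interface GigabitEthernet1/0/2
 description DNS server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
interface GigabitEthernet1/0/10
 description uplink to physical router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! If the gateway is an SVI on this switch instead of the physical router,
! map the secondaries to it and keep local proxy ARP off: with it on, the
! switch answers ARP on behalf of isolated hosts and relays VM01<->VM02
! traffic at layer 3, reopening the path the isolated VLAN was meant to close.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,102
 no ip local-proxy-arp
```

On the vDS side the mapping is mirrored: define primary 100 with secondaries 101 (isolated) and 102 (community) in the distributed switch's Private VLAN settings, then create one distributed port group per secondary and move VM01 and VM02 into the isolated one. Check the switch side with `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/2 switchport`; the expected result is that VM01 and VM02 cannot ping each other while both still reach the DNS server and the router on the promiscuous ports.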
khaliqamar
Enthusiast

So I have to put my DNS and other servers also on the same sort of private VLANs on my physical switch in order to get access to the outside (physical server) DNS. Otherwise they will not be able to talk to my VMs inside the isolated private VLAN.

The vDS does not even control inside ESXi, but it knows how the traffic is coming from outside: only if the traffic is coming from the isolated/community port group does the vDS allow it to talk to a VM inside the vDS.

Currently I am in the process of testing it.

Thank you JPM300!!!

JPM300
Commander

Sorry, I would have replied sooner, but we had internet issues ALL DAY due to a Bell outage.

There is a really good video of a guy who sets up a VMware vDS PVLAN end to end; let me see if I can dig it up for you and post it here. I found it when I was studying for my DCA.

http://www.vladan.fr/private-vlans-vmware-vsphere/

Here is the video:

https://www.youtube.com/watch?v=spOf1MuH1N4

Np, any time, glad I could help.

khaliqamar
Enthusiast

Hello JPM300,

The video from Eric you shared has a router VM in his promiscuous VLAN, but in my case I have a physical router, so my vDS will be attached to a physical switch and then the physical router.

Do you think it will work if I have the primary VLAN and the isolated VLAN as a secondary VLAN trunked on the physical switch, and the router is also physical?

Thanks again.

JPM300
Commander

Yeah, it should work just fine; the ports that your PVLAN plugs into on your physical switch just need to have PVLAN enabled and be on the promiscuous VLAN ID. From there the switch will route it to the gateway/router to do any routing, where you can control if you want anything else to route to other VLANs.

Just treat those switch ports like Eric treats the virtual router. If for some reason it doesn't work, you can always put a virtual router in place like Eric does, but I don't think you will need to. Give it a try and let us know how it goes.

khaliqamar
Enthusiast

Hi,

So I just need to create the PVLAN on the physical switch, and from then I will create the vDS.

In the vDS I will create a primary VLAN 500 and secondary VLAN 501 > 502 isolated VLAN.

On the physical switch I only need to create private VLAN 500, and at the vDS level the vDS handles the secondary VLAN and isolated VLAN?

My test servers are almost ready and this week I will give it a try.

Any information about the router: which virtual router can I put in and how should I configure it?

Thanks a lot

JPM300
Commander

Yes, your setup with the VLAN is correct and that should work. If, however, for some reason it doesn't work out, you can look into a virtual router or VMware vShield to create the firewall. Let us know how it goes.
