Hi
Is there any need or example for having a Native VLAN?
You have to create all the VLANs on the physical switch and trunk these VLANs to the physical switch port where the ESXi host's NICs are connected.
You can configure any VLAN as the native VLAN (again, on the physical switch port).
The native VLAN is useful where you cannot add a VLAN ID in the NIC network configuration, e.g. if you want to boot the server from the network (PXE boot).
When you create a virtual port group, add the required VLAN ID to the port group. However, make sure you are not adding the native VLAN ID to the port group.
If you add the native VLAN ID in the port group configuration, network communication will not work with that PG.
-
Haridas
In other words, if all the traffic is tagged in the vSwitch and the physical switch has only the native VLAN, how will the physical switch manage the traffic?
If you do not set any native VLAN, you can add that VLAN ID in the port group and network communication will work.
Take a look here: Sample configuration of virtual switch VLAN tagging (VST Mode) (1004074) | VMware KB
Caution: Native VLAN ID on ESXi/ESX VST Mode is not supported. Do not assign a VLAN to a port group that is the same as the native VLAN ID of the physical switch. Native VLAN packets are not tagged with the VLAN ID on the outgoing traffic toward the ESXi/ESX host. Therefore, if the ESXi/ESX host is set to VST mode, it drops the packets that are lacking a VLAN tag.
Thank you,
Thanks Richardson, I was missing the correct reason.
Thanks Richardson
I can set the VLAN to 4095 in VSS, but not in VDS; there it only goes up to 4094. Does 4094 give Wireshark the option to sniff the traffic from the other VLANs?
vHaridas
I guess I found it. VSS trunk mode is to set the VLAN to 4095, and for VDS I have to use trunk mode 1-4094 in order to allow Wireshark to sniff the traffic from the other VLANs.
Am I assuming right?
For the vSphere Distributed Switch, to enable trunk you have to add a VLAN range.
Either it could be the default 0-4094 or any other specific VLAN range which exists in your network.
You can use 4095 to enable trunk on a VSS.
Note: when you enable trunk on a port group, you need to do the VLAN tagging inside the VM guest OS network configuration (VGT Mode).
Sample configuration of virtual machine VLAN Tagging (VGT Mode) in ESX (1004252) | VMware KB
Assign a VLAN to a port group(s). The supported VLAN range is 1-4094.
Reserved VLAN IDs:
from KB - Sample configuration of virtual switch VLAN tagging (VST Mode) (1004074) | VMware KB
Wireshark to sniff the traffic
It really depends on where you are putting your Wireshark system.
E.g. if I want to sniff all traffic for VMs from PortGroup-X, which is VLAN 10, then I can enable promiscuous mode for this port group and add the Wireshark VM to this PG.
Promiscuous mode will broadcast VM traffic to all ports in that PG.
Note: port mirroring and promiscuous mode are two different things.
-
Haridas Vhadade
vHaridas
Thanks. For Wireshark, if it is on a PG on the VDS and Wireshark will sniff traffic from VLANs 101, 102 and 103, I will configure the PG attached to the Wireshark VM as trunk mode 101,102,103, or 1-4094 so that any VLANs can be added in the future (I know it is not the best config).
No need to enable promiscuous mode.
Am I assuming right?
Thank you
Yes,
thank you
My customer had the same issue and was able to figure this out. The actual behavior, if you want to use a trunk with a native VLAN for guest VMs, is to include 0 (zero) in your allow list:
Zero is the VLAN tag that matches the native VLAN. So when allowing VLANs on the uplink it's 0-4094 for the full supported VLAN range, including the native VLAN 0. On the distributed port group, the allow list needs to include 0 (zero) and whatever other VLAN tags are needed on that same trunk interface.
On the upstream switch interface into the host, the native VLAN needs to be assigned on the trunk. It could be any VLAN ID; since it is untagged, it will match 0 on the Distributed Virtual Switch uplink on the VMware host.
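As an added audit helper (not code from this thread or from VMware), the rules the replies above state, namely the VST caution about a port group using the physical native VLAN, 4095 on a VSS versus a VLAN range on a VDS for trunking, and the last reply's point about including 0 in the allow list, can be checked against a port-group inventory; the dict layout, the `native_vlan` argument and the `promiscuous` flag are my assumptions:

```python
from typing import Optional

VSS_TRUNK_ID = 4095  # on a standard switch, VLAN 4095 means "trunk all" (VGT mode)
NATIVE_TAG = 0       # in a VDS trunk range, 0 stands for untagged (native VLAN) frames


def parse_vlan_range(spec: str) -> set[int]:
    """Expand a VDS trunk spec such as '0-4094' or '101,102,103' into a set of IDs."""
    ids: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        ids.update(range(lo_i, hi_i + 1))
    return ids


def audit_portgroup(pg: dict, native_vlan: Optional[int]) -> list[str]:
    """Return findings for one port group (empty list = nothing to fix).

    pg is a constructed dict (assumed layout): name, switch ('vss' or 'vds'),
    either vlan (int) or trunk (range string), and promiscuous (bool, optional).
    native_vlan is the native VLAN on the physical trunk port, None if unset.
    """
    findings: list[str] = []
    name, switch = pg["name"], pg["switch"]
    if "trunk" in pg:
        allowed = parse_vlan_range(pg["trunk"])
        if switch == "vss":
            findings.append(f"{name}: a VSS has no trunk range; use VLAN {VSS_TRUNK_ID}")
        if native_vlan is not None and NATIVE_TAG not in allowed:
            findings.append(f"{name}: trunk range omits 0, so native VLAN "
                            f"{native_vlan} (untagged) will not reach this port group")
    else:
        vlan = pg["vlan"]
        if vlan == VSS_TRUNK_ID and switch == "vds":
            findings.append(f"{name}: 4095 is not valid on a VDS; use a range such as 0-4094")
        elif native_vlan is not None and vlan == native_vlan:
            findings.append(f"{name}: VLAN {vlan} equals the physical native VLAN; "
                            "in VST mode the untagged frames are dropped")
    if pg.get("promiscuous"):
        findings.append(f"{name}: promiscuous mode lets every VM on this port group "
                        "see all its traffic; review which VMs are attached")
    return findings
```

Run `audit_portgroup` over each port group exported from the hosts, passing the native VLAN configured on the upstream trunk port, and treat any non-empty result as a configuration to fix or review.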