VMware Cloud Community
GouldAdam
Contributor

VLAN and Physical and vSwitch Configuration

I am in the process of setting up a home lab and recently purchased a new physical switch with the objective of creating a number of VLANs to segment different networks with a router controlling access to each network.

The router is configured with 4 networks each on a separate interface:

  • 10 network – home network
  • 172 network – management network
  • 192 network – lab network
  • Internet

These are in turn connected to a single physical switch. I would like my switch to have 3 VLANs to correspond to each network. Hosts on these VLANs may be physical or virtual. To enable connectivity to the virtual hosts a dedicated NIC on the vSphere server will be bonded to a vSwitch and connected to the respective VLAN on the physical switch.

Can someone please explain to me what is required from a VLAN tagging perspective in order to get this working while maintaining separation between networks?

I have tried a combination of tagging at the physical switch and virtual switch and am unable to get full connectivity to both virtual and physical hosts. At the moment I have three VLANs (default (1) where my 10 network is), 172 and 192.

I can ping the physical hosts on 172 and 192 VLANs however I cannot ping any virtual guests.

I can ping both physical and virtual guests from a virtual guest on any other network.

The router does not have any VLAN configuration at all.

Thanks,

Adam


Accepted Solution
RichardBush
Hot Shot

Hi Adam,

I can give you an explanation of the way I would do this using Cisco equipment.

You say you have 4 NICs coming from your host, and want VLAN'd networks, so a very simple way to do this would be to create the VLANs on the switch. Set each of the physical NICs on the switch to be an access port to the correct VLAN. Personally I would trunk all the interfaces, but access is easier to explain...

So an example (Cisco config)

Interface 1 on the switch access to VLAN 10 - conf t, interface gi 1, switchport mode access, switchport access vlan 10

Interface 2 on the switch access to VLAN 172 - conf t, interface gi 2, switchport mode access, switchport access vlan 172

etc

When you create your vSwitches, select the correct uplink, create a VM network per vSwitch; you wouldn't need to specify a VLAN.

If you wanted connectivity between the VLANs to happen in the switch, assuming you have an L3 switch, you can give the VLANs IP addresses on the correct subnet, use this as the gateway for clients and turn on IP routing.

Internet access: how I have this set up in my lab is I have a trunk between the switch and the router, allowing the VLANs on my networks that require internet traffic; my router has sub-interfaces set on the trunk interface for each VLAN. These subs have an IP in the correct VLAN (all clients use this as the gateway). The internet link is plugged into the outside of the router and that deals with all the NATs and routing between VLANs etc.

Another way to do this would be to have an additional VLAN on the switch to which your router connects, give them both IP addresses, and use the switch to route 0.0.0.0 0.0.0.0 to the IP of the router. You would need to set up NATs for each of the networks and no doubt some allow lists, but it's possible.

Not as easy to explain as I thought when starting this..

3 Replies
Sysxp
Enthusiast

Your switch is probably an L2 switch.

Generally, to communicate between different VLANs you need an L3 device (L3 router).

This is because you can have port "untagged" for just one VLAN.

So, to route between your VLANs you need to create VLAN interfaces on your L3 physical device.

This also may help: L2 & L3 Vlan (LAN, Switching and Routing, Cisco Support Community)

GouldAdam
Contributor

Thanks All,

In the end I actually ended up deleting and recreating the VLANs on the switch, which resolved my issue - cannot explain why.. For those looking to achieve a similar result, I simply created VLANs on the switch using an access port. The vSwitches do not have VLANs and the router handles the routing between subnets with no VLAN config on the router. This is what I had expected, since each VLAN has a router on its local subnet and only carries traffic for its own VLAN; therefore trunking is not required.
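A worked switch configuration for the layout the thread settles on, added here as an example and not taken from any post in the thread: VLAN 1 (default) stays the 10 network, VLANs 172 and 192 carry management and lab, and every device (router interface, ESXi uplink NIC, physical host) sits on an access port, so the router needs no 802.1Q configuration and the vSwitch port groups carry no VLAN ID. Interface numbers, VLAN names and the vmnic-to-vSwitch mapping are assumptions; the Cisco IOS syntax follows RichardBush's access-port approach.

```cisco
! --- Physical switch (Cisco IOS syntax; interface numbers are assumed) ---
! VLAN 1 already exists as the default VLAN and holds the 10 network.
vlan 172
 name management
vlan 192
 name lab
!
! Router: one physical interface per network, each on an access port.
! Because each router interface lands in exactly one VLAN, the router is
! the only path between the 10, 172 and 192 networks.
interface GigabitEthernet0/1
 description Router - home (10) - default VLAN
 switchport mode access
 switchport access vlan 1
interface GigabitEthernet0/2
 description Router - management (172)
 switchport mode access
 switchport access vlan 172
interface GigabitEthernet0/3
 description Router - lab (192)
 switchport mode access
 switchport access vlan 192
!
! ESXi: a dedicated NIC per vSwitch, each an access port in its VLAN
! (vmnic numbers and vSwitch names are assumed).
interface GigabitEthernet0/10
 description ESXi vmnic1 -> vSwitch-Mgmt (untagged, VLAN 172)
 switchport mode access
 switchport access vlan 172
interface GigabitEthernet0/11
 description ESXi vmnic2 -> vSwitch-Lab (untagged, VLAN 192)
 switchport mode access
 switchport access vlan 192
!
! Physical hosts go on access ports the same way, e.g.
interface GigabitEthernet0/20
 description Physical lab host
 switchport mode access
 switchport access vlan 192
!
! Checks after applying: confirm each port is in the VLAN you expect and
! that no port is unintentionally trunking (a trunk would carry all VLANs).
!   show vlan brief
!   show interfaces switchport | include Name|Administrative Mode|Access Mode VLAN
```

On the ESXi side the port group on each of those vSwitches keeps VLAN ID 0 (none): with the uplink on an access port the switch strips and adds the tag, and frames a port group tags with 172 or 192 would not be accepted by the access port, which is the "tagged on both sides" failure mode the original post describes.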
