JasonVmware
Enthusiast

Default VLAN Question & Best Practices


Hello all,

I recently was reading over VMware's ESX Server 802.1Q VLAN Solutions white paper and came across the following section:

Native VLAN Issue (a.k.a "VLAN1 Issues")

"Native VLAN is used for switch control and management protocol. Native VLAN frames are not tagged with VLAN IDs in many types of switches, in which case the trunk ports implicitly treat all untagged frames as native VLAN frames.

VLAN 1 is the default native VLAN ID for most Cisco switches. However, in many enterprise networks the native VLAN is VLAN 1 or 100; it could be any number depending on your switch type and running configuration.

It is a common best practice to avoid using the native VLAN (often VLAN 1) for any regular data traffic. VMware recommends you not associate any ESX server virtual switch port group VLAN IDs with the native VLAN. Also, as long as you avoid using the native VLAN for your VLAN port groups, there is no native VLAN related configuration necessary on the ESX server systems."

With this being said, I know a lot of people in small to medium-size networks leave their switching network on the default VLAN. If this is the case, would it be best to change the entire switching network to a different VLAN and then put the port groups on the same VLAN? Or is the issue with the default VLAN really not that impacting?


Accepted Solutions
Texiwill
Leadership

Hello,

You have quite a few networks involved when using virtualization, and some I would classify as Virtualization Host Networks: Service Console, VMotion, IP Storage. They should most likely be on separate networks from your VM Network traffic. At least use VLANs to do this.

Check out http://kensvirtualreality.wordpress.org for a good set of blogs on virtual networking.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst

2 Replies
proden20
Hot Shot

Create a virtual switch for virtual machines. This virtual switch can contain different port groups for tagged VLANs (for instance, virtual servers and virtual workstations).

Create a virtual switch for an isolated Service Console port group and VMkernel traffic port groups (iSCSI and VMotion), or multiple virtual switches for them if you have the NICs.

Remember to use LACP at the physical switch end for teamed virtual switches to prevent packet reflection.
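As an added example (not part of the thread, and not a VMware tool), here is a POSIX shell script for the ESX service console that audits the output of `esxcfg-vswitch -l` against the two points raised above: the white paper's warning about the native VLAN (a port group with VLAN ID 0 sends frames untagged, so on a trunk they ride the native VLAN, and a port group tagged with the native VLAN ID itself is the same exposure), and the replies' advice to keep Service Console, VMotion and IP storage on VLANs that no VM port group shares. The column layout, the sample output, and the port-group names used to recognise host networks are assumptions; set NATIVE_VLAN to whatever the physical trunks actually use (on Cisco IOS, `show interfaces trunk` shows it).

```shell
#!/bin/sh
# Audit an ESX classic host's vSwitch layout from `esxcfg-vswitch -l` output.
# Two checks, matching the advice in the thread:
#   1. no port group uses VLAN ID 0 (untagged: on a trunk those frames ride the
#      native VLAN) or the native VLAN ID configured on the physical trunks;
#   2. no VLAN ID is shared between host networks (Service Console, VMotion,
#      IP storage) and VM port groups.
# Assumptions (not from the thread): the column layout below, where the last
# three fields of a port-group row are VLAN ID, Used Ports, Uplinks, and the
# port-group names used to recognise host networks. Rows with an empty Uplinks
# column (internal-only vSwitches) are not handled.

NATIVE_VLAN="${NATIVE_VLAN:-1}"                         # native VLAN on the physical trunks
INFRA_RE="${INFRA_RE:-Service Console|VMotion|iSCSI}"   # assumed host-network port-group names

# Emit "<port group name>|<vlan id>" for every port-group row on stdin.
portgroups() {
    awk '
        /^  PortGroup Name/ { inpg = 1; next }   # header of a port-group table
        /^[^ ]/ || /^$/     { inpg = 0; next }   # vSwitch header/data line or blank line
        inpg && NF >= 4 {
            vlan = $(NF-2)                        # name may contain spaces, so count from the end
            name = $1
            for (i = 2; i <= NF-3; i++) name = name " " $i
            print name "|" vlan
        }'
}

# Port groups that are untagged (VLAN 0) or tagged with the native VLAN ID.
native_vlan_portgroups() {
    portgroups | awk -F'|' -v native="$NATIVE_VLAN" \
        '($2+0) == 0 || ($2+0) == (native+0) { print $1 }'
}

# VLAN IDs used by both a host-network port group and a VM port group.
shared_vlans() {
    portgroups | awk -F'|' -v re="$INFRA_RE" '
        $1 ~ re { infra[$2] = (infra[$2] ? infra[$2] "," : "") $1; next }
                { vm[$2]    = (vm[$2]    ? vm[$2]    "," : "") $1 }
        END { for (v in infra) if (v in vm) print v ": " infra[v] " <-> " vm[v] }' |
    sort -n
}

# Run both checks on stdin, print findings, return 1 if anything was found.
audit() {
    input=$(cat)
    rc=0
    bad=$(printf '%s\n' "$input" | native_vlan_portgroups)
    if [ -n "$bad" ]; then
        echo "Port groups on VLAN 0 (untagged) or on native VLAN $NATIVE_VLAN:"
        printf '%s\n' "$bad" | sed 's/^/  /'
        rc=1
    fi
    shared=$(printf '%s\n' "$input" | shared_vlans)
    if [ -n "$shared" ]; then
        echo "VLAN IDs shared between host networks and VM port groups:"
        printf '%s\n' "$shared" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Constructed sample in the layout of `esxcfg-vswitch -l` (not captured from a real host).
SAMPLE=$(cat <<'EOF'
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         64          4           64                1500    vmnic0,vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Service Console       0        1           vmnic0,vmnic1
  VMotion               20       1           vmnic0,vmnic1
  VM Network            1        1           vmnic0,vmnic1

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1         64          3           64                1500    vmnic2,vmnic3

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  iSCSI                 30       1           vmnic2,vmnic3
  Virtual Servers       20       5           vmnic2,vmnic3
  Virtual Workstations  40       3           vmnic2,vmnic3
EOF
)

# On a live host replace the sample with:  esxcfg-vswitch -l | audit
if printf '%s\n' "$SAMPLE" | audit; then
    echo "OK: nothing rides the native VLAN and host/VM VLAN IDs are distinct"
fi
```

On the sample the script flags Service Console (VLAN 0, untagged) and VM Network (VLAN 1, the assumed native VLAN), and reports VLAN 20 as shared between VMotion and the Virtual Servers port group. The script cannot learn the native VLAN from the host; that value comes from the physical switch configuration, which is why it is a parameter.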