Thanks for the feedback too date.

Networking is not my strong point so i appreciate the pointers and i see i have some reading too do.

Yes, the Virtual Machine Portgroups are for different VLANS.

So traffic from VM1 in PG1 (VLAN1)will need to go out too the physical switch before coming back into the vSwitch

and directed too VM2 in PG2(VLAN2) if I understand your answers correctly.

yea - if you are doing virtual switch tagging, then they need to be routed by something.

(i am however sure that traffic can pass from one PG to another on the same vSwitch if there are not vlans on them)

Yes, it will hit the physical switch. However traffic within the same portgroup will not leave the vswitch.

Best regards

Frank Brix Pedersen

Hi Ronald,

So traffic from VM1 in PG1 (VLAN1)will need to go out too the physical switch before coming back into the vSwitch

and directed too VM2 in PG2(VLAN2) if I understand your answers correctly.

This is correct. But it will also go through the router because it goes to another VLAN.

So this is the route:

VM1 --> vSwitch --> Physical Switch --> Router --> Physical Switch --> vSwitch --> VM2

Hello,

Moved to Security and Compliance forum.

Check out http://itknowledgeexchange.techtarget.com/virtualization-pro/how-traffic-routes-between-vms-on-esx-h... for information on how data routes around the virtual network.

In general however portgroup to portgroup can not communicate to each other whether on the same vSwitch or not. You would need some sort of bridge between them to make this happen. vSwitch to vSwitch also requires some sort of bridge. The only exception is a portgroup on a vSwitch with VLAN ID or 4095. VMs on this portgroup can see all traffic on the vSwitch if the VM can place its vNIC into promiscuous mode.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

In general however portgroup to portgroup can not communicate to each other whether on the same vSwitch or not.

This is assuming the 2 port groups are on different layer 3 segments though (and they would be typically). If they were not you would need to have promiscious mode enabled in order for them to 'see' the traffic of the other port group (as you suggest)

(for my clarification - not trying to be a pest)

d.

Hello,

Within a vSwitch only, one portgroup can not see the traffic of another portgroup unless that portgroup has VLAN ID 4095 and promiscuous mode vNICs are allowed.

Once you leave the vSwitch, whatever your pSwitch will allow is up to the pSwitch, if it acts as a bridge between the two portgroups, i.e. at Layer 3 then traffic can flow between them. But there needs to be something acting as this bridge. the vSwitch is a Layer 2 device which prevents this within the vSwitch.

You could also have an external firewall acting as a gateway between the two portgroups, etc.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

I think the easiest way to look at this is to not look at port groups as VLAN groups as that is not what they are. A port group is really just a configuration group in which all vNICs connected to that port group have the same configuration options.

2 or more port groups on the same vswitch can have the same VLAN ID and therefore both will see the traffic for that VLAN. The use of VLAN 4095 sends ALL VLAN traffic to the port group with that VLAN ID assigned. The use of promiscuous mode will send all traffic to all ports connected to that port group. Much like setting up a SPAN port on a Cisco switch.