wagde
Contributor
Contributor

Can I connect a port in a vSwitch to more than one vlan in that vSwitch ?

Jump to solution

Hi

In physical switches we have the option to add a port to more than 1 vlan. how can I configure the vSwitch to add a specific port to two vlans ?

Thanx

wagde

0 Kudos
1 Solution

Accepted Solutions
mystereman
Enthusiast
Enthusiast

I just went through figuring this out myself. What you want to do is setup a trunking portgroup (VLAN ID 4095). This VLAN ID sets up that portgroup as a trunk, and forwards all VLANS into that portgroup. You then assign the Linux box to that portgroup.

After this is done, you need to use Linux vconfig (or whatever your linux distro uses to configure native VLAN trunking) to create multiple vlan interfaces (ex: eth0.100 for vlan 100). Then, you create porgroups for the individual VM's with their own VLAN ID's and you're good to go.

Here's some references:

View solution in original post

0 Kudos
9 Replies
ExCon
Enthusiast
Enthusiast

If I'm understanding your question, just use two portgroups on the vSwitch:

vSwitch1

---PortGroup1 (VLAN 100)

---PortGroup2 (VLAN 101)

Then just trunk your port straight to the ESX box, and let ESX do the tagging.

0 Kudos
wagde
Contributor
Contributor

I'm talking about a full virtualized environment.

I have 3 clients. 10.10.10.50 and 20.20.20.50 and 30.30.30.50

and I have another linux machine (firewall which should scan all the traffic) with 1 vNIC and three VLANs (eth0.10, eth0.20 and eth3.30)

Now, I don't want the hosts to be in the same port group / VLAN, in order not to see the traffic (it should be filtered by the firewall), so if one host spoof the linux ip it will see all the traffic.

So I want to do is to create 3 vlans / port groups !!! and let the linux be in all of them and on each portgorup/vlan we'll have one host.

(this configuration is possible in physical siwtches)

Thanx

Wagde

0 Kudos
ExCon
Enthusiast
Enthusiast

If you want all traffic to go through the firewall VM and be isolated from everything else, you'll probably want to use Internal Only switches.

vSwitch1, vSwitch2, vSwitch3 are not connected to any physical NICs

One VM is attached to each of the above vSwitches

vSwitch4 is attached to physical NICS, and the firwall VM has an ethernet adapter connected to each of the 4 vSwitches.

Is that what you're trying to do?

0 Kudos
wagde
Contributor
Contributor

Thanx for the nice idea. but this solution is not scalable.

I want to control all the traffic between the host VMs and not betwenn the VMs and the "physical" world outside the esx.

As you know there is a limitation of 4 vNICs in each machine, so If I have 5 subnets, this won't work.

I'm trying to figure out if there is any way to use only 1 vNIC in the firewall and defines VLANs on it and control the traffic between the VMs

ESX physical NICs are not interesting in this scenario, right ? because I'm talking about "perfect virtual env" and I don't care about the "physical world" outside the esx box.

Thanx

Wagde

0 Kudos
mystereman
Enthusiast
Enthusiast

I just went through figuring this out myself. What you want to do is setup a trunking portgroup (VLAN ID 4095). This VLAN ID sets up that portgroup as a trunk, and forwards all VLANS into that portgroup. You then assign the Linux box to that portgroup.

After this is done, you need to use Linux vconfig (or whatever your linux distro uses to configure native VLAN trunking) to create multiple vlan interfaces (ex: eth0.100 for vlan 100). Then, you create porgroups for the individual VM's with their own VLAN ID's and you're good to go.

Here's some references:

View solution in original post

0 Kudos
wagde
Contributor
Contributor

Thanx alot, it helped, it did waht I needed

But this solution has one small problem, that it does not behave like physical switches. the port with the "4095" VLAN is listening to all the VLANs, while in physical switches you can associate ports to specific VLANs and not all VLANs.

anyway, the solution suggested is good enough for me.

Thanx alot

Wagde

0 Kudos
jasonboche
Immortal
Immortal

To my dismay, I've noticed in the past that VMs populated on different VLANs within ESX VST can "see" each other providing they are subnetted properly. In other words, properly submitted, a VMware VLAN is not an uncrossable threshold for VMs. I'm not sure if this changed with ESX 3.5 now. Will have to test.

Jason Boche

VMware Communities User Moderator

VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
0 Kudos
mystereman
Enthusiast
Enthusiast

I think you must have had something misconfigured. I tested this explicitly on 3.0.2 (haven't tested 3.5 yet) and was not able to talk to other computers on the same subnet with different VLAN ID's. Are you certain you didn't have some kind of routing in place that routed between subnets automatically, such as a Linux box with ip_forwarding turned on?

0 Kudos
mystereman
Enthusiast
Enthusiast

Yes, that is a limitation of this approach. Anything on the 4095 VLAN can listen to all traffic. You cannot configure a port to be on multiple, specific VLAN's.

Typically this is not much of a problem, except in very specific circumstances. On a physical switch you would typically assign specific VLAN's to reduce broadcast traffic, but since vSwitches are not bound by physical LAN speeds (they operate at memory speeds many orders of magnitude faster than even the fastest external switch) this isn't so much of a problem.

The only issue is that it could be a security problem if you allow users who shouldn't have access to a specific VLAN to use the machine that is on VLAN 4095. The solution to this problem would be to put sensitive VLAN's on their own vSwitch.

0 Kudos