VMware Cloud Community
brian_plank
Contributor

External Switch Tagging vs Virtual Switch Tagging

Hello guys,

I'm really confused about these two configuration modes and their uses / implications.

Say that you have four pNics and will configure the vSwitches in the following way:

      • one vswitch with service console port group, vmkernel (vmotion) port group and VM's port group defined and four pnics attached to it

All three services (SC, vmotion and vmtraffic) are in the same network (e.g.: 192.168.1.X), so, all the pnics are attached in the physical switch to this VLAN.

In this scenario, I guess that I'll use EST, right? Do I need to configure something in the physical switch (like trunking the 4 pnics)? Or just nic teaming the four nics in the vswitch is enough? Or both?

=======================================================================================================

Say now that you have 6 pnics and will configure the vSwitches in the following way:

      • one vswitch with service console port group defined and two pnics attached to it

      • one vswitch with vmkernel (vmotion) port group defined and two pnics attached to it

      • one vswitch with vm port group defined and two pnics attached to it

Each service has its own network, but now, you have production and DMZ VM's.

In this scenario, I guess that I will have to do the following (prepare yourself because it's really confusing, at least to me):

1) Attach the first two nics in the pswitch, in the management vlan, and, in the vswitch nic team these two nics. So you're using EST.

2) Attach the second pair of nics in the pswitch, in the vmotion vlan, and, in the vswitch nic team these two nics. So you're using EST.

3) Attach the last pair of nics in the pswitch to two ports that don't have any VLAN defined on them and then create two port groups in the vswitch: one for production VMs and another for DMZ VMs, tagging with the correct VLAN IDs and nic team these two nics. So you're using VST.

Edit: I realized that I could simplify the second scenario by simply saying that all three services would be in the same vswitch with 6 pnics attached to it, but with four networks needed. And attach these 6 nics in the pswitch with no vlan defined on these 6 ports.

As you may notice, I'm pretty new to this stuff, so, if I'm saying something (or everything) wrong, I'm sorry.

I have attached two drawings to try to be clearer.

Excuse my English.

Message was edited by: brian_plank

kjb007
Immortal

First, if you have all NICs within one vSwitch, they all need to be configured the same, else you will have to separate them at the vSwitch portgroup layer, and that can be confusing from a management perspective. Also, for security reasons, you want to segregate at the vSwitch level as well, as the vSwitch is a memory object, and all portgroups on the same vSwitch are on that same memory object. Separating into separate vSwitches makes management clearer, as well as being better from a security perspective.

Second, your terminology is correct. When you are not tagging at all, or tagging at the physical switch level, that is external switch tagging. You are basically relying on the physical switch to set your VLAN.

When you want to add additional VLANs on the same interface, then you have to configure the switch to be a trunk (Cisco term) or a tagged port (HP terminology). That trunk should allow all VLANs you want the ESX host to make available to the VMs it runs. Then, on the ESX side, each VLAN that you want to access will be created as a portgroup, and the appropriate VLAN ID specified. Also, make sure that the native VLAN is different for the trunk than the VLANs you are allowing. Otherwise, by default, the switch will not tag these VLANs and you will not be able to communicate.

-KjB

VMware vExpert

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
brian_plank
Contributor

Thanks for your reply, KjB.

I'm still unsure about a couple of things that I have mentioned earlier:

1) In the first scenario, do I need to configure a trunk at the pswitch level? Or is it just plug and play once you're using port-based VLANs? I understood that you don't need to configure anything in the pswitch. Am I right?

2) In the second scenario I connect the pnics to physical switch ports that don't have any VLANs defined on them, is that OK? The switch (let's say a "good" Cisco one) is able to handle port-based VLANs and tagged VLANs, allowing them to communicate properly, right?

I didn't get what you mean with: "Also, make sure that the native VLAN is different for the trunk than the VLANs you are allowing. Otherwise, by default, the switch will not tag these VLANs and you will not be able to communicate."

Could you explain it a little bit to me? What is a native VLAN?

kjb007
Immortal

In the first scenario you are correct. No trunk necessary. On the other hand, I myself prefer to use trunks for all of my connections, with all of my VLANs available on all of my trunks. That way, if I ever need to switch my pNICs around, I can do so without network involvement. If you control the network yourself, then that's not a problem. Of course, this is not required, the way you have your first scenario outlined will work just fine. And by trunk, I mean an 802.1q trunk in Cisco terms, as opposed to a trunk in HP terms, which would be an 802.3ad link aggregation.

In the 2nd scenario, only the VM network vSwitch portgroups where you need multiple VLANs are where you need the trunk. Just make sure the native VLAN on that trunk is different. Also, you will need to configure the ports as either an access port (which means the port will be part of a single VLAN) for the management VLANs, or a trunk port with multiple VLANs allowed. Other than that, there should be no problem with tagged and un-tagged VLANs. I use them all the time.

-KjB

kjb007
Immortal

With an 802.1q trunk, when you configure a trunk, you can define a "native" VLAN. A native VLAN will be used if there is traffic on that port that does not have a tag associated with it. It, in essence, is the default VLAN. For example, say you have a trunk that allows VLANs 1, 2 and 3, and VLAN 1 is the native VLAN. Then, when you configure the ESX side with 3 portgroups, one with VLAN 2, one with VLAN 3, and one with no VLAN ID assigned, the last portgroup will be assumed by the physical switch to be VLAN 1. Hope that clears things up a bit.

-KjB

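The access-port (EST) and 802.1q trunk (VST) behaviour discussed in this thread, including the native-VLAN mismatch KjB warns about, as an added model that is not VMware, Cisco or HP code. The VLAN numbers are constructed samples; `switch_egress` and `portgroup_accepts` are hypothetical helper names.

```python
# Model of how a physical switch port hands frames to an ESX vSwitch port group.
# Added example (not vendor code); VLAN numbers are constructed samples.
DROP = object()  # sentinel: the switch does not forward the frame at all


def switch_egress(vlan, mode, access_vlan=1, allowed=frozenset(), native=1):
    """A frame classified into `vlan` inside the switch leaves the port towards ESX.
    Returns the 802.1Q tag on the wire: None = untagged, DROP = not forwarded."""
    if mode == "access":              # EST: the switch owns the VLAN, never tags
        return None if vlan == access_vlan else DROP
    if mode == "trunk":               # 802.1q trunk (Cisco "trunk", HP "tagged")
        if vlan not in allowed:
            return DROP
        return None if vlan == native else vlan   # native VLAN leaves untagged
    raise ValueError("unknown port mode: %r" % mode)


def portgroup_accepts(wire_tag, portgroup_vlan_id):
    """ESX vSwitch port group filter.
    VLAN ID 0 = no tagging (EST), 1-4094 = VST (tag stripped for the VM),
    4095 = VGT (every tag handed to the guest)."""
    if portgroup_vlan_id == 0:
        return wire_tag is None
    if portgroup_vlan_id == 4095:
        return True
    return wire_tag == portgroup_vlan_id


def delivered(vlan, mode, portgroup_vlan_id, **port):
    """True if a frame in `vlan` reaches a VM on the given port group."""
    tag = switch_egress(vlan, mode, **port)
    return tag is not DROP and portgroup_accepts(tag, portgroup_vlan_id)


def native_vlan_example():
    """KjB's example: trunk allowing 1, 2, 3 with VLAN 1 native; port groups
    VLAN 2, VLAN 3 and 'no VLAN' work, a port group set to VLAN 1 does not."""
    trunk = dict(allowed={1, 2, 3}, native=1)
    return {
        "pg_vlan2_gets_vlan2": delivered(2, "trunk", 2, **trunk),    # True
        "pg_none_gets_native": delivered(1, "trunk", 0, **trunk),    # True
        "pg_vlan1_gets_native": delivered(1, "trunk", 1, **trunk),   # False: untagged
        "pg_vlan4_not_allowed": delivered(4, "trunk", 4, **trunk),   # False: dropped
    }


if __name__ == "__main__":
    for check, ok in native_vlan_example().items():
        print("%-22s %s" % (check, ok))
```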
brian_plank
Contributor

OK, now I guess I got it.

It would be the "same" thing to connect directly to the switch with no trunk configured (and thus no VLAN defined in the vswitch) as to connect to the switch via a trunk and pass one or more VLANs through it.

But, as you mentioned, with trunks you have more flexibility in case you want to add more VLANs.

Thanks for the clarification on the native VLAN thing too.

Best regards.

kjb007
Immortal

No problem. Happy to help.

-KjB
