VMware Cloud Community
AndrewSt
Enthusiast

Private VLANs - any plans for support on ESX?

Does anybody know if, in a future implementation, vSwitches in ESX 3.5+ will support a protocol to assign a Cisco PVLAN (private VLAN) to a port group? This important feature permits a group of VMs with IP addresses belonging to the same subnet, attached to the same vSwitch, to share a common gateway without at the same time being able to connect to each other, for example in an ISP provider scenario.

-Andrew Stueve

0 Kudos
9 Replies
-am-
Contributor

Andrew,

this would be a very helpful feature - even without Cisco proprietary extension. There are many LAN Switch vendors with PVLAN or Private VLAN support already built-in, e.g.

  • Foundry Networks

  • D-Link

  • LinkSys

  • HP ProCurve

  • and many others

What I would like to see is a common basic support for Private VLANs - description:

  • Ports A,B, C and D are members of VLAN 500 - and all Ports are members of one PVLAN

  • Port A is the common (or uplink) PVLAN port - and could be a standard tagged VLAN port

  • Ports B, C and D are not able to communicate on Layer 2 to other members of PVLAN 500, except to Port A

  • Port A is able to communicate on Layer 2 to all members of VLAN 500, including the members of the PVLAN


Sample scenarios:

  • Hotel and Guest Rooms:
    Internet-Router is attached to Port A, each guest room has its own port (Ports B, C and D) - this allows isolating each room from its neighbour, but they can share the same router for internet access

  • Firewall and DMZ (more ESX like scenario)
    Firewall DMZ segment is a member of VLAN 500 and reachable via Port A, servers attached to Ports B, C and D are isolated and only reachable via Firewall - communication between members of PVLAN hosts is controlled by Firewall on Layer 3

We are really looking forward to Private VLAN support for ESX vSwitches, because it would be a significant security enhancement feature without the port-based ACL approach and maintenance overhead - especially in hosting environments.

So, any good news out there about basic Private VLAN support for ESX vSwitches?

-am-

0 Kudos
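
The forwarding rules described in the post above, as an added example that is not part of the original post or any vendor's code: a small Python model of which ports may exchange Layer 2 frames, plus a check that flags host ports able to bypass the uplink. It goes beyond the post's isolated-port case by also modelling the community type named later in the thread; ports E and F, community ID 501, and all function names are assumptions made for illustration.

```python
from itertools import combinations

# Constructed port table for the post's example (VLAN 500): A is the uplink
# (promiscuous) port, B, C and D are isolated. E and F are an assumption
# added here to show the community type; 501 is a made-up community ID.
PORTS = {
    "A": ("promiscuous", None),
    "B": ("isolated", None),
    "C": ("isolated", None),
    "D": ("isolated", None),
    "E": ("community", 501),
    "F": ("community", 501),
}


def may_forward(src, dst, ports=PORTS):
    """True if a Layer 2 frame entering at src may be delivered to dst."""
    if src == dst:
        return False
    (s_type, s_comm), (d_type, d_comm) = ports[src], ports[dst]
    if "promiscuous" in (s_type, d_type):
        return True                      # uplink talks to everyone
    if s_type == d_type == "community":
        return s_comm == d_comm          # same community only
    return False                         # isolated ports reach only the uplink


def flood_targets(src, ports=PORTS):
    """Ports that receive a broadcast (such as an ARP request) from src."""
    return sorted(p for p in ports if may_forward(src, p, ports))


def bypass_pairs(ports, uplink="A"):
    """Host-port pairs that can talk directly, i.e. not via the uplink."""
    hosts = sorted(p for p in ports if p != uplink)
    return [(a, b) for a, b in combinations(hosts, 2) if may_forward(a, b, ports)]


if __name__ == "__main__":
    for port in PORTS:
        print(port, "->", flood_targets(port))
    # Constructed misconfiguration: port D left promiscuous by mistake.
    bad = dict(PORTS, D=("promiscuous", None))
    print("direct pairs (intended):", bypass_pairs(PORTS))
    print("direct pairs (D misconfigured):", bypass_pairs(bad))
```

In the firewall/DMZ scenario, every pair returned by `bypass_pairs` is traffic the Layer 3 firewall on port A never sees, so an unexpected pair points at a port assigned the wrong PVLAN type.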
TomHowarth
Leadership

It is very unlikely that any new functionality will be built into the vSwitch in the current version of ESX.

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
0 Kudos
weinstein5
Immortal

As Tom pointed out, there will probably be no new functionality in the switches in VI-3, but for vSphere, Cisco and VMware have been working to build the next generation of virtual switches - http://www.vmware.com/company/news/releases/cisco_vmworld08.html - incorporating the Cisco Nexus 1000v switch into vSphere.

0 Kudos
-am-
Contributor

How do you define "current version" in terms of ESX and vSwitch? Very unlikely = not available in a 3.x Version?

-am-

0 Kudos
-am-
Contributor

David, you pointed me in the right direction - thanks!

Paul Fazzone (Product Manager of Nexus 1000v at Cisco) states in this interview that Nexus 1000v will support Private VLAN (Isolated, Community, Promiscuous Trunks).

But as a virtual add-in, Nexus 1000V requires VMware ESX 4.

Nevertheless, I'm sure that VMware will extend the built-in ESX vSwitch with some new features (like the distributed vSwitch feature) - and hopefully PVLAN (isolated) will be part of it ... anyone who could confirm ...?

-am-

0 Kudos
weinstein5
Immortal

That type of information I am sure is covered under the NDA -

0 Kudos
TomHowarth
Leadership

That is about the sum of it, yes. The next version of ESX has just gone into RC, so the updates you wish for may or may not be coming.

0 Kudos
TomHowarth
Leadership

On the basis of information in the public domain regarding DVS, it will not have PVLAN capability. Anything else is subject to the strictures of the NDA.

0 Kudos
-am-
Contributor

Okay, PVLANs are now available for vSphere, but only for Enterprise Plus :(

Check: vSphere ESX 4.0 Configuration Guide - PVLAN

-am-

0 Kudos