unsichtbare
Expert

Problems with VLANs and trunking in a virtual router with VGT

I am trying to set up a virtual router (Zeroshell) on ESX and do not seem to be able to make tagged packets pass from the VM through ESX to my physical switch. I have set 4095 as the VLAN ID on the port group in use and created my VLANs, DHCP, etc. on the router, but get no communication between any of the VLANs configured on my physical switch and the router except on the untagged (native) VLAN 1.

On my physical switch, I have the uplink port set to trunking, with VLANs tagged except the native VLAN 1, which is untagged. The client ports are defined to accept untagged packets for VLAN X.

One thing that interests me is the output of esxcfg-nics -l on the ESX in question:

# esxcfg-nics -l
Name    PCI      Driver Link Speed    Duplex MTU  Description
vmnic3  03:01.01 e1000  Down 0Mbps    Half   1500 Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
vmnic0  02:01.00 tg3    Up   1000Mbps Full   1500 Broadcom Corporation NC7781 Gigabit Server Adapter (PCI-X, 10,100,1000-T)
vmnic1  02:02.00 tg3    Up   1000Mbps Full   1500 Broadcom Corporation NC7781 Gigabit Server Adapter (PCI-X, 10,100,1000-T)
vmnic2  03:01.00 e1000  Up   1000Mbps Full   1500 Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)

The router is on vmnic2, which is an Intel NIC that was added prior to ESX being installed. Is there anything about Intel or the e1000 driver that could be getting in my way?

Regards

-J

+The Invisible Admin+ If you find me useful, follow my blog: http://johnborhek.com/
11 Replies
Craig_Baltzer
Expert

There shouldn't be any difficulties with the Intel NIC on the ESX side, but there may be an issue with the vNIC in the Zeroshell VM. Have a look at the vNIC that's configured and see if it's set to an e1000 adapter (it may be set to Flexible depending on how the VM was created). If it's listed as Flexible, try forcing it to be the e1000 adapter by adding the line

ethernet0.virtualDev="e1000"

to the .vmx file for the VM. If you're using VC, you'll need to remove the VM from inventory and re-add it to get the change in the .vmx file recognized...

I'm not certain that this is a solution, but it's worth a shot just in case the default driver that Zeroshell uses for the "flexible" NIC doesn't support VGT...

unsichtbare
Expert

Thanks Craig,

Seemed like sound advice, but unfortunately no go. The Zeroshell router took the e1000 driver like a charm, but still no communication between the VLAN on the switch and its gateway on the router.

I never knew that after manually editing the .vmx one needed to remove a VM from VirtualCenter inventory and re-add it to get the changes acknowledged. What a great thing to learn!

-J

P.S. Here are the networking parameters of my .vmx; could it be the automatic/static MAC? "Building 1" is my VLAN.

ethernet0.present = "true"
ethernet0.networkName = "Building 1"
ethernet0.addressType = "vpx"
ethernet0.generatedAddress = "00:50:56:8f:3d:1c"
ethernet1.present = "true"
ethernet1.networkName = "Virtual Machine Network"
ethernet1.addressType = "vpx"
ethernet1.generatedAddress = "00:50:56:8f:53:ab"
ethernet0.virtualDev="e1000"
ethernet1.virtualDev="e1000"

Texiwill
Leadership

Hello,

If you can, check within Zeroshell whether it is receiving tagged packets. Is Zeroshell expected to send the tagged packets on to multiple VLANs, or is it supposed to be sending to a VGT VM as well?

Also, on 'Building 1', does the port group on that vSwitch have a VLAN setting?

Remember, if you are using Zeroshell to split the 'VLANs', the targets of the VLANs must have the proper VLAN IDs. If this is to bridge from one network to another network, why use VGT at all and not just use a router? Can you show your vNetwork including the VLAN IDs involved?


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
unsichtbare
Expert

Zeroshell is 802.1q compliant and I have used it before as a standalone appliance with VLANs. I do not suspect Zeroshell as much as my ESX server's ability to communicate with it accurately. Zeroshell is both sending and (theoretically) receiving tagged packets. "Building 1" is configured as an "accept" port on the switch with VLAN X set to accept untagged packets, and the uplink is configured as a trunk port in the switch with the native VLAN as untagged and VLAN X set as tagged (Linksys/Cisco).

Thanks for the thoughts

-J

Craig_Baltzer
Expert

Hmm, I wouldn't think that the dynamic/static MAC would make any difference; you don't have any "MAC filters" enabled, do you? Other than that I can't see why it would make a difference...

Texiwill
Leadership

Hello,

However, how is Building 1 configured? It is a port group on a vSwitch; does it have a VLAN identifier associated with it? If not, it needs to have one. If so, it should be the proper one.

unsichtbare
Expert

Building 1 is connected to a port group on a vSwitch, on which the VLAN ID is set to 4095 (all) to enable VGT, allowing tagged packets to pass through to the VM. This should allow my virtual router to sort the packets according to their VLAN ID.

Problem is: I have tested Zeroshell using a physical PC and the same Linksys switch, and it performs perfectly. When I virtualize Zeroshell (where it needs to be in my environment), it seems as if ESX is stripping the VLAN ID prior to passing the packet to Zeroshell.

Thanks for your consideration

-J

Texiwill
Leadership

Hello,

Problem is: I have tested Zeroshell using a physical PC and the same Linksys switch, and it performs perfectly. When I virtualize Zeroshell (where it needs to be in my environment), it seems as if ESX is stripping the VLAN ID prior to passing the packet to Zeroshell.

This is the normal behavior when traffic does not go through a port group with VLAN ID 4095 or the data is double encapsulated. Your config should look similar to:

pSwitch Trunked through port <-> pNIC <-> vSwitch <-> portgroup VLAN ID 4095 <-> Zeroshell <-> vSwitch ...

The key is to trunk through the port to the pNIC and vSwitch, or VST.

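The exchange above turns on one question: does an 802.1Q tag survive the trip from the trunked pNIC through the port group to the guest vNIC, or is it removed on the way? The Python below is an added example, not code from the thread, from Zeroshell or from VMware. It parses raw Ethernet frames for 802.1Q/802.1ad tags, models in a simplified way what an EST (VLAN 0), VST (VLAN 1-4094) and VGT (VLAN 4095) port group deliver to the guest, and summarizes what the guest would actually see. The sample frames are constructed inline; "Building 1" is assumed to be VLAN 10, the outer tag 100 of the double-tagged frame is an assumption, and the MAC addresses are the vpx-generated ones from the .vmx posted earlier.

```python
"""Model of how an ESX port group's VLAN ID affects 802.1Q tags on the way to a VM,
plus a parser to check what the guest vNIC actually received. Simplified model, not ESX code."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_8021Q = 0x8100   # 802.1Q customer tag
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (outer tag of a double-encapsulated frame)
ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
VGT_ALL_VLANS = 4095   # port group VLAN ID that passes tags through to the guest (VGT)


@dataclass
class Frame:
    dst: str
    src: str
    vlans: List[int]   # VLAN IDs outer-to-inner; empty list means untagged
    ethertype: int     # EtherType of the payload behind all tags
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Walk the EtherType chain and collect every 802.1Q / 802.1ad tag."""
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet header")
    off, vlans = 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated EtherType")
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        if off + 4 > len(raw):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        vlans.append(tci & 0x0FFF)     # the VLAN ID is the low 12 bits of the TCI
        off += 4
    return Frame(_mac(raw[:6]), _mac(raw[6:12]), vlans, etype, raw[off + 2:])


def build_frame(dst: str, src: str, vlans: List[int], ethertype: int, payload: bytes) -> bytes:
    """Constructed input only: assemble a frame with zero or more tags (outer-to-inner)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b""
    for i, vid in enumerate(vlans):
        tpid = ETH_P_8021AD if (len(vlans) > 1 and i == 0) else ETH_P_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def portgroup_ingress(raw: bytes, portgroup_vlan: int) -> Optional[bytes]:
    """What the guest vNIC sees for one frame arriving from the trunked pNIC.
    0      (EST): only untagged frames are delivered, unchanged.
    1-4094 (VST): only frames tagged with that VLAN are delivered, with the tag stripped.
    4095   (VGT): every frame is delivered with its tags intact.
    Returns None when the port group drops the frame."""
    f = parse_frame(raw)
    if portgroup_vlan == VGT_ALL_VLANS:
        return raw
    if portgroup_vlan == 0:
        return raw if not f.vlans else None
    if f.vlans == [portgroup_vlan]:
        return raw[:12] + raw[16:]   # remove the 4-byte tag between the MACs and the EtherType
    return None


def summarize(frames: List[bytes]) -> Dict[str, object]:
    """Count what reached the vNIC: untagged, single-tagged per VLAN, double-tagged."""
    out: Dict[str, object] = {"untagged": 0, "tagged": {}, "double_tagged": 0}
    for raw in frames:
        f = parse_frame(raw)
        if not f.vlans:
            out["untagged"] += 1
        elif len(f.vlans) == 1:
            out["tagged"][f.vlans[0]] = out["tagged"].get(f.vlans[0], 0) + 1
        else:
            out["double_tagged"] += 1
    return out


# Constructed sample traffic from the trunk: native VLAN 1 arrives untagged, "Building 1"
# is assumed to be VLAN 10, and one double-tagged frame stands in for the "double
# encapsulated" case. MACs are the vpx-generated addresses from the posted .vmx.
GUEST_MAC = "00:50:56:8f:3d:1c"
PEER_MAC = "00:50:56:8f:53:ab"
TRUNK_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", GUEST_MAC, [], ETH_P_ARP, b"\x00" * 28),
    build_frame("ff:ff:ff:ff:ff:ff", GUEST_MAC, [10], ETH_P_ARP, b"\x00" * 28),
    build_frame(PEER_MAC, GUEST_MAC, [10], ETH_P_IP, b"\x45" + b"\x00" * 19),
    build_frame(PEER_MAC, GUEST_MAC, [100, 10], ETH_P_IP, b"\x45" + b"\x00" * 19),
]


def guest_view(portgroup_vlan: int) -> Dict[str, object]:
    """Summarize the sample trunk traffic as a guest behind the given port group sees it."""
    delivered = [d for d in (portgroup_ingress(r, portgroup_vlan) for r in TRUNK_FRAMES) if d is not None]
    return summarize(delivered)


if __name__ == "__main__":
    for pg in (0, 10, VGT_ALL_VLANS):
        print(f"port group VLAN {pg:4}: {guest_view(pg)}")
```

With a VST port group (VLAN 10) the guest only ever sees untagged frames, which is exactly the symptom described in the thread; only with 4095 do the tags reach the guest. Fed with real frames captured inside the VM instead of the constructed ones, `summarize` tells you directly whether tags are being removed on the ESX path or whether the physical trunk is simply not carrying them.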
unsichtbare
Expert

Yup, that's pretty much the configuration I have. Still no go, though.

mbx369
Enthusiast

Hi,
Have you tried setting the physical switch port to "switch port access mode" with the specific VLAN only?
Just to confirm that this VLAN actually does get routed across the network.
Also, what are the port trunk settings that you've set?
~~~~~ To Live Is To Die ~~~~~ Please award points if this was useful. :) VCP3/4/5
Texiwill
Leadership

Hello,

This then sounds like a switch trunking issue or a Zeroshell issue. Does it work if you use some other virtual router software (i.e. Linux)?
