VMware Cloud Community
meistermn
Expert

VLAN Tagging error prone?

I did the following VLAN test.

On ESX host A, vswitch0 for the service console is bound to two pNICs, vswitch1 has one pNIC for VMotion, and vswitch2 has two pNICs for VMs.

On vswitch2 I configured two VLANs, and on the physical switch I also configured the two VLANs 10 and 15.

Then ESX host B was configured the same as host A, but this time I configured the physical switch port only with VLAN 10.

Very important is that vswitch2 on ESX host B was configured with these two VLANs.

In the first test I VMotioned vm-A, which uses VLAN 10, from ESX host A to ESX host B.

That worked fine.

In the second test I VMotioned vm-B, which uses VLAN 15, from ESX host A to ESX host B. vm-B got request timeouts, which I expected, because the physical VLAN tag is missing.

On the other hand I was surprised, because vm-B was VMotioned to ESX host B.

Conclusion: only the VLAN tag on vswitch2 is checked, but not the physical port.

6 Replies
pdrace
Hot Shot

"Conclusion: only the VLAN tag on vswitch2 is checked, but not the physical port."

Sounds like that is correct: VMotion doesn't check whether the VM connection is valid, only that the same network label exists on the destination host.

meistermn
Expert

Yes, and if the configuration of the physical switch ports is done by our network team, you have to check whether every physical port was configured with the same VLAN.

So if you have a vswitch2 with 6 pNICs for VMs and load balancing on the vswitch, and only one physical switch port is not configured like the others, then you will also get request timeouts for the VM when it uses this physical port.

Gabrie1
Commander

Yes, but isn't this always a problem if people don't do their work like they should? I lost 2 days of getting ESX autoinstall running, just because the network guys gave me different vlans on pnic1 and pnic2.

Also, because of possible human failure, we don't allow an ESX host to see production VLANs and DMZ VLANs. The VLAN technique is safe enough to share them on a host, but I don't want to have the risk that VM admin John Doe comes to work on Monday morning and by accident chooses VLAN-099 instead of VLAN-069 and therefore connects a server to the outside world.

We now demand a config dump of the Cisco switch to which my hosts are connected. Just to be sure.

Gabrie

http://www.GabesVirtualWorld.com
MR-T
Immortal

This isn't an issue on the ESX side; this is an expected result and will always happen if the physical servers aren't configured correctly.

VMotion will check for the existence of a port group with an identical label and will also ensure the storage is available on the destination host, but it won't sniff the network to ensure the packets are coming from the correct VLAN.

meistermn
Expert

So the best way to check from the ESX console whether all physical ports have the same VLANs is to use the following command:

esxcfg-info -n | grep -E -i "_name|Hint"

Or use Knoppix and Wireshark or tcpdump.

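As an added example (not from this thread or from VMware), here is the capture-side check the tcpdump suggestion amounts to: read the 802.1Q tag of each frame captured on an uplink and report which of the expected VLANs (10 and 15 in the test above) never appeared on that port. The port names and frames are constructed for the demonstration; a real run would feed it frames captured per pNIC.

```python
import struct

# EtherTypes that carry a VLAN tag: 802.1Q and the 802.1ad (QinQ) outer tag
VLAN_ETHERTYPES = {0x8100, 0x88A8}


def vlan_id_of(frame: bytes):
    """Return the VLAN ID of a raw Ethernet frame, or None if it is untagged.

    A tag with VID 0 is priority-tagged only (no VLAN), so it counts as untagged.
    """
    if len(frame) < 16:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in VLAN_ETHERTYPES:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return (tci & 0x0FFF) or None


def vlans_seen(frames):
    """Set of VLAN IDs observed in a list of captured frames."""
    return {vid for vid in map(vlan_id_of, frames) if vid is not None}


def missing_vlans(expected, captures):
    """For each captured port, the expected VLANs whose tags never appeared there."""
    return {port: set(expected) - vlans_seen(frames) for port, frames in captures.items()}


def make_frame(vlan, payload=b"\x00" * 46):
    # Constructed frame: broadcast dst, locally administered src, 802.1Q tag, ARP EtherType
    tag = struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + tag + b"\x08\x06" + payload


if __name__ == "__main__":
    # Constructed captures mirroring host B: one uplink trunks VLAN 10 only
    captures = {
        "vmnic2 (host B)": [make_frame(10), make_frame(10)],
        "vmnic3 (host B)": [make_frame(10), make_frame(15)],
    }
    for port, gaps in missing_vlans({10, 15}, captures).items():
        print(port, "missing VLAN tags:", sorted(gaps) or "none")
```

Seeing a tag proves the port passes that VLAN, but not seeing one only means nothing was sent on it during the capture, so generate traffic in each VLAN (for instance from a test VM) before trusting a "missing" result.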
MR-T
Immortal

If that command does the trick, I'm not familiar with it.

Or just have a test VM on which you can quickly change the IP address and bounce it round your system.

The thing is, once you've got this setup it shouldn't change.
