VMware Cloud Community
Tidian
Enthusiast

VLAN tagging and ESX Virtual Switch Tagging (VST Mode)

Hi there,

we are using tagged VLANs on our Core Switches (Nortel 8000) (Layer 3) and Nortel 5530 Switches (Layer 2), to which the ESX servers are connected.

In VI3 we configured the virtual switches in VST Mode according to white paper http://www.vmware.com/pdf/esx3_vlan_wp.pdf.

My question is: What happens if I configure a vSwitch with VLAN 101 and create a VM with IP 10.10.1.100 connected to that vSwitch, but this VLAN is not configured on the physical switch?

Thank you in advance

Tidian

PS: We have no problem with that, it's just a question regarding security.

TomHowarth
Leadership

The traffic will not reach the guest, as it is configured only to respond to VLAN 101 tagged traffic. All other tagged and untagged traffic will be dropped.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth VCP / vExpert

VMware Communities User Moderator

Blog: www.planetvm.net

Contributing author for the upcoming book "VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment" (http://my.safaribooksonline.com/9780136083214). Currently available on Rough Cuts.

Tidian
Enthusiast

Hello Tom,

thank you for your help. Hopefully your answer will satisfy my colleagues from network team.

Best regards

Tino

mvoss18
Hot Shot

Check out the section 'Virtual Switch Protection and VLANs' in the ESX 3 Configuration Guide (page 200-201).

http://www.vmware.com/pdf/vi3_35/esx_3/r35u2/vi3_35_25_u2_3_server_config.pdf

This also has some good material to give you some ammo with the security guys.

http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf

With VST, tagged incoming packets are untagged and sent to the appropriate port group. So if an incoming packet for VLAN 101 came to your vSwitch, it would only be able to send traffic to the port group assigned to VLAN 101. If a VM is on that vSwitch but is not assigned to VLAN 101, it cannot see this traffic. It might be possible to sniff tagged traffic on a vSwitch if you had Promiscuous Mode enabled.
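The forwarding behaviour that Tom and mvoss18 describe (the vSwitch strips the 802.1Q tag on ingress and delivers the frame only to the port group whose VLAN ID matches, adds the tag on egress, and drops untagged or differently tagged frames) can be modelled directly. The following is an added, simplified model written for this page; it is not VMware code and not taken from the white paper. It goes a little beyond the question by also modelling the two special port-group VLAN IDs ESX uses, 0 (no tagging) and 4095 (Virtual Guest Tagging, tag passed through to the guest), and the "Promiscuous Mode: Accept" policy, which in this model only exposes frames within the port group's own VLAN. The MAC addresses, port-group names and payload are constructed for the example; the decision to drop a frame a guest has tagged itself on a VST port group is a modelling choice, not documented ESX behaviour.

```python
"""Simplified model of ESX Virtual Switch Tagging (VST) for 802.1Q frames.
Added example for this thread; not VMware code. MACs/names are constructed."""
import struct
from dataclasses import dataclass, field
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VLAN_NONE = 0       # port group with no VLAN ID: untagged frames only
VLAN_VGT = 4095     # port group VLAN ID 4095: Virtual Guest Tagging, tag left for the guest
BROADCAST = b"\xff" * 6


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]     # None = no 802.1Q tag present
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet frame, peeling off a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[0:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, tci & 0x0FFF, inner, raw[18:])   # low 12 bits of TCI = VID
    return Frame(dst, src, None, etype, raw[14:])


def build_frame(f: Frame) -> bytes:
    """Serialise a Frame, inserting an 802.1Q tag when f.vlan is set."""
    if f.vlan is None:
        return f.dst + f.src + struct.pack("!H", f.ethertype) + f.payload
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, f.vlan & 0x0FFF, f.ethertype)
    return f.dst + f.src + tag + f.payload


@dataclass
class PortGroup:
    name: str
    vlan: int                  # VLAN ID configured on the port group (VST)
    promiscuous: bool = False  # security policy "Promiscuous Mode: Accept"
    vnics: list = field(default_factory=list)   # MACs of the VMs attached here


class VSwitchVST:
    def __init__(self, port_groups):
        self.port_groups = {pg.name: pg for pg in port_groups}

    def ingress_from_uplink(self, raw: bytes) -> dict:
        """Frame arrives on the physical uplink; returns {(port group, vm mac): bytes}."""
        f = parse_frame(raw)
        delivered = {}
        for pg in self.port_groups.values():
            if pg.vlan == VLAN_VGT:
                out = raw                              # VGT: tag handed to the guest untouched
            elif pg.vlan == VLAN_NONE and f.vlan is None:
                out = raw                              # untagged port group, untagged frame
            elif f.vlan is not None and f.vlan == pg.vlan:
                out = build_frame(Frame(f.dst, f.src, None, f.ethertype, f.payload))  # strip tag
            else:
                continue                               # untagged or other VLAN: dropped here
            for mac in pg.vnics:
                # promiscuous mode only widens delivery inside this port group's VLAN
                if f.dst in (mac, BROADCAST) or pg.promiscuous:
                    delivered[(pg.name, mac)] = out
        return delivered

    def egress_to_uplink(self, pg_name: str, raw: bytes) -> Optional[bytes]:
        """VM on pg_name sends a frame; the vSwitch tags it for the uplink. None = dropped."""
        pg = self.port_groups[pg_name]
        f = parse_frame(raw)
        if pg.vlan in (VLAN_VGT, VLAN_NONE):
            return raw                                 # passed through unchanged
        if f.vlan is not None:
            return None   # modelling choice: a guest on a VST port group must not tag itself
        return build_frame(Frame(f.dst, f.src, pg.vlan, f.ethertype, f.payload))


# Constructed addresses and payload for the scenario in the question (VLAN 101).
VM_A = bytes.fromhex("005056aa0001")        # VM on the VLAN 101 port group
VM_B = bytes.fromhex("005056aa0002")        # VM on a VLAN 102 port group
SNIFFER = bytes.fromhex("005056aa0003")     # VM on a promiscuous VLAN 101 port group
VM_C = bytes.fromhex("005056aa0004")        # VM on a VGT (4095) port group
UPLINK_MAC = bytes.fromhex("00123456789a")  # some host behind the physical switch
PAYLOAD = b"\x45" + b"\x00" * 19            # constructed IPv4-looking payload


def scenario() -> dict:
    sw = VSwitchVST([
        PortGroup("VLAN101", 101, vnics=[VM_A]),
        PortGroup("VLAN102", 102, vnics=[VM_B]),
        PortGroup("VLAN101-Sniff", 101, promiscuous=True, vnics=[SNIFFER]),
        PortGroup("VGT", VLAN_VGT, vnics=[VM_C]),
    ])
    to_a = lambda vid: build_frame(Frame(VM_A, UPLINK_MAC, vid, ETHERTYPE_IPV4, PAYLOAD))
    bcast102 = build_frame(Frame(BROADCAST, UPLINK_MAC, 102, ETHERTYPE_IPV4, PAYLOAD))
    from_a = build_frame(Frame(UPLINK_MAC, VM_A, None, ETHERTYPE_IPV4, PAYLOAD))
    from_a_tagged = build_frame(Frame(UPLINK_MAC, VM_A, 101, ETHERTYPE_IPV4, PAYLOAD))
    return {
        "tagged101": sw.ingress_from_uplink(to_a(101)),   # VM_A and the sniffer see it, untagged
        "tagged102": sw.ingress_from_uplink(to_a(102)),   # nobody: VM_A's port group is 101
        "untagged": sw.ingress_from_uplink(to_a(None)),   # nobody: no tag matches any VST group
        "bcast102": sw.ingress_from_uplink(bcast102),     # VM_B untagged, VM_C with tag kept
        "egress": sw.egress_to_uplink("VLAN101", from_a),          # tagged 101 on the way out
        "egress_guest_tagged": sw.egress_to_uplink("VLAN101", from_a_tagged),  # dropped
    }
```

Run `scenario()` to see the cases: a frame tagged 101 reaches only the VLAN 101 port groups with the tag removed, a frame tagged 102 or untagged never reaches the VM on VLAN 101, and the VM's own frames leave the uplink tagged 101 regardless of whether the physical switch carries that VLAN.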

TomHowarth
Leadership

mvoss18 wrote: With VST, tagged incoming packets are untagged and sent to the appropriate port group. So if an incoming packet for VLAN 101 came to your vSwitch, it would only be able to send traffic to the port group assigned to VLAN 101. If a VM is on that vSwitch but is not assigned to VLAN 101, it cannot see this traffic. It might be possible to sniff tagged traffic on a vSwitch if you had Promiscuous Mode enabled.

Correct, however if it is untagged or differently tagged traffic it would be dropped or not even passed.
