VMware Cloud Community
gwelshAUS
Contributor

vlan tagging - 802.1q - cisco environment

We have 4 x BL20p blades, 2 NICs configured for VMotion/service console. The other 2 NICs are configured for virtual machine traffic.

The servers are connected to switches, and those switches are then uplinked to the core switches.

For some reason, the networking team have decided to limit the number of devices per C-class segment to 30.

The same team has refused to trunk the switch ports that the ESX hosts are connected to and then enable VLAN tagging at the vSwitch level, so for a 4-node cluster there is now a hard limit of 30 VMs, which is pretty ridiculous.

I'm not particularly strong on Cisco config. I was told the reason that 802.1q couldn't be used was that enabling it would essentially turn the hosts into routers (the comms guy had attempted to enable 802.1q for some Linux hosts), and that shutting those hosts down would cause convergence of all the switches on the network, or problems relating to the use of spanning tree.

Since virtual switches do not support spanning tree, I thought this would not be an issue, and I have implemented 802.1q and VLAN tagging in other environments.

Anyone got any hard and fast advice on this?

I've had a read through http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/vmware/VMware.pdf

4 Replies
gary1012
Expert

This sounds like an uphill battle with a net admin who doesn't have all the facts. If you're using VST mode, then there is a small amount of overhead required to add and strip VLAN tags but it doesn't equate to turning the host into a router. If you're not using VST, then you only have EST or VGT as options. EST is more or less a 1:1 NIC to VLAN to port relationship. This doesn't buy you much as you don't have that luxury with blades. VGT requires that the VM does the VLAN tagging and this limits the OS options to Linux.

I know that you've read the Cisco/VMware doc; has your net admin?

Community Supported, Community Rewarded - Please consider marking questions answered and awarding points to the correct post. It helps us all.
Rumple
Virtuoso

Unfortunately what you have is an admin who doesn't actually understand route/switch technologies or anything else for that matter by the sounds of it. I hear the military is looking for people...

Trunks have nothing to do with routers. They allow different VLANs to travel over the link. Granted, if you were a moron you could bridge VLANs by adding 2 NICs to a VM that connect to 2 different port groups on the vSwitch... but I can do that with a desktop if I was trying to be malicious, by enabling IP forwarding in the registry and plugging into 2 networks.

Spanning tree is also not even closely related to trunking ESX.

All you need to have enabled is:

Port-channel, trunk, native VLAN set to something that doesn't exist on the network (to force tagging), portfast (maybe, if you are only running LACP).

Good document here

http://blog.scottlowe.org/2006/12/04/esx-server-nic-teaming-and-vlan-trunking/

PS - in the end, if your admin thinks ESX is a concern, give me 30 minutes in your office... I will have him crying.
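As an added example (not code from this thread, from VMware or from Cisco), here is a small Python audit that parses a constructed Cisco IOS interface-config fragment and checks each ESX-facing port against the points listed in this reply: trunk mode, a native VLAN that does not exist on the network, a pruned allowed-VLAN list, `spanning-tree portfast trunk`, and membership in a port-channel. The interface names, VLAN ids and the `VLANS_IN_USE` set are assumptions; the IOS commands themselves are standard ones.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# VLANs that exist on the (constructed) network. VLAN 1 is listed because it
# is the IOS default native VLAN and carries switch management here, so it
# must not be used as the untagged native VLAN on an ESX trunk.
VLANS_IN_USE = {1, 10, 20, 30}

# Constructed running-config fragment; interface names and VLAN ids are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description ESX01 vmnic2 - VM traffic (correct)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 spanning-tree portfast trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 description ESX01 vmnic3 - VM traffic (trunk, but sloppy)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/3
 description ESX02 vmnic2 - VM traffic (access port, no tagging possible)
 switchport access vlan 10
 switchport mode access
!
"""


@dataclass
class Port:
    name: str
    mode: str = "access"                   # IOS default without "switchport mode"
    native_vlan: int = 1                   # IOS default native VLAN
    allowed_vlans: Optional[Set[int]] = None  # None means every VLAN (unpruned)
    portfast_trunk: bool = False
    channel_group: Optional[int] = None


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> List[Port]:
    """Collect the trunk-relevant lines of each 'interface' stanza."""
    ports: List[Port] = []
    port: Optional[Port] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            port = Port(name=line.split(None, 1)[1])
            ports.append(port)
        elif line == "!":
            port = None                       # '!' closes the stanza
        elif port is None:
            continue
        elif line.startswith("switchport mode "):
            port.mode = line.split()[-1]      # "dynamic desirable" ends up != trunk; ESX does not speak DTP
        elif line.startswith("switchport trunk native vlan "):
            port.native_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            tokens = line.split()[4:]
            if tokens[0] == "all":
                port.allowed_vlans = None
            elif tokens[0] == "add":
                port.allowed_vlans = (port.allowed_vlans or set()) | expand_vlan_list(tokens[1])
            elif tokens[0] == "remove":
                port.allowed_vlans = (port.allowed_vlans or set()) - expand_vlan_list(tokens[1])
            else:
                port.allowed_vlans = expand_vlan_list(tokens[0])
        elif line == "spanning-tree portfast trunk":
            port.portfast_trunk = True
        elif line.startswith("channel-group "):
            port.channel_group = int(line.split()[1])
    return ports


def audit_port(port: Port) -> List[str]:
    """Problems that keep this port from carrying 802.1Q-tagged VM traffic to a vSwitch in VST mode."""
    findings: List[str] = []
    if port.mode != "trunk":
        findings.append("not a trunk: the vSwitch cannot tag traffic (VST) on an access port")
        return findings
    if port.native_vlan in VLANS_IN_USE:
        findings.append(f"native VLAN {port.native_vlan} is a live VLAN: untagged frames would land on it")
    if port.allowed_vlans is None:
        findings.append("allowed VLAN list not pruned: trunk carries every VLAN on the switch")
    elif port.native_vlan in port.allowed_vlans:
        findings.append("native VLAN is in the allowed list: frames on it cross the trunk untagged")
    if not port.portfast_trunk:
        findings.append("spanning-tree portfast trunk missing: port sits in STP listening/learning before forwarding")
    if port.channel_group is None:
        # Drop this check if the vSwitch team does not use IP-hash load balancing,
        # which is the only ESX teaming policy that needs an EtherChannel.
        findings.append("no channel-group: port is not in the port-channel the vSwitch team expects")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    return {p.name: audit_port(p) for p in parse_interfaces(config)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run against the constructed fragment, the first port passes, the second is flagged for the default native VLAN 1, the unpruned allowed list and the missing channel-group, and the third is rejected outright as an access port. Feeding it a real `show running-config` export is the quickest way to show the network team exactly which of the five items each ESX-facing port is missing.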

Texiwill
Leadership

Hello,

You will need to provide your network person the documentation. VST makes the virtual switch the endpoint for the trunk. A VM could act as a router, but that is pretty easy to detect if that is their concern. That requires the VM to have multiple vNICs within it.

But that is not the issue. The ESX server does not act as a router. A vSwitch is a simple layer 2 device. I think he is extremely confused and should be sent to a virtualization course. I would push your management to do this. Or get VMware or another consultant to show up and explain the facts about virtual networking to him.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
khughes
Virtuoso

It sounds like everyone has hit the nail on the head with the matter and your net admin/bosses have false concerns. I feel your pain since I deal with it a lot here and usually have an uphill battle every time I want to make a change, like machines going from 2 vCPUs to 1 vCPU when it's using on average 400 MHz of CPU power with 2 vCPUs assigned... but that's beside the point. Here is a document that might help him go over the networking concepts in a virtual world. Maybe he'll begin to see his flaws....

  • Kyle

-- Kyle "RParker wrote: I guess I was wrong, everything CAN be virtualized "