Jammrock
Contributor

VLAN tagging without PortGroups?

Is it possible to VLAN tag a vSwitch port without using a PortGroup using PowerCLI?  Similar to how you'd tag a port on a physical switch.

0 Kudos
weinstein5
Immortal

No, you need a port group, VMkernel port or service console port to assign a VLAN tag.

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
Jammrock
Contributor

VM guests only interact with the vSwitch at the PortGroup level, right?  Which means I'm stuck with PortGroups.

0 Kudos
mittim12
Immortal

Correct, the vNic is assigned to the vSwitch via the portgroup. 

avlieshout
VMware Employee

What's the problem with using portgroups?

Arnim van Lieshout Blogging: http://www.van-lieshout.com Twitter: http://www.twitter.com/avlieshout If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
Jammrock
Contributor

I work for a web host.  Each client gets at least one VLAN, sometimes more, and our VLAN count is expected to hit the thousands for our ESXi cluster.

Creating a  PortGroup for each VLAN is a lot of extra management overhead we would like to avoid by using the traditional switch approach of tagging a single port with a VLAN ID.  I suppose once I drill down into PortGroups it may be the same amount in the end, it's just not the way our network admin would like it to work.

We can do the tagging manually via the vSphere Center so I'm sure there's a way via the SDK/API.  Just not with PowerCLI, it would seem.

0 Kudos
owjeff
Enthusiast

Is there a drawback (other than no PowerCLI) to tagging individual dvPorts with VLANs instead of PortGroups from a best practices standpoint?

0 Kudos
avlieshout
VMware Employee

How do you mean no PowerCLI?

Creating a portgroup is easy as 123:

Get-VirtualSwitch -VMHost "myESX" -Name "vSwitch0" | New-VirtualPortGroup -Name VM220 -VLanId 220

Connect your VM to this portgroup using:

Get-VM "myVM" | Get-NetworkAdapter | Where {$_.Name -eq "Network adapter 1"} | Set-NetworkAdapter -NetworkName VM220 -Confirm:$false

0 Kudos
owjeff
Enthusiast

The point is that we don't want to create separate PortGroups and tag the VLANs at that level. We'd like to tag the individual dvPorts themselves (done in the GUI via an override). That doesn't seem to be possible via PowerCLI. I'm wondering if, because it's not possible in PowerCLI, we're missing some other reason that we shouldn't be tagging the ports themselves and using PortGroups ...

Again, in this environment, we could create just 1 PortGroup with 128 ports for instance, and each port could potentially be a different VLAN (much like you'd do for a physical switch). If we used PortGroups, that's 128 PortGroups to manage instead of just 1.

0 Kudos
LucD
Leadership

Did you consider using Private VLANs on distributed Switches?

That would solve the portgroup per VLAN problem, on the other hand it does require Enterprise Plus licenses.

Have a look at my dvSwitch scripting – Part 6 – Private VLAN post to see how this can be done with PowerCLI.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
owjeff
Enthusiast

We have looked at private vlans, but there are a few drawbacks since we have hybrid environments. We'd prefer to simply tag the individual ports themselves.

0 Kudos
avlieshout
VMware Employee

OK, you're using dvSwitches!

I now understand what you want to achieve, although using portgroups has more benefits than the VLAN ID only.

Of course this can be accomplished using PowerCLI too.

Try something like this:

$dvSwitchName = "dvSwitch0"
$dvPortId = "100"
$VLAN = 220

# Build an "edit" spec for the one dvPort, identified by its port key
$portSpec = New-Object VMware.Vim.DVPortConfigSpec
$portSpec.operation = "edit"
$portSpec.key = $dvPortId
$portSpec.setting = New-Object VMware.Vim.VMwareDVSPortSetting
# Set the VLAN on the port itself instead of inheriting it from the port group
$portSpec.setting.vlan = New-Object VMware.Vim.VmwareDistributedVirtualSwitchVlanIdSpec
$portSpec.setting.vlan.inherited = $false
$portSpec.setting.vlan.vlanId = $VLAN

# Look up the dvSwitch view and submit the port reconfiguration task
$dvSwitch = Get-View -ViewType 'VmwareDistributedVirtualSwitch' -Filter @{'Name'=$dvSwitchName}
$dvSwitch.ReconfigureDVPort_Task($portSpec)
0 Kudos
owjeff
Enthusiast

Yes - dvSwitches in play here. Probably an important piece of info we should have shared.

Arnim v Lieshout wrote:

I now understand what you want to achieve, although using portgroups has more benefits than the VLAN ID only.

Can you elaborate? We want to be sure we're not missing something, but as far as I can tell, for our network model, this should work well. I suppose we lose the ability to set traffic shaping, security, and fail-over policies on a per-VLAN basis, but I don't think we necessarily need that.

One last PowerCLI related question. That code assumes you have a dvPort number - is it possible to get that port number from an existing network adapter? I.e. something in the Get-NetworkAdapter namespace? In order to set the VLAN appropriately, we need to know which port the VM's connected to.

0 Kudos
Jammrock
Contributor

owjeff wrote:

One last PowerCLI related question. That code assumes you have a dvPort number - is it possible to get that port number from an existing network adapter? I.e. something in the Get-NetworkAdapter namespace? In order to set the VLAN appropriately, we need to know which port the VM's connected to.

$VmNic = Get-NetworkAdapter -VM $VmName
$VmPort = $VmNic.ExtensionData.Backing.port.portkey

$VmvPG = Get-VirtualPortGroup -vm $VmName


@avlieshout

We have a few large vPortGroups on the dvSwitch.  I can get the correct vPG and port number, but how do I tell the dvSwitch which vPG to change the port on?

Kind of off topic, but what do you use for the PowerShell syntax highlighting? I didn't see a built-in PS option.

0 Kudos
Jammrock
Contributor

Never mind, I'm a dunce.  Too much time in code and not enough in the UI.

Here's the final code:

$VmName = "TEST"
$dvSwitchName = "dvSwitch01"
$VLAN = 220

# Read the dvPort key from the VM's network adapter backing
$VmNic = Get-NetworkAdapter -VM $VmName
$dvPortId = $VmNic.ExtensionData.Backing.port.PortKey

# Build an "edit" spec for that dvPort
$portSpec = New-Object VMware.Vim.DVPortConfigSpec
$portSpec.operation = "edit"
$portSpec.key = $dvPortId
$portSpec.setting = New-Object VMware.Vim.VMwareDVSPortSetting
# Set the VLAN on the port itself instead of inheriting it from the port group
$portSpec.setting.vlan = New-Object VMware.Vim.VmwareDistributedVirtualSwitchVlanIdSpec
$portSpec.setting.vlan.inherited = $false
$portSpec.setting.vlan.vlanId = $VLAN

# Look up the dvSwitch view and submit the port reconfiguration task
$dvSwitch = Get-View -ViewType 'VmwareDistributedVirtualSwitch' -Filter @{'Name'= "$dvSwitchName"}
$dvSwitch.ReconfigureDVPort_Task($portSpec)

Full points to avlieshout :)

0 Kudos
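
On the drawback question raised earlier in the thread: once VLANs live on individual dvPorts, the port group no longer tells you which VLAN a VM is on, so a periodic listing of every port-level VLAN override is a useful check. The script below is an added example, not code from any poster; it assumes an existing Connect-VIServer session and reuses the thread's sample switch name.

```powershell
# Added example (not from the thread): list dvPorts whose VLAN is set on the
# port itself rather than inherited from the port group.
# Assumes Connect-VIServer has been run; the switch name is the thread's sample.
$dvSwitchName = "dvSwitch01"

# Get-View -Filter values are regular expressions: escape and anchor the name
# so "dvSwitch01" cannot also select "dvSwitch010".
$dvSwitch = Get-View -ViewType VmwareDistributedVirtualSwitch `
    -Filter @{ 'Name' = '^' + [regex]::Escape($dvSwitchName) + '$' }
if (@($dvSwitch).Count -ne 1) { throw "Expected exactly one switch named '$dvSwitchName'" }

# Index the switch's port groups by key to look up each port's parent policy.
$pgByKey = @{}
foreach ($pgRef in $dvSwitch.Portgroup) {
    $pg = Get-View -Id $pgRef
    $pgByKey[$pg.Key] = $pg
}

# An empty criteria object selects every port on the switch.
$criteria = New-Object VMware.Vim.DistributedVirtualSwitchPortCriteria
$report = foreach ($port in $dvSwitch.FetchDVPorts($criteria)) {
    $vlan = $port.Config.Setting.Vlan
    if ($null -eq $vlan -or $vlan.Inherited) { continue }   # follows its port group

    # A port-level override can be a single ID, a trunk range, or a PVLAN.
    $vlanText = switch ($vlan.GetType().Name) {
        'VmwareDistributedVirtualSwitchVlanIdSpec'    { "vlan $($vlan.VlanId)" }
        'VmwareDistributedVirtualSwitchTrunkVlanSpec' {
            'trunk ' + (($vlan.VlanId | ForEach-Object { "$($_.Start)-$($_.End)" }) -join ',')
        }
        'VmwareDistributedVirtualSwitchPvlanSpec'     { "pvlan $($vlan.PvlanId)" }
        default                                        { $_ }
    }

    $pg = if ($port.PortgroupKey) { $pgByKey[$port.PortgroupKey] }
    $entity = $port.Connectee.ConnectedEntity
    [pscustomobject]@{
        PortKey     = $port.Key
        PortGroup   = $pg.Name
        Vlan        = $vlanText
        ConnectedTo = if ($entity) { (Get-View -Id $entity -Property Name).Name }
        # False: the override stays on the port after the VM disconnects.
        ResetAtDisconnect = $pg.Config.Policy.PortConfigResetAtDisconnect
    }
}
$report | Sort-Object PortGroup, PortKey | Format-Table -AutoSize
```

Rows with an empty ConnectedTo and ResetAtDisconnect set to False are ports that still carry a VLAN override with nothing attached, which is worth reviewing before the port is reused for another client.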
avlieshout
VMware Employee

Glad to hear that everything worked out fine.

For the highlighted code I use PowerGUI's "Copy as HTML" option.

On the forum use the HTML editor and paste the code from PowerGUI.

0 Kudos
LucD
Leadership

FYI, I documented this, and other procedures to copy code in a post, in Some ways to enter PowerCLI code under the new forum SW some time ago.



0 Kudos
Jammrock
Contributor

Thanks again to both of you.  While I am not new to PowerShell I am very new to PowerCLI and scripting against the ESXi environment.  I installed PowerCLI for the first time last week so I am still getting my bearings in the VMware PowerCLI community.

So far the response has been phenomenal, and I really do appreciate the help on this thread. I just need to figure out how to monitor running tasks better and I'll be golden for now :)

0 Kudos