VMware Cloud Community
dsdavis08
Enthusiast

VLAN Troubleshooting

Hello,

Our organization is just getting started with vSphere. We currently have one host connected via four ethernet ports (two for management, two for ordinary VM traffic) connected to a single Cisco Catalyst 3560G managed switch, which connects to a Sophos SG 230 firewall appliance (XG software installed), which goes out to the Internet.

I am trying to use the VLAN feature in vSphere and am just getting stumped. It seems no matter how I configure the firewall, the switch, and/or vSphere, I cannot get any traffic to my VMs on the VLAN. Funny thing is, I do have one working VLAN (VLANID50) which I use for our vCenter Server (192.168.50.2) and our host (192.168.50.200); but those are connected to ports explicitly set for VLAN 50 on my Cisco switch. The trouble I'm having is when I'm trying to define the VLANs at the vSphere level using portgroups (with the connecting ports on the switch set to trunk).

Here's what I am currently trying to accomplish:

I am trying to get VLAN51 to connect to a portgroup designated as Test Network. I want the devices in the Test Network to receive DHCP values of 192.168.51.50 - 192.168.51.75. I want them to be able to access each other and the Internet.

Here's my current configuration:

Firewall: The firewall has a VLAN subinterface attached to eth/0 where the Cisco 3560G switch connects with IP 192.168.51.1. The appropriate DHCP range is assigned to that subinterface. Firewall rules are in place to allow devices in that VLAN to access the Internet.

Switch: The switch is configured to IP 192.168.11.10 and its gateway is 192.168.11.1 (firewall interface port eth/0). The port that serves as the uplink to the firewall (Gi0/2) is set as a switchport trunk encapsulating dot1q frames. It is set to "nonegotiate" as DTP is not supported by vSphere. I honestly don't know why I had to set this port as a trunk, but without it my one working VLAN (192.168.50.*) doesn't work. The two ports I am trying to use for my VM trunks are Gi0/21 and Gi0/23. Since we already have "mission critical" VMs running, I have done the bulk of my configuration/testing with Gi0/21 leaving Gi0/23 to continue to serve our VMs in case I do something that breaks the Internet traffic to them. Currently Gi0/21 (like Gi0/2) is set as a switchport trunk encapsulating dot1q frames and is also set to "nonegotiate."

vSphere: Version is vSphere 6.7. In vSphere, I have assigned the "Test Network" port group on vSwitch0 the VLAN ID 51. Within my Test VMs, however, whether I set an IP statically or attempt to use DHCP, I am getting zero communication outside the VM itself. It is only resolving 169.etc IP addresses no matter what I do.

Any assistance that can be offered will be greatly appreciated. I have beat my head against this thing for over a week and am getting nowhere. Thank you in advance.


Accepted Solutions
Finikiez
Champion

VLANs won't appear magically. You have to configure them manually on the physical switch and then configure the ports with the necessary VLANs.

Trunk ports can serve more than one VLAN, but you have to add the necessary VLANs to the trunk.

10 Replies
Finikiez
Champion

Hello!

Can you show the port configs from your physical switch? Or at least, did you add VLAN51 to the trunk?

dsdavis08
Enthusiast

Hi there, and thank you for your response. Of course:

Here is a high-level overview of my ports from the 3560G GUI. I have highlighted Gi0/2 connected to the Sophos firewall as well as Gi0/21 which connects to the ESXi host and is the port I'm attempting to configure/test for VLAN.

3560 High level view.PNG

Here are screengrabs of the configurations for Gi0/2 and Gi0/21 respectively:

Gi02 Config.PNG

Gi21 Config.PNG

Here is a screengrab of my vSphere vSwitch configuration with vSwitch0 highlighted as well as the port group associated with the VLAN51 and the workstation I'm attempting to use for testing.

vSwitch0 Config.PNG

Here are screengrabs of the port group configuration screens:

VLAN50 selected.PNG

NIC Teaming.PNG

a_p_
Leadership

Can you confirm that VLAN 51 exists on the physical switch ("show vlan")?

André

Finikiez
Champion

You have two active vmnics on the ESXi host and only one port on the physical switch is configured as a trunk.

Can you leave only one vmnic on the ESXi host, the one connected to the trunk port, as active? Or configure both ports as trunk interfaces with the necessary VLANs.

dsdavis08
Enthusiast

I can confirm that VLAN51 does not show up in the physical switch.

No VLAN51.PNG

As I understand it (could be wrong), I can explicitly assign a particular VLAN to a physical switch port; but my end goal is to be able to run multiple VLANs off of one or two physical switch ports. Ports Gi0/2 and Gi0/21 are both set as trunk ports; I assume that's why they're not listed here.

dsdavis08
Enthusiast

Yes, I can set them both as trunk. I did that originally just for testing, so that if I broke one of the NICs somehow the other would pick up the slack. But I have now assigned both Gi0/21 and Gi0/23 (physical ports on the Cisco managed switch that run to vmnic1 and vmnic3 in vSphere) as trunk.

Gi23 Set as Trunk.PNG

Finikiez
Champion

OK, I see that all VLANs are allowed by default if you configure a port as a trunk interface, from the Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE - Configuring VLANs [Cisco Catalyst 3...

But this also means that VLAN51 can work only on your ESXi host and frames won't go anywhere outside the ESXi host.

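As an added example (not from the thread or from any of the posters), this is the switch-side configuration the accepted answer describes: create the VLAN in the switch's database, then carry it on the trunks toward the host and the firewall. It assumes Cisco IOS on the 3560G and the port numbers and VLAN IDs named above; the allowed-VLAN list (50,51) is an assumption to adjust to what the host and firewall actually need.

```cisco
! Added example, not the thread's own config. Assumed: Cisco IOS on the
! 3560G, VLAN 51 = "Test Network" port group, Gi0/2 = uplink to the Sophos,
! Gi0/21 and Gi0/23 = links to the ESXi host (vmnic1 / vmnic3).
!
! 1. The VLAN must exist in the switch's VLAN database first;
!    "switchport trunk allowed vlan" alone does not create it.
configure terminal
 vlan 51
  name TEST-NET
 exit
!
! 2. Host-facing trunks: dot1q, DTP off (ESXi does not negotiate), and an
!    explicit allowed list instead of the default "all", so stale VLANs left
!    on this switch (2,3,4,5,52,53) are not trunked to the hypervisor.
 interface range GigabitEthernet0/21 , GigabitEthernet0/23
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  switchport trunk allowed vlan 50,51
 exit
!
! 3. The uplink to the firewall must carry the same tagged VLANs, or
!    frames stay inside the switch/host and never reach 192.168.51.1.
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  switchport trunk allowed vlan 50,51
 exit
end
!
! 4. Verify (the check asked for earlier in the thread): VLAN 51 should be
!    "active" in the first output and listed under "Vlans allowed and active
!    in management domain" for Gi0/2, Gi0/21 and Gi0/23 in the second.
show vlan brief
show interfaces trunk
```

If VLAN 51 is missing from `show interfaces trunk` on any of the three ports, the frame is being dropped at that port, regardless of the port group and firewall settings.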
dsdavis08
Enthusiast

I have attempted to add the VLAN manually into the switch with no favorable result, however based upon your recommendation I will try again. I had thought that with the Sophos firewall configured for VLAN51 and with the vSphere portgroup configured for VLAN51 that the Cisco managed switch would just serve as an intermediary and allow communication between the two devices.

This leads me to something that has confused me: you can see from the PNG that VLAN2, VLAN3, VLAN4, VLAN5, VLAN50, VLAN 52, and VLAN 53 are all present. However, I have configured no VLANs for those numbers. I did configure VLAN 50 at the firewall and statically assigned my ESXi host and vCenter Server static IPs in the .50.* subnet, but never did I do any configuring in the firewall for VLAN 50 other than to explicitly assign Gi0/17 and Gi0/19 those VLANs. I suppose perhaps the original owner of the switch may've had those configured; that's the only thing I can imagine would cause those VLANs to appear.

So to follow your instructions, I will create VLAN51 in the Cisco switch. That's easy enough. But to your knowledge, will I need to do anything to add it to my trunk ports? As I understood it, trunk ports carry all VLANs by default unless specific VLANs are defined. Thank you for your help thus far.

dsdavis08
Enthusiast

Never mind! I don't know what I did before, but adding the VLAN to the Cisco switch did the trick. Thank you so much! I feel that a great burden has been lifted off my shoulders. Thank you, thank you, thank you!
