VMware Cloud Community
bwilsey84
Enthusiast

Virtual Switch / Vlan Question

I am working in a lab that has an ESXi host in it. This host is on a 192.168.5.X/24 network. On the physical switch it's connected to, it's VLAN 5.

I am trying to create network isolation for developers. I want to put developers on VLAN 100 (several workstations, with their developer tools such as Ansible, repositories, Jenkins, etc., to be virtualized on the ESXi host).

The ESXi host is connected to the physical switch via an access port, which won't allow the physical machines on VLAN 100 to communicate with any virtual machines on VLAN 100. When I configure the physical port to be a trunk I still can't get the machines to talk to them (I actually lose all connectivity to the host).

Is there something I have to do to get the above situation to work? I thought just changing the port to a trunk and allowing VLANs 5 and 100 on the trunk would work, but it didn't. The reason I can't allow all VLAN traffic is because this host will be running experiments that need to be isolated, and those experiments will be using VLANs 150 and up. I don't want any experiment traffic to exit the host.

Could I achieve the same thing by creating a new virtual switch connected to the switch on an access port accessing VLAN 100, and connecting all the virtual machines to this virtual switch? I would leave all the other virtual machines on the vSwitch that is accessing VLAN 5.

7 Replies
bwilsey84
Enthusiast

Also, to clarify, the host is connected to an access port on VLAN 5 right now.

Developers will have physical workstations and will be accessing their tools, which are guests on the host.

IvarHome
Hot Shot

No, it doesn't matter whether there is one or many virtual switches; the result is the same. The virtual switch uplink port is by default already a trunk, and there is no reason for it not to be. The problem is probably in the physical switch.

diegodco31
Leadership

Hi

You need to configure the VLANs in the port group.

vSphere Documentation Center

For the VMs, create a port group or vSwitch with the VLAN.

Diego Oliveira
LinkedIn: http://www.linkedin.com/in/dcodiego
bwilsey84
Enthusiast

I guess I am more confused than I thought. How is the uplink port automatically a trunk? I was under the assumption that to use VST (have the switch tag my packets, then send them to the physical switch, which is a Layer 3 switch, routing them to the physical developer machine)

• Virtual switch tagging (VST mode) — This is the most common configuration. In this mode, you provision one port group on a virtual switch for each VLAN, then attach the virtual machine’s virtual adapter to the port group instead of the virtual switch directly. The virtual switch port group tags all outbound frames and removes tags for all inbound frames. It also ensures that frames on one VLAN do not leak into a different VLAN. Use of this mode requires that the physical switch provide a trunk.

When I set the physical switchport to trunk mode I lose all connectivity to the host. Should I have one physical NIC used for the management of the server and one physical NIC connected in trunk mode, and then use this NIC as the uplink for a vSwitch?

MikeStoica
Expert

Do you have the VLAN configured for the physical adapters? If the VLAN is correctly configured you shouldn't lose access.

a_p_
Leadership

If I understand the situation correctly, it should be easy to change the network setup.

From what you write I assume that you are using Cisco switches (Access Ports, Trunk Ports). I further assume that the native/default VLAN is VLAN 1 (default).

The host is currently connected to an Access Port on VLAN 5, so the port groups for the Management Network and the VM network do not have a VLAN ID assigned.

If you change the physical switch port to a Trunk Port you will either have to change the VLAN ID on the ESXi host's existing port groups from 0 to 5, or define VLAN 5 as the default VLAN on the physical port.

Personally I prefer the first method, i.e. not touching the native/default VLAN on the physical side, but setting the VLAN ID on the ESXi host's port groups. To do this with only minimal network interruption, either set the VLAN ID on the Management Network first (you will lose connection after doing this), followed by changing the physical port, or change the physical setup first, and then change the VLAN ID for the Management Network from the ESXi host's DCUI.

André

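To make the two answers above concrete (diegodco31's "configure the VLANs in the port group" and André's two cut-over options), here is an added Python model of where a frame from an ESXi port group ends up on the physical switch. It is illustration written for this thread, not VMware code or anything from the posters. It assumes, as André does, that the native VLAN on the trunk is the default VLAN 1 unless changed, that the trunk is limited to VLANs 5 and 100 (so experiment VLANs 150 and up are pruned at the switch), and it simplifies an access port to "untagged frames only". The port group names, VLAN numbers and scenario labels are constructed for the example.

```python
# Added example for this thread (not VMware code): a small model of where a
# frame from an ESXi port group "lands" on the physical switch, depending on
# the port group's VLAN ID and the physical port's access/trunk settings.
# It mirrors the VST behaviour quoted earlier in the thread: a port group
# with VLAN ID 0 sends frames untagged; with VLAN ID 1-4094 it tags them.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class PortGroup:
    name: str
    vlan_id: int  # 0 = untagged (the thread's "no VLAN ID"), 1-4094 = VST tag


@dataclass(frozen=True)
class PhysicalPort:
    mode: str                 # "access" or "trunk"
    access_vlan: int = 1      # access port: VLAN that untagged frames join
    native_vlan: int = 1      # trunk port: VLAN assigned to untagged frames
    allowed: FrozenSet[int] = frozenset()  # trunk port: tagged VLANs forwarded


def landing_vlan(pg: PortGroup, port: PhysicalPort) -> Optional[int]:
    """Return the VLAN the physical switch places the frame in, or None if
    the switch drops it (so the traffic never gets beyond the host's uplink)."""
    tag = pg.vlan_id if pg.vlan_id else None  # VLAN 0 means "send untagged"
    if port.mode == "access":
        # Modelling simplification: an access port only carries untagged frames.
        return port.access_vlan if tag is None else None
    if port.mode == "trunk":
        if tag is None:
            return port.native_vlan                   # untagged -> native VLAN
        return tag if tag in port.allowed else None   # pruned if not allowed
    raise ValueError(f"unknown port mode {port.mode!r}")


def can_reach(pg: PortGroup, port: PhysicalPort, peer_vlan: int) -> bool:
    """True if a VM or vmkernel port on pg ends up in the same VLAN as a peer."""
    return landing_vlan(pg, port) == peer_vlan


def scenarios() -> Dict[str, Optional[int]]:
    """Constructed configurations matching the situation in the thread."""
    mgmt_untagged = PortGroup("Management Network", 0)   # current state
    mgmt_vlan5 = PortGroup("Management Network", 5)      # option 1 in the reply
    developers = PortGroup("Developers", 100)
    experiment = PortGroup("Experiment-150", 150)
    access_vlan5 = PhysicalPort("access", access_vlan=5)
    # Trunk allowing only VLANs 5 and 100, native VLAN left at the default 1.
    trunk_native1 = PhysicalPort("trunk", native_vlan=1, allowed=frozenset({5, 100}))
    # Option 2 in the reply: same trunk, but with VLAN 5 as the native VLAN.
    trunk_native5 = PhysicalPort("trunk", native_vlan=5, allowed=frozenset({5, 100}))
    return {
        "today: untagged port group on access port (VLAN 5)": landing_vlan(mgmt_untagged, access_vlan5),
        "port flipped to trunk, port group still VLAN 0": landing_vlan(mgmt_untagged, trunk_native1),
        "option 1: port group VLAN ID 5, trunk native VLAN 1": landing_vlan(mgmt_vlan5, trunk_native1),
        "option 2: port group VLAN 0, trunk native VLAN 5": landing_vlan(mgmt_untagged, trunk_native5),
        "developer port group VLAN 100 over the trunk": landing_vlan(developers, trunk_native1),
        "experiment port group VLAN 150, not allowed on trunk": landing_vlan(experiment, trunk_native1),
    }


if __name__ == "__main__":
    for label, vlan in scenarios().items():
        print(f"{label}: {'dropped at switch' if vlan is None else f'VLAN {vlan}'}")
```

The second scenario is the "lost all connectivity" case from the thread: once the port becomes a trunk, the still-untagged management frames fall into native VLAN 1, not VLAN 5, so nothing on the 192.168.5.X network can reach the host until either the port group is tagged with VLAN 5 or the trunk's native VLAN is set to 5. The last scenario shows why a restricted allowed-VLAN list on the trunk is what keeps experiment VLANs from leaving the host.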
bwilsey84
Enthusiast

I believe I see what you are saying.

vCSA and such are on the management network and connected with no VLAN ID... however, why did I lose all connectivity to the host? I couldn't ping it either...

I was thinking a bit more: is it because I need to go into the DCUI and set VLAN 5 as the management VLAN?

This host was not built by me. So there are all sorts of settings that were changed in an effort to harden it (same with the switch).
