VMware Cloud Community
vobelic
Contributor

VMware (standard) vSwitch and double tagging (QinQ)

I'm experiencing an issue while trying to pass double tagged traffic through a standard vSwitch.

A physical interface on the VMware host machine is receiving double tagged traffic - the outer tag differentiates multiple switches (mirroring remote tag) and the inner tags are from the switches' own internal traffic. The internal traffic can be both tagged and untagged depending on whether the mirrored port was an access port or a trunk.

A vSwitch is configured with multiple networks (each for a different outer tag from a different switch) and a guest machine should see only (single) tagged traffic.

The problem is that the guest machine isn't receiving any of the traffic that was received (on the phy) as double tagged. If the original internal traffic wasn't tagged (phy on host machine receives only 1-tag) the guest sees that traffic correctly.

I also did a test and configured a network on the vSwitch with tag 4095 where any tagged traffic should be passed (VGT). Again the guest machine receives only the single tagged traffic as received from phy, only difference is that the guest sees it as tagged. This proves the guest OS correctly sees tagged traffic and leads me to conclude the problem is in the vSwitch.

So is there a way to force the vSwitch to ignore the inner tags and pass traffic to guest regardless of the inner tag?

vSphere/vCenter/ESXi version 5.1.0 in question.

Hopefully someone can clarify this for me.

Thanks in advance.

0 Kudos
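To check on the upstream side which mirrored frames actually arrive double tagged (the frames the post above reports the guest never receives), a capture can be classified by VLAN tag depth. The following is an added example, not part of any post in this thread; the frames are constructed, and the VLAN IDs 100 and 20 and the choice of TPID values are assumptions.

```python
import struct
from collections import Counter

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad S-tag, and two legacy QinQ values.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100, 0x9200}

def vlan_stack(frame: bytes):
    """Return ([(tpid, pcp, vid), ...] outermost first, payload EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, offset = [], 12  # skip destination and source MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))
        offset += 4
        ethertype = next_type
    return tags, ethertype

def classify(frame: bytes) -> str:
    """Label a frame by tag depth, the property the thread turns on."""
    tags, _ = vlan_stack(frame)
    vids = [vid for _, _, vid in tags]
    if not vids:
        return "untagged"
    if len(vids) == 1:
        return f"single vid={vids[0]}"
    return f"stacked depth={len(vids)} outer={vids[0]} inner={vids[1]}"

def build(vids, tpid=0x8100, ethertype=0x0800):
    """Build a constructed test frame with the given VLAN IDs, outermost first."""
    macs = bytes.fromhex("02000000000a" "02000000000b")
    tags = b"".join(struct.pack("!HH", tpid, vid) for vid in vids)
    return macs + tags + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed samples: VLAN 100 stands in for one switch's mirror VLAN, 20 for its inner VLAN.
SAMPLES = [build([100, 20]), build([100]), build([]), build([100, 20], tpid=0x88A8)]

def summarize(frames):
    """Count frames per classification label."""
    return Counter(classify(f) for f in frames)

if __name__ == "__main__":
    for label, count in summarize(SAMPLES).items():
        print(f"{count:3d}  {label}")
```
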
5 Replies
chriswahl
Virtuoso

The vSwitch does not allow multiply encapsulated packets (QinQ packets).

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
0 Kudos
OscarDavey
Hot Shot

Unfortunately you can't do that.

If you have more questions, let me know.

Best regards

Your Oscar

0 Kudos
vobelic
Contributor

And what about a distributed vSwitch?

0 Kudos
MKguy
Virtuoso

The dvSwitch doesn't support that either, at least the built-in VMware dvSwitch.

The Cisco Nexus 1000V dvSwitch might be able to handle it though, but I haven't really found any definite info on that.

-- http://alpacapowered.wordpress.com
0 Kudos
VirtuallyMikeB

Sounds like somebody was able to find a workaround...

https://communities.vmware.com/message/1320716

Edit: and it was documented in this book: VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment by Ed Haletky himself, but the process seems a bit arcane.

- Mike

http://VirtuallyMikeBrown.com

https://twitter.com/VirtuallyMikeB

http://LinkedIn.com/in/michaelbbrown

Message was edited by: Mike Brown

0 Kudos