Solved: Native VLAN

vSohill · ‎09-26-2016

HI

Is there any needs or exampel to have Native VLAN ?

vHaridas · ‎09-26-2016

You have to create all the VLANs on Physical switch and trunk these VLANs to Physical Switch port where ESXi hosts NICs are connected.

You can configure any VLAN as native VLAN ( again on Physical switch port )

Native VLAN is useful where you cannot add VLAN id in NIC network configuration. e.g. if you want to boot server from network, PXE boot.

When you create virtual PortGroup, add the required VLAN id in Port groups. However make sure you are not adding native VLAN ID in PortGroup.

if you add native VLAN id in PortGroup configuration, network communication will not work with that PG.

-

Haridas

Please consider awarding points for "Correct" or "Helpful" replies. Thanks....!!! https://vprhlabs.blogspot.in/

View solution in original post

vSohill · ‎09-26-2016

In other words , If I have all the traffic is taged in the vSwitch and physical Swtich has only Native VLAN. How the physical Swetich will manage the traffic ?

vHaridas · ‎09-26-2016

You have to create all the VLANs on Physical switch and trunk these VLANs to Physical Switch port where ESXi hosts NICs are connected.

You can configure any VLAN as native VLAN ( again on Physical switch port )

Native VLAN is useful where you cannot add VLAN id in NIC network configuration. e.g. if you want to boot server from network, PXE boot.

When you create virtual PortGroup, add the required VLAN id in Port groups. However make sure you are not adding native VLAN ID in PortGroup.

if you add native VLAN id in PortGroup configuration, network communication will not work with that PG.

-

Haridas

Please consider awarding points for "Correct" or "Helpful" replies. Thanks....!!! https://vprhlabs.blogspot.in/

vHaridas · ‎09-26-2016

if you do not set any native VLAN, you can add that VLAN ID in portgroup and network communication will work.

Please consider awarding points for "Correct" or "Helpful" replies. Thanks....!!! https://vprhlabs.blogspot.in/

rcporto · ‎09-26-2016

Take a look here: Sample configuration of virtual switch VLAN tagging (VST Mode) (1004074) | VMware KB

Caution: Native VLAN ID on ESXi/ESX VST Mode is not supported. Do not assign a VLAN to a port group that is same as the native VLAN ID of the physical switch. Native VLAN packets are not tagged with the VLAN ID on the outgoing traffic toward the ESXi/ESX host. Therefore, if the ESXi/ESX host is set to VST mode, it drops the packets that are lacking a VLAN tag.

---

Richardson Porto
Senior Infrastructure Specialist
LinkedIn: http://linkedin.com/in/richardsonporto

vSohill · ‎09-26-2016

Thank you ,

vHaridas · ‎09-26-2016

Thanks Richardson, I was missing the correct reason.

Please consider awarding points for "Correct" or "Helpful" replies. Thanks....!!! https://vprhlabs.blogspot.in/

vSohill · ‎09-26-2016

Thanks Richardson

vSohill · ‎09-27-2016

I can set VLAN to 4095 in VSS but not in VDS it is only to 4094 . Is 4094 give Wireshark the option to sniff the traffic from the other VLAN ?

vSohill · ‎09-27-2016

vHaridasvHaridas

I guess I found it . VSS trunk mode is to set VLAN to 4095, and for VDS I have to use Trunk mode 1-4094 in order to allow Wireshark to sniff the traffic from the other VLANs.

Am I assuming right ?

vHaridas · ‎09-27-2016

For the vSphere distributed Switch to enable trunk you have to add VLAN range.

Either it could be default 0-4094 or any other specific VLAN range which exist in your network.

You can use 4095 to enable Trunk on SS.

Note, when you enable Trunk on PortGroup, then you need to do the VLAN tagging inside VM Guest OS Network configuration (VGT Mode).

Sample configuration of virtual machine VLAN Tagging (VGT Mode) in ESX (1004252) | VMware KB

Assign a VLAN to a portgroup(s). The supported VLAN range is 1-4094.

Reserved VLAN IDs:

VLAN ID 0 (zero) Disables VLAN tagging on port group (EST Mode)
VLAN ID 4095 Enables trunking on port group (VGT Mode)

from KB - Sample configuration of virtual switch VLAN tagging (VST Mode) (1004074) | VMware KB

Wireshark to sniff the traffic

It really depends on where you are putting your Wireshark system.

e.g. if I want to snip all traffic for VMs from PortGroup-X which is VLAN 10 then I can enable Promiscuous mode for this PortGroup and add Wireshark VM in this PG.

Promiscuous mode will broadcast VM traffic to all ports in that PG.

Note, Port mirroring and Promiscuous mode are two different things.

-

Haridas Vhadade

Please consider awarding points for "Correct" or "Helpful" replies. Thanks....!!! https://vprhlabs.blogspot.in/

vSohill · ‎09-28-2016

vHaridas

Thanks, For the Wireshark, If it on PG on VDS. Wireshark will sniff traffic from VLAN 101, 102 and 103, I will configure PG that attached to wireshark VM as Trunk Mode 101,102,103 or 1-4094 for any VLANs can be added in the future (I know it is not the best config )

No need to enable Promiscuous mode.

Am I assuming right ?

Thank you

vHaridas · ‎09-28-2016

Yes,

Please consider awarding points for "Correct" or "Helpful" replies. Thanks....!!! https://vprhlabs.blogspot.in/

vSohill · ‎10-01-2016

thank you

marknguy · ‎11-02-2018

My customer had the same issue and was able to figure this out. The actually behavior if you want to use a trunk with a native VLAN for guest VMs is to include 0 (zero) in your allow list:

Zero is the VLAN tag that matches the native VLAN. So when allowing VLANs on the uplink its 0-4094 for the full VLAN supported range including the native VLAN 0. On the distributed port group, the allow needs to include 0 (zero) and whatever other VLAN tags are needed on that same trunk interface.

On the upstream switch interface into the host, the native VLAN needs to be assigned on the trunk. It could be any VLAN ID, since it is untagged it will match 0 on the Distributed Virtual Switch Uplink on the VMWare Host.

All

Native VLAN