VMware Cloud Community
rvdl
Enthusiast

Cannot contact isolated virtual machine from workstation

Hello everyone,

I’m having problems with private vlans on a distributed virtual switch. Hopefully someone can help me out here.

There is a network diagram attached to this post for more information.

We have a core router (layer 3 switch) with a few ESX 5.1 Enterprise plus hosts.

I configured a distributed virtual switch with 3 uplinks to the core switch.

On the dvSwitch are 3 portgroups configured for virtual machines, PortGroup1 (VM1 + VM2), PortGroup2 (VM3 + VM4) and PortGroup3 (VM5).

PortGroup1 is configured as Isolated private vlan number 25.

PortGroup2 is configured as Community private vlan number 24.

PortGroup3 is configured as Promiscuous private vlan 23.

So the primary vlan id on the dvSwitch is 23.

I have a workstation (PC1) connected to the core switch on default vlan1.

The cisco switch port for the workstation is configured with the following setting.

Switchport mode access.

The 3 uplinks from the dvSwitch are configured on the cisco with the following settings.

Switchport mode trunk

Switchport trunk encapsulation dot1q

Switchport trunk allowed vlan 1,23-25

The cisco switch (core) has the layer2 vlans configured vlan23-25.

There are also interfaces (layer3) configured to route between vlan1 and vlan23-25.

PC1 = 172.16.40.1 / 255.255.255.0

PC1 gateway = 172.16.40.254

VM1 = 172.16.50.11 / 255.255.255.0

VM2 = 172.16.50.12 / 255.255.255.0

VM3 = 172.16.50.13 / 255.255.255.0

VM4 = 172.16.50.14 / 255.255.255.0

VM5 = 172.16.50.15 / 255.255.255.0

VM1 - VM5 gateway = 172.16.50.254

All tests are performed between different ESXi servers, so traffic must be passing the cisco switch.

Test situation 1.

Core switch config:

Interface vlan23

Ip address 172.16.50.254 255.255.255.0

Interface vlan24

No ip address

Interface vlan25

No ip address

Test execution 1 (ip address configured on vlan23).

Ping from pc1 to vm1 = timeout (expected result)

Ping from pc1 to vm3 = timeout (expected result)

Ping from pc1 to vm5 = response (expected result)

Ping from vm1 to vm2 = timeout (expected result)

Ping from vm1 to vm5 = response (expected result)

Ping from vm3 to vm4 = response (expected result)

Ping from vm3 to vm5 = response (expected result)

Conclusion: everything works as it should.

Test situation 2 (ip address configured on vlan24).

Core switch config:

Interface vlan23

No ip address

Interface vlan24

Ip address 172.16.50.254 255.255.255.0

Interface vlan25

No ip address

Test execution 2.

Ping from pc1 to vm1 = timeout (expected result)

Ping from pc1 to vm3 = response (expected result)

Ping from pc1 to vm5 = timeout (expected result)

Ping from vm1 to vm2 = timeout (expected result)

Ping from vm1 to vm5 = response (expected result)

Ping from vm3 to vm4 = response (expected result)

Ping from vm3 to vm5 = response (expected result)

Conclusion: everything works as it should.

Test situation 3 (ip address configured on vlan25).

Core switch config:

Interface vlan23

No ip address

Interface vlan24

No ip address

Interface vlan25

Ip address 172.16.50.254 255.255.255.0

Test execution 3.

Ping from pc1 to vm1 = timeout (why does this timeout?)

Ping from pc1 to vm3 = timeout (expected result)

Ping from pc1 to vm5 = timeout (expected result)

Ping from vm1 to vm2 = timeout (expected result)

Ping from vm1 to vm5 = response (expected result)

Ping from vm3 to vm4 = response (expected result)

Ping from vm3 to vm5 = response (expected result)

Conclusion: The connection from pc1 to vm1 could not be established.

Now to the question.

Why doesn’t this work?

The communication between the isolated virtual machine and the virtual machine in the promiscuous pvlan is fine. But there is no traffic between the virtual machine in the isolated pvlan (cisco vlan25) and the pc in (cisco vlan1).

Is this a bug or am I doing something wrong?
