VCAP-DCA Study Notes – 2.2 Configure and Maintain VLANs and PVLANs
This is one of the smaller objectives plus only the PVLAN concepts and practices are new – VLAN support remains relatively unchanged from VI3 (although the vDS and it’s associated VLAN support is new).
- Identify types of VLANs and PVLANs
Skills and Abilities
- Determine use cases for and configure VLAN Trunking
- Determine use cases for and configure PVLANs
- Use command line tools to troubleshoot and identify VLAN configurations
Tools & learning resources
- Product Documentation
- vSphere Client
- vSphere CLI
Types of VLAN
VLANs are a network standard (802.1q) which are fully supported in vSphere. They can be used to minimise broadcast traffic and as a security measure to segregate traffic (although like any technology there are weaknesses). Typical uses for VLANs with vSphere are to isolate infrastructure (vMotion, iSCSI and NFS) traffic and VM traffic.
There are three main ways of using VLANs with vSphere (covered in this VMware whitepaper);
- Virtual guest tagging (VGT) – requires VLAN driver support in the guest OS
- Virtual Switch tagging (VST) – common option, requires VLAN trunking on external switches
- External switch tagging (EST) – less flexible and requires more physical NICs
In the Cisco world you set a port to be an ‘access port’ or a ‘trunk port’ if it’s going to carry multiple VLANs. VLAN IDs are 16 bit values giving a range of 0-4095. 4095 is used within vSphere to mean ‘all VLANs’ and is how you configure a portgroup when using VGT.
Configuring VLANs and VLAN trunking
For standard vSwitches you configure VLAN tags on portgroups. This configuration is done at the ESX host using the VI client (Configuration -> Networking);
- Use VLAN 0 when no VLAN tags are present (EST)
- Use VLAN 4095 to pass all VLANs (VGT)
Use a specific VLAN ID depending on the isolation required (VST)
NOTE: Avoid using VLAN1 (native VLAN for most Cisco kit) as this can inadvertently expose traffic you may not mean to expose.
For distributed switches you configure VLANs on both dvPortGroups and dvUplinkPortGroups (with the option to override at the dvPort level when enabled). This is done in vCenter using the VI client;
- Use ‘None’ for EST
- Use ‘VLAN’ (and specify a VLAN ID) depending on the isolation requirement (VST)
- Use ‘VLAN trunking’ to pass either all VLANs (VGT) or a selection of VLANs (VST). This is an improvement over standard switches which either set a single VLAN ID or All. Restricting the VLANs this way is a form of VLAN pruning.
Use PVLAN when you need a subset of hosts within a single VLAN (see next section)
Types of PVLAN (Private VLANs)
From the ESXi Configuration Guide – “PVLANs are used to solve VLAN ID limitations”. They allow more fine grained control over subsets of hosts without requiring a dedicated VLAN for each group, cutting down on network administration (here’s a good explanation and diagram). Eric Sloof’s video on configuring PVLANs and dvSwitches is also worth a watch (from 24mins for the PVLAN part).
Think of PVLANs as a VLAN within a VLAN (read VMwareKB1010691 PVLAN concepts);
- Promiscuous VLAN – this is an extension of the original (parent) VLAN
- Secondary VLANs – there are two choices;
- Isolated (one per primary VLAN)
- Community (multiple per primary VLAN)
- PVLANs are only available on vDistributed Switches
- The physical switches must support PVLANs and be configured with the VLAN IDs used for secondary VLANs.
NOTE: To test PVLANs in a lab environment you could run multiple virtual ESX hosts on a single host (along with a virtual router such as Vyatta Core). This was the traffic never reaches the physical network so you don’t need a PVLAN capable switch.
VMwareKB1010691 offers a good overview of PVLAN concepts when used with vDS
- Configured via vCentre as a property of the vDS itself
- CANNOT be done from the command line
- MUST also be configured on physical switches
Read VMwareKB1010703 (PVLAN implementation on a vDS)or the ESXi Configuration Guide page 32 onwards.
NOTE: Trying to remove PVLANs from the vDS when a dvPortGroup is still using the PVLANs will result in an error and no deletion occurring. Check the various dvPortGroups and remove the config before removing the PVLANs from the vDS.
Command line tools for VLAN configuration/troubleshooting
The usual commands support VLANs, typically using the -v parameter;
- vicfg-vswitch – (use -v for vlan assignment. Use -v 0 to clear an existing VLAN tag)
NOTE: You can only administer VLANs at the command line – PVLANs are only configured in vCenter.