Objective 2.2 – Configure & Maintain VLANs, PVLANs, & VLAN Settings
For this objective I used the following resources
- VMware KB Article 1010691
- VMware KB Article 1004048
- VMware KB Article 1010703
- Chris Wahl’s blog
- IT Cookbook blog
Identify types of VLANs and PVLANs
- A VLAN (virtual LAN) is a grouping of hosts that share one broadcast domain even though they may not be physically plugged into the same network device
- VLAN trunking is the ability to carry the traffic of multiple VLANs (thus sharing) over a single physical network connection, each frame tagged with its VLAN ID
- Private VLANs let you isolate traffic between virtual machines that sit in the same VLAN (and therefore the same IP subnet). A PVLAN domain is a primary VLAN divided into secondary VLANs. In vSphere, PVLANs are only configurable on a vDS, and the physical switches between hosts must also be PVLAN-capable and configured with the same primary/secondary mapping, otherwise the isolation only holds for VMs on the same host. There are three types of secondary PVLAN:
- Promiscuous – VMs are reachable by and can reach any machine in the same primary VLAN
- Isolated – VMs cannot talk to any other VM except those in the promiscuous PVLAN (not even to other VMs in the same isolated PVLAN)
- Community – VMs can talk to each other within the same community and to the VMs in the promiscuous PVLAN, but not to any other VM
See VMware KB Article 1010691 “Private VLAN (PVLAN) on vNetwork Distributed Switch – Concept Overview” for additional reading.
Skills and Abilities
Determine use cases for and configure VLAN Trunking
A use case for VLAN trunking is an environment with multiple VLANs in place for logical separation or to isolate VM traffic, but with a limited number of physical uplink ports available to the ESXi hosts. For example:
In the above example four port groups are created and are "tagged" with the VLAN IDs they carry (Virtual Switch Tagging, VST). The vmnics are bonded together in an EtherChannel (configured on the physical Cisco switch) and the switch ports are configured to "trunk" the VLANs in use. On the ESXi side the NIC Teaming load balancing policy must then be set to Route based on IP hash. Note – this is just an example; you do not have to use EtherChannel/link aggregation to use VLAN trunking. Two practitioner caveats: prune the trunk on the physical switch to the VLANs the hosts actually need, and be aware that a port group set to VLAN ID 4095 (Virtual Guest Tagging) passes every trunked VLAN through to the guest, so any VM placed in that port group can tag its way onto any of them.
For additional reading on configuring and using EtherChannel or link aggregation see VMware KB Article 1004048 "Sample Configuration of EtherChannel/Link aggregation with ESX/ESXi and Cisco/HP switches"
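The same configuration done with PowerCLI, as an added example that is not part of the original post or the VMware KB. It assumes PowerCLI 5.1 or later, a host named esxi01.lab.local whose vSwitch0 already has its vmnics attached, and VLAN IDs 10, 20, 30 and 40 trunked to those uplinks on the physical switch; the host, vCenter, switch and port group names are placeholders.

```powershell
# Added example (PowerCLI), not from the original post or the KB. Assumes
# esxi01.lab.local / vSwitch0 exist and VLANs 10,20,30,40 are trunked to its uplinks.
Connect-VIServer -Server 'vcenter.lab.local'

$esx = Get-VMHost -Name 'esxi01.lab.local'
$vss = Get-VirtualSwitch -VMHost $esx -Name 'vSwitch0'

# Port groups "tagged" with the VLAN they carry (Virtual Switch Tagging).
# VLAN 0 would mean untagged (EST) and 4095 would mean VGT, which is why the
# IDs are kept in an explicit map rather than typed ad hoc.
$vlanMap = @{ 'Web' = 10; 'App' = 20; 'DB' = 30; 'Mgmt-Test' = 40 }
foreach ($pg in $vlanMap.GetEnumerator()) {
    if ($pg.Value -lt 1 -or $pg.Value -gt 4094) { throw "Refusing VLAN ID $($pg.Value) for $($pg.Key)" }
    if (-not (Get-VirtualPortGroup -VirtualSwitch $vss -Name $pg.Key -ErrorAction SilentlyContinue)) {
        New-VirtualPortGroup -VirtualSwitch $vss -Name $pg.Key -VLanId $pg.Value | Out-Null
    }
}

# Only needed when the uplinks form a static EtherChannel on the physical
# switch: that requires "Route based on IP hash" on the ESXi side.
Get-NicTeamingPolicy -VirtualSwitch $vss |
    Set-NicTeamingPolicy -LoadBalancingPolicy LoadBalanceIP | Out-Null

# Verify: the VLAN ID each port group tags, and the teaming policy in effect.
Get-VirtualPortGroup -VirtualSwitch $vss | Select-Object Name, VLanId | Format-Table -AutoSize
(Get-NicTeamingPolicy -VirtualSwitch $vss).LoadBalancingPolicy

Disconnect-VIServer -Server 'vcenter.lab.local' -Confirm:$false
```

The range check is the part worth keeping even if the rest is typed by hand: a port group that quietly ends up at 4095 is a trunk port handed to a guest.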
Determine use cases for and configure PVLANs
Private VLANs provide additional isolation between virtual machines on the same subnet without exhausting the VLAN number space (one primary VLAN carries all of its secondaries). PVLANs are particularly useful in a DMZ, where a server needs to be reachable from external connections and possibly internal ones, but rarely needs to communicate with the other servers on the DMZ; putting those servers in an isolated PVLAN means a compromised one cannot pivot to its neighbours at layer 2. This may be more easily explained with a picture:
(Graphic supplied by IT Cookbook – real world experience)
Configuring a PVLAN is completed as follows
1. In vCenter, go to Home -> Inventory -> Networking
2. Click Edit Settings on the desired dvSwitch
3. Choose the Private VLAN tab
4. On the Primary tab, add the VLAN that is used outside the PVLAN domain (the primary VLAN). Enter a private VLAN ID or choose one from the list
5. On the Secondary Tab, create the PVLANs of the desired type (see definitions above). Enter a VLAN ID in the VLAN ID field
6. Select the Type for the Secondary VLAN ID
7. Click Ok
To set the PVLAN in the dvPortGroup
1. Highlight dvPortGroup and click Edit Settings
2. Under Policies, select VLAN
3. Using the dropdown, set the VLAN type to Private
4. Select VLAN from the Private VLAN Entry dropdown
Above procedure was taken from VMware KB Article 1010703 ”Configuration of Private VLAN (PVLAN) on vNetwork Distributed Switch”
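The same two procedures driven through the vSphere API from PowerCLI, as an added example that is not part of the original post or of KB 1010703. It assumes PowerCLI 5.1 or later, a vDS named dvSwitch-DMZ, and a PVLAN map of primary VLAN 100 with secondary IDs 100 (promiscuous), 101 (isolated) and 102 (community); the switch name, port group names and VLAN IDs are placeholders chosen for illustration.

```powershell
# Added example (PowerCLI + vSphere API), not from the original post or the KB.
# Assumes vDS 'dvSwitch-DMZ' exists; VLAN IDs 100/101/102 are illustrative.
Connect-VIServer -Server 'vcenter.lab.local'

$vds     = Get-VDSwitch -Name 'dvSwitch-DMZ'
$vdsView = Get-View -Id $vds.Id      # VmwareDistributedVirtualSwitch managed object

# Steps 4-6 of the KB procedure: the PVLAN map. The primary VLAN is represented
# by a promiscuous entry whose secondary ID equals the primary ID; isolated and
# community secondaries get their own IDs under the same primary.
$entries = @(
    @{ Primary = 100; Secondary = 100; Type = 'promiscuous' },
    @{ Primary = 100; Secondary = 101; Type = 'isolated'    },
    @{ Primary = 100; Secondary = 102; Type = 'community'   }
)

$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.ConfigVersion = $vdsView.Config.ConfigVersion   # optimistic lock on the vDS config
$spec.PvlanConfigSpec = foreach ($e in $entries) {
    $p = New-Object VMware.Vim.VMwareDVSPvlanConfigSpec
    $p.Operation  = 'add'
    $p.PvlanEntry = New-Object VMware.Vim.VMwareDVSPvlanMapEntry
    $p.PvlanEntry.PrimaryVlanId   = $e.Primary
    $p.PvlanEntry.SecondaryVlanId = $e.Secondary
    $p.PvlanEntry.PvlanType       = $e.Type
    $p
}
$vdsView.ReconfigureDvs($spec)

# "To set the PVLAN in the dvPortGroup": bind each port group to one secondary.
# A VM placed in DMZ-Isolated can only reach the promiscuous side (the
# firewall/router port group), never another VM in the same port group.
$portGroups = @{ 'DMZ-Promiscuous' = 100; 'DMZ-Isolated' = 101; 'DMZ-Community' = 102 }
foreach ($pg in $portGroups.GetEnumerator()) {
    $dvpg = Get-VDPortgroup -VDSwitch $vds -Name $pg.Key -ErrorAction SilentlyContinue
    if (-not $dvpg) { $dvpg = New-VDPortgroup -VDSwitch $vds -Name $pg.Key }
    $pgView = Get-View -Id $dvpg.Id

    $pgSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $pgSpec.ConfigVersion     = $pgView.Config.ConfigVersion
    $pgSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
    $pgSpec.DefaultPortConfig.Vlan = New-Object VMware.Vim.VmwareDistributedVirtualSwitchPvlanSpec
    $pgSpec.DefaultPortConfig.Vlan.PvlanId   = $pg.Value   # secondary VLAN ID from the map
    $pgSpec.DefaultPortConfig.Vlan.Inherited = $false
    $pgView.ReconfigureDVPortgroup($pgSpec)
}

# Verify: the map as vCenter now holds it, then the PVLAN each port group is bound to.
$vdsView.UpdateViewData()
$vdsView.Config.PvlanConfig |
    Select-Object PrimaryVlanId, SecondaryVlanId, PvlanType | Format-Table -AutoSize
Get-VDPortgroup -VDSwitch $vds | Where-Object { $_.Name -like 'DMZ-*' } |
    Select-Object Name, @{N='PvlanId'; E={ (Get-View -Id $_.Id).Config.DefaultPortConfig.Vlan.PvlanId }} |
    Format-Table -AutoSize

Disconnect-VIServer -Server 'vcenter.lab.local' -Confirm:$false
```

The verification at the end is the step to repeat on the physical side: the upstream switch must carry the same primary/secondary mapping, otherwise two isolated VMs on different hosts can still reach each other through it.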
Again, Chris Wahl has a great article covering the use of Private VLANs (PVLANs) in vSphere. The article is located HERE.
Use command line tools to troubleshoot and identify VLAN configurations
See section “Configure vSS and vDS Settings Using Command Line Tools” in Objective 2.1 located HERE.
To further "pimp out" Chris Wahl, he recently covered all of the Section 2 objectives on the ProfessionalVMware Brownbag series. Available HERE on iTunes (release date is 9/5/12).