When VMware gurus talk about the use of virtual LANs (VLANs) with VMware Infrastructure 3 (VI3), they are usually referring to the use of VLAN trunks. There are, however, three other types of VLAN configurations VI3 uses: virtual switch tagging (VST), external switch tagging (EST) and virtual guest tagging (VGT).
This tip is your guide to VST, EST and VGT, covering what they are and when to use them. I discussed VLAN trunks, which use 802.1q encapsulation to pass tagged traffic up to the VMware ESX Server, in my previous tip, Configuring VLANs in VMware Infrastructure 3 (VI3).
Virtual Switch Tagging (VST)
VST uses 802.1q VLAN trunks and tagged traffic, as we've discussed already. The physical switch treats the ESX Server like any other switch, tagging traffic with the appropriate VLAN tags as it moves across the trunk into the ESX Server's NICs. The ESX Server then uses the VLAN tags to direct the traffic to the appropriate port group. In order to use this configuration, the physical switch ports must be configured as VLAN trunks and ESX Server needs to have a port group defined for each VLAN ID.
External Switch Tagging (EST)
In EST, the physical switch is configured to pass untagged traffic for a single VLAN on each port. In the Cisco IOS world, this means that the physical switch ports would be configured as access ports assigned to a specific VLAN, like so:
interface GigabitEthernet0/23
 switchport mode access
 switchport access vlan 200
Given that most physical switch ports are already configured this way, this is a pretty typical switch configuration that is widely seen through many organizations. In this mode, ESX Server has a different vSwitch for each VLAN, and each vSwitch has its own individual uplink to a physical NIC (pNIC). Port groups can still be used to control traffic shaping and security policies, but they will not affect the VLAN operation.
Virtual Guest Tagging (VGT)
VGT is a specialized implementation that passes the VLAN tags all the way up to the virtual machine (VM), where the guest operating system (OS) will then handle the VLAN tags. This means that the guest OS must be able to support VLANs and VLAN tags. The physical switch still treats the ESX Server like any other switch, but the ESX Server passes the VLAN information directly to the guest OS instead of processing it and directing traffic to a matching port group. ESX Server requires only a single port group, using a VLAN ID of 4095, in order to use VGT.
When to use VGT, EST or VST VLAN configurations
Each of the different VLAN configurations has its advantages and disadvantages. As with most other things in a VI3 implementation, the "best answer" will depend upon the organization's business needs. In most cases, VST provides the right balance between complexity and simplicity while providing the greatest level of flexibility.
However, there are cases where EST or VGT are more appropriate. For example, consider the organization whose servers plug into distribution layer switches. These distribution layer switches then connect to a core switch. If the connections between the core switch and the distribution switches are not already configured as VLAN trunks (that is, links capable of carrying multiple VLANs simultaneously), then using VST is impossible: each distribution switch carries, and can carry, only a single VLAN. In this instance, EST is the only solution available.
Similarly, if a particular VM (virtual machine) needs to be present on multiple VLANs simultaneously, then VGT (instead of multiple vNICs, each assigned to a different port group or VLAN) might make more sense. This kind of situation is less common, but it is a valid scenario nevertheless. Guest OS support for VLAN drivers is required; this seems to be most common in various UNIX and UNIX-like operating systems: Solaris, OpenBSD and certain Linux distributions, for example.
One advantage that VGT has over EST is that VGT and VST can be used at the same time. VST requires the creation of VLAN-specific port groups, each configured with the appropriate VLAN ID. Because the 802.1Q specification only allows for a maximum VLAN ID of 4094, it's possible to have both VST port groups (with VLAN IDs from 1 to 4094) and a VGT port group (with a VLAN ID of 4095) at the same time on the same vSwitch.
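To make the three modes concrete, here is a small Python model of how a vSwitch hands uplink frames to its port groups. It is an added example, not code from this tip or from VMware: it encodes the rules described above (VST port groups carry VLAN IDs 1 to 4094 and strip the tag before delivery, EST port groups carry VLAN ID 0 and expect untagged traffic because the physical access port already did the VLAN work, and the VGT port group with VLAN ID 4095 receives frames with the tag intact for the guest OS). The `Frame` and `VSwitch` names are this example's own, and two details are assumptions rather than documented ESX behaviour: that a 4095 port group also receives untagged frames unchanged, and that a frame matching no port group is simply dropped.

```python
"""Model of an ESX vSwitch dispatching 802.1Q frames to port groups.

Added example; follows the VST/EST/VGT description in the tip above.
Behaviour for untagged frames at a 4095 port group and for unmatched
frames is assumed (delivered unchanged / dropped), not taken from VMware.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional

VGT_VLAN = 4095        # the single port group ID VGT uses
MAX_8021Q_VLAN = 4094  # highest VLAN ID 802.1Q allows on the wire


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    vlan: Optional[int]  # None = untagged, otherwise the 802.1Q VLAN ID
    payload: bytes


class VSwitchConfigError(ValueError):
    """Raised for a port group VLAN ID the vSwitch cannot accept."""


class VSwitch:
    """A vSwitch with named port groups, each carrying exactly one VLAN ID."""

    def __init__(self) -> None:
        self.port_groups: Dict[str, int] = {}

    def add_port_group(self, name: str, vlan_id: int) -> None:
        # 0 = EST (untagged), 1-4094 = VST, 4095 = VGT; anything else is invalid.
        if not 0 <= vlan_id <= VGT_VLAN:
            raise VSwitchConfigError(f"{name}: VLAN ID {vlan_id} outside 0-{VGT_VLAN}")
        if name in self.port_groups:
            raise VSwitchConfigError(f"port group {name!r} already exists")
        self.port_groups[name] = vlan_id

    def mode(self, name: str) -> str:
        """Report which tagging mode a port group's VLAN ID implies."""
        vid = self.port_groups[name]
        if vid == 0:
            return "EST"
        if vid == VGT_VLAN:
            return "VGT"
        return "VST"

    def dispatch(self, frame: Frame) -> Dict[str, Frame]:
        """Map port group name -> frame as delivered, for one frame off the uplink.

        Port groups that do not match the frame are absent from the result,
        which models the frame being dropped for them (an assumption).
        """
        delivered: Dict[str, Frame] = {}
        for name, vid in self.port_groups.items():
            if vid == VGT_VLAN:
                # VGT: the guest OS handles the tag, so pass the frame untouched.
                delivered[name] = frame
            elif vid == 0:
                # EST: the physical access port sorted VLANs already; only
                # untagged frames are expected on this uplink.
                if frame.vlan is None:
                    delivered[name] = frame
            elif frame.vlan == vid:
                # VST: the vSwitch consumes the tag and delivers an untagged frame.
                delivered[name] = replace(frame, vlan=None)
        return delivered


def build_mixed_vswitch() -> VSwitch:
    """VST port groups for VLANs 100 and 200 next to a VGT port group on one
    vSwitch, which works because 4095 lies outside the 1-4094 VST range."""
    vs = VSwitch()
    vs.add_port_group("VLAN 100", 100)
    vs.add_port_group("VLAN 200", 200)
    vs.add_port_group("VGT all VLANs", VGT_VLAN)
    return vs


def build_est_vswitch() -> VSwitch:
    """One vSwitch per VLAN, its uplink on an access port: a single VLAN 0 port group."""
    vs = VSwitch()
    vs.add_port_group("VM Network", 0)
    return vs


if __name__ == "__main__":
    # Constructed sample frames (MACs and payloads are made up for the demo).
    mixed = build_mixed_vswitch()
    for f in (Frame("00:50:56:aa:00:01", 100, b"to vlan 100"),
              Frame("00:50:56:aa:00:02", 300, b"vlan 300, no VST port group")):
        print(f.vlan, "->", {n: d.vlan for n, d in mixed.dispatch(f).items()})
    est = build_est_vswitch()
    print("untagged on EST ->", list(est.dispatch(Frame("00:50:56:aa:00:03", None, b"x"))))
```

Running it shows the two points the tip makes: a frame tagged 100 reaches both the VST port group (untagged) and the VGT port group (tag intact), while a frame tagged 300 reaches only the VGT port group because no VST port group claims it; on the EST vSwitch an untagged frame is delivered and a tagged one is not.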
About the author: Scott Lowe has had a lifelong love of computers, dating all the way back to his first computer, a Tandy TRS-80 Color Computer. He began working professionally in the technology field in 1994 and has since held the roles of an instructor, technical trainer, server/network administrator, systems engineer, IT manager, and CTO. For the last few years, Scott has worked as a senior systems engineer with a reseller, providing technology solutions to enterprise customers. Scott also runs a virtualization-centric weblog at http://blog.scottlowe.org.