Most IT professionals, especially those involved in network design or network support, completely understand the idea of virtual LANs (VLANs). When a server needs to be provisioned on a particular VLAN, the network gurus know they need to configure the appropriate switch port or ports for that VLAN. Then, they must physically cable the server to the correct switch port or ports before the server will be able to communicate with the rest of the network.
Where this process begins to break down, however, is when VMware Infrastructure 3 (VI3) is introduced. Now, when a new virtual server is provisioned, how does an organization determine on which VLAN that server will reside? How many physical NICs (network interface cards) are required in order to support multiple VLANs in a VI3 environment? How should the switch port or ports be configured? These are the questions that IT professionals are asking, because the procedures that worked without virtualization don't work with virtualization. In this article, we'll take a look at how to configure your VI3 environment to support VLANs.
The key to understanding VI3's support for VLANs lies with the concept of a "VLAN trunk". A non-trunk port -- also called an access port -- carries traffic for a single VLAN, but a trunk port carries traffic for multiple VLANs simultaneously. On a trunk, each frame is tagged so that whatever device is at the other end of the connection -- typically another switch -- knows which frames belong to which VLAN. The switches separate the traffic flows according to these tags. A standard, known as IEEE 802.1Q, defines the VLAN tags that are applied to the frames crossing a VLAN trunk so that, in theory, all vendors that support the standard can work together.
VI3 works with VLANs through the use of VLAN trunks. Each physical switch port to which a physical NIC in the ESX Server host machine is connected should be configured as an 802.1q VLAN trunk. This instructs the physical switch to tag the packets with a VLAN tag. On the ESX Server, vSwitches (virtual switches) accept the tagged traffic, read and strip away the tags and pass the traffic to the correct destination. It's just like a connection between two physical switches, except in this instance one of the switches is virtual.
The ESX Server host separates the VLANs using port groups. Each vSwitch may have one or more port groups. Strictly speaking, port groups and VLANs do not necessarily have a direct one-to-one relationship; a single VLAN may be represented by multiple port groups. This is because port groups define more than just VLAN membership. In addition to VLAN membership, port groups also define other networking features such as traffic shaping and security settings.
The first step is configuring the physical switch to treat the ports as VLAN trunks. For many Cisco IOS-based LAN switches, the commands would look something like this:
    interface GigabitEthernet0/1
     switchport
     ! On switches that support both ISL and 802.1Q, the encapsulation must be
     ! set before the port can be placed in trunk mode.
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 4094
     switchport trunk allowed vlan all
There are two important things to note here. First, the native VLAN has been set to VLAN ID 4094. What does this mean? It means that any traffic on VLAN 4094 is considered to be on the "native" VLAN, and therefore won't be tagged. If it isn't tagged, then it typically won't be seen by guests on ESX Server. For this reason, VMware recommends not placing VMs on the native VLAN, and I recommend setting the native VLAN to a "dummy VLAN" that isn't used anywhere else in the organization.
Second, all VLANs are allowed across this trunk. If only certain VLANs were allowed, the ESX Server would be unable to host VMs on any VLAN left out of the allowed list. This makes sense, of course, but it can be easily overlooked if one isn't careful.
For each VLAN defined on the physical switch (or group of physical switches), a matching port group must be defined on the ESX Server hosts. The port groups are linked to the VLANs using the numeric VLAN ID, so VLAN 200 on the physical switches would be represented by a port group with a VLAN ID of 200. Be sure to keep the port group names and configuration identical across your ESX Server farms in order to prevent any VMotion problems! Once your port groups have been defined, VMs attached to a port group will communicate on the matching VLAN on the physical switches.
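The three pitfalls just described (port groups on the native VLAN, port groups on VLANs the trunk does not allow, and port group names or VLAN IDs that differ between hosts) are all easy to check mechanically. The script below is an added example, not code from the original article or from VMware: it parses the switchport lines of an IOS trunk configuration like the one shown above and audits a set of ESX hosts' port group definitions against it. The switch configuration and the host/port-group tables are constructed sample data; in practice they would come from the switch's running config and from each host's vSwitch configuration.

```python
"""Audit ESX port groups against the physical trunk configuration.

Added example, not the article's or VMware's code. Assumes:
  - the physical switch config is supplied as IOS 'switchport' lines
  - each host's port groups are supplied as a {name: vlan_id} mapping
All sample data below is constructed for illustration.
"""


def parse_vlan_list(spec):
    """Turn an IOS allowed-VLAN spec ('all' or '10,20,100-200') into a set."""
    if spec.strip() == "all":
        return "all"
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk_config(config_text):
    """Extract the trunk-relevant settings from an IOS interface stanza.

    Defaults follow IOS: native VLAN 1 and all VLANs allowed unless overridden.
    """
    settings = {"mode": None, "encapsulation": None, "native_vlan": 1, "allowed": "all"}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("switchport mode "):
            settings["mode"] = line.split()[-1]
        elif line.startswith("switchport trunk encapsulation "):
            settings["encapsulation"] = line.split()[-1]
        elif line.startswith("switchport trunk native vlan "):
            settings["native_vlan"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            settings["allowed"] = parse_vlan_list(line[len("switchport trunk allowed vlan "):])
    return settings


def audit(trunk, hosts):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if trunk["mode"] != "trunk":
        findings.append("switch port is not in trunk mode; only one VLAN will be carried")
    if trunk["encapsulation"] not in (None, "dot1q"):
        findings.append(f"trunk encapsulation {trunk['encapsulation']} is not 802.1Q")

    # Per-host checks: native VLAN (untagged, invisible to VMs) and disallowed VLANs.
    for host, groups in hosts.items():
        for name, vlan in groups.items():
            if vlan == trunk["native_vlan"]:
                findings.append(f"{host}: port group '{name}' uses native VLAN {vlan}; "
                                "its frames arrive untagged and VMs will not see them")
            elif trunk["allowed"] != "all" and vlan not in trunk["allowed"]:
                findings.append(f"{host}: port group '{name}' is on VLAN {vlan}, "
                                "which the trunk does not allow")

    # Cross-host checks: every port group name must exist everywhere with one VLAN ID,
    # otherwise VMotion between the hosts runs into problems.
    all_names = set().union(*(g.keys() for g in hosts.values()))
    for name in sorted(all_names):
        ids = {host: groups.get(name) for host, groups in hosts.items()}
        missing = sorted(h for h, v in ids.items() if v is None)
        present = {v for v in ids.values() if v is not None}
        if missing:
            findings.append(f"port group '{name}' is missing on {', '.join(missing)}")
        if len(present) > 1:
            findings.append(f"port group '{name}' has different VLAN IDs across hosts: {ids}")
    return findings


# Constructed sample trunk config (note the restricted allowed list).
SWITCH_CONFIG = """
interface GigabitEthernet0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 4094
 switchport trunk allowed vlan 10,20,100-200
"""

# Constructed sample port groups for three hosts, deliberately inconsistent.
HOSTS = {
    "esx01": {"VLAN10": 10, "VLAN20": 20, "VLAN150": 150},
    "esx02": {"VLAN10": 10, "VLAN20": 20, "VLAN150": 151},
    "esx03": {"VLAN10": 10, "VLAN300": 300, "Mgmt-Untagged": 4094},
}


def run_sample():
    """Audit the constructed sample and return the findings."""
    return audit(parse_trunk_config(SWITCH_CONFIG), HOSTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run with the sample data, the audit reports the port group sitting on the dummy native VLAN 4094, the port group on VLAN 300 that the trunk does not carry, and the name and VLAN ID mismatches between the three hosts; a farm whose trunks and port groups follow the guidance above produces no findings.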
More advanced VLAN configurations, such as passing the VLAN tags all the way up to the guest VM, are also supported within the ESX Server environment. We'll take a look at that kind of configuration in a future article.
For more information on VLAN configurations, check out my tip, VLAN configuration for VI3: VST, EST and VGT tagging tips.
About the author: Scott Lowe has had a lifelong love of computers, dating all the way back to his first computer, a Tandy TRS-80 Color Computer. He began working professionally in the technology field in 1994, and has since held the roles of an instructor, technical trainer, server/network administrator, systems engineer, IT manager, and CTO. For the last few years, Scott has worked as a senior systems engineer with a reseller, providing technology solutions to enterprise customers.