VMware vSphere and Private VLANs


  • Virtual LAN (VLAN) is a mechanism to divide a broadcast domain into several logical broadcast domains.
  • Private VLAN is an extension to the VLAN standard, already available in several (most recent) physical switches. It adds a further segmentation of the logical broadcast domain, to create “Private” groups.
  • Private means that hosts in the same PVLAN cannot be seen by the others, except by the selected ones in the promiscuous PVLAN.
  • Standard 802.1Q Tagging indicates there is no encapsulation of a PVLAN inside a VLAN; everything is done with one tag per packet.
  • No Double Encapsulation indicates that the packets are tagged according to the switch port configuration (EST mode), or they arrive already tagged if the port is a trunk (VST mode).
  • Switch software decides to which ports the frame is forwarded, based on the tag and the PVLAN tables.

Private VLAN definitions:

  • Promiscuous – A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  • Isolated – An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
  • Community – Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

Different Types of VLAN

Primary

Promiscuous Primary VLAN – Imagine this VLAN as a kind of router. All packets from the secondary VLANs go through this VLAN. Packets also go downstream, so this type of VLAN is used to forward packets downstream to all Secondary VLANs.


Isolated (Secondary) – VMs can communicate with other devices on the Promiscuous VLAN but not with other VMs on the Isolated VLAN.

Community (Secondary) – VMs can communicate with other VMs on Promiscuous and also with those on the same community VLAN.

Where do we configure PVLANs in vSphere?

Create a vDS if you don’t already have one in the environment by going to Home > Networking > click the icon to add new vDS.

The next step is to create some PVLANs. You’ll be doing it at the vDS level, so select and click the vDS > Manage > Private VLAN tab. Once there you can add some PVLANs. Notice the Secondary Promiscuous was created automatically when you created the Primary private VLAN.

So in my example above I created Primary Private VLAN 4000, which automatically created secondary PVLAN 4000. Then I could only create a Community Secondary VLAN 4001 and an Isolated VLAN 4002.
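
The forwarding rules described above, applied to the PVLAN IDs from this walkthrough, as an added example (a Python model written for this page, not VMware code). The second community 4003, the VM names and the function names are constructed for illustration.

```python
# Added example: models the PVLAN forwarding rules; not VMware or switch code.
from itertools import combinations

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

# PVLAN table for primary VLAN 4000, using the IDs from the walkthrough.
PVLAN_TABLE = {
    4000: PROMISCUOUS,
    4001: COMMUNITY,
    4002: ISOLATED,
    4003: COMMUNITY,  # constructed second community, not on the page
}

def may_forward(src_vlan, dst_vlan, table=PVLAN_TABLE):
    """True if a frame tagged src_vlan may be delivered to a port in dst_vlan."""
    src, dst = table[src_vlan], table[dst_vlan]
    if PROMISCUOUS in (src, dst):
        return True   # promiscuous ports talk to every port in the PVLAN
    if ISOLATED in (src, dst):
        return False  # isolated ports reach promiscuous ports only
    return src_vlan == dst_vlan  # community: same community only

def reachable_pairs(ports, table=PVLAN_TABLE):
    """ports maps a VM name to its PVLAN ID; returns pairs with Layer 2 reachability."""
    return [(a, b) for a, b in combinations(sorted(ports), 2)
            if may_forward(ports[a], ports[b], table)]

def violations(ports, must_not_talk, table=PVLAN_TABLE):
    """Pairs that policy says must be separated but the PVLAN layout lets through."""
    return [(a, b) for a, b in must_not_talk
            if may_forward(ports[a], ports[b], table)]

# Constructed port-group assignment (VM names are hypothetical).
PORTS = {"gateway": 4000, "web1": 4001, "web2": 4001,
         "db1": 4002, "db2": 4002, "app1": 4003}

if __name__ == "__main__":
    for a, b in reachable_pairs(PORTS):
        print(f"{a} <-> {b}")
    # A VM placed in the wrong port group shows up as a policy violation.
    misplaced = dict(PORTS, db2=4001)
    print(violations(misplaced, [("db1", "db2"), ("db2", "web1")]))
```

Running the same check against an exported VM-to-port-group mapping is a quick way to confirm that the intended isolation matches what the PVLAN assignment actually permits.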


Now that we have those PVLANs created, we can use them for new or existing port groups. In the example below I’m creating a new port group with some name, and after selecting the PVLAN, a new drop-down menu appears which gives the option to choose an entry between Isolated or Community.

Command Line Tools

There are commands which can be run via vMA, others via vCLI or directly over SSH to the ESXi host via PuTTY:

esxcli network vswitch standard list  – shows the standard vswitch settings

Etc… if you add -h for help, you get the options shown at different levels.

esxcli network -h  – shows options for fence, firewall, ip, vswitch, nic, etc.