Purpose
This article provides a sample network configuration for isolation and segmentation of virtual machine network traffic.
Resolution
To configure Virtual Switch (vSwitch) VLAN Tagging (VST) on ESX host:
1. Assign the VLAN on vSwitch and or portgroup. Supported VLAN range (1-4094) 2. Set the switch NIC teaming policy to Route based on originating virtual port ID, this is
set by default.
o VLAN ID 0 (Zero) Disables VLAN tagging on port group (EST Mode)
o VLAN ID 4095 enables trunking on port group ( VGT Mode)
Note: Incoming traffic NIC teaming is called Ether-channel / LACP. For more information, see Sample configuration using EthernetChannel, ESX 3.0 and a Cisco switch (1004048).
To configure the Physical Switch Settings (Cisco, HP, DELL, etc): 1. Define ESX VLANs on the physical Switch. 2. Allow proper range to ESX.
3. Set the physical port connection between ESX and physical switch to TRUNK mode.
ESX only supports IEEE 802.1Q (dot1q) trunking.
o Physical switch is set to TRUNK mode o dot1q encapsulation is enabled
o Spanning-tree is set to portfast trunk ( Port forwarding, skips other modes) o Define VLAN interface
o Assign IP Range to VLAN interface o VLAN Routing – and VLAN Isolation
Caution: Native VLAN ID on ESX VST Mode is not supported. Do not assign a VLAN to a port group that is same as the native VLAN ID of the physical switch.
Native VLAN packets are not tagged with VLAN ID on the out going traffic toward ESX host. Therefore, if ESX is set VST mode, it drops the packets that are lacking a VLAN tag.
This sample is a supported Cisco Trunk Port configuration: interface GigabitEthernet1/2
switchport (Set to layer 2 switching) switchport trunk encapsulation dot1q (ESX only supports dot1q, not ISL)
switchport trunk allowed vlan 10-100 (Allowed VLAN to ESX . Ensure ESX VLANs are allowed)
switchport mode trunk (Set to Trunk Mode) switchport nonegotiate (DTP is not supported) no ip address
no cdp enable (ESX 3.5 supports CDP)
spanning-tree portfast trunk (Enables portfast feature- port forwarding)
To assign a VLAN to a port group, there has to be a corresponding VLAN interface for each VLAN on a physical switch with a designated IP range. For example:
interface Vlan200
ip address 10.10.100.1 255.255.255.0 (This IP can be used as VLAN 200 Gateway IP)
Note: Once the VLAN ID is defined on Physical Switch, it can be configured for ESX.
If the IP range is assigned to a VLAN, decide if any routing may be required to reach other nodes on the network.
To configure VLAN on the portgroup within the Virtual Infrastructure Client:
1. Highlight the ESX host. 2. Click the Configuration tab. 3. Click the Networking link. 4. Click Properties.
5. Highlight the virtual switch in the Ports tab and click Edit. 6. Click the General tab.
7. Assign a VLAN number in VLAN ID (optional). 8. Click the NIC Teaming tab.
9. From the Load Balancing dropdown, choose Route based on originating virtual
port ID.
10. Verify that there is at least one network adapter listed underActive Adapters. 11. Verify VST configuration by utilizing the ping command to confirm connection between
ESX host and gateway interfaces and other host on the same VLAN.
Note: For additional information on VLAN configuration of a VirtualSwitch (vSwitch) port group, see Configuring a VLAN on a portgroup (1003825).
To configure via command line:
esxcfg-vswitch -p \name>\-v
show interfaces Gi2/0/23 capabilities
