
vSphere VLANs – 802.1Q VLAN Tagging

I came across a test prep question in the book ‘VCP VMware Certified Professional on vSphere 4 STUDY GUIDE’: ‘Which type of private VLAN (PVLAN) would allow a VM to communicate with any other PVLAN on the virtual switch as well as the physical switch connected via physical NIC uplinks?’
Now I took the VMware Fast Track with one of the co-authors, Jeantet Fields, and I’ve been studying for a while, so at first glance I’m thinking this is an easy one; it is Promiscuous mode, which happens to be the correct answer. I’m not really a guy that gets hung up on Q&As, as I like to understand the hows and whys. The other optional answers include Community and Isolated mode, and although I know these are valid VLAN modes, I thought I would take a moment to review the topic, as what I learned from my training has become foggy since it was a while ago. VMware has a nice diagram (shown below) provided in the ‘What’s New in VMware vSphere 4: Virtual Networking’ whitepaper that is helpful in understanding VLAN concepts.
The primary reason for implementing VLANs is to enable secure logical network groups by segregating and isolating network communication on a shared physical network. This is accomplished by dividing one physical broadcast domain into several logical broadcast domains, so that hosts in different VLANs cannot see each other’s Layer 2 traffic.
Private VLANs can be thought of in terms of two groups: a Primary VLAN and its Secondary VLANs.
The Primary VLAN is the network being divided into separate groups. It is the container of secondary VLANs and as such is able to communicate with any of the contained secondary VLANs. I think of the Primary VLAN as the physical network or the network switch, although in a virtual environment it doesn’t have to be a physical device.
Secondary VLANs are the divided groups within a Primary VLAN. Secondary VLANs are identified using 802.1Q VLAN tag IDs carried in each Ethernet frame. Frames are ‘tagged’ with the associated VLAN ID as they are transmitted, and communication between hosts is dependent on VLAN association and type. Secondary VLANs can be in the same IP subnet or not. The important thing to remember is that VLAN tags segment hosts at Layer 2, regardless of subnet or subnet mask.
There are three types of Secondary Private VLANs: Promiscuous, Isolated and Community.
Isolated VLANs – Hosts connected to ports within an isolated VLAN cannot communicate with each other, nor with any other Isolated or Community VLAN, at the Layer 2 network level; they can only reach promiscuous ports.
Community VLANs – Hosts connected to ports within a community VLAN can communicate with each other and with promiscuous ports, but cannot communicate with ports in other community VLANs or in the isolated VLAN.
Promiscuous – Promiscuous mode ports serve one Primary VLAN, one Isolated VLAN and multiple Community VLANs. The Layer 3 gateway (or the uplink port) is typically connected to the switch via a promiscuous mode port. Promiscuous mode ports may also be used for network traffic monitoring and/or logging. Hosts that need to communicate with Virtual Machines in various private VLANs, such as backup servers, are typically configured with promiscuous mode network ports.
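To make the three rules concrete, here is an added example (not from the original post or from VMware) that parses the 802.1Q VLAN ID out of a constructed Ethernet frame and models which PVLAN port types may exchange frames at Layer 2. The port names and VLAN IDs are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q tag


@dataclass(frozen=True)
class Port:
    name: str
    primary: int    # primary VLAN the port belongs to
    secondary: int  # secondary VLAN id (isolated or community)
    kind: str       # "promiscuous", "isolated" or "community"


def parse_8021q_vid(frame: bytes) -> Optional[int]:
    """Return the 12-bit VLAN id from a tagged frame, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])  # tag follows the two MACs
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF  # low 12 bits of the TCI are the VID


def tagged_frame(vid: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed 802.1Q frame (broadcast dst, PCP 0, DEI 0, IPv4 type)."""
    dst_mac = b"\xff" * 6
    src_mac = b"\x02\x00\x00\x00\x00\x01"
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return dst_mac + src_mac + tag + b"\x08\x00" + payload


def pvlan_can_forward(src: Port, dst: Port) -> bool:
    """Apply the PVLAN rules: promiscuous reaches every port in its primary VLAN,
    isolated reaches only promiscuous, community reaches promiscuous and its own
    community id."""
    if src.primary != dst.primary:
        return False  # different primary VLANs never mix at Layer 2
    if "promiscuous" in (src.kind, dst.kind):
        return True  # gateway / backup-server style port
    if "isolated" in (src.kind, dst.kind):
        return False  # isolated hosts see no other host, even other isolated ones
    return src.secondary == dst.secondary  # both community: same id only
```

Running `pvlan_can_forward` over a gateway port and a few isolated and community ports reproduces the answer to the study-guide question: only the promiscuous port can reach every other PVLAN.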
Many SMBs, limited by funding and physical resources, utilize VLANs to increase security and provide the logical network segmentation typically achieved using separate physical network devices.
VLAN Usage Diagram
There are many challenges resolved using VLANs but here is what I use them for:
Since iSCSI and NFS traffic is neither secured during transmission nor in storage, I ensure that network storage resides on a dedicated VLAN. Since domain admins or vCenter local administrators are able to install, connect to and administer vCenter with or without authorization, I lock down the vCenter/ESX/ESXi Management Network to a dedicated VLAN as well.
If you have a VLAN story or suggestion please share your experience.
  1. June 30, 2016 at 4:26 pm