Test your VMware networking skills

Two vSwitch portgroup-related questions:

  • Can you configure the same VLAN on two portgroups in the same vSwitch? How about vDS?
  • Can VMs attached to two different portgroups in the same ESX host talk to each other directly or do they have to go communicate through an external switch (or L3 device)?

Got your answers? Now click the Read more ... link.

Correct answers:

  • Yes & Yes.
  • The VMs can communicate directly, as long as the portgroups belong to the same VLAN (or have no VLAN information).
Actually this was one of the more unexpected discoveries I made while preparing for the VMware Networking Deep Dive webinar.

Somehow I always assumed portgroups were security-related objects (because you can configure VLANs on them), whereas in fact they’re just configuration templates. Configuring a VLAN on a portgroup has exactly the same consequences as configuring switchport mode access and switchport access vlan X on a Catalyst switch.

Looking at the questions from the “portgroups are configuration templates” perspective, the vSwitch/vDS behavior makes perfect sense – there is no reason the same VLAN could not be configured in two templates, and the VMs attached to the same VLAN (although using different configuration templates) can communicate directly.

6 comments:

  1. http://it20.info/2011/03/the-93-000-firewall-rules-problem-and-why-cloud-is-not-just-orchestration/

    "...The first one is called vCloud Director Network Isolation (vCDNI) in vCloud parlance or vShield PortGroup Isolation (PGI) in vShield parlance. It’s, basically, a technology that allows you to virtualize a VLAN. This allows different customers to be assigned dedicated vDS PortGroups that represent separate layer 2 domains… yet sharing the same VLAN ID. We use a technique called MAC-in-MAC to implement this. Kamau just posted a very interesting blog on how this works. You can read more here if you are interested. This technology is already available and fully integrated in vCloud Director so you can use it today if you want to."
  2. ... and this is how well it's actually designed 8-)

    http://blog.ioshints.info/2011/04/vcloud-director-networking.html
  3. Yes, seen that. Did you get anybody from VMware comment offline?
  4. Why would one have 2 portgroups with the same VLAN ID?
    care to provide a scenario? :)
    Replies
    1. Fat finger (= operator error). Many people think two port groups cannot have the same VLAN ID and thus believe VMs connected to different port groups can never communicate directly.
    2. We use it to provide load balancing across multiple physical adapters. You can override the NIC priority at the port group level. Within our Linux systems we create a bonded pair of NICs and it works well.
Add comment
Sidebar