Test your VMware networking skills

Two vSwitch portgroup-related questions:

  • Can you configure the same VLAN on two portgroups in the same vSwitch? How about vDS?
  • Can VMs attached to two different portgroups on the same ESX host talk to each other directly, or do they have to communicate through an external switch (or L3 device)?


Correct answers:

  • Yes & Yes.
  • The VMs can communicate directly, as long as the portgroups are on the same vSwitch and belong to the same VLAN (or have no VLAN configured). Frames never cross from one vSwitch to another inside the host.

Actually this was one of the more unexpected discoveries I made while preparing for the VMware Networking Deep Dive webinar.

Somehow I always assumed portgroups were security-related objects (because you can configure VLANs on them), whereas in fact they are just configuration templates applied to the virtual ports of VMs connected to them. Configuring a VLAN on a portgroup has the same effect as configuring switchport mode access and switchport access vlan X on a Catalyst switch port: it places the port in a VLAN, and nothing more. Two portgroups with the same VLAN ID are therefore one broadcast domain, and a portgroup boundary on its own isolates nothing.

Looking at the questions from the “portgroups are configuration templates” perspective, the vSwitch/vDS behavior makes perfect sense – there is no reason the same VLAN could not be configured in two templates, and the VMs attached to the same VLAN (although using different configuration templates) can communicate directly.
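The practical consequence of the "portgroups are templates" view is that a security audit has to group portgroups by (vSwitch, VLAN ID), not by portgroup name. The following script is an added example (not code from the original post or from VMware) that parses the table printed by esxcli network vswitch standard portgroup list, rebuilds the real layer-2 domains, reports (vSwitch, VLAN) pairs backed by more than one portgroup, and answers the "can these two VMs talk directly" question. The sample table is constructed, and the portgroup and vSwitch names in it are assumptions; the treatment of VLAN ID 4095 (Virtual Guest Tagging, where the VM receives tagged frames for every VLAN on that vSwitch) as reachable from any VLAN on the same vSwitch is the conservative assumption an audit should make.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `esxcli network vswitch standard portgroup list`
# (not captured from a real host; names are assumptions).
SAMPLE_ESXCLI_OUTPUT = """\
Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1        0
VM Network          vSwitch0                     3        0
Prod-Web            vSwitch1                     4      100
Prod-DB             vSwitch1                     2      100
DMZ                 vSwitch1                     2      200
Trunk-VGT           vSwitch1                     1     4095
Lab                 vSwitch2                     1      100
"""

# VLAN ID 4095 on a standard vSwitch portgroup means Virtual Guest Tagging:
# the VM sees tagged frames of every VLAN on that vSwitch, so an audit should
# treat it as able to reach any VLAN there (conservative assumption).
VGT_VLAN = 4095


def parse_portgroups(text):
    """Return {portgroup name: (vswitch, vlan_id)} from the esxcli table."""
    portgroups = {}
    lines = text.strip().splitlines()
    for line in lines[2:]:  # skip the header row and the dashed separator
        if not line.strip():
            continue
        # esxcli aligns columns with runs of two or more spaces; names may contain one space
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 4:
            raise ValueError(f"unexpected esxcli row: {line!r}")
        name, vswitch, _active_clients, vlan = fields
        portgroups[name] = (vswitch, int(vlan))
    return portgroups


def l2_domains(portgroups):
    """Group portgroups by the (vSwitch, VLAN) pair that defines the broadcast domain.

    Two portgroups that land in the same bucket are one layer-2 domain, whatever
    their names suggest.
    """
    domains = defaultdict(list)
    for name, (vswitch, vlan) in portgroups.items():
        domains[(vswitch, vlan)].append(name)
    return {key: sorted(names) for key, names in domains.items()}


def duplicate_vlan_portgroups(portgroups):
    """Audit helper: (vSwitch, VLAN) pairs that are backed by more than one portgroup."""
    return {key: names for key, names in l2_domains(portgroups).items() if len(names) > 1}


def can_talk_directly(portgroups, pg_a, pg_b):
    """True if VMs on the two portgroups of one host exchange frames inside the vSwitch.

    Rules: different vSwitches never forward to each other inside the host;
    on the same vSwitch the VLAN must match, or one side must be a VGT (4095) portgroup.
    """
    vswitch_a, vlan_a = portgroups[pg_a]
    vswitch_b, vlan_b = portgroups[pg_b]
    if vswitch_a != vswitch_b:
        return False
    if VGT_VLAN in (vlan_a, vlan_b):
        return True
    return vlan_a == vlan_b


if __name__ == "__main__":
    pgs = parse_portgroups(SAMPLE_ESXCLI_OUTPUT)
    for (vswitch, vlan), names in sorted(duplicate_vlan_portgroups(pgs).items()):
        print(f"{vswitch} VLAN {vlan}: one L2 domain shared by {', '.join(names)}")
    for a, b in [("Prod-Web", "Prod-DB"), ("Prod-Web", "DMZ"), ("Prod-Web", "Lab"), ("Trunk-VGT", "DMZ")]:
        print(f"{a} <-> {b}: {'direct' if can_talk_directly(pgs, a, b) else 'not inside the host'}")
```

Run it on the real output of the esxcli command (or, for a vDS, on an equivalent export of portgroup VLAN settings) and treat every bucket with more than one portgroup as a single trust zone when you review firewall rules or tenant separation.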

6 comments:

  1. Dmitri Kalintsev, 17 June 2011 07:50

    http://it20.info/2011/03/the-93-000-firewall-rules-problem-and-why-cloud-is-not-just-orchestration/

    "...The first one is called vCloud Director Network Isolation (vCDNI) in vCloud parlance or vShield PortGroup Isolation (PGI) in vShield parlance. It’s, basically, a technology that allows you to virtualize a VLAN. This allows different customers to be assigned dedicated vDS PortGroups that represent separate layer 2 domains… yet sharing the same VLAN ID. We use a technique called MAC-in-MAC to implement this. Kamau just posted a very interesting blog on how this works. You can read more here if you are interested. This technology is already available and fully integrated in vCloud Director so you can use it today if you want to."

  2. Ivan Pepelnjak, 17 June 2011 08:12

    ... and this is how well it's actually designed 8-)

    http://blog.ioshints.info/2011/04/vcloud-director-networking.html

  3. Dmitri Kalintsev, 17 June 2011 10:26

    Yes, seen that. Did you get anybody from VMware comment offline?

  4. Why would one have two portgroups with the same VLAN ID?
    Care to provide a scenario? :)

    1. Fat finger (= operator error). Many people think two port groups cannot have the same VLAN ID and thus believe VMs connected to different port groups can never communicate directly.

    2. We use it to provide load balancing across multiple physical adapters. You can override the NIC priority at the port group level. Within our Linux systems we create a bonded pair of NICs and it works well.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.