Configuring vSphere VLANs can be more complicated than establishing VLANs in a typical physical network and therefore...
requires a different approach – 802.1Q VLAN tagging.
In a physical network, servers all have their own physical Network Interface Cards (NICs) that are connected to a physical switch port. As a result, VLANs are usually controlled by setting the VLAN ID on the physical switch port and then setting the server's IP address to correspond to that NIC's VLAN. But in a virtual environment, dedicating a physical NIC (pNIC) to each VM that resides on the host doesn't work. In fact, a host physical NIC may service many VMs, which may all need to be connected to different VLANs. Consequently, the old method of setting a VLAN ID on the physical switch port doesn't work. That's where 802.1Q VLAN tagging comes in.
Networking for virtualization: The basics
Before we explain what 802.1Q VLAN tagging is, let's discuss the basics of how networking works in virtual environments. An ESX/ESXi host typically has multiple physical network adapters for redundancy, load balancing and segregation. The physical NICs (pNICs) are connected to physical switches and are assigned to virtual switches (vSwitches) that are created on each host. Connecting pNICs to vSwitches is referred to as uplink connection. Port groups are then created on vSwitches that can be connected to the virtual NICs (vNICs) that are assigned to each VM on the host. Virtual machines can use any pNIC connected to a vSwitch. The vSwitch load balancing policies define how pNICs are selected when routing traffic to and from a VM.
Because of this architecture, using the traditional VLAN methodology of assigning a single VLAN ID to a physical port switch does not work very well in virtual environments. With this method, all the VMs on a vSwitch would have to use the same VLAN ID, which in most cases is not desirable. You could create multiple vSwitches for each VLAN, but if you had many VLANs, you would need a great number of pNICs. This is why 802.1Q VLAN tagging is important.
How 802.1Q VLAN tagging for vSphere VLANs works
802.1Q VLAN tagging allows for multiple VLANs to be used on a single physical switch port. This capability can greatly reduce the number of pNICs needed in the host. Instead of needing a separate pNIC for each VLAN that you need to connect to on a host, you can use a single NIC to connect to multiple VLANs. Tagging works by applying tags to all network frames to identify them as belonging to a particular VLAN. Tags are removed at some point, depending on the type of tagging method utilized.
Types of 802.1Q VLAN tagging
There are several methods for tagging vSphere VLANs, but they are differentiated by where the tags are applied. Virtual Machine Guest Tagging (VGT) mode does this at the guest operating system layer, External Switch Tagging (EST) mode does it on the external physical switch, and Virtual Switch Tagging (VST) mode does it inside the VMkernel. The differences among the VLAN tagging modes are outlined below:
- Virtual Machine Guest Tagging (VGT mode) – With this mode, the 802.1Q VLAN trunking driver is installed inside the virtual machine. Tags are preserved between the virtual machine networking stack and external switch when frames are passed to and from virtual switches.
- External Switch Tagging (EST mode) – With this mode, you use external switches for VLAN tagging. This is similar to a physical network, and VLAN configuration is normally transparent to each individual physical server. The tag is appended when a packet arrives at a switch port and stripped away when a packet leaves a switch port toward the server.
- Virtual Switch Tagging (VST mode) – With this mode, you configure port groups on a virtual switch for each VLAN and connect the vNIC of the virtual machine to the appropriate port group. The virtual switch port group tags all outbound frames and removes tags for all inbound frames. It also ensures that frames on one VLAN do not leak into a different VLAN.
The VST mode is the one that is most commonly used with VLANs in vSphere because it's easier to configure and manage. It also eliminates the need to install a specific VLAN driver inside a virtual machine, and there is almost no performance impact from doing the tagging inside the virtual switches.
In part 2 of this series, learn how to configure your switch for Virtual Switch Tagging.
About the author: Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forum and maintains VMware-land.com, a VI3 information site.
- Building Scalable Data Center Networks –Cumulus
- 2018 Networking and Security Trends Report: From Data Centers to Centers of Data –VMware and Intel
- Network Virtualization: The Next Step in Data Center Transformation –AdvizeX Technologies
- SDN Across the Data Center and the Network: Expert Insight –SearchSecurity.com