Solved

ESX: setup a vLAN

Posted on 2013-06-06
Last Modified: 2013-06-06
Hi All,

I've been asked to set up a vLAN for one of our Virtual Servers.  I followed this guide:

To configure a VLAN on the portgroup using the VMware Infrastructure/vSphere Client:
1.  Click the ESXi/ESX host.
2.  Click the Configuration tab.
3.  Click the Networking link.
4.  Click Properties.
5.  Click the virtual switch / portgroups in the Ports tab and click Edit.
6.  Click the General tab.
7.  Assign a VLAN number in VLAN ID (optional).
8.  Click the NIC Teaming tab.
9.  From the Load Balancing dropdown, choose Route based on originating virtual port ID.
10. Verify that there is at least one network adapter listed under Active Adapters.
11. Verify the VST configuration using the ping command to confirm the connection between the ESXi/ESX host and the gateway interfaces and another host on the same VLAN.

I've done steps 1-10 (don't know how to do 11), but I'm unable to ping the server on my new vLAN.

Here are the settings and it does say it's seen vLAN 2, but it's not working.

vSwitch0 Settings
Any ideas on what I can check or should change?


many thanks
Question by:detox1978
 
LVL 117
ID: 39226104
Have you configured the physical switch for VLAN, trunk?

The physical switch which is connected to this physical network uplink ports?

e.g. vmnic 1, 0, 4 and 6 will need to be in a trunk configuration, with a VLAN tag of 2 configured; otherwise, packets tagged by ESXi will not know where to go when they hit the physical switch.

I can see you have 1 virtual server on VLAN 2, but where are you trying to ping it from, another device on VLAN 2?

You will only be able to ping from another VLAN if you have Inter-VLAN routing configured on the physical switch.

And what VLAN are the other 22+ servers in?
0
 
LVL 2

Author Comment

by:detox1978
ID: 39226189
Yes, I've configured the switch (a 3com 4500g) port as hybrid, so everything untagged is in vLAN1 and added vLAN2 (for voice).
0
 
LVL 117
ID: 39226452
Use tags on the trunk, e.g. VLAN Tag 2, and VLAN Tag 3 for normal traffic etc.

VLAN1 is a special VLAN, and should not be used.

How are you pinging the device on VLAN 2, and from where?
0
 
LVL 2

Author Comment

by:detox1978
ID: 39226493
We have to use VLAN1 as it's used by our main network (which I inherited).  I've checked everything from the switch side, and it works perfectly.  So there must be something I've forgotten to do on the ESX side.

If I set a dedicated physical port (untagged) and use the switch to tag it, everything works.  But I don't really want to tie up a NIC to a single vLAN (effectively making it a LAN rather than vLAN).
0
 
LVL 117
ID: 39226776
ESXi does very little in the way of VLANs, other than set the correct VLAN Tag Number, which corresponds to the VLAN you want to use. Traffic through that virtual port group will then be tagged by the Host; when it enters the physical switch, if the tag matches the physical switch config, it will be sent on its way on that VLAN 2.

Have you checked which NIC port the VM is associated with, and checked that the trunk is configured correctly, with all four NICs, for VLAN 2?
0
 
LVL 2

Author Comment

by:detox1978
ID: 39226888
Is there any segregation between vLANs that are on the same host?

Is there a way to check the packets are being tagged correctly?  If I plug my laptop into a switch port the ESX was using and put it on vLAN 2's IP address I can resolve everything on vLAN 2.
0
 
LVL 117

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE) earned 500 total points
ID: 39227047
But is your laptop actually using VLAN 2, or just an IP address on VLAN 2?

e.g. have you actually used an 802.1Q Tag on your Laptop NIC?

Yes, there is complete isolation between VLANs on an ESXi host.

Unless you use the special VLAN tag of ALL (4095), connecting this portgroup to a NIC, with Wireshark, you should be able to monitor traffic.
0
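One way to answer "are the packets being tagged correctly?" from a capture, for example one taken on a portgroup set to VLAN 4095 as the answer above suggests. This is an added example, not code from the thread; the frames are constructed samples and the function names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier

def vlan_of(frame: bytes):
    """Return (vlan_id, priority, inner_ethertype); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)  # after dst+src MAC
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID; then the real EtherType
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner

def classify(frame: bytes, expected_vid: int) -> str:
    """Say whether a frame carries the VLAN ID the portgroup should be setting."""
    vid, _, _ = vlan_of(frame)
    if vid is None:
        return "untagged"          # switch will place it in the port's untagged VLAN
    if vid == 0:
        return "priority-tagged"   # tag present but no VLAN membership
    return "tagged-ok" if vid == expected_vid else f"tagged-wrong({vid})"

def _frame(vid=None, pcp=0) -> bytes:
    """Build a constructed sample frame (broadcast dst, made-up src MAC)."""
    macs = bytes.fromhex("ffffffffffff" "005056000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

# Constructed samples: a laptop with only a VLAN 2 IP address sends UNTAGGED
# frames; a portgroup with VLAN ID 2 should produce frames like TAGGED_2.
UNTAGGED = _frame()
TAGGED_2 = _frame(vid=2)
TAGGED_3 = _frame(vid=3, pcp=5)

if __name__ == "__main__":
    for name, f in [("laptop", UNTAGGED), ("vm-vlan2", TAGGED_2), ("other", TAGGED_3)]:
        print(f"{name:9s} {classify(f, expected_vid=2)}")
```
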
 
LVL 2

Author Comment

by:detox1978
ID: 39227400
I think this has many follow-up questions that I don't have time to fit in at the moment, so I'll close the question and reopen when I have time to do full diagnosing.  For now I've just put it on its own NIC.

Many thanks for your time.
0
