VM access on vSwitch attached to physical Cisco switch via trunk

I’ve run out of NICs on my Hosts, so I’ve added another port group to vSwitch3 port group and configured VLAN 9 off it, for 10.33.9.0/24. This is for a server to sit behind with public access and only certain internal PCs can reach. Basically DMZ. My problem is when I configure VLAN 9 in our Cisco 4507, I have no ports to add to the VLAN 9 to bring it up, because vSwitch3 is configured to go across the trunk, which is passing all VLANs.  

What’s wrong with my theory/design?
Asked by: Harold, Network Engineer

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Okay, this trunk which you currently have presented to the vSwitch3, does it have tagged VLANs, and then do the virtual machine portgroups have tagged numbers for each VLAN?

A screenshot of the vSwitch would be better.
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Once you have created a VLAN on the 4507 switch, this VLAN will pass through the trunk (if allowed vlan all is configured on the Cisco switch).

You can confirm with this command:

#sh vlan id 9

On the vSwitch side, is the vSwitch port connected to the switch tagging all VLANs? As another Expert said, a screenshot of the vSwitch will help to identify the issue.

Thanks
Harold, Network Engineer (Author), commented:
@Andrew: attached

@NetExpert
DUR-4507#sh vlan id 9
VLAN id 9 not found in current VLAN database
DUR-4507#sh int trun

Port        Mode             Encapsulation  Status        Native vlan
Te1/1       on               802.1q         trunking      1
Gi3/41      on               802.1q         trunking      1
Gi5/4       on               802.1q         trunking      1
Gi5/6       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Te1/1       1-4094       (trunk vSwitch is on)
Gi3/41      1-4094
Gi5/4       1,8
Gi5/6       1,6,8

Port        Vlans allowed and active in management domain
Te1/1       1,6,8,15,50
Gi3/41      1,6,8,15,50
Gi5/4       1,8
Gi5/6       1,6,8

Port        Vlans in spanning tree forwarding state and not pruned
Te1/1       1,6,8,15,50
Gi3/41      1,6,8,15,50
Gi5/4       1,8
Gi5/6       1,6,8
vSwithc3.png
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Based on your command output, there is no VLAN 9 created on the switch.

You have to create VLAN 9 on the 4507 switch to reach the new VM network.

conf t
vlan 9
end

After this config, run the same command #sh vlan id 9 and try to reach the VM.

Thanks
Harold, Network Engineer (Author), commented:
Sorry, I had configured the interface.....

interface Vlan9
 ip address 10.33.9.254 255.255.255.0
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Hi,

You have created the L3 VLAN, but not the L2 VLAN. Without the L2 VLAN, the VLAN will not be up. So you need to configure the L2 VLAN too.

If you run #sh int vlan 9, it will show that the VLAN is in a down state.

Once you have created the L2 VLAN, run #sh int vlan 9 and you can see the difference.

conf t
vlan 9
end

Thanks
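
An added example (not from the thread or from Cisco): a small Python check that reads `show interfaces trunk` output like that posted above and reports, per trunk port, whether a VLAN is allowed and whether it is active. The function names and the trimmed sample input are constructed for illustration.

```python
import re
# Constructed sample: trimmed "show interfaces trunk" output from the thread.
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Te1/1       on               802.1q         trunking      1
Gi5/4       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Te1/1       1-4094
Gi5/4       1,8

Port        Vlans allowed and active in management domain
Te1/1       1,6,8,15,50
Gi5/4       1,8
"""

SECTIONS = {"Vlans allowed on trunk": "allowed",
            "Vlans allowed and active in management domain": "active"}

def expand(vlan_list):
    """Turn '1,6,8-9' into {1, 6, 8, 9}."""
    vlans = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(text):
    """Return {port: {'allowed': set, 'active': set}} from the CLI output."""
    trunks, key = {}, None
    for line in text.splitlines():
        header = re.match(r"Port\s+(.*\S)", line)
        if header:                      # section header; unknown ones are skipped
            key = SECTIONS.get(header.group(1))
            continue
        fields = line.split()
        if key and len(fields) >= 2 and re.fullmatch(r"[\d,-]+", fields[1]):
            port = trunks.setdefault(fields[0], {"allowed": set(), "active": set()})
            port[key] = expand(fields[1])
    return trunks

def vlan_status(text, vlan):
    """Classify every trunk port for one VLAN ID."""
    status = {}
    for port, sets in parse_trunks(text).items():
        if vlan in sets["active"]:
            status[port] = "active"
        elif vlan in sets["allowed"]:
            status[port] = "allowed, not active (VLAN missing or suspended)"
        else:
            status[port] = "not allowed on trunk"
    return status

print(vlan_status(SAMPLE, 9))
```

Once `vlan 9` exists in the VLAN database, any trunk that allows 1-4094 reports it as active, so a DMZ VLAN is carried on every such trunk unless the allowed list is narrowed.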

Harold, Network Engineer (Author), commented:
DUR-4507#sh int vlan 9
Vlan9 is up, line protocol is up
  Hardware is Ethernet SVI, address is 001c.5830.e77f (bia 001c.5830.e77f)
  Internet address is 10.33.9.254/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output
Harold, Network Engineer (Author), commented:
sh vlan id 9

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
9    ELS-SaaS                         active    Te1/1, Gi3/41

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
9    enet  100009     1500  -      -      -        -    -        0      0  

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
That's great.

Now your VM issue should be resolved. Have you tried that?

Thanks
Harold, Network Engineer (Author), commented:
Sorry, I goofed earlier, but I'm still not sure what to do about adding an interface to this VLAN.
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Based on your query, I understood your setup looks like below:

4507 Switch --Trunk(passing all vlan) --- vSphere vSwitch trunk interface ---> your new VM on vlan 9 network.

Based on your command output, the vSwitch is physically connected to the 4507 Te1/1 interface.

If that's the correct one, then you no need to assign any other interface for VLAN 9.

Thanks
Harold, Network Engineer (Author), commented:
Yes, correct in my design, but "then you no need to assign any other interface for VLAN 9." this is what I'm confused on. It needs to be physically plugged into the 4507 to us and it is not it's virtual going across the trunk.
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
I got your query now.

Can you run this command on your switch, #sh ip int br | i down, and display the command output here?

Thanks
Harold, Network Engineer (Author), commented:
sh ip int br | i down
FastEthernet1          unassigned      YES NVRAM  down                  down    
TenGigabitEthernet1/2  unassigned      YES unset  down                  down    
GigabitEthernet1/3     unassigned      YES unset  down                  down    
GigabitEthernet1/4     unassigned      YES unset  down                  down    
GigabitEthernet1/5     unassigned      YES unset  down                  down    
GigabitEthernet1/6     unassigned      YES unset  down                  down    
GigabitEthernet3/4     unassigned      YES unset  down                  down    
GigabitEthernet3/6     unassigned      YES unset  down                  down    
GigabitEthernet3/8     unassigned      YES unset  down                  down    
GigabitEthernet3/11    unassigned      YES unset  down                  down    
GigabitEthernet3/18    unassigned      YES unset  down                  down    
GigabitEthernet3/21    unassigned      YES unset  down                  down    
GigabitEthernet3/23    unassigned      YES unset  down                  down    
GigabitEthernet3/29    unassigned      YES unset  down                  down    
GigabitEthernet3/31    unassigned      YES unset  down                  down    
GigabitEthernet3/33    unassigned      YES unset  down                  down    
GigabitEthernet3/42    unassigned      YES unset  down                  down    
GigabitEthernet3/43    unassigned      YES unset  down                  down    
GigabitEthernet3/47    unassigned      YES unset  down                  down    
GigabitEthernet4/1     unassigned      YES unset  down                  down    
GigabitEthernet4/5     unassigned      YES unset  down                  down    
GigabitEthernet4/8     unassigned      YES unset  down                  down    
GigabitEthernet4/10    unassigned      YES unset  down                  down    
GigabitEthernet4/12    unassigned      YES unset  down                  down    
GigabitEthernet4/13    unassigned      YES unset  down                  down    
GigabitEthernet4/17    unassigned      YES unset  down                  down    
GigabitEthernet4/19    unassigned      YES unset  down                  down    
GigabitEthernet4/32    unassigned      YES unset  down                  down    
GigabitEthernet4/38    unassigned      YES unset  down                  down    
GigabitEthernet4/40    unassigned      YES unset  down                  down    
GigabitEthernet4/42    unassigned      YES unset  down                  down    
GigabitEthernet5/7     unassigned      YES unset  down                  down    
GigabitEthernet5/8     unassigned      YES unset  down                  down    
GigabitEthernet5/12    unassigned      YES unset  down                  down    
GigabitEthernet5/13    unassigned      YES unset  down                  down    
GigabitEthernet5/14    unassigned      YES unset  down                  down    
GigabitEthernet5/15    unassigned      YES unset  down                  down    
GigabitEthernet5/16    unassigned      YES unset  down                  down    
GigabitEthernet5/17    unassigned      YES unset  down                  down    
GigabitEthernet5/18    unassigned      YES unset  down                  down    
GigabitEthernet5/19    unassigned      YES unset  down                  down    
GigabitEthernet5/20    unassigned      YES unset  down                  down    
GigabitEthernet5/21    unassigned      YES unset  down                  down    
GigabitEthernet5/22    unassigned      YES unset  down                  down    
GigabitEthernet5/23    unassigned      YES unset  down                  down    
GigabitEthernet5/25    unassigned      YES unset  down                  down    
GigabitEthernet5/26    unassigned      YES unset  down                  down    
GigabitEthernet5/27    unassigned      YES unset  down                  down    
GigabitEthernet5/29    unassigned      YES unset  down                  down    
GigabitEthernet5/30    unassigned      YES unset  down                  down    
GigabitEthernet5/31    unassigned      YES unset  down                  down    
GigabitEthernet5/32    unassigned      YES unset  down                  down    
GigabitEthernet5/33    unassigned      YES unset  down                  down    
GigabitEthernet5/34    unassigned      YES unset  down                  down    
GigabitEthernet5/35    unassigned      YES unset  down                  down    
GigabitEthernet5/36    unassigned      YES unset  down                  down    
GigabitEthernet5/37    unassigned      YES unset  down                  down    
GigabitEthernet5/38    unassigned      YES unset  down                  down    
GigabitEthernet5/39    unassigned      YES unset  down                  down    
GigabitEthernet5/40    unassigned      YES unset  down                  down    
GigabitEthernet5/41    unassigned      YES unset  down                  down    
GigabitEthernet5/42    unassigned      YES unset  down                  down    
GigabitEthernet5/43    unassigned      YES unset  down                  down    
GigabitEthernet5/44    unassigned      YES unset  down                  down    
GigabitEthernet5/45    unassigned      YES unset  down                  down    
GigabitEthernet5/46    unassigned      YES unset  down                  down    
GigabitEthernet5/48    unassigned      YES unset  down                  down
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
@hdoolittle,

Once you have found a free (not connected) interface, apply the below commands on that specific interface:

conf t
int <interface name>
switchport mode access
switchport access vlan 9
desc connect to vSwitch

Thanks.
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Please capture the below command output:

#sh run int te1/2
#default interface Te1/2

Apply the below commands:

conf t
int te1/2
switchport mode access
switchport access vlan 9
end

Connect your vSwitch to this switch interface (first module, second port, next to Te1/1 connected to another vSwitch).

Once you have connected the vSwitch, run this command: #sh int te1/2

Let me know the status.

Thanks
Harold, Network Engineer (Author), commented:
te1/2 is actually an empty FC module slot, with no module. Plus I have nowhere on my Host to plug into either.
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
@hdoolittle,

What's your host-side NIC card / interface type? Is it a TenGig or Gig interface?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Where is the screenshot of your VMware Networking?

With the config I've seen above, it's an access port in VLAN 9, so just cable a NIC from your host to it, and you're done.

But you will need to use a new vSwitch and physical NIC.
Harold, Network Engineer (Author), commented:
To both... I have 2 hosts and I had my mind stuck on Host2, on which ALL NICs are used, therefore I had nowhere to plug into. Then I sat back and looked at my VM network and saw NIC 1, 2 and 4 were used. Voila, NIC 3 available. Just got a cable run there and moving the server now.

Get back soon.
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Great.

Eagerly waiting for the updates -:)
Harold, Network Engineer (Author), commented:
Got it moved and on its own NIC. Still can't get to the server behind the GW(10.33.9.1) though. Was my initial problem.
do sh int trun                    

Port        Mode             Encapsulation  Status        Native vlan
Te1/1       on               802.1q         trunking      1
Gi3/41      on               802.1q         trunking      1
Gi5/4       on               802.1q         trunking      1
Gi5/6       on               802.1q         trunking      1
Gi5/48      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Te1/1       1-4094
Gi3/41      1-4094
Gi5/4       1,8
Gi5/6       1,6,8
Gi5/48      1,6,9

Port        Vlans allowed and active in management domain
Te1/1       1,6,8-9,15,50
Gi3/41      1,6,8-9,15,50
Gi5/4       1,8
Gi5/6       1,6,8
Gi5/48      1,6,9
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Host 2 NIC3 is connected to which port on the Cisco switch?

Thanks
Harold, Network Engineer (Author), commented:
5/48, passing VLANs 1,6,9. Currently all my machines are still on 1. I still need to add a port to the VLAN even if it is trunking?
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
No need, as the port is already in trunk mode. You may need to check the VM virtual NIC port config and vSwitch port config.

All set on the Cisco switch side.

Thanks
Harold, Network Engineer (Author), commented:
ok thanks
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Just connect that spare NIC to that Cisco physical port.

Label the virtual machine portgroup VLAN9; no need to add any numbers, so leave as none.

Leave config as is, Access VLAN.

Give your VM a DMZ IP address, and you are done.
Harold, Network Engineer (Author), commented:
all that's done
ELS-network.png
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Is that resolved??

Thanks
Harold, Network Engineer (Author), commented:
"Is that resolved??"  which part? my initial problem, just carried over to this port and NIC.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
No need for a VLAN ID or 9, because ESX will tag it as 9; you are not tagging on that port, its default VLAN is already 9.

We only use the VLAN number on a trunk, which is carrying many VLAN tags.
Harold, Network Engineer (Author), commented:
@Andrew with or without VLAN 9 defined in VM port group, I can still only reach GW. I've gone over firewall settings with tech as well. They said I had all this correct. Guess I should call them back.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
The number is not required, because this is an access port.

If you can reach the gateway, networking is working.
Harold, Network Engineer (Author), commented:
How can an access port trunk?

So problem is most likely in my Firewall?
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
@hdoolittle

Currently, traffic from your VM to the switch is going through a trunk port.

Again, since you are able to ping the gateway, the networking between the VM and the physical switch is perfectly fine.

Thanks
Harold, Network Engineer (Author), commented:
thank you