jskfan asked:
How Vmware Untagged Traffic is handled by Cisco switch
Sometimes in VMware, VM port groups are not assigned to any VLAN, or they have VLAN 0. When the VM traffic gets to the Cisco switch, how does the switch know where to send it?
Assume VM1 is trying to communicate with VM2 and both are in the default VLAN 0.

Thank you
ASKER CERTIFIED SOLUTION
skullnobrains
jskfan (ASKER)

1 - I see. Since they are in the same VLAN, it should not be a problem.

2 - If one VM is not assigned to any VLAN and the other VM is in VLAN 100, then they can still talk to each other as long as there is an L3 switch or a router. Correct?

3 - If bullet 2 is correct, then why bother assigning VMs to specific VLANs?
skullnobrains

1/ Yes.

2/ Correct.
It will also work if VLAN 100 is the native VLAN of the port facing the VMware host which hosts the guest in VLAN 0, and the guest on VLAN 100 is hosted on a different VMware host.
If both machines are hosted on the same VMware host, I'm unsure, but probably not.

3/ Because you're expected to use firewalls between VLANs, not routers. Likewise, assigning an IP to the switches in each VLAN makes them behave like routers and defeats the purpose of using VLANs in the first place.

Note that there are other working topologies, such as having no router/firewall at all in some VLANs and plugging "back" interfaces of some VMs directly into said VLANs. This is unsafe, though. Doing the same using intermediate load balancers with an interface in each of the needed VLANs is acceptable. In that case the "back" VMs usually do not have a gateway at all.
jskfan (ASKER)

Sorry, I was quite busy to comment.

I believe that if, on the VMware side, all VMs are not assigned to any VLAN, and on the physical switches there are VLANs set up, then the traffic will still flow between VMs that are on the same ESX host with normal performance.

Probably the traffic can also flow between VMs that are on different ESX hosts.
However, it can be a big broadcast domain, which might impact the performance.
skullnobrains

If all VMs are not assigned to any VLAN, and on the physical switches there are VLANs set up, then the traffic will still flow between VMs that are on the same ESX host with normal performance.

Yes, even if the switch is not plugged in at all. The same would happen if their interfaces are in the same VLAN/port group.

Probably the traffic can also flow between VMs that are on different ESX hosts.

That would depend on the config of both the physical switch and the VMware hosts. If no VLANs are declared anywhere, obviously yes.

However, it can be a big broadcast domain, which might impact the performance.

You seldom use VLANs for that reason. It is usually a matter of network isolation rather than performance, at least not with a bunch of VMware hosts on a couple of switches in the same room.

But obviously that would matter when linking remote locations together, or when your network covers a huge building with many switches and hundreds of machines, which is why we use L3 routing.
jskfan (ASKER)

Probably the traffic can also flow between VMs that are on different ESX hosts.

That would depend on the config of both the physical switch and the VMware hosts. If no VLANs are declared anywhere, obviously yes.

Example:
ESX1 has 60 VMs, no VLANs.
ESX2 has 80 VMs, no VLANs.

ESX1 and ESX2 are trunked to two separate Cisco physical switches that use VLANs.
Now VM1 (10.10.10.11) wants to talk to VM2 (20.20.20.22). It will have to transit through VLAN 1 (the default native VLAN) on the Cisco switches, then through an L3 device (probably the Cisco switch is L3), then reach VM2 at 20.20.20.22.

Correct?

If that's correct, then:

What would be different when VMs are assigned to VLANs at the ESX level instead of no VLANs being assigned? I believe the only difference is that VM1 will not have to go through the native VLAN on the Cisco physical switch to reach VM2; I mean it will go to its appropriate VLAN configured on the Cisco switch, then the L3 will route the traffic to the VLAN where VM2 resides.
skullnobrains

I do not really get your point.
VLANs are made for isolation.

If you only consider communication between two specific hosts, using one VLAN, or another, or no VLAN at all, or a combination of native VLAN, access modes, a couple of trunks, or possibly even changing the tagging on the fly does not really make a difference (except for a slight MTU change, which does not matter much). It either works or does not work.

I fail to see the point of covering every single possible case in this thread, and that would require listing all the involved port modes. If you do list them, you'll find the answer in each case quite easily.

For each port:

ingress untagged -> access VLAN or native VLAN
ingress tagged -> same tag if the port is a trunk and the VLAN is allowed; nothing otherwise
egress untagged or default VLAN -> goes through untagged if the port is in access/native mode on the default VLAN; nothing otherwise
egress tagged -> becomes untagged if the port is access/native in that VLAN; goes through with the same tag if the port is a trunk and the VLAN is allowed; nothing otherwise

Any reason this question is left open?
Are the above rhetorical/educational questions, or are you actually trying to solve a real-life problem you did not mention?
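The per-port rules in the reply above, and the ESXi side of the question (a port group with VLAN 0 sends untagged frames), can be written down as a small model and run against the scenarios raised in this thread: two VLAN 0 VMs behind trunks with native VLAN 1, the "native VLAN 100 on the host-facing port" case from the earlier reply, and the VLAN 0 to VLAN 100 case that needs an L3 hop. This is an added example, not code from the thread or from VMware or Cisco. It assumes a VID of 0 on the wire is a priority tag and is handled as untagged (as 802.1Q specifies), that `vlan dot1q tag native` is off, that an access port accepts only untagged frames as the reply states (IOS also accepts frames tagged with the access VLAN itself; that is left out), and it does not model port group VLAN 4095 (VGT). The port names are made up.

```python
"""Model of 802.1Q tag handling on a Cisco-style switch port plus the vSwitch
uplink side. Added example; assumptions are noted in the comments."""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]  # 802.1Q VLAN ID on the wire; None = no tag


@dataclass
class Port:
    name: str
    mode: str                           # "access" or "trunk"
    access_vlan: int = 1                # access mode: VLAN of the port
    native_vlan: int = 1                # trunk mode: VLAN carried untagged
    allowed: Optional[Set[int]] = None  # trunk mode: None = all VLANs allowed

    def permits(self, vlan: int) -> bool:
        return self.allowed is None or vlan in self.allowed


def vswitch_uplink_frame(portgroup_vlan: int) -> Frame:
    """Frame a VM's traffic becomes when the vSwitch puts it on the uplink.
    Port group VLAN 0 (the 'no VLAN' case in the question) means untagged."""
    if portgroup_vlan == 0:
        return Frame(None)
    if 1 <= portgroup_vlan <= 4094:
        return Frame(portgroup_vlan)
    raise ValueError("VLAN 4095 (VGT) and out-of-range IDs are not modelled")


def vswitch_delivers(portgroup_vlan: int, frame: Frame) -> bool:
    """Does a VM in this port group receive a frame arriving on the uplink?
    A VLAN 0 port group takes untagged frames only; VLAN N takes tag N only."""
    if portgroup_vlan == 0:
        return frame.vid in (None, 0)
    return frame.vid == portgroup_vlan


def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Internal VLAN a frame lands in when it enters `port`; None = dropped."""
    vid = None if frame.vid == 0 else frame.vid  # VID 0 = priority tag = untagged
    if port.mode == "access":
        # Per the reply's rules an access port only takes untagged frames.
        return port.access_vlan if vid is None else None
    if vid is None:
        # Untagged on a trunk -> native VLAN (only if that VLAN is allowed).
        return port.native_vlan if port.permits(port.native_vlan) else None
    return vid if port.permits(vid) else None


def egress(port: Port, vlan: int) -> Optional[Frame]:
    """Frame put on the wire when `vlan` leaves through `port`; None = not sent."""
    if port.mode == "access":
        return Frame(None) if vlan == port.access_vlan else None
    if not port.permits(vlan):
        return None
    return Frame(None) if vlan == port.native_vlan else Frame(vlan)


def forward(src: Port, frame: Frame, dst: Port) -> Optional[Frame]:
    """L2 forwarding on one switch: frame seen leaving `dst` after entering `src`."""
    vlan = ingress(src, frame)
    return None if vlan is None else egress(dst, vlan)


def vm_to_vm(src_pg: int, src_port: Port, dst_port: Port, dst_pg: int) -> bool:
    """End to end at L2: VM in port group src_pg behind src_port talking to a
    VM in port group dst_pg behind dst_port, with no router in between."""
    out = forward(src_port, vswitch_uplink_frame(src_pg), dst_port)
    return out is not None and vswitch_delivers(dst_pg, out)


if __name__ == "__main__":
    esx1 = Port("Gi1/0/1", "trunk", native_vlan=1)   # hypothetical port names
    esx2 = Port("Gi1/0/2", "trunk", native_vlan=1)
    host_a = Port("Gi1/0/3", "trunk", native_vlan=100)
    print("VLAN0 -> VLAN0 over native 1 :", vm_to_vm(0, esx1, esx2, 0))
    print("VLAN0 -> VLAN100, needs L3    :", vm_to_vm(0, esx1, esx2, 100))
    print("VLAN0 behind native-100 port  :", vm_to_vm(0, host_a, esx2, 100))
```

The third scenario is the one from the earlier reply: the untagged frame from the VLAN 0 guest enters the native VLAN 100 of its host-facing port, so it is bridged at L2 to the tagged VLAN 100 guest on the other host. The second one shows why the asker's VLAN 0 to VLAN 100 case needs a router or firewall: the frame stays in VLAN 1 and the VLAN 100 port group never accepts it.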
jskfan (ASKER)

Thank you