VLAN configuration on virtual switches, physical switches, and virtual machines

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

This article describes the various VLAN tagging methods used with ESXi/ESX.

Virtual LAN (VLAN) implementation is recommended in ESXi/ESX networking environments because:

It integrates ESXi/ESX into a pre-existing network
It secures network traffic
It reduces network traffic congestion
iSCSI traffic requires an isolated network

Environment

VMware vCenter Server 5.5.x
VMware ESX 4.0.x
VMware vCenter Server 4.0.x
VMware vSphere ESXi 5.1
VMware ESX 4.1.x
VMware VirtualCenter 2.5.x
VMware vCenter Server 7.0.x
VMware vCenter Server 5.0.x
VMware ESXi 3.5.x Embedded
VMware vSphere ESXi 7.0.0
VMware ESXi 4.0.x Embedded
VMware ESXi 4.0.x Installable
VMware vSphere ESXi 6.5
VMware ESXi 4.1.x Embedded
VMware ESX Server 3.5.x
VMware ESX Server 3.0.x
VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.7
VMware vSphere ESXi 5.0
VMware VirtualCenter 2.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server 4.1.x
VMware vCenter Server 6.5.x
VMware vCenter Server 5.1.x
VMware ESXi 4.1.x Installable
VMware ESXi 3.5.x Installable

Resolution

Video tutorial for various VLAN tagging methods used with ESXi/ESX:

VLAN tagging methods used with ESXi/ESX:

There are three methods of VLAN tagging that can be configured on ESXi/ESX:

External Switch Tagging (EST)
Virtual Switch Tagging (VST)
Virtual Guest Tagging (VGT)

External Switch Tagging (EST)

All VLAN tagging of packets is performed on the physical switch.
ESXi/ESX host network adapters are connected to access ports on the physical switch.
The portgroups connected to the virtual switch must have their VLAN ID set to 0.
For more information, see Sample Configuration - ESXi/ESX connecting to physical switch via VLAN access mode and External Switch VLAN Tagging (EST Mode) (1004127).
See this example snippet of a code from a Cisco switch port configuration:

switchport mode access switchport access vlan x

Virtual Switch Tagging (VST)

All VLAN tagging of packets is performed by the virtual switch before leaving the ESXi/ESX host.
The ESXi/ESX host network adapters must be connected to trunk ports on the physical switch.
The portgroups connected to the virtual switch must have an appropriate VLAN ID specified.
For more information, see:
- Configuring a VLAN on a portgroup (1003825)
- Configuring Virtual Switch VLAN Tagging (VST) mode on a vNetwork Distributed Switch (1010778)
For a sample of VST, see Sample configuration of virtual switch VLAN tagging (VST Mode) (1004074).
See this example snippet of code from a Cisco switch port configuration:

switchport trunk encapsulation dot1q switchport mode trunk switchport trunk allowed vlan x,y,z spanning-tree portfast trunk

Note: The Native VLAN is not tagged and thus requires no VLAN ID to be set on the ESXi/ESX portgroup.

Virtual Guest Tagging (VGT)

All VLAN tagging is performed by the virtual machine.
You must install an 802.1Q VLAN trunking driver inside the virtual machine.
VLAN tags are preserved between the virtual machine networking stack and external switch when frames are passed to/from virtual switches.
Physical switch ports are set to trunk port.
For more information, see Sample configuration of virtual machine (VM) VLAN Tagging (VGT Mode) in ESX (1004252).
See this example snippet of code from a Cisco switch port configuration:

switchport trunk encapsulation dot1q switchport mode trunk switchport trunk allowed vlan x,y,z spanning-tree portfast trunk

For additional information on these configurations, see VMware ESX Server 3: 802.1Q VLAN Solutions.

Additional Information

For translated versions of this article, see: