VLAN tagging and PVLANs in vSphere 6

VLANs enable a single physical LAN segment to be further divided so that groups of ports are isolated from one another as if they were on physically different segments. Using VLANs, an administrator gets the following advantages:

  • Integrate the host into a pre-existing environment
  • Isolate and secure network traffic
  • Reduce network traffic congestion

In a physical environment, servers are equipped with dedicated physical NICs that are in turn connected to a physical switch. VLANs in the physical world are usually controlled by setting the VLAN ID on the physical switch port and then setting the server’s IP address to correspond to that NIC’s VLAN.

In a virtual environment, dedicating a physical NIC (pNIC) to each VM that resides on the host is not possible. In reality, a physical NIC of the ESXi host services many VMs, and these VMs may need to be connected to different VLANs. So the method of setting a VLAN ID on the physical switch port doesn’t work.

To solve this, 802.1Q VLAN tagging is used in the virtual environment.

How 802.1Q VLAN tagging for vSphere VLANs works

802.1Q VLAN tagging allows use of multiple VLANs on a single physical NIC. This capability can greatly reduce the number of pNICs needed in the host. Instead of having a separate pNIC for each VLAN, you can use a single NIC to connect to multiple VLANs. Tagging works by applying tags to all network frames to identify them as belonging to a particular VLAN.

VLAN methods available in vSphere 6

There are 3 types of tagging methods available in VMware vSphere:

1: Virtual Machine Guest Tagging (VGT): In this mode, the 802.1Q VLAN trunking driver is installed inside the virtual machine. All VLAN tagging is performed by the virtual machine using the trunking driver in the guest OS. Tags are understood between the virtual machine networking stack and the external switch when frames are passed to and from the virtual switches. The vSwitch only forwards packets from the virtual machine to the physical switch and does not perform any tagging operation.

Note: To configure VGT, the port group of the virtual machine should be configured with VLAN ID 4095.

2: External Switch Tagging (EST): In this mode, the physical switch does the VLAN tagging. The tag is appended when a packet arrives at a switch port and stripped away when a packet leaves a switch port toward the server.

Since the tagging is done at the physical switch, the virtual switch has no knowledge of it and you do not need to configure any VLAN at the port group level. The VM’s network packets are delivered to the physical switch without any tagging operation at the virtual switch level.

Note: There is one caveat in this approach. The number of VLANs you can use is limited to the number of physical NICs present/connected to your ESXi host.

Also, the physical switch port connecting the uplink from the ESXi host should be configured as an access port assigned to a specific VLAN.

3: Virtual Switch Tagging (VST): In this mode, VLANs are configured on port groups of the virtual switch. The vNIC of the virtual machine is then connected to the appropriate port group. The virtual switch port group tags all outbound frames and removes tags for all inbound frames.

This approach reduces the number of physical NICs on the server by running all the VLANs over one physical NIC. Since fewer physical NICs are used, it also reduces the number of cables from the ESXi host to the physical switch.

Prerequisites for configuring VST

  • The physical switch port connecting the uplink from the ESXi host should be configured as a trunk port.
  • Port groups on the virtual switch must have a VLAN ID between 1 and 4094.
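The three modes differ only in who inserts and removes the 4-byte 802.1Q tag, and the port group VLAN ID selects the mode. The Python model below is an added example, not VMware code: it maps VLAN ID 0 to EST (no VLAN on the port group), 1-4094 to VST and 4095 to VGT, and shows what happens to a frame in each direction. The sample frame is constructed, and dropping guest-tagged frames outside VGT is a modelling assumption.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed sample: dst MAC, src MAC, EtherType 0x0800, 4-byte payload.
SAMPLE_FRAME = bytes.fromhex("005056aabbcc" "005056112233" "0800") + b"ping"

def read_vid(frame: bytes):
    """Return the 12-bit VLAN ID of a tagged frame, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) right after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]

def tagging_mode(pg_vlan: int) -> str:
    """Map a port group VLAN ID to the tagging mode it selects."""
    if pg_vlan == 0:
        return "EST"   # no VLAN on the port group; physical switch tags
    if pg_vlan == 4095:
        return "VGT"   # guest tags; vSwitch forwards untouched
    if 1 <= pg_vlan <= 4094:
        return "VST"   # vSwitch tags outbound, strips inbound
    raise ValueError(f"invalid VLAN ID {pg_vlan}")

def vm_to_uplink(frame: bytes, pg_vlan: int):
    """Frame as it leaves the host, or None if this model drops it."""
    mode, vid = tagging_mode(pg_vlan), read_vid(frame)
    if mode == "VGT":
        return frame
    if vid is not None:
        return None    # modelling assumption: guest tags only allowed in VGT
    return add_tag(frame, pg_vlan) if mode == "VST" else frame

def uplink_to_vm(frame: bytes, pg_vlan: int):
    """Frame as the VM receives it, or None if it is not delivered."""
    mode, vid = tagging_mode(pg_vlan), read_vid(frame)
    if mode == "VGT":
        return frame
    if mode == "VST":
        return strip_tag(frame) if vid == pg_vlan else None
    return frame if vid is None else None
```

In VST the VM never sees a tag, and a frame tagged for another VLAN is not delivered to its port group, which is the isolation property the trunk port relies on.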

Private VLANs

Sometimes the use of VLANs isn’t enough to satisfy a design requirement. If you are a hosting/cloud provider, you are more likely to hit the limit of 4094 usable VLANs in your environment. What do you do once you have hit this limit? How are you going to provide a new VLAN for a new customer and maintain isolated multi-tenancy? The answer is to make use of private VLANs.

Private VLANs (PVLANs) address the limitation of 4094 VLAN IDs by further segmenting the logical broadcast domain into smaller broadcast subdomains. The private VLAN concept is not limited to vSphere. It’s a networking technique that has been employed on switches for quite some time. It adds a layer of security and enables network admins to restrict communication between servers in the same network segment (VLAN).

A simple use case to understand private VLANs

Suppose you have an email server and a web server in your environment, both sitting on the same VLAN, and you don’t want your email server talking to your web server, but want both of them to communicate with the outside world. The traditional way of doing this is to place each server in a separate VLAN and use ACLs to prevent communication between the two VLANs.

This approach needs multiple VLANs and IP subnets. It may also require you to re-IP the servers in an existing environment. But what if you are running out of VLANs or IP subnets and/or re-IPing is too disruptive? This is where private VLANs come into the picture. The diagram below illustrates a possible use case of a private VLAN.


Graphic thanks to darshanaj.wordpress.com

A Private VLAN consists of:

  • Primary PVLAN: The original VLAN is divided into smaller groups known as the Primary Private VLAN.
  • Secondary PVLANs: The secondary PVLANs exist within the Primary PVLAN.

Private VLANs need to be configured at the physical switch level (the switch must support PVLANs) and also on the vDS. A PVLAN is identified by its primary VLAN ID, and the primary VLAN ID can then have multiple secondary VLAN IDs.

The primary VLAN is in promiscuous mode and acts somewhat like a router: all packets from the secondary PVLANs need to go out through the primary VLAN. Secondary PVLANs are of three types:

  • Promiscuous: VMs in this PVLAN can talk to any other VMs in the same Promiscuous PVLAN or any other secondary PVLANs.
  • Isolated: A VM in this secondary PVLAN cannot communicate with any VM in the same Isolated PVLAN nor with any VM in the Community PVLAN. It can only communicate with the Promiscuous PVLAN. You can only have one secondary isolated VLAN per Private VLAN.
  • Community: VMs in this secondary PVLAN can communicate with any VM in the same Community PVLAN and with the Promiscuous PVLAN as explained above. However, VMs in this PVLAN cannot talk to the Isolated PVLAN.
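The rules above can be written down as a small model and used to check a PVLAN design before it is deployed. This is an added Python example, not VMware code: the VLAN IDs, VM names and the placement of the mail and web servers in the isolated secondary are constructed for illustration. It validates a secondary VLAN map and lists the pairs of VMs the design is supposed to keep apart.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    secondary_id: int   # secondary VLAN ID of the port group the VM uses
    kind: str           # "promiscuous", "isolated" or "community"

def validate(primary_id: int, secondaries: dict) -> list:
    """Check a {secondary VLAN ID: type} map against the rules in the text."""
    problems = []
    if secondaries.get(primary_id) != "promiscuous":
        problems.append("promiscuous secondary must share the primary VLAN ID")
    isolated = [v for v, k in secondaries.items() if k == "isolated"]
    if len(isolated) > 1:
        problems.append(f"more than one isolated secondary: {isolated}")
    for vid, kind in secondaries.items():
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN ID {vid} outside 1-4094")
        if kind not in ("promiscuous", "isolated", "community"):
            problems.append(f"unknown type {kind!r} on VLAN {vid}")
    return problems

def can_talk(a: Port, b: Port) -> bool:
    """Layer-2 reachability between two ports of the same primary PVLAN."""
    if "promiscuous" in (a.kind, b.kind):
        return True                      # promiscuous reaches every secondary
    if a.kind == b.kind == "community":
        return a.secondary_id == b.secondary_id
    return False                         # isolated, or different communities

def blocked_pairs(ports: list) -> list:
    """Pairs the PVLAN design keeps apart, for comparison with ping tests."""
    return [(a.name, b.name) for i, a in enumerate(ports)
            for b in ports[i + 1:] if not can_talk(a, b)]

# Constructed example: primary 100, the mail/web servers from the use case
# placed in the isolated secondary, two app servers in one community.
SECONDARIES = {100: "promiscuous", 101: "isolated", 102: "community"}
PORTS = [Port("gateway", 100, "promiscuous"), Port("mail", 101, "isolated"),
         Port("web", 101, "isolated"), Port("app1", 102, "community"),
         Port("app2", 102, "community")]
```

Any pair returned by `blocked_pairs(PORTS)` that still answers a ping after deployment indicates a misconfigured port group or physical switch.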

How to configure Private VLAN

In my lab, I do not have any physical switch where I can configure a private VLAN. I will demonstrate the VMware side of the configuration, which is needed to make a private VLAN work.

To create a PVLAN, log in to the vSphere Web Client and switch to the networking view. Select the vDS, navigate to Manage > Settings > Private VLAN and click the Edit button.

Click the Add button to add a primary VLAN.

Provide a VLAN ID for the primary PVLAN.

You will see that a secondary promiscuous VLAN with the same ID is created along with the primary. You can add additional secondary VLANs by clicking the Add button and selecting the appropriate VLAN type for each secondary.

Hit OK to finish the PVLAN creation wizard and verify the configuration before moving to the next step.

Next, create a new distributed port group which will be connected to the newly created PVLAN.

Under VLAN type, select Private VLAN.

Select the VLAN ID from the dropdown list and hit Next.

Now, to test the configuration, attach VMs to the newly created port group and try pinging between them to verify that it works as designed.

