A few days ago a customer asked me about VLAN tagging in VMware virtual switches and how configurations are reflected at physical switch level. I already discussed VLANs and vSwitches in a previous article, but in this post I would like to take a brief look at the various VLAN tagging methods that can be implemented in a VMware infrastructure.
There are three different ways in which Ethernet frames can be VLAN tagged: External Switch VLAN Tagging (EST), Virtual Switch VLAN Tagging (VST) and Virtual Guest VLAN Tagging (VGT).
In EST, Ethernet frames are VLAN tagged only at the physical switch level. Virtual switches are unaware of VLANs, and every physical NIC can be statically configured to carry only one VLAN at a time.
Because of this 1:1 vmnic-to-VLAN association, this tagging method is not the most flexible one and can only be used in environments where the number of VLANs is quite small and no changes, or only minor ones, are expected in the network.
Even small modifications at the physical switch level (e.g. a switch port that should carry more than one VLAN) will introduce a major amount of work, potentially requiring a complete redesign of the entire virtual network.
External Switch VLAN Tagging is completely transparent to virtual switches: no VLAN ID has to be set on them. VLANs must be configured at the physical switch level only.
VST is the most common way to perform VLAN tagging. Its working principles have already been explained in the aforementioned article, but I will summarize them here again: the VLAN tag is added to frames just before they leave the virtual switch.
Every PortGroup can tag frames with a specific VLAN ID between 1 and 4094, which allows a physical NIC to carry more than one VLAN and therefore reduces hardware requirements: there is no need for a 1:1 mapping as in EST.
The physical switch must be properly configured so that a given port can carry more than one VLAN at the same time. In Cisco terminology these ports are known as trunk ports.
In VGT, VLAN tagging is performed at the guest OS level using a specific 802.1Q VLAN trunking driver. The guest OS adds the VLAN tag to frames before they leave the virtual machine's virtual NIC.
VM PortGroups in virtual switches must be configured with VLAN ID 4095 (i.e. trunk), as they can carry frames from any VLAN; this configuration must be reflected in the respective ports on the physical switch.
As in VST, a single physical NIC can carry more than one VLAN, reducing hardware requirements.
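
To make the mapping between PortGroup settings and physical switch ports concrete, here is an added example (not code from this post or from VMware) that classifies each PortGroup as EST, VST or VGT from its VLAN ID and derives what the physical ports behind each vSwitch must carry. The inventory, the PortGroup and vSwitch names and the helper functions are constructed for illustration, and it assumes that "no VLAN ID set" is represented as VLAN ID 0.

```python
from dataclasses import dataclass

EST_NONE_ID = 0      # assumption: 0 means no VLAN ID is set on the PortGroup (EST)
VGT_TRUNK_ID = 4095  # PortGroup passes frames already tagged by the guest (VGT)

@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan_id: int

def tagging_mode(vlan_id):
    """Map a PortGroup VLAN ID to the tagging method it implies."""
    if vlan_id == EST_NONE_ID:
        return "EST"
    if 1 <= vlan_id <= 4094:
        return "VST"
    if vlan_id == VGT_TRUNK_ID:
        return "VGT"
    raise ValueError(f"invalid VLAN ID: {vlan_id}")

def uplink_requirements(portgroups):
    """Per vSwitch, derive what the physical switch ports behind its uplinks must carry.
    Any tagged traffic (VST or VGT) means the physical port has to be a trunk."""
    result = {}
    for pg in portgroups:
        req = result.setdefault(
            pg.vswitch, {"untagged": False, "tagged": set(), "guest_tagged": []})
        mode = tagging_mode(pg.vlan_id)
        if mode == "EST":
            req["untagged"] = True               # VLAN is assigned by the physical port
        elif mode == "VST":
            req["tagged"].add(pg.vlan_id)        # vSwitch tags, trunk must allow this VLAN
        else:
            req["guest_tagged"].append(pg.name)  # guest picks the tag: review trunk scope
    for req in result.values():
        req["port_type"] = "trunk" if req["tagged"] or req["guest_tagged"] else "access"
        req["tagged"] = sorted(req["tagged"])
    return result

# Constructed sample inventory, not taken from a real host.
INVENTORY = [
    PortGroup("Management", "vSwitch0", 0),
    PortGroup("Prod-Web", "vSwitch1", 10),
    PortGroup("Prod-DB", "vSwitch1", 20),
    PortGroup("DMZ", "vSwitch2", 30),
    PortGroup("Firewall-VM", "vSwitch2", 4095),
]

if __name__ == "__main__":
    for vswitch, req in uplink_requirements(INVENTORY).items():
        print(vswitch, req)
```

PortGroups listed under guest_tagged are the ones where the guest OS chooses the VLAN tag, so the VLANs allowed on the matching physical trunk ports are worth reviewing for those uplinks.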