The VLAN tagging options with VMware vSwitches. How 802.1Q tagging works for internal and external VLAN traffic in vSphere standard vSwitches, and what “VLAN trunking / tagging” is.
There are several ways to configure 802.1Q VLAN tagging in VMware vSphere ESXi. The VLAN settings on the ESXi vSwitches must be configured correctly to get a network that both works and keeps the VLANs separated.
For more information about the 802.1Q tag and how it actually modifies the frames see this article.
The most common and simplest way is the one shown above (what VMware calls Virtual Switch Tagging, VST): in this example there are two portgroups, with VLAN ids 100 and 200. The virtual machines do not need to know which VLAN they belong to, and the vSwitch expects only untagged, standard-sized frames coming in from the VMs.
Internal traffic is untagged
If a virtual machine sends a frame destined for another VM on the same VLAN and the same vSwitch, the frame is delivered untagged and unmodified. No tagging is needed by either the VM or the vmkernel.
To keep the traffic inside the ESXi host the destination VM must be on the same vSwitch; it may be on a different portgroup than the sender, as long as both portgroups have the same VLAN id configured. If the two VMs are on two different vSwitches on the same ESXi host, the traffic must always go out to the physical switch and come back, even if the same VLAN id is configured on both vSwitches.
If two VMs are on the same vSwitch but in portgroups with different VLANs, the traffic must be routed somewhere. The vmkernel never lifts a frame from one VLAN into another: frames from one Layer 2 broadcast domain must pass through a Layer 3 router before entering another VLAN. That router can be physical or virtual, but the vSwitch itself has no L3 capabilities. This is the property a VLAN-per-portgroup design relies on for isolation between VMs on the same host.
External traffic will be tagged
If a virtual machine on a portgroup with a VLAN id sends a frame that has to be delivered to something outside the virtual switch, the vmkernel inserts the 802.1Q tag into the frame before sending it to the physical network through the vmnic1 uplink. The VM is not involved in any tagging and does not even know it takes place.
(The tagging of outgoing frames is often offloaded by ESXi to the physical network adapter, so the performance overhead is minimal. The tag adds 4 bytes to each frame, inserted between the source MAC address and the EtherType, which is also negligible.)
When the ESXi host sends an 802.1Q-tagged frame to the network, the physical switch port must be configured to accept it; otherwise the switch drops the frame. On Cisco devices a port that accepts tagged frames is called a “trunk port”; HP ProCurve switches use the word “tagged”. The next part of the VLAN vSwitch articles looks at the physical switch configuration in detail.
When a tagged response arrives from the physical network, the vSwitch (in vmkernel memory) strips the tag before handing the frame to the virtual machine. If the vSwitch delivered an 802.1Q-tagged frame to a VM with a default configuration, the VM's network card driver would drop it.
Broadcast frames are both tagged and untagged
Another special case is a virtual machine sending a broadcast frame (destination MAC FF-FF-FF-FF-FF-FF). The broadcast must reach every other station on the Layer 2 LAN (the “broadcast domain”), so one untagged copy is sent to each virtual machine in the same VLAN on the local vSwitch, and one tagged copy is sent out on the uplink.
With vSwitch NIC teaming, that is two or more physical NIC ports (vmnics) connected, the vSwitch still sends only one copy of the tagged broadcast frame, on one of the uplinks. This avoids MAC flapping at the physical switches.
Tagged frames from VMs are dropped
The vSwitch requires that virtual machines send only untagged frames (with one exception, discussed in part 3 of this article).
If a virtual machine sends tagged frames, even with the correct VLAN id, the frames are dropped. There is normally no reason for a VM to tag frames at all, and dropping unexpected tagged frames protects against VLAN hopping: a compromised guest cannot move itself into another VLAN simply by tagging its own frames.
In the example above, if the VM uses the VMware VMXNET3 network card and sets an 802.1Q tag with VLAN id 100, the same VLAN the VM is a member of, the frame is still dropped.
The next part of the vSwitch and VLAN tagging articles discusses the setup of the physical switches from HP ProCurve and Cisco.
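To make the rules described above concrete, here is a small Python model, added for this edit and not VMware code (it is a simplification of the real vmkernel forwarding path, not an implementation of it), of a standard vSwitch in VST mode. It builds real 802.1Q framing, so the 4-byte tag can be seen landing between the source MAC and the EtherType, and applies the rules from this article: same-VLAN unicast stays on the host untagged, a broadcast goes both to local VMs untagged and to the uplink tagged, frames leaving the host get tagged, tagged frames from a VM are dropped even when the tag names the VM's own VLAN, and tagged frames from the uplink are untagged before delivery. The VM names, MAC addresses, the gateway MAC and the VLAN ids 100, 200 and 300 are constructed sample values; VGT (VLAN id 4095) is not modelled.

```python
"""Model of how a vSphere standard vSwitch (VST mode) handles 802.1Q tags.
Illustration only, not VMware code: it applies the article's rules to real
802.1Q framing so the resulting bytes can be inspected."""
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows
BROADCAST_MAC = bytes.fromhex("ffffffffffff")
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806


def mac(text):
    """'00:50:56:00:00:0a' or 'FF-FF-FF-FF-FF-FF' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))

def build_frame(dst, src, ethertype=ETHERTYPE_IPV4, payload=b""):
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def is_tagged(frame):
    """Bytes 12..13 carry the 802.1Q TPID instead of an EtherType."""
    return len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q

def vlan_of(frame):
    """VLAN id is the low 12 bits of the TCI in bytes 14..15."""
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def add_tag(frame, vlan_id, pcp=0):
    """Insert TPID+TCI between source MAC and EtherType; frame grows by 4 bytes."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame):
    """Remove the 4 tag bytes so a default guest driver accepts the frame."""
    return frame[:12] + frame[16:]


class StandardVSwitch:
    """One vSwitch whose VM ports sit in portgroups with a VLAN id (VST).
    VGT (VLAN id 4095), the exception the article defers to part 3, is not modelled."""

    def __init__(self):
        self.ports = {}  # vm name -> (vm mac, portgroup vlan id)

    def connect(self, vm, vm_mac, vlan_id):
        self.ports[vm] = (vm_mac, vlan_id)

    def _local_targets(self, dst, vlan_id, exclude=None):
        """VMs on this vSwitch, in this VLAN, selected by the destination MAC."""
        return [vm for vm, (m, v) in self.ports.items()
                if v == vlan_id and vm != exclude and (dst == BROADCAST_MAC or m == dst)]

    def from_vm(self, sender, frame):
        """Frame sent by a VM. Returns (local deliveries, uplink frame, drop reason)."""
        if is_tagged(frame):
            # Dropped even when the tag names the VM's own VLAN: no VLAN hopping.
            return {}, None, "tagged frame from VM, vlan %d" % vlan_of(frame)
        _, vlan_id = self.ports[sender]
        dst = frame[:6]
        local = {vm: frame for vm in self._local_targets(dst, vlan_id, exclude=sender)}
        uplink = None
        if dst == BROADCAST_MAC or not local:
            # Leaves the host, so it is tagged; one copy only, whatever the NIC teaming.
            uplink = add_tag(frame, vlan_id)
        return local, uplink, None

    def from_uplink(self, frame):
        """Frame from the physical switch. Returns (local deliveries, drop reason)."""
        if not is_tagged(frame):
            return {}, "untagged frame on uplink (no VLAN 0 portgroup in this model)"
        vlan_id = vlan_of(frame)
        untagged = strip_tag(frame)
        local = {vm: untagged for vm in self._local_targets(untagged[:6], vlan_id)}
        return local, None if local else "no portgroup with vlan %d" % vlan_id


def demo():
    """Constructed scenario matching the article: VLAN 100 and VLAN 200 portgroups."""
    sw = StandardVSwitch()
    a, b, c = mac("00:50:56:00:00:0a"), mac("00:50:56:00:00:0b"), mac("00:50:56:00:00:0c")
    sw.connect("vm-a", a, 100)
    sw.connect("vm-b", b, 100)  # different portgroup, same VLAN id: still local
    sw.connect("vm-c", c, 200)
    router = mac("00:00:5e:00:01:01")  # assumed gateway MAC outside the host
    return {
        "internal": sw.from_vm("vm-a", build_frame(b, a, payload=b"to b")),
        "cross_vlan": sw.from_vm("vm-a", build_frame(c, a, payload=b"to c")),
        "broadcast": sw.from_vm("vm-a", build_frame(BROADCAST_MAC, a, ETHERTYPE_ARP)),
        "vm_tagged": sw.from_vm("vm-a", add_tag(build_frame(b, a), 100)),
        "reply": sw.from_uplink(add_tag(build_frame(a, router, payload=b"back"), 100)),
        "wrong_vlan": sw.from_uplink(add_tag(build_frame(a, router), 300)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the `cross_vlan` case leaving the host tagged with VLAN 100 even though vm-c sits on the same vSwitch, the `broadcast` case producing an untagged copy for vm-b and a tagged copy for the uplink, and the `vm_tagged` case dropped with VLAN 100 in the tag. The drop reasons are returned rather than logged so a test can check them.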