VMware NSX


How 2 vlan can communicate

  • 1.  How 2 vlan can communicate

    Posted May 20, 2018 05:00 PM

    Dear Team,

    Just wanted to know how 2 VLANs communicate with each other.

    For example, I have 2 VLANs on a router:

    VLAN1 10.10.10.1

    VLAN2 20.20.20.1

    By default, can VMs in 2 different VLANs communicate with each other, or do we have to do something extra on the router?

    Note: This question is related to the physical router, not the logical router.



  • 2.  RE: How 2 vlan can communicate

    Posted May 20, 2018 06:02 PM

    As long as the default gateway of the VMs is the router IP address, the VMs can communicate, because the router forwards the packets received from one VLAN to the other as it knows both subnets, which are directly connected.



  • 3.  RE: How 2 vlan can communicate

    Posted May 21, 2018 05:18 AM

    As mentioned, both machines have to have their D.G. pointing to the corresponding router interface.

    By default the router will route between its directly connected networks without any special configuration change.

    Just ensure that the D.G. is configured and up and running, with the machines pointing to the corresponding IP address of the router, which is the D.G.



  • 4.  RE: How 2 vlan can communicate

    Posted May 21, 2018 07:38 AM

    Thanks Rajeev / Canero for the prompt response.

    By default the router will route between its directly connected network without any special configuration change.

    If this is the case, then why do we create a VLAN? We can keep those 2 VMs in a single VLAN if we don't want to restrict communication.

    In our environment we can't ping/communicate with those VMs which are in a different VLAN.

    Currently my understanding is (it might be wrong) that we create VLANs so that we can restrict communication between VMs. If we want to restrict communication between VLANs, what configuration do we have to do, and where? Do we need to do some configuration on a router or on a physical switch?



  • 5.  RE: How 2 vlan can communicate

    Posted May 21, 2018 08:54 AM

    There's a slight difference between VLANs and subnets.

    You may run systems with IP addresses in different subnets in the same VLAN. They will however still require routing to be able to communicate with each other.

    A VLAN, on the other hand, is used to separate broadcast traffic, and to allow routing devices to configure e.g. separate gateways per VLAN, PVST, and other things.

    Separating subnets in VLANs also adds security to your network, because only properly configured systems will be able to communicate with systems on other VLANs.

    Example: You have 2 VLANs, one for servers and one for clients. If a client changes its IP address to one in the server range, it will not affect the server, because the client will effectively be isolated in its VLAN.

    André



  • 6.  RE: How 2 vlan can communicate

    Posted May 21, 2018 12:27 PM

    Is it possible to send the IP/subnet mask and default gateway IPs of 2 machines that cannot ping each other? If VM-1 and VM-2 on the same VLAN ping each other, as well as VM-3 and VM-4 on the other VLAN, there could be a subnet mask problem on the router, or an Access Control List on the router. Can the VMs ping their default gateway (which should be the router IP)?

    If they can't ping each other, there could be a host firewall on the VMs that is preventing the ICMP.

    NSX Microsegmentation is firewall rules at the VM vNIC level, so it could provide firewall rules for all the VMs, even if they are on the same VLAN. NSX Edge also has a firewall feature; in general, physical router ACLs are difficult to manage.

    VLANs (and VXLAN logical switches) are used to separate different VM roles, and they are separate subnets and port groups. Putting VMs on different subnets on the same VLAN also makes them unreachable between VMs at the IP level, but it is not a recommended way, as it does not keep broadcasts etc. separate.



  • 7.  RE: How 2 vlan can communicate

    Posted May 21, 2018 04:10 PM

    Thanks Andre and Canero,

    Sorry, I'm a newbie in network technology; maybe I'm not able to describe my question properly.

    What I want to understand is:

    - For example, we have created 2 new VLANs in a network, i.e. VLAN1 and VLAN2. Then we have added new VMs to our environment. A few VMs are part of VLAN1 and the rest are part of VLAN2. I just wanted to understand: after creating these 2 VLANs, by default will the VMs in these 2 VLANs be able to communicate with each other? If yes, then how can we restrict that, so that VMs in 2 different VLANs cannot communicate with each other?

    Kindly note this question is related to the physical switch/router; I'm not asking anything related to NSX.

    Thanking You.



  • 8.  RE: How 2 vlan can communicate

    Posted May 21, 2018 04:18 PM

    by default will these 2 vlan VMs will be able to communicate with each other

    With the physical router in place and properly configured, the VMs will be able to communicate with each other if they have the required settings (e.g. default gateway = router address).

    if yes then how we can restrict the same so that 2 different VLAN VMs should not communicate with each other.

    Either disable routing the two subnets in the router (best option), or don't set a default gateway on the VMs.


    André

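The replies above (posts 2, 3 and 8) all come down to two checks: does the VM have a gateway it can hand off-subnet packets to, and does the router have a route (and routing enabled) for the destination? The small model below is an added example, not code from the thread or from VMware; it uses the two gateway addresses from the original question and assumes /24 masks, and all VM addresses are constructed. It traces both directions of a ping, which is what shows why a VM with no default gateway cannot even reply to a ping it receives.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional


@dataclass
class Host:
    """A VM with one interface. gateway=None models 'no default gateway set'."""
    name: str
    iface: IPv4Interface            # address plus mask, e.g. 10.10.10.20/24
    gateway: Optional[IPv4Address]  # default gateway, or None

    def next_hop(self, dst: IPv4Address):
        """Where this host sends a packet for dst: "direct" if dst is in its own
        subnet (switched inside the VLAN), the gateway address otherwise, or
        None if it has no gateway and therefore no route at all."""
        if dst in self.iface.network:
            return "direct"
        return self.gateway


@dataclass
class Router:
    """A physical router with one interface per VLAN. With only connected routes
    it can reach a destination exactly when one of its interface subnets contains
    it; inter_vlan_routing=False models post 8's 'disable routing the two subnets'."""
    interfaces: list
    inter_vlan_routing: bool = True

    def owns(self, addr: IPv4Address) -> bool:
        return any(addr == i.ip for i in self.interfaces)

    def forwards(self, dst: IPv4Address) -> bool:
        connected = any(dst in i.network for i in self.interfaces)
        return connected and self.inter_vlan_routing


def one_way(src: Host, dst: Host, router: Router) -> str:
    """Trace a single packet from src to dst and report where it ends up."""
    hop = src.next_hop(dst.iface.ip)
    if hop == "direct":
        return "delivered: same subnet, never touches the router"
    if hop is None:
        return "dropped at source: no default gateway"
    if not router.owns(hop):
        return "dropped: gateway address does not belong to the router"
    if not router.forwards(dst.iface.ip):
        return "dropped at router: no route or inter-VLAN routing disabled"
    return "delivered: routed between VLANs"


def can_ping(a: Host, b: Host, router: Router) -> bool:
    """A ping needs the echo request to arrive and the reply to come back,
    so both directions must be deliverable."""
    return (one_way(a, b, router).startswith("delivered")
            and one_way(b, a, router).startswith("delivered"))


# Constructed lab: gateway addresses from the thread, /24 masks assumed.
ROUTER = Router([IPv4Interface("10.10.10.1/24"), IPv4Interface("20.20.20.1/24")])
ISOLATED_ROUTER = Router(ROUTER.interfaces, inter_vlan_routing=False)
VM1 = Host("vm1", IPv4Interface("10.10.10.20/24"), IPv4Address("10.10.10.1"))
VM2 = Host("vm2", IPv4Interface("10.10.10.21/24"), IPv4Address("10.10.10.1"))
VM3 = Host("vm3", IPv4Interface("20.20.20.20/24"), IPv4Address("20.20.20.1"))
VM4 = Host("vm4", IPv4Interface("20.20.20.21/24"), None)                        # no gateway
VM5 = Host("vm5", IPv4Interface("20.20.20.22/24"), IPv4Address("20.20.20.254"))  # wrong gateway

if __name__ == "__main__":
    for a, b in [(VM1, VM2), (VM1, VM3), (VM1, VM4), (VM3, VM4), (VM1, VM5)]:
        print(f"{a.name} -> {b.name}: {one_way(a, b, ROUTER)}; "
              f"{b.name} -> {a.name}: {one_way(b, a, ROUTER)}; "
              f"ping works: {can_ping(a, b, ROUTER)}")
    print(f"routing disabled, vm1 -> vm3 ping works: {can_ping(VM1, VM3, ISOLATED_ROUTER)}")
```

Running it shows the two cases the thread keeps circling: with the router in place and correct gateways, vm1 can ping vm3 across VLANs; take away vm4's gateway and vm1's echo request still arrives but the reply is dropped at vm4, so the ping fails, while vm3 and vm4 keep talking inside their own VLAN without the router being involved.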


  • 9.  RE: How 2 vlan can communicate

    Posted May 22, 2018 03:13 AM

    If the VMs do not need to communicate outside their own VLANs, not putting in a router, or no gateway configuration as recommended previously, could be the solution. If they need to communicate outside while restricting communication between the two VLANs, there could be two solutions:

    The first is to use host firewalls on the VMs; Linux and Windows have firewalls, but it would be difficult to manage and orchestrate the rules and ensure that the firewall is enabled and running on each VM.

    Another solution could be to use Access Control Lists (ACLs) on the router. This feature could be used as:

    deny ip Subnet_VlanA to Subnet_VlanB

    deny ip Subnet_VlanB to Subnet_VlanA

    permit ip Subnet_VlanA to any

    permit ip Subnet_VlanB to any

    and applying this ACL to the router's VlanA and VlanB interfaces. Since there is a single place to configure, this could be simpler.

    If the VMs were on the same subnet, the same could be achieved by using Private VLANs with Isolated VlanA and Isolated VlanB, which belong to Primary VlanC. Private VLANs are supported with dVS (Distributed Virtual Switch).

    These links could be helpful:

    https://www.vladan.fr/private-vlans-vmware-vsphere/

    VMware Knowledge Base




  • 10.  RE: How 2 vlan can communicate

    Posted May 22, 2018 09:24 AM

    Thanks Andre and Canero,

    So in most enterprise environments this type of deny rule (ACL) is created and applied on the router/switch interface, so that VMs/devices in 2 different VLANs won't be able to communicate with each other, and we can also isolate different types of traffic. Kindly correct me if I'm wrong.



  • 11.  RE: How 2 vlan can communicate

    Posted May 22, 2018 10:08 AM

    ACLs are not stateful, so if stateful isolation is needed, which may be required, the gateway could be replaced with a DC firewall, where the VLANs currently end up on a router or L3 switch. This may be preferred for an enterprise solution.

    NSX provides the same functionality as this segmentation solution; additionally, firewall rules can be configured even for VMs on the same VLAN (Microsegmentation). It is also a scale-out solution, where capacity is increased as additional ESX hosts are added, whereas a hardware firewall is scale-up with fixed capacity.
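To make post 9's ACL and post 11's "ACLs are not stateful" point concrete, here is an added example (not code from the thread or from VMware) that evaluates the four ACL lines top-down with first-match-wins and an implicit deny, then contrasts a stateless evaluation with a minimal stateful one on a policy the ACL cannot express cleanly: VlanA may open sessions to VlanB, but VlanB must not open sessions to VlanA. Subnets are the thread's 10.10.10.x and 20.20.20.x with assumed /24 masks; the host and outside addresses, ports and packets are constructed, and the flow tracking is deliberately simplified (no TCP flag checks, no timeouts).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Subnets from the thread; /24 masks are assumed.
VLAN_A = ip_network("10.10.10.0/24")
VLAN_B = ip_network("20.20.20.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.src and pkt.dst in self.dst


# Post 9's ACL as rules: evaluated top-down, first match wins, and anything
# unmatched hits the implicit deny at the end (as on most routers).
INTER_VLAN_ACL = [
    Rule("deny", VLAN_A, VLAN_B),
    Rule("deny", VLAN_B, VLAN_A),
    Rule("permit", VLAN_A, ANY),
    Rule("permit", VLAN_B, ANY),
]

# A policy a stateless ACL handles badly: A may open sessions to B, B may not
# open sessions to A. Statelessly, B's replies look like "B -> A" and are denied.
ONE_WAY_POLICY = [
    Rule("permit", VLAN_A, VLAN_B),
    Rule("deny", VLAN_B, VLAN_A),
    Rule("permit", VLAN_A, ANY),
    Rule("permit", VLAN_B, ANY),
]


def stateless_acl(rules, pkt: Packet) -> bool:
    """Stateless evaluation: each packet is judged on its own header only."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False  # implicit deny


class StatefulFilter:
    """Stateful evaluation: the rule set decides only whether a *new* flow may
    start; packets belonging to an admitted flow pass in either direction."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # 5-tuples of admitted flows, initiator -> responder

    def check(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if key in self.flows or reverse in self.flows:
            return True  # reply or continuation of an established session
        if stateless_acl(self.rules, pkt):
            self.flows.add(key)
            return True
        return False


def run_scenarios() -> dict:
    """Constructed traffic: one host per VLAN plus an outside address (TEST-NET-3)."""
    a_host, b_host = ip_address("10.10.10.20"), ip_address("20.20.20.20")
    outside = ip_address("203.0.113.10")
    a_to_b = Packet(a_host, b_host, "tcp", 40000, 443)   # A opens HTTPS to B
    b_reply = Packet(b_host, a_host, "tcp", 443, 40000)  # B's reply in that session
    b_to_a = Packet(b_host, a_host, "tcp", 50000, 22)    # B opens a new session to A
    a_out = Packet(a_host, outside, "tcp", 40001, 443)   # A to the outside

    results = {
        "acl: A->B": stateless_acl(INTER_VLAN_ACL, a_to_b),
        "acl: B->A": stateless_acl(INTER_VLAN_ACL, b_to_a),
        "acl: A->outside": stateless_acl(INTER_VLAN_ACL, a_out),
        "stateless one-way: A->B": stateless_acl(ONE_WAY_POLICY, a_to_b),
        "stateless one-way: reply B->A": stateless_acl(ONE_WAY_POLICY, b_reply),
    }
    fw = StatefulFilter(ONE_WAY_POLICY)
    results["stateful one-way: A->B"] = fw.check(a_to_b)
    results["stateful one-way: reply B->A"] = fw.check(b_reply)
    results["stateful one-way: B->A new"] = fw.check(b_to_a)
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:32} {'permit' if allowed else 'deny'}")
```

The first three results show post 9's ACL doing exactly what it was written for: both inter-VLAN directions denied, traffic to anywhere else permitted. The one-way policy shows the stateless limitation from post 11: the only way to let B's replies through a stateless ACL is a broad permit for B -> A, which also lets B start sessions, whereas the stateful filter admits the reply because it belongs to a flow A opened and still refuses B's own new session.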