VMware vSphere

Hello

I’m trying to implement a configuration using VMware vSphere and I need to configure Private VLAN on my Blade Switch SB9 (on Fujitsu Siemens BX 600 S3).

Unfortunately this kind of switch doesn’t support PVLAN.

Please find attached The Configuration schema.

My question is : Can I use another feature to link the vDS Switch and the CISCO Switch without losing PVLAN frames.

Thanks in advance for your help

Yours

You can try Cisco Catalyst switches.

But tell us please why do you need PVLAN? Why don`t you use usual VLAN?

Anatoly Vilchinsky

Starwind Software Developer

If you want to use PVlans, you'll have to use hardware that supports them.

PVlans basically provide vm isolation on ther same subnet . . If you want to provide isolation without a change of IP (In which case normal VLans would work), you'd have to set up some sort of encryption or firewall.

Of course you can continue to maintain isolation from within the VM environment as the DV switches do support PVLans.

You can configure ESX to use VLan 4095 which passes all traffic . . or 4096 which will manage all Vlans and keep the VLan info intact . . though I am not sure if this includes PVlan info.

Hello,

Thanks for your replies.

In fact, I need PVLANs to prevent VMs, in the same VLAN, from communicating between each others. I can't change the hardware configuration and I must find a solution for that.

I have a Firewall that's situated outside the CISCO Switch (See Schema). Can I set rules on this Firewall to prevent VMs from communicating? I think the traffic between VMs go through the vDS and doesnt' reach the Firewall !

Locally, VMs on the same VLan will be in the same subnet - isolating traffic on the subnet would require PVlans.

A firewall would require routing . .therefore all traffic would need to go to default gateways . . .so across subnets.

Is there a reason that you can't seperate them onto different VLans? (New Ip range and a port group required . . no extra hardware) - You could isolate Subnets on VMware and use a firewall appliance . . so manageall traffic?

The alternative is local application firewalls on your VMs?

If you want PVLANs on a vSwitch you are going to have to migrate to either the VMware DVS or the Cisco Nexus 1000V. I understand what you are trying to do. It's just not possible with the current vSwitch.

Take a look both the VMware DVS and the Cisco N1KV. They will both do what you want. Unfortunately they both require ESX 4.0 and the Enterprise + license.

louis

bulletproof fool has addressed the problem with the physical Blade switch not supporting PVLAN. condor01 did indicated in his original post that he is using the distributed virtual switch as required, so the vSwitch is not the problem, the Blade switch is.

Yes I confirm that.

My problem is with the Blade Switch. I want to know if a simple Trunk between the blade switch and the 2 other switch will resolve the problem. So that I can access the Isolated PVLAN from the CISCO switch.

Can a trunk port carry the traffic including the PVLANs frames?