VMware vSphere

  • 1.  Setting up PVLANs

    Posted Dec 11, 2009 02:20 AM

    I have been trying to set up PVLANs on a vDS, and in doing so I've followed the ESX admin guide. I set up a Primary PVLAN (VLAN ID 1), and a secondary community PVLAN (ID 11). I then associated a Port Group to the (1,11) PVLAN entry. The test VM on this port group is not reachable. It is reachable if I set the PVLAN type on the PG to "None", so it seems to me the dVS is working properly.

    On the physical side, the dvUplinks connect to a Cisco C3750 switch. I would like to know what, if anything, needs to be set up on the physical switch to get the traffic through the PVLAN. The C3750 is PVLAN-capable; do PVLAN IDs need to be set on the physical switch as well?



  • 2.  RE: Setting up PVLANs
    Best Answer

    Posted Jan 01, 2010 08:23 PM

    You will need to create the primary private vlan and community private vlan on the switch. Assign address space to your primary pvlan. Associate your community private vlan with your primary pvlan. Then map your community pvlan to the primary pvlan. Trunk your ESX servers' physical switch ports and add your community pvlan.

    Example...Hope this helps.

    VLAN 1 is the PVLAN primary

    VLAN 11 is the PVLAN community

    Pick a subnet for the PVLAN

    1. Switch setup#

    vlan 11
     name My_Cluster_PVLAN_Community
     private-vlan community
    vlan 1
     name My_Cluster_PVLAN_Primary
     private-vlan primary
     private-vlan association 11
    interface Vlan1
     description My_Cluster_PVLAN_Primary
     ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
     no ip redirects
     private-vlan mapping 11
     standby 48 ip xxx.xxx.xxx.xxx
     standby 48 priority 99
     standby 48 preempt
    end

    1. ESX switch ports #

    interface GigabitEthernet1/2
     description ESX_VM_Trunk
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 1
     switchport trunk allowed vlan 11
     switchport mode trunk
     no ip address
     speed 1000
     duplex full
     spanning-tree portfast trunk
     spanning-tree bpduguard enable
    end



  • 3.  RE: Setting up PVLANs

    Posted Jan 11, 2010 08:31 AM

    My switches are Cisco 6509s, configured in accordance with your configuration, but it still does not work. What is it you see?

    1.Switch setup#

    vlan 602
     name My_Cluster_PVLAN_Community
     private-vlan community
    vlan 601
     name My_Cluster_PVLAN_Primary
     private-vlan primary
     private-vlan association 602
    interface Vlan601
     description My_Cluster_PVLAN_Primary
     ip address 172.16.6.254 255.255.255.0
     no ip redirects
     private-vlan mapping 602
    end

    1.ESX switch ports #

    interface fa3/17
     description ESX_VM_Trunk
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 601
     switchport trunk allowed vlan 602
     switchport mode trunk
     no ip address
    end



  • 4.  RE: Setting up PVLANs

    Posted Jan 11, 2010 10:08 AM

    We are also working with 6509s... Don't forget to set your Speed/Duplex and enable spanning-tree trunk portfast. How are your VMware dv portgroups set up? I would create 3 dv portgroups for testing: promiscuous dv portgroup (601/601), community dv portgroup (601/602), isolated portgroup (601/xxx) (if you set up an isolated PVLAN). Place one of your VMs in the promiscuous dv portgroup just to make sure it is getting out to the switch, then move on to the community dv portgroup. In our environment we set the native vlan on the ESX VM trunk ports to the vlan of our ESX service console vlan, then we trunk the VM vlans on the ports. FYI... There is a known issue with 6509s and PVLANs. The issue is related to sticky arp: even though you may have sticky arp disabled on the switch, a VM's MAC/IP may stick in the switch arp table. A workaround that worked for us: create a static arp entry to overwrite the sticky one and then remove the static arp entry.



  • 5.  RE: Setting up PVLANs

    Posted Jan 12, 2010 01:34 AM

    The first step:

    1. Launch the vSphere Client, and connect to a vCenter Server instance.

    2. On the vSphere Client home screen, select the Networking option under Inventory. Alternately, from the View menu, select Inventory > Networking, or press the Ctrl+Shift+N hotkey.

    3. Select an existing dvSwitch in the Inventory pane on the left, select the Summary tab in the pane on the right, and click the Edit Settings option in the Commands section.

    4. Select the Private VLAN tab.

    5. Add a primary VLAN ID to the list on the left. 601

    6. For each primary VLAN ID in the list on the left, add one or more secondary VLANs to the list on the right. 601 602

    The second step:

    After the PVLAN IDs have been entered for a dvSwitch, create a dvPort group that takes advantage of the PVLAN configuration.

    private vlan

    promiscuous(601,601)

    The third step:

    The virtual machine NIC port option should be set to the dvPort group already created in Step 2.

    The fourth step:

    vlan 602
     name My_Cluster_PVLAN_Community
     private-vlan community
    end
    vlan 601
     name My_Cluster_PVLAN_Primary
     private-vlan primary
     private-vlan association 602
    end
    interface Vlan601
     description My_Cluster_PVLAN_Primary
     ip address 172.16.6.254 255.255.255.0
     no ip redirects
     private-vlan mapping 602
    end
    interface FastEthernet3/17
     description ESX_VM_Trunk
     no ip address
     duplex full
     speed 100
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 601
     switchport trunk allowed vlan 602
     switchport mode trunk
     spanning-tree portfast trunk
     spanning-tree bpduguard enable
    end

    Where did I make a mistake?



  • 6.  RE: Setting up PVLANs

    Posted Jan 12, 2010 03:18 AM

    I forgot we don’t normally tag a vlan on a portgroup if that’s the native vlan on the switch port. To test try updating the native vlan on the VM trunk port to something else besides the pvlan....

    interface FastEthernet3/17
     description ESX_VM_Trunk
     no ip address
     duplex full
     speed 100
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 1 << I just picked 1
     switchport trunk allowed vlan 601,602
     switchport mode trunk
     spanning-tree portfast trunk
     spanning-tree bpduguard enable
    end
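
A check that encodes the difference between the non-working trunk config posted earlier and the changed one in the reply above, as an added example that is not part of the original posts: it flags trunk ports whose native VLAN is a PVLAN member or whose allowed list carries only part of a primary/secondary pair. The parser covers only the IOS lines shown in this thread, and the function names are hypothetical.

```python
import re

def expand(spec):
    """Expand an IOS VLAN list such as '601,602' or '10-12' into a set of ints."""
    ranges = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def parse(text):
    """Parse the IOS subset used in this thread; defaults: native VLAN 1, all VLANs allowed (None)."""
    pvlans, ports, vlan, port = {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, port = int(m[1]), None
        elif m := re.fullmatch(r"interface (\S+)", line):
            vlan, port = None, ports.setdefault(m[1], {"trunk": False, "native": 1, "allowed": None})
        elif vlan is not None and (m := re.fullmatch(r"private-vlan association ([\d,-]+)", line)):
            pvlans.setdefault(vlan, set()).update(expand(m[1]))
        elif port is not None and line == "switchport mode trunk":
            port["trunk"] = True
        elif port is not None and (m := re.fullmatch(r"switchport trunk native vlan (\d+)", line)):
            port["native"] = int(m[1])
        elif port is not None and (m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line)):
            port["allowed"] = expand(m[1])
    return pvlans, {n: p for n, p in ports.items() if p["trunk"]}

def check(text):
    """Return (interface, problem) findings for every trunk port in the config."""
    pvlans, trunks = parse(text)
    findings = []
    for name, p in trunks.items():
        for primary, secondaries in pvlans.items():
            members = {primary} | secondaries
            if p["native"] in members:
                findings.append((name, f"native vlan {p['native']} is a PVLAN member (sent untagged)"))
            missing = set() if p["allowed"] is None else members - p["allowed"]
            if missing and missing != members:  # trunk carries only part of the pair
                findings.append((name, f"allowed list lacks PVLAN vlan(s) {sorted(missing)}"))
    return findings

# Sample configs reduced from the ones posted in this thread.
VLANS = "vlan 602\n private-vlan community\nvlan 601\n private-vlan primary\n private-vlan association 602\n"
TRUNK = "interface FastEthernet3/17\n switchport trunk native vlan {n}\n switchport trunk allowed vlan {a}\n switchport mode trunk\n"
BROKEN = VLANS + TRUNK.format(n=601, a="602")      # trunk as posted before the change
FIXED = VLANS + TRUNK.format(n=1, a="601,602")     # trunk as posted after the change

if __name__ == "__main__":
    print("before:", check(BROKEN), "\nafter:", check(FIXED))
```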



  • 7.  RE: Setting up PVLANs

    Posted Jan 12, 2010 05:28 AM

    It works. Thank you very much.



  • 8.  RE: Setting up PVLANs

    Posted Jan 12, 2010 01:58 PM

    Good... Don't forget what I said about sticky arp when changing a pvlan VM's IP or swapping out a pvlan VM entirely. When we had the issue we spent about 8 hours or so troubleshooting and opened cases with VMware and Cisco.

    Talked to Cisco about the sticky arp issue... With Release 12.2(18)SXF and later releases, you can configure sticky ARP on a per-interface basis. There are now two options to correct this issue: 1) manually modify the arp table when there is an HA event... Router(config)# no arp 10.10.10.10 ...or... disable sticky arp on a per-interface basis... Router(config-if)# ip sticky-arp ignore ...in whichever vlan you are using.

    If this information helped please award points.

    -C



  • 9.  RE: Setting up PVLANs

    Posted Jan 11, 2010 08:34 AM

    Other steps I have made reference to the