VLAN tagging without PortGroups?


  • 1.  VLAN tagging without PortGroups?

    Posted Feb 01, 2011 06:24 PM

    Is it possible to VLAN tag a vSwitch port without using a PortGroup using PowerCLI?  Similar to how you'd tag a port on a physical switch.



  • 2.  RE: VLAN tagging without PortGroups?

    Posted Feb 01, 2011 06:33 PM

    No, you need a port group, VMkernel port or service console port to assign a VLAN tag.

    If you find this or any other answer useful please consider awarding points



  • 3.  RE: VLAN tagging without PortGroups?

    Posted Feb 01, 2011 06:43 PM

    VM guests only interact with the vSwitch at the PortGroup level, right?  Which means I'm stuck with PortGroups.



  • 4.  RE: VLAN tagging without PortGroups?

    Posted Feb 01, 2011 07:09 PM

    Correct, the vNic is assigned to the vSwitch via the portgroup. 



  • 5.  RE: VLAN tagging without PortGroups?

    Broadcom Employee
    Posted Feb 01, 2011 07:13 PM

    What's the problem with using portgroups?



  • 6.  RE: VLAN tagging without PortGroups?

    Posted Feb 01, 2011 07:24 PM

    I work for a web host.  Each client gets at least one VLAN, sometimes more, and our VLAN count is expected to hit the thousands for our ESXi cluster.

    Creating a PortGroup for each VLAN is a lot of extra management overhead we would like to avoid by using the traditional switch approach of tagging a single port with a VLAN ID.  I suppose once I drill down into PortGroups it may be the same amount in the end, it's just not the way our network admin would like it to work.

    We can do the tagging manually via the vSphere Center so I'm sure there's a way via the SDK/API.  Just not with PowerCLI, it would seem.



  • 7.  RE: VLAN tagging without PortGroups?

    Broadcom Employee
    Posted Feb 01, 2011 09:11 PM

    How do you mean no PowerCLI?

    Creating a portgroup is easy as 123:

    Get-VirtualSwitch -VMHost "myESX" -Name "vSwitch0" | New-VirtualPortGroup -Name VM220 -VLanId 220

    Connect your VM to this portgroup using:

    Get-VM "myVM" | Get-NetworkAdapter | Where {$_.Name -eq "Network adapter 1"} | Set-NetworkAdapter -NetworkName VM220 -Confirm:$false



  • 8.  RE: VLAN tagging without PortGroups?

    Posted Feb 01, 2011 09:17 PM

    The point is that we don't want to create separate PortGroups and tag the VLANs at that level. We'd like to tag the individual dvPorts themselves (done in the GUI via an override). That doesn't seem to be possible via PowerCLI. I'm wondering if, because it's not possible in PowerCLI, we're missing some other reason that we shouldn't be tagging the ports themselves and using PortGroups ...

    Again, in this environment, we could create just 1 PortGroup with 128 ports for instance, and each port could potentially be a different VLAN (much like you'd do for a physical switch). If we used PortGroups, that's 128 PortGroups to manage instead of just 1.



  • 9.  RE: VLAN tagging without PortGroups?

    Posted Feb 01, 2011 09:32 PM

    Did you consider using Private VLANs on distributed Switches?

    That would solve the portgroup per VLAN problem, on the other hand it does require Enterprise Plus licenses.

    Have a look at my dvSwitch scripting – Part 6 – Private VLAN post to see how this can be done with PowerCLI.



  • 10.  RE: VLAN tagging without PortGroups?

    Posted Feb 01, 2011 09:37 PM

    We have looked at private vlans, but there are a few drawbacks since we have hybrid environments. We'd prefer to simply tag the individual ports themselves.



  • 11.  RE: VLAN tagging without PortGroups?
    Best Answer

    Broadcom Employee
    Posted Feb 02, 2011 04:30 PM

    OK, you're using dvSwitches!

    I now understand what you want to achieve, although using portgroups has more benefits than the VLAN ID only.

    Of course this can be accomplished using PowerCLI too.

    Try something like this:

    $dvSwitchName = "dvSwitch0"
    $dvPortId = "100"
    $VLAN = 220
    
    $portSpec = New-Object VMware.Vim.DVPortConfigSpec
    $portSpec.operation = "edit"
    $portSpec.key = $dvPortId
    $portSpec.setting = New-Object VMware.Vim.VMwareDVSPortSetting
    $portSpec.setting.vlan = New-Object VMware.Vim.VmwareDistributedVirtualSwitchVlanIdSpec
    $portSpec.setting.vlan.inherited = $false
    $portSpec.setting.vlan.vlanId = $VLAN
    
    $dvSwitch = Get-View -ViewType 'VmwareDistributedVirtualSwitch' -Filter @{'Name'=$dvSwitchName}
    $dvSwitch.ReconfigureDVPort_Task($portSpec)
    


  • 12.  RE: VLAN tagging without PortGroups?

    Posted Feb 02, 2011 04:42 PM

    Yes - dvSwitches in play here. Probably an important piece of info we should have shared.

    Arnim v Lieshout wrote:

    I now understand what you want to achieve, although using portgroups has more benefits than the VLAN ID only.

    Can you elaborate? We want to be sure we're not missing something, but as far as I can tell, for our network model, this should work well. I suppose we lose the ability to set traffic shaping, security, and fail-over policies on a per-VLAN basis, but I don't think we necessarily need that.

    One last PowerCLI related question. That code assumes you have a dvPort number - is it possible to get that port number from an existing network adapter? I.e. something in the Get-NetworkAdapter namespace? In order to set the VLAN appropriately, we need to know which port the VM's connected to.



  • 13.  RE: VLAN tagging without PortGroups?

    Posted Feb 02, 2011 04:55 PM

    owjeff wrote:

    One last PowerCLI related question. That code assumes you have a dvPort number - is it possible to get that port number from an existing network adapter? I.e. something in the Get-NetworkAdapter namespace? In order to set the VLAN appropriately, we need to know which port the VM's connected to.

    $VmNic = Get-NetworkAdapter -VM $VmName
    $VmPort = $VmNic.ExtensionData.Backing.Port.PortKey

    $VmvPG = Get-VirtualPortGroup -vm $VmName


    @avlieshout

    We have a few large vPortGroups on the dvSwitch.  I can get the correct vPG and port number, but how do I tell the dvSwitch which vPG to change the port on?

    Kind of off topic, but what do you use for the PowerShell syntax highlighting? I didn't see a built-in PS option.



  • 14.  RE: VLAN tagging without PortGroups?

    Posted Feb 02, 2011 06:54 PM

    Never mind, I'm a dunce.  Too much time in code and not enough in the UI.

    Here's the final code:

    $VmName = "TEST"
    $dvSwitchName = "dvSwitch01"
    $VLAN = 220

    $VmNic = Get-NetworkAdapter -VM $VmName
    $dvPortId = $VmNic.ExtensionData.Backing.port.PortKey

    $portSpec = New-Object VMware.Vim.DVPortConfigSpec
    $portSpec.operation = "edit"
    $portSpec.key = $dvPortId
    $portSpec.setting = New-Object VMware.Vim.VMwareDVSPortSetting
    $portSpec.setting.vlan = New-Object VMware.Vim.VmwareDistributedVirtualSwitchVlanIdSpec
    $portSpec.setting.vlan.inherited = $false
    $portSpec.setting.vlan.vlanId = $VLAN

    $dvSwitch = Get-View -ViewType 'VmwareDistributedVirtualSwitch' -Filter @{'Name'= "$dvSwitchName"}
    $dvSwitch.ReconfigureDVPort_Task($portSpec)

    Full points to avlieshout :)
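
With per-port overrides, the VLAN that isolates each tenant is set port by port, so a single wrong tag can put a VM on another client's network. The following is an added example, not code from the thread: it compares each dvPort's VLAN setting against an intended port-to-VLAN map. The function name, the map and the sample ports are constructed; the objects mirror the shape of the vSphere API's DistributedVirtualPort, which `FetchDVPorts` returns on a live system.

```powershell
# Added example, not from the thread. Function names, $expected and the sample
# ports are constructed for illustration.
function Get-DvPortVlanFinding {
    param(
        [Parameter(Mandatory)] [object[]]  $Ports,    # DistributedVirtualPort-shaped objects
        [Parameter(Mandatory)] [hashtable] $Expected  # port key (string) -> intended VLAN ID
    )
    foreach ($p in $Ports) {
        $vlan = $p.Config.Setting.Vlan
        $want = $Expected[$p.Key]
        $finding = if ($vlan.Inherited) {
            # Port still uses the port group's VLAN; a problem only if a tag was intended.
            if ($null -ne $want) { 'MissingOverride' }
        } elseif ($vlan.VlanId -isnot [int]) { 'NotSingleVlan'      # trunk or PVLAN spec
        } elseif ($null -eq $want)           { 'UnexpectedOverride' # tag nobody asked for
        } elseif ($vlan.VlanId -ne $want)    { 'WrongVlan' }        # tenant isolation at risk
        if ($finding) {
            [pscustomobject]@{
                PortKey = $p.Key; PortgroupKey = $p.PortgroupKey
                VlanId  = $vlan.VlanId; Expected = $want; Finding = $finding
            }
        }
    }
}

# Constructed stand-in for one dvPort (same property path the thread's code sets).
function New-SamplePort([string]$Key, [bool]$Inherited, $VlanId) {
    [pscustomobject]@{
        Key = $Key; PortgroupKey = 'dvportgroup-EXAMPLE'
        Config = [pscustomobject]@{ Setting = [pscustomobject]@{
            Vlan = [pscustomobject]@{ Inherited = $Inherited; VlanId = $VlanId } } }
    }
}

$expected = @{ '100' = 220; '101' = 221; '102' = 222 }   # constructed intent map
$ports = @(
    (New-SamplePort '100' $false 220),   # correct override
    (New-SamplePort '101' $false 220),   # tagged with another tenant's VLAN
    (New-SamplePort '102' $true  0),     # override missing, inherits from port group
    (New-SamplePort '103' $false 300)    # override with no entry in the map
)
# Live source instead of $ports (after Connect-VIServer):
#   $dvSwitch = Get-View -ViewType 'VmwareDistributedVirtualSwitch' -Filter @{'Name'='dvSwitch01'}
#   $ports = $dvSwitch.FetchDVPorts((New-Object VMware.Vim.DistributedVirtualSwitchPortCriteria))
Get-DvPortVlanFinding -Ports $ports -Expected $expected | Format-Table -AutoSize
```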



  • 15.  RE: VLAN tagging without PortGroups?

    Broadcom Employee
    Posted Feb 04, 2011 10:10 AM

    Glad to hear that everything worked out fine.

    For the highlighted code I use PowerGUI's "Copy as HTML" option.

    On the forum use the HTML editor and paste the code from PowerGUI.



  • 16.  RE: VLAN tagging without PortGroups?

    Posted Feb 04, 2011 10:31 AM

    Fyi, I documented this, and other procedures to copy code in a post, in Some ways to enter PowerCLI code under the new forum SW some time ago.



  • 17.  RE: VLAN tagging without PortGroups?

    Posted Feb 04, 2011 02:19 PM

    Thanks again to both of you.  While I am not new to PowerShell I am very new to PowerCLI and scripting against the ESXi environment.  I installed PowerCLI for the first time last week so I am still getting my bearings in the VMware PowerCLI community.

    So far the response has been phenomenal, and I really do appreciate the help on this thread. I just need to figure out how to monitor running tasks better and I'll be golden for now :)



  • 18.  RE: VLAN tagging without PortGroups?

    Posted Feb 01, 2011 07:29 PM

    Is there a drawback (other than no PowerCLI) to tagging individual dvPorts with VLANs instead of PortGroups from a best practices standpoint?