I came across this just this week while working on a virtual desktop deployment. One of the requirements is to disallow virtual desktops in the same subnet from talking to each other. The most efficient way to do this was to make use of Private VLANs and put the desktops in an Isolated PVLAN. It was relatively easy to configure this on the distributed switch in vCenter Server. Please check out this KB article (1010703) if you need some guidance.
Just to help illustrate in this post, the Primary Promiscuous PVLAN was defined to be 100, and the Secondary Isolated PVLAN, 101.
Now, just making the configuration on the Distributed vSwitch is not enough. We have to make sure that the physical network is also PVLAN aware, and knows the relationship between 100 and 101. Why, you may ask? Simply because anything in PVLAN 101 must be able to talk to anything in PVLAN 100 across all the hosts. The physical switches must be able to move these packets between hosts to make this happen. Additionally, the physical switches must honour the Isolation requirement for PVLAN 101, so that two desktops in PVLAN 101 on different hosts still cannot reach each other. So it is logical that there must be some configuration needed on the physical switches.
It was probably the first time the Network engineer had worked on PVLANs, and I had to give him the above explanation to convince him that there was something he needed to do on the physical side.
The environment had a pair of Extreme Networks switches. I have had no prior experience with these and found two pieces of information to work with the Network Engineer.
- VMware KB Article (2077275) for Extreme Networks
- Extreme Networks Documentation for Layer 2 networking
We studied the materials and did some testing, and finally got the minimal settings needed to get things working.
The KB article had steps which we discovered to be unnecessary. Below is an example of what was applied for PVLAN to be fully operational.
```
create vlan VDIPri
configure vlan VDIPri add port XXXX
' where XXXX are the ports connected to the ESXi hosts
configure vlan VDIPri tag 100
create vlan VDIDesktops
configure vlan VDIDesktops add port XXXX
configure vlan VDIDesktops tag 101
' at this point the VLANs have simply been created, tagged and associated with the relevant ports
create private-vlan VDIPrivate
configure private-vlan "VDIPrivate" add network "VDIPri"
configure private-vlan "VDIPrivate" add subscriber "VDIDesktops"
```
That’s all. In the KB article and documentation, there were additional commands for “translation” which we learnt were not needed in our case.
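To show why the physical side matters, here is an added Python example (not part of the original post or of any vendor tooling) that parses the ExtremeXOS commands above, checks that the switch's network/subscriber mapping agrees with the 100/101 definition on the Distributed vSwitch, and models which VLAN pairs an isolated PVLAN allows to talk. The port range 1:1-1:4 stands in for the XXXX placeholder and is an assumption.

```python
import re

# Constructed sample: the ExtremeXOS commands from the post, with the
# port placeholder XXXX replaced by an assumed port range 1:1-1:4.
SWITCH_CONFIG = """
create vlan VDIPri
configure vlan VDIPri add port 1:1-1:4
configure vlan VDIPri tag 100
create vlan VDIDesktops
configure vlan VDIDesktops add port 1:1-1:4
configure vlan VDIDesktops tag 101
create private-vlan VDIPrivate
configure private-vlan "VDIPrivate" add network "VDIPri"
configure private-vlan "VDIPrivate" add subscriber "VDIDesktops"
"""

# What was defined on the Distributed vSwitch (from the post):
# 100 = Primary Promiscuous, 101 = Secondary Isolated.
VDS_PVLAN = {100: "promiscuous", 101: "isolated"}


def parse_extreme_config(text):
    """Build {vlan_name: {"tag": int, "role": str}} from ExtremeXOS lines."""
    tags, roles = {}, {}
    for line in text.strip().splitlines():
        m = re.match(r'configure vlan (\S+) tag (\d+)$', line)
        if m:
            tags[m.group(1)] = int(m.group(2))
        m = re.match(r'configure private-vlan "[^"]+" add (network|subscriber) "([^"]+)"$', line)
        if m:
            roles[m.group(2)] = m.group(1)
    return {name: {"tag": tag, "role": roles.get(name)} for name, tag in tags.items()}


def physical_matches_vds(switch_vlans, vds_pvlan):
    """True when every vDS PVLAN id has a switch VLAN with the matching role.

    On ExtremeXOS the primary is the 'network' VLAN and an isolated
    secondary is a plain 'subscriber' VLAN.
    """
    role_map = {"promiscuous": "network", "isolated": "subscriber"}
    by_tag = {v["tag"]: v["role"] for v in switch_vlans.values()}
    return all(by_tag.get(tag) == role_map[role] for tag, role in vds_pvlan.items())


def can_talk(src_tag, dst_tag, vds_pvlan):
    """Isolated PVLAN forwarding rule: isolated members reach only the primary."""
    if vds_pvlan[src_tag] == "promiscuous" or vds_pvlan[dst_tag] == "promiscuous":
        return True
    return False  # isolated <-> isolated is blocked, even across hosts
```

If the switch were missing the private-vlan lines, physical_matches_vds() would return False, which is exactly the situation where traffic between hosts breaks or the isolation is silently lost.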