Join Log in
Score:1
kreso avatar Server

VLANs with ESXi over physical switch

mx flag
kreso

I'm trying to setup a VLAN across my ESXi network and my physical switch network, but fail to get the VMs on the ESXi port group communicate with physical network. Specifically, my VM doesn't see responses from physical network.

The setup:

  • VLAN 112 on the ESXi port group
  • VLAN 112 on the switch attached to a firewall interface in the same VLAN
  • Firewall also works as a DHCP server for that VLAN/subnet

I'm failing to get IP address on ESXi VM in VLAN112 via DHCP.

From what I see:

  • VM repeats DHCP Discover packets
  • Firewall sees DHCP requests and responds with DHCP Offer (confirmed via PCAP)
  • Packet capture on ESXi vmnic1 confirms that these offers arrive on physical NIC of ESXi. Transaction IDs match, so I'm seeing correct traffic.

What am I missing here?

EDIT: What I might be missing is that ESXi is a guest VM (nested) on a Windows machine with VMware Workstation. But the interface is bridged.

EDIT2: Adding second picture to show switch config. Port5 - connected to the firewall Port12 - test raspberry pi on tagged VLAN112 - gets dhcp address from the firewall interface Port 23 - host machine with esxi

Below Ubiquiti port schematic is the firewall interfaces config showing tagged eth3 interface with VLAN tag 112 (Check Point firewall)

enter image description here

enter image description here

50
1 + 4
vidarlo avatar
ar flag
vidarlo
It's set to tagged on the switch?
0
Reply
kreso avatar
mx flag
kreso
it is, otherwise I wouldn't see DHCP offer from a VLAN interface on a firewall. if i plug a raspberry pi instead of ESXi host to a switch port, it gets an IP inside that VLAN 112 subnet.
0
Reply
vidarlo avatar
ar flag
vidarlo
Is it set to tagged? *Show us*. The fact that an rpi gets IP in the correct VLAN would suggest it's *not* set to tagged.
0
Reply
kreso avatar
mx flag
kreso
correction - rpi gets ip on a tagged interface, but port towards firewall and port towards esxi machine is trunk.
0
Reply
Score:1
Zac67 avatar Server
ru flag
Zac67

VLAN 112 on the switch attached to a firewall interface in the same VLAN

Make sure VLAN 112 is tagged towards the ESXi and allowed on all required ports.

If in doubt, check whether the switch has associated the VM's MAC address with both the ESXi port and the desired VLAN.

Whether you tag VLAN 112 towards the firewall depends on the firewall's port configuration. Again, check the switch's MAC table to be sure.

If DHCP fails, temporarily try a static configuration. If that works, your DHCP service is off or there's a filter in between (DHCP snooping?).

If the static configuration doesn't work either but MAC/port/VLAN associations look fine, ping the firewall and look for its MAC in the ARP table. If ARP works there's an IP filter in between.

if i plug a raspberry pi instead of ESXi host to a switch port, it gets an IP inside that VLAN 112 subnet.

That looks like you're not tagging the VLAN towards the host. If you enter a VLAN ID on the vSwitch port group, that means tagged.

From comment:

esxi is a guest machine on a vmware workstation (windows pc) with a bridged network.

Ugh - OK... That changes everything.

With VMware workstation, VLAN tagging is likely not working at all - without the ESXi knowing that. So, outgoing frames don't get tagged but incoming, untagged frames are never forwarded into the original port group. Pretty much explains the effects you're seeing. Should also reflect on the switch's MAC table.

And there might be no way to get it working. Best bet with Windows is a vendor tool for your NIC, create virtual NICs and connect those to the ESXi individually - do not use VLAN ID/tagging on the ESXi then. Windows doesn't do tagging and you can't force it retroactively by running a virtual ESXi.

+ 3
kreso avatar
mx flag
kreso
doesn't work with static ip address. but i do see dhcp offers from the tagged firewall interface VLAN112 when capturing traffic on vmnic1. packets arrive to the esxi hosts, but are not forwarded to the VM?
0
Reply
kreso avatar
mx flag
kreso
i have added screenshots as well. also not sure if it's relevant, but esxi is a guest machine on a vmware workstation (windows pc) with a bridged network.
0
Reply
vidarlo avatar
ar flag
vidarlo
I would suggest using HyperV and not VMWare Workstation on Windows. HyperV actually integrates with the networking stack, and allows you to let VM's tag traffic.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.