Steps to configure PVLANs in combination of Cisco, HP VC, and VMware dVS


This article explains the steps to configure Private VLANs in combination of Cisco uplink switches, HP Virtual connect Flexfabric (VC FF) and VMware distributed switch.
Just an overview of various PVLAN types as per VMware documentation is as follows.
PVLANs in VMware

Assumptions before staring the configuration:

1.       Network specialist has created PVLANs at the uplink switch level which includes Promiscuous, Isolated and community networks
2.       In this example, VLAN150 is promiscuous, 151 is isolated and 152 is community VLAN
3.    You have VMware  vSphere Enterprise Plus license to support vNetwork Distributed Switch/ PVLANs

Steps:

Before doing anything further in production/ working environment, take the backup of Virtual Connect (Flexfabric) as per this link

1         Confirm with Network specialist that he has configured PVLAN at Nexus/ uplink switch level with VLAN150 as promiscuous, 151 as isolated and 152 as community VLAN
2         Login to HP virtual connect module console and create Shared Uplink Set (SUS) with VLAN 150, 151, 152 and any other VLANs as per your requirement. Create two sets of SUS with the same VLANs if you are configuring active-active configuration at VC level and failover is defined at NIC level
If you have existing setup and would like to add VLANs to SUS, refer this article for steps
3         After creating or editing the SUS, create Server Profile and present VLAN 150, 151, 152 and any other VLANs to the blade network port as per your design. In my case, I have presented PVLANs to port #3 and #4 as multiple networks (With VLAN150, 151 and 152) as per following screenshots. 
PVLANs with HP VC for VMware ESXI

4         With this, you are done with presenting PVLANs at VC level. Then login to vCenter
5         Navigate to Home- Inventory- Networking in vCenter and define PVLANs
6         Right-click on dvSwitch and select Edit Settings
Dirstibuted Vswitch PVLAN config


7         In the next step, navigate to “Private VLAN” tab and Click on “Enter a private VLAN ID here” and enter Promiscuous / Primary VLAN ID i.e. VLAN 150 in the left pane

DvSwitch PVLANS configuration steps

8         And in the right pane, enter isolated and community VLAN IDs as per below screenshot. Then click OK


9         Then create a port group for each of the PVLAN type or one of them as per your requirement. Navigate to Home – Inventory - Networking and right-click on “dvswitch” to create a port group


10     Then type the name of the port group name, the number of ports and VLAN type.
11     As soon as you select VLAN type as “Private VLAN”, you will be able to see PVLANS you have configured on dVswitch at above steps. Select one of the PVLANs (Promiscuous or isolated or Community) as per your design and click next to proceed to the next step.


12     Then click Finish to complete the PVLAN port group creation at the Distributed vSwitch level.


13     If you need PVLAN port group of each PVLAN, you need to repeat steps 9-12, for each PVLAN i.e. VLAN 151( isolated) and 152 ( Community)
14     After creating PVLAN port groups, you should be able to see new port groups in the list of port groups under dVswitch.


15     Then in the next step, make sure that that right vNICs/ uplinks ports are selected in the respective port group- failover order. In our example, it’s dvuplink3 and 4

16     With this, you are finished configuring PVLANs at dvswitch level.
17     Then to utilise the PVLAN for VM, select  respective PVLAN port group for VM network as per the following screen

With this, you are finished configuring PVLANs at HP Virtual Connect and VMware dVswitch.

Couple of  things to note:
·         HP virtual connect is not aware of Cisco PVLANs, you just need to configure them as normal VLANs while creating Shared Uplink Sets or vNets.
·         Actual configuration of PVLANs is performed at dVswitch.

Please share on social media if you found this post helpful. If you have a comment or question, please post and add your voice to the conversation.

1 comment:

  1. This seems to work fine in an all VMware enclosure, but what about if you have a mix of VMware hosts, and a few blades running a full OS (such as RHEL) in the enclosure? Virtual Connect seems to hijack the isolated VLAN and still allow it between the other blade servers since VC knows nothing about the PVLAN configuration. This is our situation. I'm going to try to set up the SUS in tunnel mode and see if that works. According to the VC documentation, VC prevents hair-pinning, so this may not work as desired either. PVLANs are tricky when you are running a mix of VMware, Hyper-V, and non-hypervisor OSs all running in the same enclosure, and all of them need to respect the PVLAN isolation!

    ReplyDelete