Cisco Catalyst – Configure Ports for VMware ESXi NICs using VLANS

KB ID 0001065 

Problem

If you don’t need different virtual machines to be in different VLANS on your vSphere/ESXi servers then you probably just connect everything together and it all works fine. I was trying to carve off some hosts into their own VLAN today, and setup a new vSwitch.

or if you prefer to work in the fat client.

Now you can see (above), I’ve presented one physical NIC to this vSwitch (vmnic1). This is patched into a Cisco 3750 Catalyst switch. I configured this switch as an ‘access port’ in VLAN 200, I made sure VLAN 200 had an IP address (an SVI address on the switch). and hit a brick wall!

No entries in the switch MAC address table, no bytes being transmitted from the VM, nothing?

Solution

I was pondering on this during my drive home, and the thought struck me, “I’ve got a ‘port group’ in VLAN 200. I had made the port on the Cisco switch an ‘access port’, so I could never add another port group with another VLAN, that’s probably why it’s not working”.

Now if I was connecting two ‘real’ switches together and wanted to do this, I would need to create a ‘trunk’ port between the two switches, and ‘allow’ VLANs across the trunk, (or allow all VLANs).

Just because you are connecting to a VMware virtual switch the process is the same, even if you only have one port group and VLAN connecting to the vSwitch! You CANT configure trunking on the virtual switch (because it does not support DTP), so you need to do everything on the Cisco Catalyst Switch.

In the example below you will need to change the port and VLAN to match your own (highlighted in red).

[box]

interface FastEthernet1/0/2
description Connected to ESX vmnic1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk

[/box]

Here’s me carrying out the procedure on my 3750;

[box]

User Access Verification

Password:
Petes-3750>enable
Password:********
Petes-3750#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-3750(config)#interface fastEthernet 1/0/2
Petes-3750(config-if)# description Connected to ESX vmnic1
Petes-3750(config-if)# switchport trunk encapsulation dot1q
Petes-3750(config-if)# switchport trunk allowed vlan 200
Petes-3750(config-if)# switchport mode trunk
Petes-3750(config-if)# switchport nonegotiate
Petes-3750(config-if)# spanning-tree portfast trunk
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

Petes-3750(config-if)#exit
Petes-3750(config)#exit
Petes-3750#write mem
Building configuration...
[OK]
Petes-3750#

[/box]

ESX/Cisco ‘Switchport Mode Access’

So can you do this? Yes you can, as long as you DO NOT specify the VLAN number on the vSwitch ‘port group’.

To prove it here’s another switch, connected to vmnic2, it has NO VLAN ID, and it’s connected to port FastEthernet 1/0/5 on my switch. Here is the configuration for that, (again this assumes you have VLAN 201 created with an SVI);

[box]

Petes-3750#show run Interface FastEthernet 1/0/5
Building configuration...

Current configuration : 148 bytes
!
interface FastEthernet1/0/5
description Connected to ESX vmnic2
switchport access vlan 201
switchport mode access
spanning-tree portfast
end

Petes-3750#

[/box]

Related Articles, References, Credits, or External Links

NA