
Private VLAN ESXi (vCenter 6.7) CCR2004-1G-2XS-PCIe

Posted: Mon Oct 09, 2023 3:13 pm
by em2397a
Hello, I have the following configuration: an ESXi 6.7 server running vCenter 6.7, connected directly to the CCR2004-1G-2XS-PCIe router via SFP ports (trunk). Private VLAN is configured on the server (screenshots of the settings are in the attachment), and the virtual machines are added to this port group (Isolated 100, 1001). Task: block all connections between the virtual machines, but allow connections to the gateway (the VLAN 100 interface on the router). A Google search only offers instructions on how to configure Private VLAN on switches. Is it possible to set up such a scheme?

Re: Private VLAN ESXi (vCenter 6.7) CCR2004-1G-2XS-PCIe

Posted: Mon Oct 09, 2023 3:19 pm
by mkx
This is rather a question for DSwitch ... traffic within the same VLAN between those VMs will not even reach the CRS. And if it does, it won't go back. Routing between the two VLANs is a different topic though.

Re: Private VLAN ESXi (vCenter 6.7) CCR2004-1G-2XS-PCIe

Posted: Mon Oct 09, 2023 4:14 pm
by em2397a
Thank you for your answer. I found the information on the VMware website: "For this reason, it is a requirement that each physical switch, where ESX with PVLANs are connected, must be PVLAN aware.", but in my case the router does not have a switch chip; is it possible to configure this?

https://kb.vmware.com/s/article/1010691

Re: Private VLAN ESXi (vCenter 6.7) CCR2004-1G-2XS-PCIe

Posted: Mon Oct 09, 2023 11:23 pm
by mkx
Every ROS device is capable of VLANs. Either use a bridge with vlan-filtering enabled (read this tutorial to get inspiration) or, if your CRS is a pure router, configure VLAN interfaces directly off the physical ports. Which option is the right one depends on the topology of the rest of the network.

Re: Private VLAN ESXi (vCenter 6.7) CCR2004-1G-2XS-PCIe

Posted: Tue Oct 10, 2023 8:22 am
by em2397a
Perhaps we misunderstand each other. I have classic VLANs configured and working, but I need to configure a Private VLAN (where one VLAN contains several others, but they are all located on the same IP network).
I found information only about switches: https://wiki.mikrotik.com/wiki/Manual:S ... ivate_VLAN

Re: Private VLAN ESXi (vCenter 6.7) CCR2004-1G-2XS-PCIe

Posted: Tue Oct 10, 2023 8:46 am
by mkx
Again: since all VMs are behind a single CRS port, it's not something to be done on the CRS ... it's the ESXi DSwitch that has to perform it.
If there were multiple ESXi hosts connected to the same CRS (via multiple physical ports, members of the same bridge), then you would have to set the horizon property on the affected bridge ports to separate the different ESXi machines.
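The multi-host arrangement mkx describes above (two ESXi hosts on separate router ports, kept apart at layer 2 by bridge horizon, with the VLAN 100 gateway living on the router) as an added RouterOS CLI example that is not from the thread. The port names sfp28-1/sfp28-2 and the gateway address 10.100.0.1/24 are assumptions; isolation between VMs on the same host is still the DSwitch PVLAN's job, as the post says.

```routeros
# Added example, not from the thread. Assumes two ESXi hosts uplinked to
# sfp28-1 and sfp28-2 (port names assumed for the CCR2004-1G-2XS-PCIe)
# and an assumed gateway address of 10.100.0.1/24 on VLAN 100.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# horizon=1 on both uplinks: a frame received on one of these ports is never
# forwarded out the other, so VMs on host A cannot reach VMs on host B at
# layer 2. Frames destined for the router's own VLAN interface still pass,
# because the bridge itself is not in horizon group 1.
add bridge=bridge1 interface=sfp28-1 horizon=1
add bridge=bridge1 interface=sfp28-2 horizon=1

/interface bridge vlan
# VLAN 100 is tagged on both ESXi trunks and on the bridge CPU port.
add bridge=bridge1 tagged=bridge1,sfp28-1,sfp28-2 vlan-ids=100

/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100

/ip address
# This is the gateway the VMs are allowed to reach (assumed address).
add address=10.100.0.1/24 interface=vlan100

# Turn filtering on only after the VLAN table is complete, so no port is
# cut off while the configuration is still being entered.
/interface bridge set bridge1 vlan-filtering=yes
```

Verify with `/interface bridge host print` that MAC addresses learned on sfp28-1 and sfp28-2 appear, then confirm from a VM on host A that the gateway answers while a VM on host B does not.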