In this article we’ll review the Netgear Vlan configuration settings we can use for Vlan tagging. The idea is to pair this setup with VMware Virtual Switch Tagging (VST) to help separate and isolate the different types of network traffic at Layer 2.
In my home lab I will have something like:
- 4 Physical VMware Hosts
- 1 Uplink for Management Traffic
- 1 Uplink for Provisioning Traffic (Hot and Cold)
- 1 Uplink for VM Traffic (Production, External and Nested VM)
- 1 Uplink iSCSI 01 Traffic (Primary connection)
- 1 Uplink iSCSI 02 Traffic (Secondary connection)
In total we have 5 Uplinks per VMware Host, where the first 3 will be associated with a virtual Distributed Switch for the Infrastructure and the remaining 2 with another virtual Distributed Switch dedicated to Storage.
So the picture below represents a small sample of the configuration:
In particular in this scenario we have the following for Host 01 on Switch 01:
- 1 Network for Management Traffic (Blue line)
- 1 Network for vMotion Traffic (Green Line)
- 1 Network for Provisioning Traffic (Green Line)
- 1 Network for VM External Traffic (Orange Line)
- 1 Network for VM Production Traffic (Orange Line)
- 1 Network for VM Nested Traffic (Orange Line)
- 1 Network for iSCSI Primary Traffic (Red Line)
- 1 Network for iSCSI Secondary Traffic (Purple Line)
On Switch 02 for Host 02 we have the same configuration with the following differences:
- Port 5 on the Switch 02 serves as iSCSI Secondary Traffic for Host 01
- Port 8 on the Switch 02 serves as Uplink to Switch 03 where Switch 03 has a similar configuration as Switch 01
Now Switch 03 mirrors the same configuration as Switch 01 and uplinks to Switch 04. The latter mirrors the configuration of Switch 02.
Another thing to mention and throw into the mix are the NAS devices which will be physically hosting the LUNs where the VMware Datastores are sitting. There are two of them (Production and Backup Storage) and both have two connections, for Active and Failover.
So on Switch 01 and Switch 02 respectively we’ll connect the Active (Black line) and Failover (Pink) connections for Production Storage (Synology DS916).
On Switch 03 and Switch 04 respectively we’ll connect the Active (Black line) and Failover (Pink) connections for Backup Storage (Synology DS416+).
To summarise all these connections I have prepared a picture which outlines the network physical topology of the home lab.
Now, considering we want to use Vlan tagging from the VMware vSphere virtual Switch (VST), we need to configure the ports on the Netgear switch to accept 802.1Q frames, which carry the Vlan tag in their Ethernet header. Otherwise such frames will be discarded, with obvious consequences for the entire vSphere and VM environment. This is one of the easiest and most popular configurations because the actual tagging is done at the VMware virtual Switch level, with no action to be performed on the VMs. Each VMware Port Group can then have the Vlan tag applied in Egress before the frame reaches the physical Network Switch.
As per the previous picture, each one of these Networks is associated with a “Vlan Tag” number. This is exactly the Vlan tag number we need to create and configure on the Netgear Switches. Vlan tags separate and isolate traffic at Layer 2. This means, for example, that Workstations on one Vlan cannot communicate with Servers sitting on a separate Vlan. In essence each Vlan is a logical segment of an existing physical LAN segment. Different Vlans share the same attributes of the physical LAN but simply cannot see each other, as unicast, multicast and broadcast frames are only forwarded to Ports on the Switch which share the very same Vlan tag. Another big advantage is the ability to carry traffic across different switches just by using “Trunk” Ports between the devices. That means a group of machines in a particular Vlan can communicate with another group of machines on the same Vlan even when connected to a different switch.
If routing between two Vlans is required it will happen on a Layer 3 device on the Network, such as a Router or a Layer 3 Switch.
There might also be situations where communication between hosts sitting on different Vlans is required. For such scenarios we can use Private Vlans. Private Vlans are a further segmentation of the “Primary Vlans” into Primary and Secondary Vlans. Yep, I know, it is starting to get confusing!
There are three possible configurations for Private Vlans:
Promiscuous Mode: A promiscuous port belongs to the Primary VLAN and can communicate with all ports, including the Community and Isolated ports that belong to the secondary VLANs associated with the primary VLAN.
Isolated Mode: An isolated port belongs to an Isolated Secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports.
Community Mode: A community port belongs to a Community Secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports.
Vlans provide segmentation and isolation at Layer 2. That means multiple Vlan tags can be used on the same network segment to achieve this purpose. While we can still use multiple Vlans, we also need to make sure such Vlans are configured with different subnets, as those operate at Layer 3. So typically Promiscuous mode is associated with router interfaces so that routing packets to different networks is possible. All other “network segments” can be configured in Community mode (there can be many per Primary Vlan) or Isolated mode (only one per Primary Vlan). So effectively Private Vlans give the option to use the same network and still achieve separation and isolation of network segments based on Vlan tag numbers.
Unfortunately it is not possible to configure Private Vlans on this particular model, the Netgear GS108Ev3, as to be fair this functionality is an advanced one that we only find on fully managed or enterprise-grade switches. Primary Vlans are still supported along with the full 802.1Q protocol. So in this case we still have to configure the Netgear Vlan to support VMware virtual switch tagging. If we want to enable communication from the “outside world” to the VMs behind the virtual Switch we need to put each one of these Port Groups on a different network and route between them using a router. In my case I will use a virtual router appliance running ClearOS. Each virtual machine allows up to 10 virtual network cards. This means that potentially we can configure our ClearOS router with up to 10 different virtual NICs. Not bad for a home lab!
Of course in real life we want to simplify the management of multiple networks and their routing. So in real life multiple Private Vlans are used to create Vlan segments on the same “physical LAN”, making the routing decisions a lot easier to implement. This also effectively reduces the number of cables and physical Ports on the physical Switches, and these tend to be expensive!
For this particular scenario we’ll configure Netgear Vlan using Primary Vlans only.
Configure Netgear Vlan for VMware Virtual Switch Tagging (VST)
Before proceeding with changing the configuration of the Netgear switch we might want to make sure all the switches we are going to use are running the latest firmware version. We can simply check this on the main page under System > Management > Switch Information.
Another important step I would recommend is to take a Backup of the current configuration before making configuration changes. In case of a wrong configuration we can restore the previous setup. Failing this we can always hard reset the switch, which might not be convenient if we are using a different IP addressing scheme. By default the Netgear switch uses the 192.168.0.x/24 network.
Let’s navigate to System > Management > Maintenance > Save Configuration.
From here we can click the “Save” button and a few seconds later we can simply download the Configuration Backup file directly from the browser.
Likewise if we intend to restore the Netgear Switch to a previous configuration all we have to do is just to import the Backup file from the System > Maintenance > Restore Configuration option.
At this point we are ready to start with Netgear Vlan setup. From the VLAN menu we can choose two main configurations: Port Based or based on 802.1Q protocol.
Each one of them has a Basic and Advanced mode. For our scenario since we have to specify Vlan tags let’s go for the 802.1Q.
Next is to navigate to Advanced > VLAN configuration. By default this one is disabled and effectively every Network Switch uses a “Management Vlan” generally with tag “1”.
Let’s click on “Enable” and “OK” to erase the current Vlan settings and create new ones.
In VLAN Configuration we can now see the default Management Vlan tag “1” set on all ports. What we need to do now is create the Primary Vlan tags as per the picture above.
Let’s enter the VLAN ID in the text box and hit “Add”.
Let’s do the same also for the other ones like 11, 12, 13, 14, 20, 30, 40.
Now that we have declared the Netgear Vlan tags we want to use let’s associate them to desired ports on the switch. We can do this from the VLAN Membership menu.
For each port we can assign the desired Vlan tags. By default all ports are set to Untagged. Basically it means the switch will strip the tag from the frames in Egress.
For operations in bulk we can also use the “Group Operation” menu to “Untag All”, “Tag All” and “Remove All”. The latter means that the particular port(s) will not participate in the Vlan at all.
Now, as per the picture above, let’s select the Vlan tag “10” and assign it to Port 1 on the Netgear Switch. This means that Port will either expect or apply the Vlan 10 tag on any frame in Ingress. The default policy of the Switch is to leave the frames as they are. Should these frames go to another Port (for example one configured in Trunk mode, where multiple Tags are assigned to a single Port) we need to use the same “T” for tagged, or “U” for untagged should the frames need to leave the switch untagged and reach a host that is not using, or does not understand, tags.
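To make the tagged/untagged behaviour concrete, here is a small added example (not from the article or from Netgear) that models a membership table like the one above as a Python dictionary, reads the VID out of an 802.1Q header, and applies the switch’s forwarding rule: a frame is delivered only to ports that are members of its Vlan, tagged on “T” ports and stripped on “U” ports, and discarded at ingress if the port is not a member of that Vlan. The membership table, the port roles and the assumption that a port’s single “U” Vlan acts as its PVID for untagged ingress are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

# Constructed membership table in the shape of the VLAN Membership page:
# port -> {vlan_id: "T" (tagged) | "U" (untagged)}. A VLAN that a port does not
# list is one the port does not participate in at all ("Remove All").
SWITCH_01 = {
    1: {10: "T"},                               # ESXi management uplink: vSphere (VST) tags VLAN 10
    2: {11: "T", 12: "T"},                      # ESXi provisioning/vMotion uplink, two tagged VLANs
    3: {10: "U"},                               # admin laptop: switch adds/strips the VLAN 10 tag
    4: {1: "U"},                                # left on the default management VLAN
    8: {1: "T", 10: "T", 11: "T", 12: "T"},     # trunk to the next switch
}

def vlan_of(frame):
    """Return the VID from the 802.1Q tag, or None if the frame is untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF                         # VID is the low 12 bits; PCP/DEI sit above

def strip_tag(frame):
    """Remove the 4-byte tag so the frame can leave a "U" port untagged."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame

def add_tag(frame, vid):
    """Insert an 802.1Q tag (PCP 0, DEI 0) so the frame can leave a "T" port."""
    if vlan_of(frame) is not None:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

def forward(switch, ingress_port, frame):
    """Model the layer-2 rule: the frame reaches only ports that are members of its
    VLAN, tagged or stripped according to each port's membership; a frame whose
    VLAN the ingress port is not a member of is discarded."""
    members = switch.get(ingress_port, {})
    vid = vlan_of(frame)
    if vid is None:   # untagged ingress: assume the port's single "U" VLAN acts as its PVID
        vid = next((v for v, mode in members.items() if mode == "U"), None)
    if vid is None or vid not in members:
        return {}
    out = {}
    for port, vlans in switch.items():
        if port != ingress_port and vid in vlans:
            out[port] = add_tag(frame, vid) if vlans[vid] == "T" else strip_tag(frame)
    return out
```

Feeding an untagged frame into Port 1 returns an empty result, which is exactly the symptom of a VST port group whose Vlan tag does not match the switch membership.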
If we repeat the same configuration based on the picture above for Switch 01 we should end up with something similar to this, where we can see the Netgear VLAN Membership per Port.
In this picture, the Netgear VLAN Membership for Switch 02.
In this picture, the Netgear VLAN Membership for Switch 03.
And finally, in this picture, the Netgear VLAN Membership for Switch 04.
I would not recommend removing Vlan tag “1” as this will deny access to the switch. Actually, let’s make sure the computer we are using is always on the same Vlan as the switch’s management interface, and remove this one only once the configuration has been tested. In fact the next step is to create the Vlan configuration in vSphere to use with the virtual Switch Tagging configuration.
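As an added check (not part of the article or of any Netgear tooling), the following Python lints membership tables in the same port -> {vid: "T" | "U"} shape: it flags ports untagged in more than one Vlan, ports left in no Vlan, out-of-range VIDs, an admin port that no longer carries the management Vlan (the lockout described above), and trunk ends whose Vlan sets or T/U modes disagree. The two tables, the port roles and the trunk on port 8 are constructed for the example.

```python
# Constructed membership tables for two adjacent switches; port 8 is the trunk
# between them, in the same shape as the VLAN Membership page.
SWITCH_02 = {
    1: {10: "T"},                                       # ESXi host 02 management uplink (VST tags VLAN 10)
    2: {11: "T", 12: "T"},                              # provisioning and vMotion, both tagged
    4: {1: "U"},                                        # admin laptop on the management VLAN
    5: {40: "U"},                                       # iSCSI secondary for host 01, untagged
    8: {1: "T", 10: "T", 11: "T", 12: "T", 40: "T"},    # trunk to Switch 03
}
SWITCH_03 = {
    1: {10: "T"}, 4: {1: "U"}, 5: {40: "U"},
    8: {1: "T", 10: "T", 11: "T", 40: "T"},             # VLAN 12 forgotten on this end of the trunk
}

def check_ports(name, switch, admin_port, mgmt_vlan=1):
    """Per-switch sanity checks on a membership table; returns a list of findings."""
    findings = []
    for port, vlans in sorted(switch.items()):
        bad = [v for v in vlans if not 1 <= v <= 4094]  # 0 and 4095 are reserved by 802.1Q
        if bad:
            findings.append(f"{name} port {port}: invalid VLAN IDs {bad}")
        untagged = [v for v, mode in vlans.items() if mode == "U"]
        if len(untagged) > 1:
            findings.append(f"{name} port {port}: untagged in {untagged}; frames from "
                            "different VLANs would leave this port indistinguishable")
        if not vlans:
            findings.append(f"{name} port {port}: member of no VLAN, every frame is dropped")
    if mgmt_vlan not in switch.get(admin_port, {}):
        findings.append(f"{name}: admin port {admin_port} is not in management VLAN "
                        f"{mgmt_vlan}; the web UI becomes unreachable from it")
    return findings

def check_trunk(a_name, a, a_port, b_name, b, b_port):
    """Both ends of a trunk must carry the same VLANs with the same T/U mode."""
    a_vlans, b_vlans = a.get(a_port, {}), b.get(b_port, {})
    findings = []
    for vid in sorted(set(a_vlans) | set(b_vlans)):
        if a_vlans.get(vid) != b_vlans.get(vid):
            findings.append(f"VLAN {vid}: {a_name} port {a_port}={a_vlans.get(vid, '-')} "
                            f"but {b_name} port {b_port}={b_vlans.get(vid, '-')}")
    return findings

if __name__ == "__main__":
    for line in check_ports("Switch 02", SWITCH_02, admin_port=4) + \
                check_ports("Switch 03", SWITCH_03, admin_port=4) + \
                check_trunk("Switch 02", SWITCH_02, 8, "Switch 03", SWITCH_03, 8):
        print(line)
```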