Testing the "Private VLAN" feature on the VMware Network

Connect to the above

http://wangchunhai.blog.51cto.com/225186/1857192

When using the vsphere virtual Datacenter, there are multiple virtual machines in the same network segment. Sometimes, the security policy does not allow these same network segments of the virtual machines to communicate with each other, this time you can use the "Private VLAN" function.

5.1 Private VLAN Introduction

Dedicated VLAN, known as Pvlan, is known as the Mux VLAN. The names are different, but the functions and principles are the same. One of the Cisco private VLANs is divided into 5-1 as shown.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/88/29/wKioL1frCa-QKlzyAABz_w-5JiE158.png "/>

Figure 5-1 Cisco Pvlan

Each Pvlan includes two VLANs: "Primary VLAN" and "secondary VLAN", and the secondary VLAN is divided into two types: Isolated VLAN, Federated VLAN.

The secondary VLAN belongs to the primary VLAN, and a primary VLAN can contain multiple secondary VLANs. There can be only one isolated VLAN in a primary VLAN and multiple federated VLANs

The Huawei Mux VLAN is divided into 5-2 as shown.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/88/2D/wKiom1frCa-CJehFAAB7mAIPRsA883.png "/>

Figure 5-2 Huawei Mux VLAN

The MUX VLAN is divided into "primary vlan" and "Slave vlan", "Slave vlan" and "interworking from VLAN" and "isolated from VLAN".

The "Primary VLAN" and "Slave VLAN" can communicate with each other, and different "slave VLANs" cannot communicate with each other. "Interworking from VLAN" ports can communicate with each other, "isolated from VLAN port" cannot communicate with each other.

The MUX VLAN provides a mechanism for two-layer traffic isolation between ports on a VLAN. For example, in a corporate network, the client port can communicate with the server ports, but the client port cannot communicate with each other. In the new firmware version of the Huawei Switch, the "primary VLAN" configured with the Mux VLAN is the IP address of the VLAN that can be configured, so that the isolated VLAN and the interoperable VLAN can be configured with gateways and communicate with other VLANs and external networks.

Whether it's Cisco's Pvlan or the mux VLAN of Huawei, it's just a different term, and its implementation is the same.

5.2 Physical Switch Configuration

This section takes the Huawei S5700 switch as an example to configure a MUX VLAN for dedicated VLAN functionality.

In this example, VLAN 1030, 31, 32, 33 are created, where VLAN 1030 is "primary VLAN", "31" is an isolated vlan,32 and 33 is an interoperable VLAN.

Log in to the Huawei Switch, create a mux VLAN, and the main configuration commands are as follows:

#

VLAN batch 1016 to 1020 1022 1030 to 1031

#

VLAN 1030

Mux-vlan

Subordinate separate 31

Subordinate Group 33

#

#

Interface Vlanif1030

IP address 172.16.30.254 255.255.255.0

#

"description" The V2, R3 version of the S5700 switch added a mux VLAN support vlanif, which was not supported in previous versions.

5.3 Virtual Switch Configuration

Log in to the vsphere client or vsphere Web client to modify the virtual Switch configuration. In this example, a distributed switch named Dvswitch, where the uplink is connected to the trunk port of the physical switch, the administrator needs to modify the distributed switch to enable and add the private VLAN.

(1) Log in to vcenter Server using vsphere client, in home → list → network, select the distributed switch on the left, and on the Summary tab, click Edit Settings, 5-3-1.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/88/29/wKioL1frCa-RWJhgAADMYwXnth0005.png "/>

Figure 5-3-1 Editing settings

(2) In the Private VLAN tab, click the Enter private VLAN ID link here, and then enter the primary VLAN ID, as shown in 1030,5-3-2 in this example.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/88/29/wKioL1frCbDx_3UaAACbRlA89GE599.png "/>

Figure 5-3-2 Dedicated VLAN

(3) On the right, enter or edit the secondary private VLAN ID and type, enter the secondary private VLAN ID in turn, and select the correct type (as opposed to the physical switch configuration), where the VLAN ID 31 type is "isolated", with IDs 32 and 33 as "community", 5-3-3 as shown. After setting, click the OK button.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/88/2D/wKiom1frCbDgUyR2AAC5iGrnFpo086.png "/>

Figure 5-3-3 Entering the secondary private VLAN ID and type

Return to the vsphere Client, and in the Summary tab, click New Port group, as shown in 5-3-4. After that, you add the primary VLAN, from the VLAN, to the port group.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/88/2D/wKiom1frCbDjijyJAAFmsfVj7ww791.png "/>

Figure 5-3-4 New Port Group

(1) In the Create Distributed Port Group dialog box, in name, enter the name of the new port group, for example, Vlan1030-33, which is VLAN 33, the Slave VLAN that belongs to vlan1030, select Private VLAN in the VLAN type drop-down list, and in the Private VLAN entry drop-down list, select the VLAN ID that corresponds to this name, as shown in "Community (1030,33)", 5-3-5.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/88/29/wKioL1frCbCSZFUlAACItxyWMqk523.png "/>

Figure 5-3-5 Creating a distributed port Group

(2) in the "Coming to Completion" dialog, verify the settings of the new port group, check the error, and click the "Finish" button, 5-3-6.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/88/29/wKioL1frCbGCAZzwAABwgrpLHYU777.png "/>

Figure 5-3-6 is about to complete

Then refer to the previous steps to create a port group named vlan1030, the private VLAN entry is "promiscuous (1030,1030)", the name is vlan1030-31, the private VLAN entry is "isolated (1030,31)" (5-3-8), As well as the name Vlan1030-32, the dedicated private VLAN entry is "isolated (1030,32)" for the port group (shown in 5-3-9).

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/88/2D/wKiom1frCbHwEGtUAAB4dkLyy0g221.png "/>

Figure 5-3-7 Creating a port Group

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/88/29/wKioL1frCbGBxQ3mAAB4X4wrVME496.png "/>

Figure 5-3-8 Creating a port Group

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/88/2D/wKiom1frCbHSao6QAAB4Kvi95-g244.png "/>

Figure 5-3-9 Creating a port Group

Once created, back to the vsphere Client, you can see the new virtual port group, shown in 5-3-10.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/88/2D/wKiom1frCbLQ4wBrAAGAtmp3Elk815.png "/>

Figure 5-3-10 New 4-Port group

5.4 Creating a virtual machine for testing

After the physical switch, Virtual switch is configured, create a test virtual machine for Windows Server R2, assign it a port group of VLAN 1030, create 4 windows 7 virtual machines, assign them VLAN31, VLAN32, VLAN33 port groups To test its functionality. DHCP is enabled in the Windows Server R2 virtual machine. These 5 virtual machines are allowed to ping through.

(1) In vsphere Client, deploy a virtual machine named Ws08r2-lab01 Windows Server R2, 4 windows 7 virtual machines (named Win7x-lab11, WIN7X-LAB12, Win7x-lab13, WIN7X-LAB14), shown in 5-4-1.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/88/29/wKioL1frCbKyLHIxAAC69sxRGpA491.png "/>

Figure 5-4-1 Preparing 5 virtual machines

(2) Modify the WS08R2-LAB01 virtual machine configuration to allocate the "vlan1030" port Group for this virtual machine NIC, as shown in 5-4-2.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/88/2D/wKiom1frCbLjWcCQAAEwkudYL-U115.png "/>

Figure 5-4-2 Assigning VLAN 1030 to a virtual machine

(2) Open the WS08R2-LAB01 virtual machine console, set the 172.16.30.200 for this virtual machine, the subnet mask to 255.255.255.0, the IP address of the gateway 172.16.30.254, and 5-4-3 as shown.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/88/29/wKioL1frCbTC1fsdAAPuZesLTJs144.png "/>

Figure 5-4-3 Setting a static IP address for the server

(3) Install DHCP server for this server, add scopes, set the scope address range to 172.16.30.1~172.16.30.99, and the subnet mask as shown in 255.255.255.0,5-4-4.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/88/2D/wKiom1frCbTjKhYBAAISd8p-uJw558.png "/>

Figure 5-4-4 Adding scopes

Then start win7x-lab11~win7x-lab14 a total of 4 VMS, assign vlan1030, vlan1030-31, vlan1030-32, vlan1030-33 port groups to these 4 virtual machines, These virtual machines will obtain an IP address from the WS08R2-LAB01 virtual machine, and then use the ping command to test connectivity. Verify the primary VLAN, isolated VLAN, and interoperability VLAN, which are no longer described.

The test results are as follows:

"to" It's an isolated type . VLAN , + with the - It's an interoperability type . VLAN .

when a virtual machine is assignedVLAN31(i.e. isolated typeVLAN), the virtual machine can beDHCPGetIPaddress (because the server isVLAN3001), this virtual machine can only be used withVLAN3001of theIPAddress and Gateway (172.16.30.254) communication. cannot be associated withVLAN32,VLAN33communication. Nor can it be set with the otherVLAN31Virtual machine communication.

vlan dhcp get ip address, this virtual machine can be associated with vlan3001 , vlan33 or other vlan32 Virtual machine communication, also can communicate with the gateway.

whether it's assigning VLAN31 , or is VLAN32 (interoperability), these virtual machines have access to other VLAN , and can access it through the gateway Internet .

about the VSphere for video operation of the network, please watch

Http://edu.51cto.com/course/course_id-4898.html

This article from "Wang Chunhai blog" blog, declined reprint!

Testing the "Private VLAN" feature on the VMware Network