VCAP5-DCA Objective 2.2 : Configure and Maintain VLANS, PVLANs, and VLAN Settings

  • Determine use cases for and configure VLAN Trunking

VLAN trunking is where you allow multiple VLANs to run over a single port…. Simple When this comes up most people just talk about the physical VLAN trunking which carries the physical up-links from the ESXi host. In most cases you will be running VLAN trunking in a VMware environment more so if your using blades as they will have up-links from the enclosure and these up-links will be configured for every VLAN you require in the environment  And that is your use case if you require to run multiple VLANs in a virtual environment specially if there is more VLANs than physical NICs then you will require VLAN trunking at the physical switch level.

Now what about VLAN trunking at the port group level?

This was introduced with vSphere 5 Distributed Switches and allows VLAN trunking at the port group, Usually you would assign a VLAN to a port group but this way allows you to assign multiple VLANs to a port group

VLAN Trunking

This allows you to pick any number of VLAN combinations or ranges.

VLAN Trunking range a

Below can see the port group with VLAN trunking enabled that allows VLAN 10 to 15

VLAN Trunking range

What different to having it this way and having multiple port groups with a single VLAN assigned… well nothing but you only have 1 port group  This would be handy if say production ran over multiple VLANs and to lessen confusion as to where they sit or get built, just have a single port group with all of production in it.

Obviously this would most defiantly require VLAN trunking to be enabled on the physical switch where the up-links for the virtual switch connect to.

  • Determine use cases for and configure PVLANs

PVLANs or Private VLANs are basically VLANs within a VLAN. Each Private VLAN can have Secondary VLANs within it, There is 3 types of Secondary VLANs you can have:

    • Isolated – Only allows the communication between the VM and the Primary Private VLAN, VM’s can not communicate with each other or any other secondary VLAN. There can only be 1 isolated Secondary VLAN per Primary VLAN.
    • Community – Allows communication between all the VM’s the the secondary VLAN and to the Primary Private VLAN but not to any other Secondary VLAN.
    • Promiscuous – This is created by default when a PVLAN is created and has the same VLAN ID as the PVLAN.


Use case for this where you would have separate areas of a business that have different privacy needs but require a common connection. I will use a Hotel here as an example.

In a Hotel we have Rooms, Foyer and Reception (obviously there would be more areas but this is just an example.

    • Rooms – Can not communicate with each other but are able to get to the internet and hotel intranet.
    • Foyer – Anyone in the foyer can communicate with each other and to the internet and hotel intranet
    • Reception – Talk to other computers in reception, Foyer and Rooms as well as IT systems internet and Hotel intranet

We would assign Primary VLAN of say 100 for the Hotel, We would place all rooms into a Secondary VLAN 101 which is set to isolated so they can only communicate with VLAN 100 and communication within Secondary VLAN 101.

Anyone connecting to the the Foyer network would be placed in Secondary VLAN 102, this will allow for communication between all machine is the Secondary VLAN 102 as well as anything in VLAN 100.

Finally assign reception machines to the promiscuous VLAN 100 which will allow them to talk to all the machines in both Secondary VLANs 101 and 102 as well as 100.

  • Use command line tools to troubleshoot and identify VLAN configurations

Please See VCAP5-DCA Objective 2.1 : Implement and Manage Complex Virtual Networks

Leave a Reply

Your email address will not be published. Required fields are marked *


Anti SPAM BOT Question * Time limit is exhausted. Please reload CAPTCHA.