From the course: vSphere 6.7 Professional Part 01: Managing Networking

Demo: Configure private VLANs

- [Instructor] In this video, I'll demonstrate how to configure private VLANs in a vSphere Distributed Switch. And as you can see here, I'm logged into the vSphere HTML5 client in a lab kit that I'm accessing through hol.vmware.com. So if you want to try this out, you can get your own free lab kit at hol.vmware.com. And so I'm just going to browse to the networking view, and there should be a couple of distributed switches already created here. Here we see a distributed switch that's already built, and I'm going to go to Configure. And under Configure we have a menu option for Private VLAN. So what I'm going to do is utilize this screen to edit, modify and create private VLANs. But before I do that, I'm actually going to create some new distributed port groups. So I'm going to add a new distributed port group and I'm just going to call it Isolated. I'm going to stick with all of the defaults here, including the VLAN type for the moment, and I'll go ahead and hit Finish. I'm going to create a second port group called Community1, again using all of the default settings. I'm going to create a third port group called Community2, again choosing all the default settings. And then finally I'll create a port group called Promiscuous, again using all of the default port group settings. So now I've created four different port groups here, inside of my vSphere Distributed Switch. And I want you to think of these port groups that I've created sort of like this: Community1 is maybe one part of my organization, and anything that I connect to the Community1 port group should be able to communicate with anything else that's in that Community1 port group. Same thing with Community2. It's a certain department of my company, and any machines that are connected to the Community2 port group should be able to communicate amongst themselves. However, Community2 and Community1 should not be able to communicate with each other. And then I've got a port group here called Isolated.
So with Isolated, these are virtual machines that I'm going to connect to this port group, and they should not be able to communicate with each other. So I may have 50 virtual machines connected to this Isolated port group; none of those virtual machines can communicate with each other. The only things that they can communicate with are machines connected to this Promiscuous secondary VLAN, this port group. And same thing with Community1 and Community2: all of these port groups can communicate with anything connected to the Promiscuous port group. So let's go ahead, back to our vSphere Distributed Switch, and start to establish some of this private VLAN structure. And I'm going to hit Edit here and I'm going to establish a primary VLAN. I'm going to call it VLAN 50. So this is a VLAN that my Community, my Isolated and my Promiscuous port groups will all be a part of; this is the primary VLAN. So basically, any machine in any of those port groups that I just mentioned is going to be on the same IP address range. Any machine connected to either of those Community port groups, the Isolated or the Promiscuous port group, they're all going to be part of the same VLAN and they're all going to have IP addresses in the same IP address range. But within VLAN 50, I'm going to create some secondary VLANs. So I'm going to create a secondary VLAN called 150; that's going to be a community secondary VLAN. A secondary VLAN called 250; that's going to be another community secondary VLAN. And a secondary VLAN, 350, and I'm going to set that as an isolated secondary VLAN. So the types of secondary VLANs that I choose here are going to impact the behavior of the virtual machines connected to them. Anything connected to the Promiscuous secondary VLAN can communicate with anything connected to any of these other secondary VLANs.
Secondary VLAN 150 is marked as community; therefore anything connected to that secondary VLAN can communicate amongst themselves, and they can communicate with the Promiscuous VLAN. Same thing with community secondary VLAN 250. Anything within that community secondary VLAN can communicate. They can also communicate with the Promiscuous secondary VLAN. And then our isolated secondary VLAN: anything connected to this cannot communicate amongst themselves, but they can communicate with the Promiscuous secondary VLAN. And so now I can go to these port groups that I've created. I can click on Configure, so for my Isolated port group, I can click on Configure, I can click on Edit, and I can establish the VLAN membership, and I'm going to establish a private VLAN here. So now I've associated this port group with that isolated secondary VLAN. And I can go through to Community1 and Community2 and do the same thing. On each of these I'm just going to click on the port group, edit the VLAN settings, configure a private VLAN and associate them with the appropriate secondary VLAN. And so what I'm basically doing here is I have this one big VLAN, VLAN 50. That's my primary VLAN. All of the virtual machines connected to all four of these port groups are going to be part of primary VLAN 50, but they also each have a secondary VLAN associated with them that is basically there to segment traffic within VLAN 50. So I'm taking VLAN 50 and I'm further segmenting it by establishing VLANs within a VLAN. The final port group is the Promiscuous port group. I kind of think of this like a shared services port group. So this is something that contains virtual machines that all of the devices need to be able to communicate with; whether they're in the communities or the isolated VLANs, it doesn't matter, they can all communicate with this Promiscuous secondary VLAN.
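The same layout the instructor builds by hand, scripted with PowerCLI so it can be repeated and verified. This is an added example, not code from the course or from VMware; the vCenter name (vcsa.lab.local) and switch name (DSwitch-Lab) are placeholders, and the cmdlet parameter usage reflects the VMware.PowerCLI VDS module as the author understands it. Note one detail the click-through glosses over: in vSphere the promiscuous entry is not a separately numbered secondary VLAN; it is created with the primary VLAN's own ID (here 50), and the Promiscuous port group is bound to that ID.

```powershell
# Added example (not from the course): build the demo's private VLAN layout with PowerCLI.
# Assumptions: VMware.PowerCLI module installed; hypothetical vCenter 'vcsa.lab.local'
# and an existing distributed switch named 'DSwitch-Lab'.
Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server 'vcsa.lab.local' | Out-Null

$vds = Get-VDSwitch -Name 'DSwitch-Lab'

# 1. Primary VLAN 50. The promiscuous entry uses the primary ID as its secondary ID
#    (assumption about the cmdlet: the vSphere API models it as primary == secondary).
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 50 -SecondaryVlanId 50 `
    -PrivateVlanType Promiscuous | Out-Null

# 2. Secondary VLANs inside primary 50: two community, one isolated.
$secondaries = @(
    @{ Id = 150; Type = 'Community' },
    @{ Id = 250; Type = 'Community' },
    @{ Id = 350; Type = 'Isolated'  }
)
foreach ($s in $secondaries) {
    New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 50 -SecondaryVlanId $s.Id `
        -PrivateVlanType $s.Type | Out-Null
}

# 3. One distributed port group per PVLAN entry. The Promiscuous group binds to 50 itself.
$portgroups = [ordered]@{
    'Community1'  = 150
    'Community2'  = 250
    'Isolated'    = 350
    'Promiscuous' = 50
}
foreach ($name in $portgroups.Keys) {
    $pg = New-VDPortgroup -VDSwitch $vds -Name $name
    # Switch the port group's VLAN type from the default to Private VLAN.
    Set-VDVlanConfiguration -VDPortgroup $pg -PrivateVlanId $portgroups[$name] | Out-Null
}

# 4. Verify: the PVLAN map should list 50/50 Promiscuous, 50/150 and 50/250 Community,
#    50/350 Isolated, and each port group should show a PrivateVlan configuration.
Get-VDSwitchPrivateVlan -VDSwitch $vds |
    Format-Table PrimaryVlanId, SecondaryVlanId, PrivateVlanType -AutoSize

Get-VDPortgroup -VDSwitch $vds -Name $portgroups.Keys |
    Select-Object Name, VlanConfiguration |
    Format-Table -AutoSize

Disconnect-VIServer -Server 'vcsa.lab.local' -Confirm:$false
```

Two caveats worth checking before trusting the isolation this gives you. First, the distributed switch only enforces these rules for traffic it sees; for VMs on different hosts the frames cross the physical network, so the upstream switch must be configured as PVLAN-aware with the same primary/secondary mapping, or the uplinks must otherwise be arranged so that the secondary VLAN tags survive the trip. Second, private VLANs segment at layer 2 only; every VM in all four port groups still shares one IP subnet, so a test from an Isolated VM should confirm both that it can reach the Promiscuous VM and that it cannot reach a second Isolated VM on another host, not just on the same host.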
