VCAP-DCA Objective 2.2 – Configure and Maintain VLANs, PVLANs and VLAN Settings

  • Identify types of VLANs and PVLANs
Skills and Abilities
  • Determine use cases for and configure VLAN Trunking
  • Determine use cases for and configure PVLANs
  • Use command line tools to troubleshoot and identify VLAN configurations
  • vSphere Command-Line Interface Installation and Scripting Guide
  • ESX Configuration Guide
  • ESXi Configuration Guide
  • Product Documentation
  • vSphere Client
  • vSphere CLI
    • vicfg-*

Identify types of VLANs and PVLANs

What is a VLAN?

Source Wikipedia,

A virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same network switch. Network reconfiguration can be done through software instead of physically relocating devices.

To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and switches/hubs which are kept separate from the primary network. However unlike a physically separate network, VLANs must share bandwidth; two separate one-gigabit VLANs using a single one-gigabit interconnection can both suffer reduced throughput and congestion. It virtualizes VLAN behaviors (configuring switch ports, tagging frames when entering VLAN, lookup MAC table to switch/flood frames to trunk links, and untagging when exit from VLAN.)

VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain.

This is also useful if someone wants to create multiple Layer 3 networks on the same Layer 2 switch. For example, if a DHCP server (which will broadcast its presence) is plugged into a switch it will serve any host on that switch that is configured to get its IP from a DHCP server. By using VLANs you can easily split the network up so some hosts won’t use that DHCP server and will obtain link-local addresses, or obtain an address from a different DHCP server.

VLANs are essentially Layer 2 constructs, compared with IP subnets which are Layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN or have one subnet spread across multiple VLANs. VLANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process.

By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.

What is a PVLAN?

Source Wikipedia,

A private VLAN is a technique in computer networking where a VLAN contains switch ports that are restricted, such that they can only communicate with a given “uplink”. The restricted ports are called “private ports”. Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall, server, provider network, or similar central resource.

The switch forwards all frames received on a private port out the uplink port, regardless of VLAN ID or destination MAC address. Frames received on an uplink port are forwarded in the normal way (i.e., to the port hosting the destination MAC address, or to all VLAN ports for unknown destinations or broadcast frames). “Peer-to-peer” traffic is blocked. Note that while private VLANs provide isolation at the data link layer, communication at higher layers may still be possible.

A typical application for a private VLAN is a hotel or Ethernet to the home network where each room or apartment has a port for Internet access. Similar port isolation is used in Ethernet-based ADSL DSLAMs. Allowing direct data link layer communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing, as well as increasing the potential for damage due to misconfiguration.

Another application of private VLANs is to simplify IP address assignment. Ports can be isolated from each other at the data link layer (for security, performance, or other reasons), while belonging to the same IP subnet. In such a case direct communication between the IP hosts on the protected ports is only possible through the uplink connection by using MAC-Forced Forwarding or a similar Proxy ARP based solution.

VMware has created a KB document about Private VLAN (PVLAN) on vNetwork Distributed Switch – Concept Overview. See VMware KB:1010691

The definition of Private VLAN is:

  • Virtual LAN (VLAN) is a mechanism to divide a broadcast domain into several logical broadcast domains.
  • Private VLAN is an extension to the VLAN standard, already available in several (most recent) physical switches. It adds a further segmentation of the logical broadcast domain, to create “Private” groups.
  • Private means that the hosts in the same PVLAN are not able to be seen by the others, except the selected ones in the promiscuous PVLAN.
  • Standard 802.1Q Tagging indicates there is no encapsulation of a PVLAN inside a VLAN, everything is done with one tag per packet.
  • No Double Encapsulation indicates that the packets are tagged according to the switch port configuration (EST mode), or they arrive already tagged if the port is a trunk (VST mode).
  • Switch software decides which ports to forward the frame, based on the tag and the PVLAN tables.

A Private VLAN is further divided into the groups:

  • Primary PVLAN – The original VLAN that is being divided into smaller groups is called Primary, and all the secondary PVLANs exist only inside the primary.
  • Secondary PVLANs – The secondary PVLANs exist only inside the primary. Each Secondary PVLAN has a specific VLAN ID associated to it, and each packet travelling through it is tagged with an ID as if it were a normal VLAN, and the physical switch associates the behavior (Isolated, Community or Promiscuous) depending on the VLAN ID found in each packet.

Note: Depending upon the type of the groups involved, hosts are not able to communicate with each other, even if they belong to the same group.

Three types of Secondary PVLANs:

  • Promiscuous – A node attached to a port in a promiscuous secondary PVLAN may send and receive packets to any node in any others secondary VLAN associated to the same primary. Routers are typically attached to promiscuous ports.
  • Isolated – A node attached to a port in an isolated secondary PVLAN may only send to and receive packets from the promiscuous PVLAN.
  • Community – A node attached to a port in a community secondary PVLAN may send to and receive packets from other ports in the same secondary PVLAN, as well as send to and receive packets from the promiscuous PVLAN.


  • Promiscuous PVLANs have the same VLAN ID both for Primary and Secondary VLAN.
  • Community and Isolated PVLANs traffic travels tagged as the associated Secondary PVLAN.
  • Traffic inside PVLANs is not encapsulated (no Secondary PVLAN encapsulated inside a Primary PVLAN Packet).
  • Traffic between virtual machines on the same PVLAN but on different ESX hosts go through the Physical Switch. Therefore, the Physical Switch must be PVLAN aware and configured appropriately, to allow the secondary PVLANs to reach destination.
  • Switches discover MAC addresses per VLAN. This can be a problem for PVLANs because each virtual machine appears to the physical switch to be in more than one VLAN, or at least, it appears that there is no reply to the request, because the reply travels back in a different VLAN. For this reason, it is a requirement that each physical switch, where ESX with PVLANs are connected, must be PVLAN aware.

More information on how to configure Private VLAN (PVLAN) on vNetwork Distributed Switch see VMware KB:1010703

Determine use cases for and configure VLAN Trunking

See VMware KB:1010778 Configuring Virtual Switch VLAN Tagging (VST) mode on a vNetwork Distributed Switch.

Set the physical port connection between ESX and physical switch to TRUNK mode. ESX only supports IEEE 802.1Q (dot1q) trunking.

VLAN configuration is required on ESX side. Define ESX VLANs on the physical switch. Set ESX dvPortgroup to belong to a certain VLAN ID.

Caution: Native VLAN ID on ESX VST Mode is not supported. Do not assign a VLAN to a portgroup that is the same as the native VLAN ID of the physical switch.

Native VLAN packets are not tagged with VLAN ID on the out going traffic toward ESX host. Therefore, if ESX is set VST mode, it drops the packets that are lacking a VLAN tag.

To configure VST on dvPortGroup:

  1. In vCenter, go to Home > Inventory > Networking.
  2. Right-click dvPortGroup and click Edit Settings.
  3. Under dvPortGroup > Settings > VLAN > Policies, set the VLAN type to VLAN.
  4. Select a VLAN ID between 1- 4094
    Note: Do not use VLAN ID 4095.
  5. Click OK.

Why not to use VLAN ID 4095, see Duncan Epping blog Yellow Bricks. He has written an article about the VLAN ID 4096, see

This particular VLAN ID is only to be used for “Virtual Guest Tagging” (VGT). It basically means that the VLAN ID is stripped off at the Guest OS layer and not at the portgroup layer. In other words the VLAN trunk(multiple VLANs on a single wire) is extended to the virtual machine and the virtual machine will need to deal with it.

When will you use this? To be honest there aren’t many use cases any more. In the past it was used to increase the number of VLANs for a VM. The limit of 4 NICs for VI3 meant a maximum of 4 portgroups / VLANs per VM. However with vSphere the maximum amount of NICs went up to 10 and as such the amount of VLANs for a single VM also went up to 10.

Also see VMware KB:1004074 Sample configuration of virtual switch VLAN tagging (VST Mode) and ESX

To configure Virtual Switch (vSwitch) VLAN Tagging (VST) on ESX host:

  1. Assign the VLAN on vSwitch and or portgroup. Supported VLAN range (1-4094)
  2. Set the switch NIC teaming policy to Route based on originating virtual port ID, this is set by default.
    • VLAN ID 0 (Zero) Disables VLAN tagging on port group (EST Mode)
    • VLAN ID 4095 enables trunking on port group ( VGT Mode)

Note: Incoming traffic NIC teaming is called Ether-channel / LACP. For more information, see Sample configuration using EthernetChannel, ESX 3.0 and a Cisco switch (1004048).

To configure VLAN on the portgroup within the Virtual Infrastructure Client:

  1. Highlight the ESX host.
  2. Click the Configuration tab.
  3. Click the Networking link.
  4. Click Properties.
  5. Highlight the virtual switch in the Ports tab and click Edit.
  6. Click the General tab.
  7. Assign a VLAN number in VLAN ID (optional).
  8. Click the NIC Teaming tab.
  9. From the Load Balancing dropdown, choose Route based on originating virtual port ID.
  10. Verify that there is at least one network adapter listed underActive Adapters.
  11. Verify VST configuration by utilizing the ping command to confirm connection between ESX host and gateway interfaces and other host on the same VLAN.

Note: For additional information on VLAN configuration of a VirtualSwitch (vSwitch) port group, see Configuring a VLAN on a portgroup (VMware KB:1003825).

To configure via command line:

esxcfg-vswitch -p “<portgroup name>” -v <VLAN_ID> <virtual switch name>

The illustration attached to this article is the sample VST mode topology and configuration with two ESX hosts, each with two NICs connecting to the Cisco switch.

Other good reads for VLAN Trunking are:


Determine use cases for and configure PVLANs

See VMware KB:1010703 Configuration of Private VLAN (PVLAN) on vNetwork Distributed Switch.

For more information about PVLAN concept, see Private VLAN (PVLAN) on vNetwork Distributed Switch concept (1010691).

To create the PVLAN table in the dvSwitch:

  1. In vCenter, go to Home > Inventory > Networking.
  2. Click Edit Setting for the dvSwitch.
  3. Choose the Private VLAN tab.
  4. On the Primary tab, add the VLAN that is used outside the PVLAN domain. Enter a private VLAN ID and/or choose one from the list.
  5. On the Secondary tab, create the PVLANs of the desired type. Enter a VLAN ID in the VLAN ID field.
  6. Select the Type for the Secondary VLANID. Choose one of the options from the dropdown menu.
    • Isolated
    • Community
  7. Click Ok.

Note: There can be only one Promiscuous PVLAN and is created automatically for you.

Beware: Before deleting any primary/secondary PVLANs, make sure that they are not in use or the operation is not be performed.

To set PVLAN in the dvPortGroup:

  1. Highlight dvPortGroup and click Edit Settings.
  2. Click General> VLAN > Policies.
  3. Using the dropdown, set the VLAN type to Private.
  4. Select VLAN from the Private VLAN Entry dropdown.

Note: The VLANs created in step 1 are listed here.

Eric Sloof from has created a training video on his blog at: 

See also Trainsignal VMware vSphere Troubleshooting Training, lesson 17.


Use command line tools to troubleshoot and identify VLAN configurations

See the vSphere Command-Line Interface Installation and Scripting Guide, chapter 10 Managing vSphere Networking.

The important commands are:

  • vicfg‑vswitch
  • vicfg-vmknic
  • vicfg‑nics


vicfg-vswitch – create and configure virtual switches and port groups.

The vicfg-vswitch command adds or removes virtual switches or modifies virtual switch settings. A virtual switch is an abstracted network device. It can route traffic internally between virtual machines and link to external networks. The ESX Configuration Guide and the ESXi Configuration Guide discuss virtual switches, vNetwork Distributed Switches (vDS), port groups, and vDS port groups. The vSphere CLI manual presents some sample scenarios.

By default,each ESX/ESXi host has a single virtual switch called vSwitch0.

See for more information about this command,


vicfg-vmknic – configure virtual network adapters

The vicfg-vmknic command configures VMkernel NICs (virtual network adapters).

Use the esxcli swisis nic command to specify NIC bindings for VMkernel NICs.

See for more information about this command,


vicfg-nics – get information, set speed and duplex for ESX/ESXi physical NICs

The vicfg-nics command manages uplink adapters, that is, the Ethernet switches used by an ESX/ESXi host. You can use vicfg-nics to list the VMkernel name for the uplink adapter, its PCI ID, driver, link state, speed, duplex setting, MAC address and a short PCI description of the card. You can also specify speed and duplex settings for an uplink adapter.

See for more information about this command,



Carlos Vargas has created a video about this objective see: 

Documents and manuals

ESX Configuration Guide:

ESXi Configuration Guide:

vSphere Command-Line Interface Installation and Scripting Guide:


Related articles:

The information in this article is provided “AS IS” with no warranties, and confers no rights. This article does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my opinion.


Marco works for ViaData as a Senior Technical Consultant. He has over 15 years experience as a system engineer and consultant, specialized in virtualization. VMware VCP4, VCP5-DC & VCP5-DT. VMware vExpert 2013, 2014,2015 & 2016. Microsoft MCSE & MCITP Enterprise Administrator. Veeam VMSP, VMTSP & VMCE.