ESX VLAN Configuration: VST Mode 802.1q

By admin, April 4, 2011 10:21 pm

[Image: netgear]

Recently, I tried to configure vSphere VLAN 802.1q VST Mode with an external Netgear switch. On the Netgear side, VLAN (ID=10) was set correctly on the ports using Tagged Port (i.e., 802.1q), and the same VLAN ID was assigned to the ESX Portgroup, but the connected VMs could not reach the outside Internet.

I did a simple test by giving a private IP 10.0.18.10 to VM1 on ESX Host 1, which is on VLAN 10, then I did the same for VM2 on ESX Host 2, which is also on VLAN 10.

Guess what? They can ping each other!

To further prove that my original Netgear VLAN setting is correct, I did the following tests as well:

Test 1. Change VLAN 10 to VLAN 20 on ESX Host 1: now VM1 cannot ping VM2, so the original VLAN tagging (802.1q) is working!

Test 2. Change Netgear Port 11 & Port 12 (both on ESX Host 1) to Untag: now VM1 cannot ping VM2, so the original VLAN tagging (802.1q) is working indeed!

[Image: portgroup]

After researching for several days, I found the following. BINGO!

For example, consider the organization whose servers plug into distribution layer switches. These distribution layer switches then connect to a core switch. If the connections between the core switch and the distribution switch are not already configured as VLAN trunks, i.e., are capable of carrying multiple VLANs simultaneously, then using VST is impossible. Each of the distribution switches only carries a single VLAN and is only capable of carrying a single VLAN.

I thought I did not need to get my Netgear to talk to the data center's core switch in order to have ESX VST working; this is exactly where I was wrong! After talking to my data center, I finally got it working, but I still decided not to use VLAN (VST mode) on public IP addresses, as it doesn't provide real benefits and the ESX port group won't allow a traffic sniffer anyway (promiscuous mode is rejected by default in the port group's security policy), so it's pretty secure. Rather, I found a private or local 802.1q VLAN more useful, say to configure a private LAN between VMs (sometimes you need a private LAN for backup).
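To make the mechanics behind the two tests and the quoted trunk requirement concrete, here is an added example (not code from the original post): it builds and parses 802.1Q-tagged Ethernet frames and forwards them through a toy switch whose ports are either "tagged" (trunk, carrying a set of VLANs) or "untagged" (access port with a PVID). The port names, MAC addresses and VLAN memberships are constructed to mirror the setup above, simplified to one NIC per ESX host, flooding instead of MAC learning, and a switch that drops tagged frames on access ports.

```python
"""Toy 802.1Q model: build/parse tagged frames and forward them through a
switch whose ports are 'tagged' (trunk) or 'untagged' (access).

Added example, not code from the original post. Port names, MAC addresses
and VLAN memberships are constructed; the switch floods (no MAC learning).
"""
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_IP = 0x0800


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in text.split(":"))


def build_frame(dst, src, payload, vlan_id=None, ethertype=ETH_IP, pcp=0):
    """Ethernet frame (dst/src raw bytes); insert a VLAN tag when vlan_id is set."""
    hdr = dst + src
    if vlan_id is not None:
        if not 0 < vlan_id < 4095:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan_id            # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dict with dst, src, vlan (None if untagged), ethertype, payload."""
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": etype,
            "payload": frame[off:]}


class Switch:
    """Ports: ('tagged', {vids}) keeps tags on the wire; ('untagged', pvid)
    sends/receives untagged frames that all belong to VLAN pvid."""

    def __init__(self):
        self.ports = {}

    def tagged(self, name, vlans):
        self.ports[name] = ("tagged", set(vlans))

    def untagged(self, name, pvid):
        self.ports[name] = ("untagged", pvid)

    def forward(self, ingress, frame):
        """Flood a frame arriving on `ingress`; return {egress_port: frame}."""
        mode, cfg = self.ports[ingress]
        p = parse_frame(frame)
        if mode == "tagged":
            if p["vlan"] is None or p["vlan"] not in cfg:
                return {}                      # untagged or non-member VLAN: drop
            vid = p["vlan"]
        else:
            if p["vlan"] is not None:
                return {}                      # tagged frame on access port: drop
            vid = cfg                          # classify into the port's PVID
        out = {}
        for name, (m, c) in self.ports.items():
            if name == ingress:
                continue
            if m == "tagged" and vid in c:     # trunk member: re-emit with tag
                out[name] = build_frame(p["dst"], p["src"], p["payload"],
                                        vlan_id=vid, ethertype=p["ethertype"])
            elif m == "untagged" and c == vid:  # access member: strip the tag
                out[name] = build_frame(p["dst"], p["src"], p["payload"],
                                        ethertype=p["ethertype"])
        return out


def scenario(host1_vlan=10, host1_port_tagged=True, uplink_trunks_vlan10=True):
    """Model the post's setup: ESX host 1 on 'port_h1', ESX host 2 on 'port_h2',
    'uplink' towards the data-centre core. Returns (vm1->vm2, vm1->core)."""
    sw = Switch()
    if host1_port_tagged:
        sw.tagged("port_h1", {10, 20})
    else:
        sw.untagged("port_h1", 1)              # Test 2: port set to Untag (PVID 1)
    sw.tagged("port_h2", {10})
    if uplink_trunks_vlan10:
        sw.tagged("uplink", {10})              # core link configured as a trunk
    else:
        sw.untagged("uplink", 1)               # core link carries a single VLAN
    vm1, vm2 = mac("00:50:56:00:00:01"), mac("00:50:56:00:00:02")
    # VST: the vSwitch tags the VM's frame with the port group's VLAN ID
    out = sw.forward("port_h1", build_frame(vm2, vm1, b"ping", vlan_id=host1_vlan))
    vm2_ok = "port_h2" in out and parse_frame(out["port_h2"])["vlan"] == 10
    return vm2_ok, "uplink" in out


if __name__ == "__main__":
    print("baseline            ", scenario())                          # (True, True)
    print("host1 on VLAN 20    ", scenario(host1_vlan=20))             # (False, False)
    print("host1 port untagged ", scenario(host1_port_tagged=False))   # (False, False)
    print("core link not trunk ", scenario(uplink_trunks_vlan10=False))  # (True, False)
```

The last scenario is the situation described above: VM1 and VM2 still reach each other over VLAN 10 inside the Netgear, but nothing tagged VLAN 10 leaves towards the core until that link is made a trunk that carries VLAN 10.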