When setting up VLANs makes sense in your virtual data center

Modern hypervisors offer alternatives for creating isolated traffic streams, but there are still some important use cases for a virtual LAN.

Although it is easy to think of a virtual LAN as a relic from the days predating virtual networking, VLANs are still widely used on production networks. Since both physical switches and hypervisor virtual switches support VLANs, it is a good exercise to look at when it is worth setting up VLANs in your virtual environment.

VLANs are defined by the IEEE 802.1Q standard. A VLAN partitions a single Layer 2 network into two or more distinct broadcast domains by adding a tag to each Ethernet frame, so traffic remains separated even when the flows share physical hardware. In the physical world, VLANs have been used as mechanisms for segmenting traffic, providing multi-tenancy and isolating "chatty" hosts. Note that a VLAN separates traffic but does not encrypt it, and the separation only holds as long as trunk ports, native VLAN settings and any routing between VLANs are configured deliberately.

Although most major hypervisors support the use of VLANs, a VLAN might not always be the best choice for creating an isolated traffic stream. Modern hypervisors offer traffic isolation mechanisms that simply did not exist when VLANs were invented, such as virtual switches and other software-defined networking mechanisms. Even so, there are still use cases for VLANs in a virtual data center.

Setting up VLANs is probably most useful for bridging virtual networks with physical networks where VLANs already exist. For example, suppose that an organization initially only had a physical network and they made extensive use of VLANs. Now suppose that the organization later decided to virtualize some of its servers. Those virtual servers will need a way to connect to the appropriate VLANs on the physical network. In other words, hypervisors offer VLAN support primarily for backward compatibility purposes and for easier coexistence with physical networks.

Of course this raises the question of how an administrator might extend a VLAN to a virtual network. Obviously, the exact method will vary from one hypervisor to the next, but there are similarities.

In a Hyper-V environment, VLAN configurations are based around virtual network interface card (NIC) and virtual switch configurations.

Connecting an existing VLAN on a physical network to a virtual network requires the creation of an external virtual switch. In Hyper-V, an external virtual switch binds to a physical network adapter (or a NIC team) and connects the physical network to a virtual network segment. There are, however, a few requirements that the physical network adapter and the virtual switch must meet.

The physical network adapter must support 802.1Q VLAN tagging, and the physical switch port it is cabled to must be configured as a trunk that carries every VLAN the host's VMs will need. Although it is possible to assign a VLAN ID to the physical network adapter itself (in the driver's advanced properties), you should not do so, because the adapter will then strip and insert only that one tag and will be able to communicate with only that VLAN. Since a single host server may contain virtual machines (VMs) that need to communicate across a variety of VLANs, it is best to leave the physical network adapter untagged and let the virtual switch handle the tags.

Assigning a VLAN ID

Physical to virtual network bridging is provided by an external virtual switch that is bound to the physical network adapter. You can assign a VLAN ID directly to the virtual switch. Before doing so, however, there are a few important things to know.

First, a physical network adapter (or NIC team) can be bound to only one external virtual switch, so if you need a second external switch you need a second adapter or team. You do not, however, need a separate virtual switch for each VLAN. The VLAN ID you assign in the virtual switch's properties ("Enable virtual LAN identification for management operating system") applies only to the management operating system's own virtual network adapter; it does not restrict the switch. A single external virtual switch can carry as many VLANs as the upstream trunk port allows, because each virtual machine's virtual NIC is tagged individually.

Production servers are almost always part of a cluster, so a VM could potentially be live migrated to any host within the cluster. The only way to avoid breaking VLAN connectivity is to create identical virtual switches on each host within the cluster. The virtual switches should have identical names, and the physical switch ports behind them must trunk the same set of VLANs; otherwise a VM tagged for a given VLAN will lose connectivity the moment it lands on a host whose uplink does not carry that VLAN.
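The check described above, as an added example that is not part of the original article: it queries every node in the local failover cluster, confirms the expected external virtual switch exists on each, and compares the management operating system's VLAN ID across nodes. The switch name "ExtSwitch" and running this from a cluster node with the Hyper-V and FailoverClusters modules installed are assumptions.

```powershell
# Added example (not from the original article). Assumes the script runs on a
# cluster node and that the external switch is named "ExtSwitch" on every host.
$expectedSwitch = 'ExtSwitch'
$nodes = (Get-ClusterNode).Name

# Collect switch presence, switch type and management-OS VLAN from each node.
$report = Invoke-Command -ComputerName $nodes -ArgumentList $expectedSwitch -ScriptBlock {
    param($name)
    $sw = Get-VMSwitch -Name $name -ErrorAction SilentlyContinue
    $mgmt = $null
    if ($sw) {
        # The management OS vNIC is named after the switch by default.
        $mgmt = Get-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $name -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        SwitchFound = [bool]$sw
        SwitchType  = if ($sw) { [string]$sw.SwitchType } else { $null }
        MgmtVlan    = if ($mgmt) { $mgmt.AccessVlanId } else { $null }
    }
}

$report | Sort-Object Host | Format-Table Host, SwitchFound, SwitchType, MgmtVlan -AutoSize

# A node without the switch, or with an internal/private switch of that name,
# will strand any VM that is live migrated onto it.
$bad = $report | Where-Object { -not $_.SwitchFound -or $_.SwitchType -ne 'External' }
if ($bad) {
    Write-Warning "Switch '$expectedSwitch' missing or not external on: $($bad.Host -join ', ')"
}

# Management VLAN should be identical on every node.
if (($report.MgmtVlan | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'Management OS VLAN ID differs between cluster nodes.'
}
```

This only proves that the virtual side of each host matches; whether each host's physical uplink actually trunks the required VLANs has to be confirmed on the physical switch.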

Finally, when setting up VLANs, remember that each virtual machine contains one or more virtual NICs, and the VLAN ID is assigned per virtual NIC, not inherited from the virtual switch. In the default access mode a virtual NIC carries exactly one VLAN ID, so a VM that must be present on several VLANs either gets one virtual NIC per VLAN or has its virtual NIC placed in trunk mode with an explicit list of allowed VLAN IDs (typical for a virtual firewall or router). The virtual switch adds the tag on the way to the physical network and strips it on the way back, so the guest operating system never sees the tag in access mode.
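The whole procedure, as an added example that is not part of the original article: leave the physical adapter untagged, create the external virtual switch, tag the management operating system's virtual NIC, and tag each VM's virtual NIC individually. It goes one step beyond the text by also showing a trunk-mode virtual NIC for a VM that needs several VLANs. The adapter name "NIC1", switch name "ExtSwitch", VM names "web01" and "fw01", VLAN IDs 10/20/30 and the driver registry keyword "VlanID" are all assumptions; the keyword in particular varies by NIC driver.

```powershell
# Added example (not from the original article). All names and VLAN IDs below
# are assumptions chosen for illustration.
$nic    = 'NIC1'
$switch = 'ExtSwitch'

# 1. Keep the physical adapter untagged so it can carry every VLAN the upstream
#    trunk port delivers. The advanced-property keyword is driver specific;
#    "VlanID" is assumed here and a missing keyword is simply skipped.
$prop = Get-NetAdapterAdvancedProperty -Name $nic -RegistryKeyword 'VlanID' -ErrorAction SilentlyContinue
if ($prop -and $prop.RegistryValue -ne '0') {
    Set-NetAdapterAdvancedProperty -Name $nic -RegistryKeyword 'VlanID' -RegistryValue '0'
}

# 2. Create the external virtual switch bound to that adapter (one external
#    switch per physical adapter). -AllowManagementOS keeps host connectivity.
if (-not (Get-VMSwitch -Name $switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switch -NetAdapterName $nic -AllowManagementOS $true
}

# 3. The switch-level VLAN setting only tags the management OS virtual NIC.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $switch -Access -VlanId 10

# 4. Each VM virtual NIC gets its own VLAN ID (access mode): one VLAN per vNIC.
Get-VMNetworkAdapter -VMName 'web01' | Connect-VMNetworkAdapter -SwitchName $switch
Set-VMNetworkAdapterVlan -VMName 'web01' -Access -VlanId 20

#    A VM that must see several VLANs (e.g. a virtual firewall) gets a trunk
#    with an explicit allowed list; frames on the native VLAN arrive untagged.
Get-VMNetworkAdapter -VMName 'fw01' | Connect-VMNetworkAdapter -SwitchName $switch
Set-VMNetworkAdapterVlan -VMName 'fw01' -Trunk -AllowedVlanIdList '20,30' -NativeVlanId 0

# 5. Verify what the hypervisor will actually tag for each VM.
Get-VMNetworkAdapterVlan -VMName 'web01', 'fw01' |
    Format-Table ParentAdapter, OperationMode, AccessVlanId, NativeVlanId, AllowedVlanIdList -AutoSize
```

Keep the trunk-mode allowed list as short as the VM's role requires; a virtual NIC trunked to every VLAN on the uplink is a single guest compromise away from reaching all of them.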

As you can see, it is relatively easy to extend an existing VLAN to a virtual network. However, it does require proper planning and an understanding of how your hypervisor supports VLANs.
