VLANs with ESXi over physical switch

Question

I'm trying to setup a VLAN across my ESXi network and my physical switch network, but fail to get the VMs on the ESXi port group communicate with physical network. Specifically, my VM doesn't see responses from physical network.

The setup:

• VLAN 112 on the ESXi port group
• VLAN 112 on the switch attached to a firewall interface in the same VLAN
• Firewall also works as a DHCP server for that VLAN/subnet

I'm failing to get IP address on ESXi VM in VLAN112 via DHCP.

From what I see:

• VM repeats DHCP Discover packets
• Firewall sees DHCP requests and responds with DHCP Offer (confirmed via PCAP)
• Packet capture on ESXi vmnic1 confirms that these offers arrive on physical NIC of ESXi. Transaction IDs match, so I'm seeing correct traffic.

What am I missing here?

EDIT: What I might be missing is that ESXi is a guest VM (nested) on a Windows machine with VMware Workstation. But the interface is bridged.

EDIT2: Adding second picture to show switch config. Port5 - connected to the firewall Port12 - test raspberry pi on tagged VLAN112 - gets dhcp address from the firewall interface Port 23 - host machine with esxi

Below Ubiquiti port schematic is the firewall interfaces config showing tagged eth3 interface with VLAN tag 112 (Check Point firewall)

Answer 1

VLAN 112 on the switch attached to a firewall interface in the same VLAN

Make sure VLAN 112 is tagged towards the ESXi and allowed on all required ports.

If in doubt, check whether the switch has associated the VM's MAC address with both the ESXi port and the desired VLAN.

Whether you tag VLAN 112 towards the firewall depends on the firewall's port configuration. Again, check the switch's MAC table to be sure.

If DHCP fails, temporarily try a static configuration. If that works, your DHCP service is off or there's a filter in between (DHCP snooping?).

If the static configuration doesn't work either but MAC/port/VLAN associations look fine, ping the firewall and look for its MAC in the ARP table. If ARP works there's an IP filter in between.

if i plug a raspberry pi instead of ESXi host to a switch port, it gets an IP inside that VLAN 112 subnet.

That looks like you're not tagging the VLAN towards the host. If you enter a VLAN ID on the vSwitch port group, that means tagged.

From comment:

esxi is a guest machine on a vmware workstation (windows pc) with a bridged network.

Ugh - OK... That changes everything.

With VMware workstation, VLAN tagging is likely not working at all - without the ESXi knowing that. So, outgoing frames don't get tagged but incoming, untagged frames are never forwarded into the original port group. Pretty much explains the effects you're seeing. Should also reflect on the switch's MAC table.

And there might be no way to get it working. Best bet with Windows is a vendor tool for your NIC, create virtual NICs and connect those to the ESXi individually - do not use VLAN ID/tagging on the ESXi then. Windows doesn't do tagging and you can't force it retroactively by running a virtual ESXi.