Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Part 1 How to Build a Nested ESXi Lab: The Ultimate Networking Guide

While building nested VMware virtualization lab, I wanted to use VLANs in the nested ESXi networking. In my lab I have only single physical ESXi server. For nested ESXi VM, passing VLAN directly from physical network was not an option for me due to limited access to physical switch and router. To tackle the limitation I am using different architecture, In the setup I will use virtual router in the LAB to setup support multiple VLANs which will allow me to have full control over virtual router. In this step by step guide I have created first requirement by creating a complete new Virtual Switch (vSwitch) with a PortGroup (Green_LAN_trunk_nesting) without any network adapter added. 

Note: My main network vSwitch0 is intact and not doing any changes to it

A technical network diagram illustrating VMware ESXi nested virtualization networking configuration. The image depicts a Physical ESXi Server hosting two virtual switches: vSwitch0, containing Management (IP 192.168.34.101) and WAN (VM Network) port groups, and vSwitch1, featuring a LAN port group named 'Green_LAN_trunk_Nesting'. Key configuration details for the nested LAN include VLAN 4095 (VGT mode) with security policies set to Allow for Promiscuous mode, Forged Transmit, and MAC address changes to support nested traffic.

Complete Series
Part 1 How to Build a Nested ESXi Lab: The Ultimate Networking Guide
Part 2 Nested ESXi Networking with VyOS Virtual Router: A Step-by-Step Guide
Part 3 Deploying a Dual-Homed Jump Server for Secure Nested Lab Access

For simplicity I am configuring all the settings on PortGroup only. VLAN must be set to 4095, Security settings for all the option (Promiscuous mode, Forged transmit, MAC address changes) should be set to allow. Just note no network adapter on vSwitch1. Here is the complete configuration snapshot how it looks after configuration.

A step-by-step technical guide screenshot of the VMware vSphere Client interface showing how to configure Virtual Switch security policies. The image highlights the navigation to Configure > Networking > Virtual Switches and specifically shows the Edit Settings dialog for a port group named 'Green_LAN_trunk_Nesting'. The Security tab is active, showing Promiscuous mode, MAC address changes, and Forged transmits all set to Override and Accept, which is a common configuration for nested virtualization.

For security settings you can check more on Second VMKernel port not working or reachable on nested ESXi server in VMware ESXi server
To Install ESXi check: Fix CPU Support Error: Installing VMware ESXi 9 on Unsupported CPUs

Below PowerCLI script helps you to create second vSwitch with required PortGroup and its mandatory setup for this lab. With this you can automate the deployment efficiently with accuracy.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
 
$vCenterServer = 'dccomics.vcloud-lab.com'
$vCenterUsername = '[email protected]'
$vCenterPassword = 'Computer@123'

$new_vSwitchName = 'vSwitch1'
$new_PortGroupName = 'Green_LAN_trunk_Nesting'

Import-Module VCF.PowerCLI

Write-Host '- Login vCenter: $vCenterServer'
Connect-VIServer -Server $vCenterServer -User $vCenterUsername -Password $vCenterPassword | Out-Null

Write-Host '- Get list of ESXi Server'
$vmHosts = Get-VMHost
foreach ($vmHost in $vmHosts)
{
    Write-Host "- ESXi: $($vmHost.Name) - Create SSwitch: $new_vSwitchName"
    $vSwitch1 = $vmHost | New-VirtualSwitch -Name $new_vSwitchName

    Write-Host "- ESXi: $($vmHost.Name) - Create Portgroup: $new_PortGroupName (VLAN 4095) on vSwitch"
    $vPortGroup = $vSwitch1 | New-VirtualPortGroup -Name Green_LAN_trunk_Nesting -VLanId 4095

    Write-Host "- ESXi: $($vmHost.Name) - Portgroup configuration: Green_LAN_trunk_Nesting - Security Policies to Allow Override"
    $portgroupName = $vPortGroup.Name
    $portgroupConf = New-Object VMware.Vim.HostPortGroupSpec
    $portgroupConf.VswitchName = $new_vSwitchName
    $portgroupConf.VlanId = 4095
    $portgroupConf.Name = $new_PortGroupName
    $portgroupConf.Policy = New-Object VMware.Vim.HostNetworkPolicy
    $portgroupConf.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy
    $portgroupConf.Policy.Security.AllowPromiscuous = $true
    $portgroupConf.Policy.Security.ForgedTransmits = $true
    $portgroupConf.Policy.Security.MacChanges = $true
    #$portgroupConf.Policy.ShapingPolicy = New-Object VMware.Vim.HostNetworkTrafficShapingPolicy
    #$portgroupConf.Policy.NicTeaming = New-Object VMware.Vim.HostNicTeamingPolicy
    $vmHostNetworking = Get-View $vmhost.ExtensionData.ConfigManager.NetworkSystem
    $vmHostNetworking.UpdatePortGroup($portgroupName, $portgroupConf)
    #$vmHostNetworking.NetworkConfig.Vswitch | Where-Object {$_.Name -eq 'vSwitch1'}
}

Write-Host '- Logout vCenter: $vCenterServer'
Disconnect-VIServer -Server * -Confirm:$false

Useful Articles
PART 1 : BUILDING AND BUYING GUIDE IDEAS FOR VMWARE LAB
PART 2 : BUILDING AND HARDWARE BUYING GUIDE IDEAS FOR VMWARE LAB
PART 3 : MY VSPHERE LAB CONFIGURATION ON VMWARE WORKSTATION
PART 4 : CONFIGURING VMWARE WORKSTATION NETWORKING IN HOME LAB
PART 5 : CONFIGURING STORAGE IN VMWare WORKSTATION FOR OPTIMAL SPEED
PART 6 : CONFIGURE VMWARE WORKSTATION TO SAVE SSD SPACE AND TIME
PART 7 : CREATING NESTED VMWARE ESXI SERVER VM IN HOMELAB ON VMWARE WORKSTATION
PART 8 : CPU COOLING SOLUTION FOR MY HOME LAB ON VMWARE WORKSTATION
Part 9: Guide to building a Home Lab

Go Back

 Posted in MY Home LAB

Comment

Protected by Mathcha

Blog Search

Page Views

1 4 6 7 6 5 0 4

Archive

Comments

Follow me on Blogarama