AFAIK, ‘Port Groups’ is a VMware specific term. A lot of beginners with virtualization get confused with port groups in context of a vSwitch.
A ‘Port Group’ is a group of ports on a vSwitch. A ‘PortGroup’ is created in a ‘vNetwork Standard Switch’ (also refered to as ‘virtual switch’ or ‘vSwitch’) and ‘vNetwork Distributed Switch’ (often refered to as ‘distributed switch’ or ‘dvSwitch’). It acts as a logical segmentation of a vSwitch. Every ‘Port Group’ has a name also known as the ‘Network Label’.
A Port Group is:
1. An management object for aggregation of multiple ports (on a virtual switch) under a common configuration.The configuration options possible for a port group include:
Security, Traffic Shaping, NIC Teaming
2. An endpoint for connecting VMs. In the vSphere client, the workflow actually connects VMs to a ‘Port Group’ name. When you edit the VM settings, the ‘Port Group’ Name (Network Label) is listed as a drop down option under the ‘Network Connections’ option for a virtual network adapter, on a VM.
All VMs which are connected to the same port group can communicate with each other. By default a ‘Port Group’ does not segment the broadcast domain. So VMs which are connected to a port group say ‘PG1’ can communicate with other VMs connected to other port group ‘PG2’ if there are part of the same IP subnet.
If you need network isolation (restrict traffic) between port groups, you will need to configure appropriate VLAN ID on your port groups. On configuring different VLAN IDs on different port groups you will restrict traffic between these port groups. Please note port groups with same VLAN ID will be able to communicate with each other if they are on the same physical/virtual switch.
When you assign a VLAN ID to a port group, packets are tagged as they leave a VM and are untagged as they reach the VM. This is known as VST mode (virtual switch VLAN tagging).
When you assign a VLAN ID ‘4095’, it has a special meaning which says that:
VMs connected to this port group will see all the VLAN IDs that are configured/seen on the vSwitch that owns the said port group. This is also known as VLAN trunking on vSwitch (this is different from VLAN trunking configured on a physical switch). Now you can configure VMs connected to this port group to tag/untag packets from within the guest OS. This is known as VGT mode (virtual guest VLAN tagging). To perform virtual guest tagging and untagging of packets you will need to use guest OS specific tools.
There is another type of VLAN tagging supported by an ESX server thats called as ‘External Switch Tagging’. This is typically transparent to ESX server and no special configuration is necessary on the ESX host. Here packets are tagged as they leave ESX host and reach the physical switch, while they are untagged are they leave the physical switch and reach the ESX host.
When to use Trunk Ports?
If you are planning to use VST or VGT on a vSwitch which is connected to a physical Switch via an uplink (physical adapter on your ESX host). Then you will need to configure the physical-switch-port to which the uplink is connected in a trunk mode.
- For detailed information on virtual switch VLAN tagging, please refer KB1004074
- Also refer to the VLAN tagging whitepaper from VMware, although this is for ESX-3.x most information is still valid for vSphere-4.x.