Isolated PVLANS will not work with Cisco UCS and VMware vDS

This is something I came up against several years ago but never got around to posting. The workaround is to deploy a Nexus 1000V: the PVLANs are defined within the Nexus and never traverse the upstream network.

Here’s the response from Cisco:

“In a nutshell, in End Host mode the Fabric Interconnects have no unknown unicast flooding functionality and do not learn MAC addresses on the uplinks.

Because the VMware DVS cannot terminate the PVLANs, they will need to extend into the external LAN switching infrastructure.
Therefore, all community/isolated VLANs have to be defined on UCS and on the external LAN switch(es) as well.

This is fine if no communication is required between the isolated PVLAN and any external host on the Primary VLAN.

Where the design requires an external promiscuous port then you need to set the UCS Fabric Interconnects in switch mode. That is, traffic that enters the promiscuous port is classified in the primary VLAN. Therefore, from a UCS perspective there are no server-side MAC-table entries in the primary VLAN because servers are in an isolated PVLAN. So no communication is possible.

As such, switch mode is a must for bi-directional communication. Here the fabric interconnects will do MAC learning on the uplink ports as well as the server ports.”
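To make Cisco’s explanation above concrete, here is an added Python model (not Cisco’s or VMware’s code) of the forwarding decision a Fabric Interconnect makes when a frame from the external promiscuous host arrives on an uplink, classified in the primary VLAN. The VLAN ids, port names and MAC labels are constructed for the example, and switch mode is modelled as ordinary PVLAN-aware MAC learning and flooding.

```python
from dataclasses import dataclass, field

PRIMARY, ISOLATED = 100, 101     # constructed VLAN ids for this example
ASSOC = {ISOLATED: PRIMARY}      # isolated (secondary) -> primary VLAN


@dataclass
class FabricInterconnect:
    """Minimal forwarding model of a UCS FI in the two modes discussed."""
    mode: str                    # "end-host" or "switch"
    uplinks: set                 # names of uplink ports
    port_vlans: dict             # port -> set of VLANs it carries
    mac_table: dict = field(default_factory=dict)  # (vlan, mac) -> port

    def learn(self, vlan, mac, port):
        # End Host Mode never learns MAC addresses on uplinks.
        if self.mode == "end-host" and port in self.uplinks:
            return
        self.mac_table[(vlan, mac)] = port

    def forward(self, vlan, dst_mac, in_port):
        """Return the ports a unicast frame classified in `vlan` reaches."""
        hit = self.mac_table.get((vlan, dst_mac))
        if hit is not None:
            return {hit}
        if self.mode == "end-host":
            return set()         # no unknown-unicast flooding: frame dropped
        # Switch mode floods within the PVLAN domain, so a frame in the
        # primary VLAN also reaches ports in its associated isolated VLAN.
        domain = {vlan} | {s for s, p in ASSOC.items() if p == vlan}
        return {p for p, vlans in self.port_vlans.items()
                if vlans & domain and p != in_port}


def build_fi(mode):
    """One server vNIC in the isolated VLAN, one uplink carrying both."""
    fi = FabricInterconnect(mode, uplinks={"uplink1"},
                            port_vlans={"vnic_vm1": {ISOLATED},
                                        "uplink1": {PRIMARY, ISOLATED}})
    fi.learn(ISOLATED, "vm1-mac", "vnic_vm1")  # server MAC, isolated VLAN
    fi.learn(PRIMARY, "ext-mac", "uplink1")    # external promiscuous host
    return fi


def external_to_vm(mode):
    """Frame from the external promiscuous host, classified in the primary
    VLAN, arrives on the uplink destined for the VM: which ports get it?"""
    return build_fi(mode).forward(PRIMARY, "vm1-mac", "uplink1")
```

In end-host mode the lookup for the VM’s MAC in the primary VLAN misses and the frame is dropped; in switch mode the same miss is flooded across the PVLAN domain and reaches the server vNIC.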

4 thoughts on “Isolated PVLANS will not work with Cisco UCS and VMware vDS”

vapprentice (Post author):

Hi, I don’t think the issue is related to the firmware; it’s more to do with the mode in which the fabric interconnects are deployed, i.e. switch mode or end host mode. If the FIs are deployed in end host mode I’m not sure if this will ever work.

Kass:

Thanks for your reply.

I got in touch with Cisco & they sent me the following:

– Yes, you would be able to set up Private VLANs on a VMware vDS with UCS running firmware 2.2.2c & later.
– The reason this is possible is due to the PVLAN enhancements in the release that allow the vNICs to carry the private VLAN traffic, and also support for community VLANs, which was previously not available.

I will give this a try.
