Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Oct 19, 2015

VMWare, VLAN and LTM VE

Hi,   I created some test setup and was surprised by result. So either I don't get something or there is a bug...   Scenario:   ESX 5.1 host VM with W2K8 R2 VM with LTM 11.5.2HF2 One vSw...
application delivery
design
LTM
TMOS
Brad_Parker's avatar
Brad_Parker
Icon for Cirrus rankCirrus
Oct 19, 2015

You can't have both tagged and untagged VLANs on one VMware vNIC. The vSwitch is either VST(virtual switch tagged) or VGT(Virtual guest tagged - VLAN 4095). You can't do both on one port group in VMware.

 

  • dragonflymr's avatar
    dragonflymr
    Icon for Cirrostratus rankCirrostratus
    Oct 19, 2015
    Hi, I guess my explanation was not clear enough. So here it is: On LTM I have VLAN200 defined as: tag 200, Interface 1.1 untagged Setup not working (ping failing): W2K8VM---vNIC---VLANX (tag 100)---vSwitch---VLANX (tag 100)---LTM (Interface 1.1 assigned to VLAN200) Setup working (ping OK) W2K8VM---vNIC---VLANX (tag 100)---vSwitch---VLANY (tag 4095)---LTM (Interface 1.1 assigned to VLAN200) So only change between two is attaching Interface 1.1 to VLANY on vSwitch. VLANY is for me equal to trunk port - delivering any VLAN tagged packet to vNIC on VM. VM is responsible for handling tags in frame. For not working scenario frame delivered to Interface 1.1 should be untagged, tag stripped by vSwitch before passing frame to vNIC used by LTM Interface 1.1 - or I am wrong? However for scenario working frame delivered to Interface 1.1 should be tagged so LTM should handle tag - but why? Interface 1.1 is attached to VLAN200 as untagged. So it should only accept untagged frames and then (not sure about it) add tag 200 for internal handling by LTM. Where Am I wrong? Piotr