VLANs vs Vswitches

Let’s say you want to separate out some VMs from other VMs in the network inside of an ESX server. How should you do it? Should you:

• Create a new vswitch and put one group in vswitch A and the other group in vswitch B?
• Create separate VLANs within the same vswitch and put the different VMs into VLAN A and VLAN B

Both will give you separation of traffic. And with the caveat of bugs in the security implementation of the hypervisor, both are reasonably secure. So is there a strong reason to go one way or the other?

VLANs are more flexible than Vswitches just because the VLAN setting is easier to change. If we want to move a VM from one Vswitch to another, either we have to shutdown the VM, delete the portgroup from the first vswitch, create another portgroup in another vswitch with the same name, and then start the VM again. Or you can shutdown the VM, and then change the portgroup the VM is in and start it again. Either way, you have to shutdown the VM.

To move the VM to another VLAN, all you have to do is change the VLAN tag of the portgroup. No need to shutdown the VM.

You get the most flexibility if you put each VM into its own portgroup. Then you can move a single VM to another VLAN. Otherwise, you have to move all the VMs in the portgroup, since you only have one slot for VLAN tag on the portgroup.

Advertisement