TOPOLOGY

[router] --trunk-- [switch] --trunk-- [vsphere esxi hypervisor]

ROUTER CONFIGURATION

interfaces {
    ge-0/0/0 {
        description SWITCH:0/0/0;
        vlan-tagging;
        unit 1000 {
            vlan-id 1000;
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
}

SWITCH CONFIGURATION

interfaces {
    ge-0/0/0 {
        description ROUTER:0/0/0;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members PRIMARY_PRIVATE_VLAN;
                }
            }
        }
    }
    ge-0/0/1 {
        description ESXI:VMNIC1;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members PRIMARY_PRIVATE_VLAN;
                }
            }
        }
    }
}

vlans {
    PRIMARY_PRIVATE_VLAN {
        vlan-id 1000;
        interface {
            ge-0/0/0.0;
            ge-0/0/1.0 {
                pvlan-trunk;
            }
        }
        no-local-switching;
    }
    SECONDARY_VLAN_COMMUNITY {
        vlan-id 1100;
        primary-vlan PRIMARY_PRIVATE_VLAN;
    }
    SECONDARY_VLAN_ISOLATED {
        vlan-id 1200;
        primary-vlan PRIMARY_PRIVATE_VLAN;
    }
}

VSPHERE ESXI CONFIGURATION

Using Private VLANs with VMware vSphere ESXi requires the Distributed Switch functionality, which is currently only available with the Enterprise Plus edition of vSphere ESXi.

For this example, we are going to configure an Isolated Private VLAN. If you want to create a Community Private VLAN instead, the configuration is the same; just choose Community instead of Isolated when creating the Secondary Private VLANs.

The basic steps for configuring ESXi to use Private VLANs are:

  1. Start vSphere Client and connect to VMware vCenter Server.

  2. Select Inventory > Networking.

  3. In the left pane, right click on a Datacenter and select New vSphere Distributed Switch.

  4. Edit the created Distributed Switch. Under the Private VLAN tab, create a Primary VLAN on the left and Secondary VLANs on the right.

  5. Right click on the Distributed Switch and select New Port Group.

  6. In the Port Group Settings, under General, change the name to something more descriptive, such as dvPortGroup - Isolated - 1000/1200, and set the VLAN type to Private VLAN with the entry Isolated (1000, 1200).

  7. Select Inventory > Hosts and Clusters.

  8. Right click on a Virtual Machine and select Edit Settings.

  9. Select the Network Adapter (or add a new one) and change the Network Connection dropdown to dvPortGroup - Isolated - 1000/1200.
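The isolation in this design only holds when the three pieces agree: the primary VLAN on the switch carries no-local-switching, the hypervisor-facing trunk is marked pvlan-trunk so secondary tags survive the trunk, each secondary VLAN points at a real primary, the router sub-interface uses the primary VLAN's tag (the promiscuous side), and the Private VLAN table entered on the Distributed Switch in step 4 lists only pairs the switch knows. The Python below is an added example, not Juniper's or VMware's code: it parses the router and switch configuration above and checks those properties. The configuration strings and the ESXI_PVLAN_MAP list are constructed copies of what this page shows; parse_junos and check_pvlan are this example's own helpers, not a vendor tool.

```python
# Added example (not Juniper's or VMware's code): parse the router and switch
# configuration shown above and check the invariants the PVLAN design relies
# on, then compare them with the PVLAN table entered on the Distributed Switch.
import re

# Constructed copy of the page's router configuration (Junos brace syntax).
ROUTER_CONFIG = """
interfaces { ge-0/0/0 { description SWITCH:0/0/0; vlan-tagging;
    unit 1000 { vlan-id 1000; family inet { address 10.10.10.1/24; } } } }
"""

# Constructed copy of the page's switch configuration, written compactly.
SWITCH_CONFIG = """
interfaces {
    ge-0/0/0 { description ROUTER:0/0/0; unit 0 { family ethernet-switching {
        port-mode trunk; vlan { members PRIMARY_PRIVATE_VLAN; } } } }
    ge-0/0/1 { description ESXI:VMNIC1; unit 0 { family ethernet-switching {
        port-mode trunk; vlan { members PRIMARY_PRIVATE_VLAN; } } } }
}
vlans {
    PRIMARY_PRIVATE_VLAN { vlan-id 1000;
        interface { ge-0/0/0.0; ge-0/0/1.0 { pvlan-trunk; } }
        no-local-switching; }
    SECONDARY_VLAN_COMMUNITY { vlan-id 1100; primary-vlan PRIMARY_PRIVATE_VLAN; }
    SECONDARY_VLAN_ISOLATED { vlan-id 1200; primary-vlan PRIMARY_PRIVATE_VLAN; }
}
"""

# Constructed mirror of the Private VLAN tab on the Distributed Switch (step 4);
# the promiscuous entry is the primary VLAN paired with itself.
ESXI_PVLAN_MAP = [
    {"primary": 1000, "secondary": 1000, "type": "promiscuous"},
    {"primary": 1000, "secondary": 1100, "type": "community"},
    {"primary": 1000, "secondary": 1200, "type": "isolated"},
]


def parse_junos(text):
    """Parse Junos brace-style configuration into nested dicts.

    "name { ... }" becomes a dict under key "name"; "keyword arg;" becomes
    {"keyword": "arg"} and a bare "keyword;" becomes {"keyword": True}.
    Whitespace is not significant, so the constants above can be compact.
    """
    root, buf = {}, ""
    stack = [root]
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":
            node = {}
            stack[-1][buf.strip()] = node
            stack.append(node)
        elif tok == ";":
            parts = buf.split(None, 1)
            if parts:
                stack[-1][parts[0]] = parts[1].strip() if len(parts) == 2 else True
        elif tok == "}":
            stack.pop()
        else:
            buf += tok
            continue
        buf = ""  # reset after every delimiter
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def check_pvlan(router, switch, esxi_map):
    """Return a list of findings; an empty list means all three pieces agree."""
    findings = []
    vlans = {n: v for n, v in switch.get("vlans", {}).items() if isinstance(v, dict)}
    primaries = {n: v for n, v in vlans.items() if "primary-vlan" not in v}
    secondaries = {n: v for n, v in vlans.items() if "primary-vlan" in v}
    primary_ids = {n: int(v["vlan-id"]) for n, v in primaries.items()}

    for name, v in primaries.items():
        # Without no-local-switching the primary acts as an ordinary VLAN and
        # its ports can reach each other directly.
        if v.get("no-local-switching") is not True:
            findings.append(f"{name}: no-local-switching is missing")
        # Secondary VLAN tags only cross a trunk that is marked pvlan-trunk.
        ifaces = v.get("interface", {})
        if not any(isinstance(c, dict) and "pvlan-trunk" in c for c in ifaces.values()):
            findings.append(f"{name}: no pvlan-trunk interface towards the hypervisor")

    # Valid (primary, secondary) pairs as the switch defines them.
    pairs = {(pid, pid) for pid in primary_ids.values()}
    for name, v in secondaries.items():
        parent = v["primary-vlan"]
        if parent not in primary_ids:
            findings.append(f"{name}: primary-vlan {parent} is not a primary VLAN")
            continue
        pairs.add((primary_ids[parent], int(v["vlan-id"])))

    # The router attaches on the primary VLAN's tag; any other tag leaves the
    # secondary VLANs without a promiscuous exit.
    for ifname, iface in router.get("interfaces", {}).items():
        if iface.get("vlan-tagging") is not True:
            findings.append(f"router {ifname}: vlan-tagging is missing")
        for unit, cfg in iface.items():
            if isinstance(cfg, dict) and "vlan-id" in cfg and int(cfg["vlan-id"]) not in primary_ids.values():
                findings.append(f"router {ifname} {unit}: vlan-id {cfg['vlan-id']} is not a primary VLAN")

    # The vSphere table may only contain pairs the switch actually knows.
    for entry in esxi_map:
        pair = (entry["primary"], entry["secondary"])
        if entry["type"] == "promiscuous" and pair[0] != pair[1]:
            findings.append(f"vSphere {pair}: promiscuous entry must pair the primary with itself")
        elif pair not in pairs:
            findings.append(f"vSphere {pair} ({entry['type']}): no matching VLAN on the switch")
    return findings


if __name__ == "__main__":
    result = check_pvlan(parse_junos(ROUTER_CONFIG), parse_junos(SWITCH_CONFIG), ESXI_PVLAN_MAP)
    print("OK" if not result else "\n".join(result))
```

Run stand-alone it prints OK for the configuration on this page. Feed it a drifted copy, for example with no-local-switching removed or an extra secondary VLAN added only on the vSphere side, and each mismatch is listed; those are exactly the conditions under which machines that should be isolated can reach each other or secondary tags are lost on the trunk, so the check belongs in whatever review runs before a change to either device is committed.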