Hello all,
The topology goes like this:
node <--nx1G--> L2switch <--2x1G--> ESXi (5.1)
Unlike other setups of this type, configuring dot1q tunneling on the switch causes problems with virtual machines, since the vSwitch self-assures that any double-tagged frame is an attack and must be dealt with swiftly. Not only have I come across this old thread (http://communities.vmware.com/thread/176962), but the vSphere 5.1 documentation also confirms this behavior still exists:
"Double-encapsulation attacks
Occur when an attacker creates a double-encapsulated packet in which the VLAN identifier in the inner tag is different from the VLAN identifier in the outer tag. For backward compatibility, native VLANs strip the outer tag from transmitted packets unless configured to do otherwise. When a native VLAN switch strips the outer tag, only the inner tag is left, and that inner tag routes the packet to a different VLAN than the one identified in the now-missing outer tag."
I'm not questioning this being the default behavior; however, I strongly believe the lack of a way to alter this behavior is problematic, since it limits the VLAN ranges and numbering for large setups. Imagine you have multiple nodes while these nodes are also connected to other devices via the same L2 switch. We normally assign a VLAN ID per connection and tunnel 1-4094 within, thus not limiting any users to a particular set of VLAN/VLANs.
My question is, is there any way to convince the vSwitch that it is OK to give way to double-tagged frames?
Cheers,
Erdem
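To make the quoted vSphere description concrete, here is an added Python example (not from the post above and not VMware code) that parses the 802.1Q tag stack of a constructed Ethernet frame and models which VLAN the frame lands in once a trunk strips a native-VLAN outer tag; the MAC addresses, VLAN numbers and the `vlan_hop` flag name are made up for illustration.

```python
import struct

TAG_TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag TPIDs

def parse_vlan_tags(frame: bytes):
    """Return (vid_list, payload_ethertype); vid_list is in outer-to-inner order."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            return vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4

def build_frame(dst, src, vids, tpid=0x8100, payload_ethertype=0x0800,
                payload=b"\x00" * 46):
    """Construct a sample frame carrying the given tag stack, outer tag first."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP=0, DEI=0
    return hdr + struct.pack("!H", payload_ethertype) + payload

def classify(frame: bytes, native_vlan: int):
    """Model the native-VLAN strip described in the vSphere text: a trunk sends
    its native VLAN untagged, so an outer tag equal to the native VLAN is
    removed and whatever tag remains decides the VLAN at the next hop."""
    vids, _ = parse_vlan_tags(frame)
    if not vids:
        delivered = native_vlan
    elif vids[0] != native_vlan:
        delivered = vids[0]
    else:
        delivered = vids[1] if len(vids) > 1 else native_vlan
    return {
        "tags": vids,
        "double_tagged": len(vids) >= 2,
        # the case the vSwitch refuses: two tags, outer == native, inner differs
        "vlan_hop": len(vids) >= 2 and vids[0] == native_vlan and vids[1] != native_vlan,
        "delivered_vlan": delivered,
    }

if __name__ == "__main__":
    DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")  # constructed
    for stack in ([], [1], [1, 200], [10, 200]):
        print(stack, classify(build_frame(DST, SRC, stack), native_vlan=1))
```

Note that a legitimately tunneled frame whose outer VID is not the native VLAN (the `[10, 200]` case) is reported as double-tagged but not as a VLAN hop, which is exactly the distinction the vSwitch does not make.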