How does routing between different port groups work using the same vswitch?

I am in the process of deploying a new virtual firewall and trying to work out what is the most performant method of implementing it in terms of traffic routing/switching within VMware. I would like to understand how routing/switching works in ESXi under a couple of scenarios.

Firstly, if I have a port group which has two VMs connected to it, how is traffic routed between the VMs? I assume ESXi handles this at a hypervisor/kernel level, or is traffic processed on the physical NIC (i.e. hairpinned)?

The second scenario is: if I have a port group for servers on VLAN 10, and then a second port group which permits all VLANs (trunked) for a virtual firewall (both port groups are on the same vswitch), how does traffic route/switch if a server were to try to communicate with the firewall on VLAN 10? Is ESXi able to determine that it does not need to send the packet externally (i.e. to the NIC or the switch the server is connected to)?

Essentially I am trying to deploy a virtual firewall and trying to work out if I should attach multiple NICs to the port groups I have, or create a new one and trunk all VLANs through it.


Posted on Reddit by zh12a



  1. 1) Traffic on the same host on the same VLAN will be handled internally within the host. It does not hit the physical network because there is no need to.

    2) Traffic between two VMs on different VLANs (assuming these VLANs are different subnets) will hit the default gateway of both VLANs, which may or may not live on the same host. If you're using routers external to the virtual infrastructure, that traffic will leave the hosts. If you're setting up a virtual router (like pfSense) then that traffic will stay on the host, but will go through the router.

    Don't think of the vswitch as anything other than a regular switch. If you have a dumb switch, then traffic between two computers plugged into the same switch doesn't leave the switch. If you have a managed switch, then you're hitting routers, etc., if you're leaving your subnet.

  2. Your second question is a little confusing but I'll take a stab at it. You did not clarify if the server VM and firewall VM are connected to the same port group.

    ESXi will not route traffic to an external router if the traffic does not need to leave the port group, period. If it does, traffic will go to the default gateway for the port group, wherever it may be. If it needs to leave the host to get there, then it will go to the physical NIC. If not, it will be handled in the VMkernel and passed to the appropriate vswitch port to reach its destination.
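The two comments above describe the forwarding decision in words; the following is an added, constructed Python model of that decision for the topology in the question (servers on VLAN 10, a virtual firewall on an all-VLAN port group, both on one standard vSwitch). It is not VMware code and was not posted in the thread. It assumes that VLAN ID 4095 on a standard vSwitch port group means "pass all tags" (the VGT trunk case), that the vSwitch knows every attached vNIC's MAC from the port assignment rather than learning it from traffic, and that anything it cannot deliver to a local port in the frame's VLAN goes out the uplink. VM names and MAC addresses are hypothetical.

```python
"""Toy model of a standard vSwitch forwarding decision (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

TRUNK = 4095                    # assumption: VLAN 4095 on a port group = pass all tags (VGT)
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Port:
    vm: str
    mac: str
    pg_vlan: int                # access VLAN of the port group, or TRUNK


@dataclass
class VSwitch:
    """One standard vSwitch on one ESXi host, with a single uplink."""
    ports: list = field(default_factory=list)

    def attach(self, vm: str, mac: str, pg_vlan: int) -> None:
        # Assumption: the vSwitch knows each vNIC's MAC from the port assignment;
        # it does not learn MACs from traffic the way a physical switch does.
        self.ports.append(Port(vm, mac.lower(), pg_vlan))

    def forward(self, src_mac: str, dst_mac: str, tag: Optional[int] = None) -> dict:
        """Return where a frame from src_mac to dst_mac ends up: which local VMs
        receive it (handled in the VMkernel) and whether it also hits the uplink."""
        src = next(p for p in self.ports if p.mac == src_mac.lower())
        if src.pg_vlan == TRUNK:
            if tag is None:
                raise ValueError("a VM on a trunk port group must tag its own frames")
            vlan = tag
        else:
            vlan = src.pg_vlan  # access port group: the vSwitch applies the tag itself
        # Candidate receivers: other ports on this host in the same VLAN, plus trunk ports
        # (a trunk port receives the frame with its VLAN tag; an access port gets it untagged).
        members = [p for p in self.ports if p is not src and p.pg_vlan in (vlan, TRUNK)]
        if dst_mac.lower() == BROADCAST:
            # Broadcast (e.g. ARP for the gateway) floods to every local member in the
            # VLAN and also goes out the uplink.
            return {"vlan": vlan, "local": sorted(p.vm for p in members), "uplink": True}
        local = [p.vm for p in members if p.mac == dst_mac.lower()]
        # Known local destination in this VLAN: delivered in the VMkernel, never touches
        # the physical NIC. Anything else (unknown MAC, or a MAC that is local but sits in a
        # different VLAN) can only go out the uplink.
        return {"vlan": vlan, "local": local, "uplink": not local}


def build_demo_switch() -> VSwitch:
    """Constructed topology matching the question: servers on VLAN 10, an app tier on
    VLAN 20, and a virtual firewall on an all-VLAN port group. MACs are hypothetical."""
    vs = VSwitch()
    vs.attach("srv1", "00:50:56:00:00:01", 10)
    vs.attach("app1", "00:50:56:00:00:02", 20)
    vs.attach("fw", "00:50:56:00:00:ff", TRUNK)
    return vs


if __name__ == "__main__":
    vs = build_demo_switch()
    # Server on VLAN 10 talking to the firewall: stays on the host.
    print("srv1 -> fw (VLAN 10):   ", vs.forward("00:50:56:00:00:01", "00:50:56:00:00:ff"))
    # Firewall, having routed, emits a VLAN 20 tagged frame to the app VM: stays on the host.
    print("fw -> app1 (tag 20):    ", vs.forward("00:50:56:00:00:ff", "00:50:56:00:00:02", tag=20))
    # Server addressing app1 directly at layer 2: wrong VLAN, so only the uplink is left.
    print("srv1 -> app1 (no L2):   ", vs.forward("00:50:56:00:00:01", "00:50:56:00:00:02"))
    # ARP broadcast from the server: reaches the firewall locally and also leaves via the uplink.
    print("srv1 ARP broadcast:     ", vs.forward("00:50:56:00:00:01", BROADCAST))
```

The model makes the answer to the second scenario concrete: a frame from the VLAN 10 port group to the firewall's MAC is delivered to the trunk port group on the same host and never reaches the physical NIC, and the same holds for the firewall's tagged reply into VLAN 20. Only frames whose destination MAC is not attached to the vSwitch in that VLAN (or broadcasts, which are flooded) go out the uplink. For a real deployment, check the port group's VLAN ID and the firewall VM's own VLAN sub-interfaces rather than relying on this toy model.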
