Cisco – When are VLAN access maps actually applied to packets

Keep in mind that, fundamentally, if two hosts are configured with IP addresses in different subnets those hosts will need to communicate through one or more routers with interfaces in their respective subnets in order to communicate. A "layer 3 switch" isn't anything more than a router with the ability to create virtual interfaces that are exposed to the broadcast medium of a VLAN.

re: #1 - To conceptualize VLANs, just imagine that the ports in each VLAN are a physically disperate switch. In a flaw-free VLAN implementation (where traffic can't "leak" between VLANs) that's the effective behavior-- each VLAN acts as a separate switch. ACLs applied at layer 2 will name only MACs (and, if the switch supports quasi-layer 1 ACLs, ports). Any ACLs naming IP addresses, TCP ports, etc, aren't layer 2 ACLs. (There may be switches that have "layer 2.5" functionality whereby they examine the payloads of IP packets without actually being able to route packets, but I'd be wary of such things.)

re: #2 - VLAN tags allow the traffic of multiple VLANs to be carried on a single port, typically called a "trunk". You can conceptualize them as virtually subdividing a connection between two devices into smaller "ports" that each carry the traffic for a single VLAN. There's nothing you can do with "trunking" that you couldn't do by using multiple non-trunked ports, but using trunk ports and tagging packets allows you to carry the traffic of multiple VLANs between physically disperate switches w/o using a large number of physical ports for inter-switch links.

re: #3 - Routing IP between different subnets (irrespective of VLANs-- it's typically convenient to have a 1:1 relationship between VLANs and subnets, but it's not required) requires a routing capability. If you need to route IP between different subnets then you need a router. It could be an embedded layer 3 entity in a switch, or it could be a "router on a stick". Anything that can route IP between different subnets is a router. re: ACLs - Like I said in #1-- I'd be wary of a device that did "quasi layer 3" functions. Either it's a router or it isn't.

A couple decent background questions:

• What are the implications of having two subnets on the same switch?

• Best way to segment traffic, Vlan or subnet

There's a lot of ways to do this, it depends on how paranoid you want to be about it.

If you're already trunking VLANs up to one or more Port Groups on a VM vSwitch and are happy to live with the security of VLAN separation then you can use the simplest method. This is just to create a new Port Group, assign it the appropriate VLAN ID and add the W2K8 VM's vNIC to that Port Group - that's all, told you it was easy.

If you already have a 'VLAN-gnostic' vSwitch/Port Group that everything else uses then simply enter the appropriate 'default' VLAN ID in that Port Group's VLAN setting, this shouldn't impact the existing VMs. Then just create a new Port Group for the W2K8 VM, assign it the right VLAN ID and point the W2K8 VM's vNIC at that new Port Group.

If you want physical cable separate just link a spare ESXi host NIC to the switch, set the switch to trunk the W2K8 VM's new VLAN, then create a new vSwitch linked to that NIC, then create a new Port Group with the new VLAN ID set as that Port Group's VLAN and point the W2K8 VM's vNIC at that new Port Group and its underlying new vSwitch.

If you want a something else you'll need to let us know more.

Oh and the W2K8 VM is a 'guest' not a 'host, ESXi is the host.