I'm experiencing an issue while trying to pass double tagged traffic through a vSwitch.
A physical interface on the VMware host machine is receiving double tagged traffic - the outer tag differentiates multiple switches (mirroring remote tag) and the inner tags are from the switches' own internal traffic. The internal traffic can be both tagged and untagged depending on whether the mirrored port was an access port or a trunk.
A vSwitch is configured with multiple networks (each for a different outer tag from a different switch) and a guest machine should see only (single) tagged traffic.
The problem is that the guest machine isn't receiving any of the traffic that was received (on the phy) as double tagged. If the original internal traffic wasn't tagged (phy on host machine receives only 1-tag) the guest sees that traffic correctly.
I also did a test and configured a network on the vSwitch with tag 4095 where any tagged traffic should be passed (VGT). Again the guest machine receives only the single tagged traffic as received from the phy; the only difference is that the guest sees it as tagged. This proves the guest OS correctly sees tagged traffic and leads me to conclude the problem is in the vSwitch.
So is there a way to force the vSwitch to ignore the inner tags and pass traffic to guest regardless of the inner tag?
vSphere/vCenter/ESXi version 5.1.0 in question.
I looked through the documentation and found no mention of support for QinQ VLAN tagging (802.1ad) for either vSwitches or Distributed Switches and have to conclude that it is not supported in vSphere. I had high hopes that Cisco's Nexus 1000v virtual switch would support QinQ but it also appears that it is not supported. Apparently, QinQ support isn't even available in the Nexus 5000 series but it looks like it is in the Nexus 7000 series.
I would confirm this with VMware and Cisco's support before making any design decisions but it seems like this is not a possible configuration.
The problem is actually with VMware's concept of how it handles tagged traffic on the exiting port group. If it strips the outer VLAN then it also discards any inner VLAN should there be such. The only solution is to prevent VMware from tapping/modifying packets as they arrive - meaning no VLAN adding or stripping should be performed. I managed to achieve this by using a vDSW and VLAN trunking in each port group. In such a setup the VM gets double tagged traffic unmodified. For mirroring and traffic analysis this is acceptable, but for production systems this is not a viable solution. There should be a VLAN tunneling option of sorts available on v(D)SW.
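The quickest way to check what the thread describes is to capture frames on the host uplink and inside the guest and compare the tag stacks. The script below is an added example, not code from any of the posts or from VMware: it decodes the 802.1Q/802.1ad tag stack at the head of a raw Ethernet frame, models the two port-group behaviours discussed (VST on a specific VLAN strips exactly one tag; VGT on VLAN 4095 passes frames untouched), and summarises how many tags each frame in a capture carries. The sample frames are constructed inline; `guest_view` models the expected tagging semantics, whereas the thread reports that ESXi 5.1 actually drops frames that still carry an inner tag after the outer one is stripped, so a mismatch between this model and a guest-side capture is exactly the symptom being discussed.

```python
"""Decode and model 802.1Q / 802.1ad (QinQ) tag stacks on raw Ethernet frames.

Added example for the thread above; not from VMware or any poster.
All sample frames are constructed here for illustration.
"""
import struct
from collections import Counter

# EtherTypes that introduce a VLAN tag. 0x88A8 is the 802.1ad service (outer)
# tag, 0x8100 the 802.1Q customer tag, 0x9100 a common pre-standard QinQ value.
TAG_ETHERTYPES = {0x8100: "802.1Q", 0x88A8: "802.1ad", 0x9100: "QinQ-0x9100"}

VGT_VLAN = 4095  # port group VLAN id meaning "pass all tags to the guest"


def decode_tags(frame: bytes):
    """Return (tags, payload_ethertype, payload_offset).

    tags is a list of dicts {tpid, pcp, dei, vid}, outermost first.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags = []
    offset = 12  # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_ETHERTYPES:
            return tags, ethertype, offset + 2
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4


def tag_depth(frame: bytes) -> int:
    """Number of stacked VLAN tags on the frame (0 = untagged)."""
    return len(decode_tags(frame)[0])


def strip_outer_tag(frame: bytes) -> bytes:
    """Remove only the outermost tag (bytes 12..15); inner tags are kept."""
    if tag_depth(frame) == 0:
        return frame
    return frame[:12] + frame[16:]


def guest_view(frame: bytes, port_group_vlan: int):
    """Model what a guest on the given port group should receive.

    VGT (4095): frame passed unmodified, all tags intact.
    VST (1-4094): frame delivered with the outer tag stripped if its VID
    matches the port group, otherwise not delivered (None).
    Untagged frames are only delivered to a VGT port group here.
    """
    if port_group_vlan == VGT_VLAN:
        return frame
    tags, _, _ = decode_tags(frame)
    if not tags or tags[0]["vid"] != port_group_vlan:
        return None
    return strip_outer_tag(frame)


def summarize_capture(frames):
    """Histogram of tag depth over a capture, e.g. {1: 10, 2: 4}."""
    return dict(Counter(tag_depth(f) for f in frames))


def build_frame(tags, payload_ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a frame with the given [(tpid, vid), ...] tag stack (pcp=0)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for tpid, vid in tags:
        header += struct.pack("!HH", tpid, vid & 0x0FFF)
    return header + struct.pack("!H", payload_ethertype) + payload


if __name__ == "__main__":
    # Constructed capture: mirrored switch A (outer 100) with access and trunk
    # traffic, mirrored switch B (outer 101) with access traffic only.
    capture = [
        build_frame([(0x88A8, 100)]),
        build_frame([(0x88A8, 100), (0x8100, 200)]),
        build_frame([(0x88A8, 101)]),
    ]
    print("tag depth histogram on uplink:", summarize_capture(capture))
    for f in capture:
        seen = guest_view(f, 100)
        print("port group VLAN 100 ->",
              "dropped" if seen is None else decode_tags(seen)[0])
```

Run it against real data by reading frames from a pcap captured on the uplink (`tcpdump -i vmnicX -e`) and from inside the guest: if the uplink histogram shows depth-2 frames but the guest capture never does, the port group is discarding them rather than delivering them single tagged, which matches the behaviour the thread describes.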