Private VLAN (PVLAN) traffic dropped on ESXi uplink with "fwdcheckpolicy" and "vlantag mismatch" errors.
search cancel

Private VLAN (PVLAN) traffic dropped on ESXi uplink with "fwdcheckpolicy" and "vlantag mismatch" errors.

book

Article ID: 429803

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

  • Virtual Machines configured on a Secondary Private VLAN (Isolated or Community) lose network connectivity. Packet capture tools (pktcap-uw) running on the ESXi host uplink indicate that ingress packets are being dropped.

  • The drop reason is reported as fwdcheckpolicy with details indicating a vlantag mismatch.

Symptom:

  • The VM is configured on a Secondary VLAN (e.g., ##91).

  • The VDS is configured with a Primary VLAN (e.g., ##90).

  • Ingress traffic from the physical switch arrives tagged with the Secondary VLAN ID (##91).

  • "pktcap-uw --trace --mac [MAC_Address_Of_Target_VM]" output example:

Environment

VMware vCenter Server.

VMware vSphere ESXi.

Cause

This issue occurs because the upstream physical switch is configured to tag traffic with the Secondary VLAN ID (e.g., ##91) instead of the Primary VLAN ID (e.g., ##90).

In a vSphere Distributed Switch PVLAN implementation, the VDS handles the translation between Secondary and Primary VLANs. The physical uplink of dvSwitch expects all PVLAN ingress traffic to be tagged with the Primary VLAN ID only. If the physical switch sends packets tagged with the Secondary VLAN ID, the ESXi host's forwarding check policy rejects the packet because it does not match the valid VLAN encapsulation expected on the uplink for that PVLAN domain.

Resolution

To resolve this issue, reconfigure the upstream physical switch ports connected to the ESXi hosts.

  1. Identify the Primary VLAN ID associated with the PVLAN.

  2. Configure the Physical Switch Port to Trunk/Allow both the Primary VLAN ID (e.g., ##90) and Secondary VLAN ID (e.g., ##91).

  3. Ensure the physical switch acts as a standard trunk and returns traffic tagged with the Primary VLAN ID only. Do not configure switchport trunk private-vlan secondary or switchport vlan translation out on the physical interface. The distributed virtual switch (dvSwitch) handles all necessary VLAN translation.

  4. Verification Step: Run pktcap-uw on the uplink to confirm traffic is now arriving with the Primary VLAN tag.

    pktcap-uw --uplink vmnicX --dir 0 --vlan [Primary_VLAN_ID] --mac [MAC_Address_Of_VM] -o - | tcpdump-uw -enr -

Additional Information

Using the pktcap-uw tool in ESXi (375097).

Private VLAN (PVLAN) on vNetwork Distributed Switch - Concept Overview (311718).

Powered by Wolken Software