VLAN ID 4095 in VMware

What is VLAN ID 4095? When is it used?

  • VLAN ID 4095 is a special-purpose VLAN ID.
  • When configured on a port group, it acts like a trunk port on the vSwitch.
  • When a port group is configured with VLAN ID 4095, packets from all VLANs on all port groups are forwarded to this port group.
  • When configured with VLAN ID 4095, no tagging is done by the vSwitch and no packets are discarded.
  • VLAN ID 4095 enables trunking on the port group (Virtual Guest Tagging, VGT mode).
  • To troubleshoot a problem on a specific VLAN, run a sniffing tool in a VM attached to a port group configured with VLAN ID 4095.

Use cases for VLAN ID 4095?

  • The most important use case for VLAN ID 4095 is packet sniffing and IDS.
  • When promiscuous mode is enabled on a specific port group and one of the virtual machines in that port group is used to listen to the traffic, this can lead to additional security risk, because promiscuous mode lets every VM in that port group see all frames passed on the vSwitch in the allowed VLAN. Promiscuous mode enabled on a port group or vSwitch also does not let you sniff traffic from different VLANs simultaneously.
  • For this reason it is always recommended to use a port group with VLAN ID 4095, enable promiscuous mode on it, and then connect the virtual machine's NIC to that port group for packet sniffing and IDS.
  • Use sniffing tools such as tcpdump or Wireshark; no VGT configuration is required for them.

To configure a port group or virtual switch to allow promiscuous mode:
  1. Log into the ESXi/ESX host or vCenter Server using the vSphere Client.
  2. Select the ESXi/ESX host in the inventory.
  3. Click the Configuration tab.
  4. In the Hardware section, click Networking.
  5. Click Properties of the virtual switch for which you want to enable promiscuous mode.
  6. Select the virtual switch or port group you wish to modify and click Edit.
  7. Click the Security tab.
  8. From the Promiscuous Mode dropdown menu, select Accept.
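The same configuration scripted with PowerCLI, followed by an audit of which port groups on the host allow promiscuous mode (an added example, not code from the original page or from VMware). It assumes an existing Connect-VIServer session; the host, vSwitch and port group names are placeholders.

```powershell
# Added example (PowerCLI). Assumes Connect-VIServer has already been run.
$HostName   = 'esxi01.example.local'   # placeholder ESXi host name
$SwitchName = 'vSwitch0'               # placeholder standard vSwitch
$PgName     = 'Sniffer-4095'           # placeholder port group for the sniffer/IDS VM

$vmhost  = Get-VMHost -Name $HostName
$vswitch = Get-VirtualSwitch -VMHost $vmhost -Name $SwitchName

# 1. Create the sniffer port group with VLAN ID 4095 (VGT / trunk mode) if it is missing.
$pg = Get-VirtualPortGroup -VirtualSwitch $vswitch -Name $PgName -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vswitch -Name $PgName -VLanId 4095
}

# 2. Allow promiscuous mode on this port group only, overriding the vSwitch
#    policy, so other VMs on the same vSwitch keep the default Reject.
Get-SecurityPolicy -VirtualPortGroup $pg |
    Set-SecurityPolicy -AllowPromiscuous $true -AllowPromiscuousInherited $false | Out-Null

# 3. Audit: report every port group on the host whose effective policy allows
#    promiscuous mode (set directly or inherited from its vSwitch) and that is
#    not the dedicated VLAN 4095 sniffer group. Each hit is a port group whose
#    VMs can read their neighbours' frames and should be reviewed.
foreach ($vsw in Get-VirtualSwitch -VMHost $vmhost -Standard) {
    $swPolicy = Get-SecurityPolicy -VirtualSwitch $vsw
    foreach ($group in Get-VirtualPortGroup -VirtualSwitch $vsw) {
        $gp = Get-SecurityPolicy -VirtualPortGroup $group
        $effective = if ($gp.AllowPromiscuousInherited) { $swPolicy.AllowPromiscuous } else { $gp.AllowPromiscuous }
        $isSniffer = ($group.Name -eq $PgName) -and ($group.VLanId -eq 4095)
        if ($effective -and -not $isSniffer) {
            Write-Warning ("Promiscuous mode allowed on port group '{0}' (VLAN {1}) on {2}: review" -f `
                $group.Name, $group.VLanId, $vsw.Name)
        }
    }
}
```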

