Enabling cross-host container communication under a VMware ESXi environment


I have a group of CentOS 7.2 servers running as VMs under VMware's ESXi 6.0. These all reside on the same subnet and we have no problem communicating between the different servers. In addition, each of these servers run a number of libvirt-based LXC containers, also based on CentOS 7.2. The hosts can communicate with their containers without issues and the containers on a given server can communicate with each other. However, containers hosted on two different servers cannot communicate with each other or with other servers.

When we duplicate this setup on real hardware we do not have any communication issues between the containers. Likewise, if we duplicate the setup using KVM-based VMs instead of ESXi VMs, everything works fine; there is no problem communicating between containers regardless of which VM hosts them.

In another test, we configured an AWS-based installation with our containers running under AWS instances. In this instance, we encountered the same problem as we hit with ESXi, where the containers running on different hosts (AWS instances) could not communicate with each other. We solved the problem in AWS using proxy ARP. Specifically, we set the following CentOS options on each of our servers:

echo 1 > /proc/sys/net/ipv4/conf/br0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp_pvlan
echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/br0/send_redirects

With these configured, the containers running under the various AWS instances are able to communicate with each other without problems regardless of who is hosting them. Unfortunately, we tried the same set of options on our ESXi-based setup without success. The only solution we've found is to enable promiscuous mode on the vSwitch we've defined in our vSphere environment. However, this is not an ideal solution, since it means all traffic, regardless of where it originates, is allowed through to hosts and containers. This is not ideal from a security perspective.

So the question is: can this issue be solved with a proxy ARP solution like we used with AWS, or is there another approach entirely? As I mentioned, our KVM-based cluster works without needing proxy ARP or promiscuous mode, so perhaps there is something in ESXi that would work similarly to KVM. Any help in this matter would be very much appreciated.

Peter

Peter Steele

Posted 2017-02-02T17:05:53.360


No answers
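An added example, not part of the original post: a small POSIX shell audit of the five bridge sysctl settings the question lists, so a host can be checked before anyone reaches for promiscuous mode on the vSwitch. The `SYSCTL_ROOT` variable and the function names are my own assumptions; the root defaults to `/proc` but can point at a constructed tree for testing.

```shell
#!/bin/sh
# Added example (not from the original post): audit the per-bridge
# settings the question applied on its AWS hosts. SYSCTL_ROOT is an
# assumed variable so the check can run against a constructed tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc}"

# read_knob <path under sys/net/ipv4> : prints the value, or "missing"
read_knob() {
    f="$SYSCTL_ROOT/sys/net/ipv4/$1"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'missing'
    fi
}

# check_proxy_arp_config <bridge> : prints one line per setting and
# returns the number of settings that differ from the expected value
# (0 means the bridge matches the configuration from the question).
check_proxy_arp_config() {
    br="$1"
    bad=0
    # expected values, exactly as set on the AWS hosts in the question
    for spec in \
        "conf/$br/forwarding=1" \
        "conf/$br/proxy_arp_pvlan=1" \
        "conf/$br/proxy_arp=1" \
        "conf/all/send_redirects=0" \
        "conf/$br/send_redirects=0"; do
        path="${spec%=*}"
        want="${spec#*=}"
        have="$(read_knob "$path")"
        if [ "$have" = "$want" ]; then
            printf 'ok       %s=%s\n' "$path" "$have"
        else
            printf 'MISMATCH %s=%s (want %s)\n' "$path" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run as `check_proxy_arp_config br0` on a host; a non-zero exit count is the number of settings still to fix.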