Moderator


9.5K Posts

October 29th, 2013 10:00

Hi Mark,

You are trying to get your backup server and this VMware server to communicate, correct?

Ports 3/g2 and 3/g7 are part of port channel 3 and are connected to the VMware host.

Traffic then goes out port channel 5, port 2/g20, through the firewall on interface 6; then where does it go? To a remote location with another firewall and switch, or is the backup device connected directly to the firewall?

3 Posts

October 29th, 2013 11:00

Hi Josh. From the firewall, it exits out the public interface (eth0) on the firewall to the office backup service we use. We're not getting any traffic between the firewall and the VM backup agent, and I'm pretty sure it has to do with the VLAN config. If I put everything on VLAN, it works like a champ, but I want to restrict my backup traffic to that VLAN only.

Moderator


9.5K Posts

October 29th, 2013 12:00

It does sound like a VLAN issue. They are in the same subnet, right? The traffic from the firewall to the server might be getting dropped by the switchport in access mode, as access mode is designed to accept untagged traffic and drop tagged traffic, and the firewall might be sending the traffic back tagged. You could try changing the switchport mode on port channel 3 to general, allow it to accept VLAN 10 tagged, and see if that works.

3 Posts

December 4th, 2013 20:00

Mark, from what I see, your VLANs are configured correctly. What I don't see is whether your port channels are configured correctly. Let's see the output from a "show int po 3" and "show int po 5" to make certain that the ports are properly added to the port channels. Also, there is no reason to have only one port in a port channel; since a port channel must be configured on both ends, and you didn't state whether you have a port channel set up on eth6 of the firewall, I would recommend removing port 2/g20 from port-channel 5. Then it would be necessary to set this port to trunk mode and allow VLAN 10.

3 Posts

December 12th, 2013 12:00

OK, I am finally able to circle back around to this problem. Sorry for the delay.

Here is the port-channel configuration output you asked for:

coreswitch#show interfaces port-channel 3

Channel Ports Hash Algorithm Type
------- ----------------------------- -------------------
ch3 Inactive: 3/g2, 3/g7 3

Hash Algorithm Type
1 - Source MAC, VLAN, EtherType, source module and port Id
2 - Destination MAC, VLAN, EtherType, source module and port Id
3 - Source IP and source TCP/UDP port
4 - Destination IP and destination TCP/UDP port
5 - Source/Destination MAC, VLAN, EtherType, source MODID/port
6 - Source/Destination IP and source/destination TCP/UDP port

coreswitch#show interfaces port-channel 5

Channel Ports Hash Algorithm Type
------- ----------------------------- -------------------
ch5 Inactive: 2/g20 3

Hash Algorithm Type
1 - Source MAC, VLAN, EtherType, source module and port Id
2 - Destination MAC, VLAN, EtherType, source module and port Id
3 - Source IP and source TCP/UDP port
4 - Destination IP and destination TCP/UDP port
5 - Source/Destination MAC, VLAN, EtherType, source MODID/port
6 - Source/Destination IP and source/destination TCP/UDP port

coreswitch#

There is no way to set up a port channel on eth6 of the firewall. So it sounds like I certainly need to remove 2/g20 from port channel 5 and then set the Ethernet port to allow VLAN 10. Is this what you're saying?

3 Posts

December 12th, 2013 16:00

Mark

First step: yes, remove port 2/g20 from port channel 3. Next, if the firewall is expecting tagged traffic, then you will want to change the switchport mode of port 2/g20 to trunk or general mode (tagged VLAN 10); if the firewall is expecting untagged traffic, then you should not have to do anything further (port channel 5 was set to trunk switchport mode; port 2/g20 is currently set to access switchport mode). Finally, if the firewall is expecting tagged traffic, then be certain it is allowing VLAN 10, like you said.
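Added illustration, not code from the thread, of the point made in the October 29th and December 12th replies: a switchport in access mode drops the firewall's tagged replies, while general mode with VLAN 10 tagged forwards them. The port name, VLAN and firewall behaviour come from the posts above; the ingress model itself is a constructed simplification of 802.1Q handling, not the switch's real implementation.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class SwitchPort:
    """Simplified 802.1Q ingress rules of one switchport (constructed model,
    not the switch's real implementation)."""
    name: str
    mode: str                                  # "access", "trunk" or "general"
    pvid: int = 1                              # VLAN given to untagged frames
    tagged: FrozenSet[int] = frozenset()       # VLAN IDs accepted with a tag
    accept_untagged: bool = True               # general mode may refuse untagged


def classify_ingress(port: SwitchPort, vid: Optional[int]) -> Optional[int]:
    """Return the VLAN an incoming frame is switched into, or None if the
    port drops it. vid is the 802.1Q VLAN ID carried by the frame, or None
    when the frame arrives untagged."""
    if vid is None:                            # untagged frame
        if port.mode == "access" or port.accept_untagged:
            return port.pvid
        return None
    if port.mode == "access":                  # access mode drops tagged frames
        return None
    return vid if vid in port.tagged else None  # trunk/general: VLAN must be allowed


# Constructed reproduction of the thread's situation: the firewall on the far
# side of 2/g20 sends its replies tagged with VLAN 10.
FIREWALL_REPLY_VID = 10
ACCESS_2G20 = SwitchPort("2/g20", "access", pvid=10)
GENERAL_2G20 = SwitchPort("2/g20", "general", pvid=1, tagged=frozenset({10}))


def firewall_reply_result(port: SwitchPort) -> Optional[int]:
    """VLAN the firewall's tagged reply lands in for the given port config,
    or None when the port drops it."""
    return classify_ingress(port, FIREWALL_REPLY_VID)


if __name__ == "__main__":
    for port in (ACCESS_2G20, GENERAL_2G20):
        result = firewall_reply_result(port)
        verdict = "dropped" if result is None else f"forwarded in VLAN {result}"
        print(f"{port.name} in {port.mode} mode: {verdict}")
```

Running it shows the tagged reply dropped on the access-mode port and forwarded in VLAN 10 on the general-mode port; an untagged frame on the access port still lands in its PVID.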
