
October 29th, 2013 09:00

VLAN Configuration

OK, VLAN/PowerConnect gurus, I've been banging my head against the monitor for a couple of days now, and can't figure out why this is not working.  Here's the scenario:

I have a DELL R710 server running VMware 5.0.0.  I have a vSwitch configured on 2 of the NICs (VLAN: 10).  These NICs are connected to a 3-unit stack of 6248P PowerConnect switches (on ports 3/g2 and 3/g7)  (I know, they need to be on different units for failover best practices, but that's a different story, so please don't bash me on that!).  This VLAN is my backup network that handles all of my backup traffic from all the various agents on the physical and virtual servers.  Here are the configuration settings for the switchport:

coreswitch#show interfaces switchport port-channel 3

Port: ch3
VLAN Membership mode:Access Mode

Operating parameters:
PVID: 10
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged
Default Priority: 0
GVRP status:Disabled

Port ch3 is member in:

VLAN  Name                               Egress rule  Type
----  ---------------------------------  -----------  --------
10    Backup Network                     Untagged     Static


Static configuration:
PVID: 10
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged

Port ch3 is statically configured to:

VLAN  Name                               Egress rule
----  ---------------------------------  -----------
10    Backup Network                     Untagged

Forbidden VLANS:
VLAN Name
---- ---------------------------------

coreswitch#

And each of the individual ports:

coreswitch#show interfaces switchport ethernet 3/g2

Port: 3/g2
VLAN Membership mode:Access Mode

Operating parameters:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged
Default Priority: 0
GVRP status:Disabled
Protected:Disabled

Port 3/g2 is member in:

VLAN  Name                               Egress rule  Type
----  ---------------------------------  -----------  --------
1     Default                            Untagged     Default


Static configuration:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged

Port 3/g2 is statically configured to:

VLAN Name Egress rule
---- --------------------------------- -----------

Forbidden VLANS:
VLAN Name
---- ---------------------------------

coreswitch#show interfaces switchport ethernet 3/g7

Port: 3/g7
VLAN Membership mode:Access Mode

Operating parameters:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged
Default Priority: 0
GVRP status:Disabled
Protected:Disabled

Port 3/g7 is member in:

VLAN  Name                               Egress rule  Type
----  ---------------------------------  -----------  --------
1     Default                            Untagged     Default


Static configuration:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged

Port 3/g7 is statically configured to:

VLAN Name Egress rule
---- --------------------------------- -----------

Forbidden VLANS:
VLAN Name
---- ---------------------------------

coreswitch#

I have a firewall (Watchguard), configured to allow VLAN 10 on its interface eth6.  That interface is connected to the coreswitch on 2/g20, which is a member (the only member) of port-channel 5.  The settings for the port-channel and ethernet port are:

coreswitch#show interfaces switchport port-channel 5

Port: ch5
VLAN Membership mode:Trunk Mode

Operating parameters:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: VLAN Only
Default Priority: 0
GVRP status:Disabled

Port ch5 is member in:

VLAN  Name                               Egress rule  Type
----  ---------------------------------  -----------  --------
10    Backup Network                     Tagged       Static


Static configuration:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: VLAN Only

Port ch5 is statically configured to:

VLAN  Name                               Egress rule
----  ---------------------------------  -----------
10    Backup Network                     Tagged

Forbidden VLANS:
VLAN Name
---- ---------------------------------

coreswitch#show interfaces switchport ethernet 2/g20

Port: 2/g20
VLAN Membership mode:Access Mode

Operating parameters:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged
Default Priority: 0
GVRP status:Disabled
Protected:Disabled

Port 2/g20 is member in:

VLAN  Name                               Egress rule  Type
----  ---------------------------------  -----------  --------
1     Default                            Untagged     Default


Static configuration:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged

Port 2/g20 is statically configured to:

VLAN Name Egress rule
---- --------------------------------- -----------

Forbidden VLANS:
VLAN Name
---- ---------------------------------

coreswitch#

Now, the real problem - I cannot ping either device from the other.  I can ping both from coreswitch, but no connectivity otherwise.  

Would somebody please point out my mistake?

Thanks,

Mark

Moderator

October 29th, 2013 10:00

Hi Mark,

You are trying to get your backup server and this VMware server to communicate, correct?

Ports 3/g2 and 3/g7 are part of port channel 3 and are connected to the VMware host.

Traffic then goes out port channel 5, port 2/g20 through the firewall on interface 6 then where does it go? To a remote location with another firewall and switch, or is the backup device connected to the firewall directly?


October 29th, 2013 11:00

Hi Josh.  From the firewall, it exits out the public interface (eth0) on the firewall to the office backup service we use.  We're not getting any traffic between the firewall and VM backup agent and I'm pretty sure it has to do with the VLAN config.  If I put everything on VLAN, it works like a champ, but I want to restrict my backup traffic to that VLAN only.

Moderator

October 29th, 2013 12:00

It does sound like a VLAN issue. They are in the same subnet, right? The traffic from the firewall to the server might be getting dropped by the switchport mode access, as it is designed to accept untagged traffic and drop tagged traffic; the firewall might be sending the traffic back tagged. You could try changing the switchport mode on port channel 3 to general and allow it to accept VLAN 10 tagged and see if that works.


December 4th, 2013 20:00

Mark, from what I see, your VLANs are configured correctly. What I don't see is whether your port channels are configured correctly. Let's see the output from a "show int po 3" and "show int po 5" to make certain that the ports are properly added to the port channels. Also, there is no reason to have only one port in a port channel; since a port channel must be configured on both ends, and you didn't state whether you have a port channel set up on eth6 of the firewall, I would recommend removing port 2/g20 from port-channel 5. Then it would be necessary to set this port to trunk mode and allow VLAN 10.


December 12th, 2013 12:00

OK, I finally am able to circle back around to this problem.  Sorry for the delay.

Here are the port-channel configuration output you asked for:

coreswitch#show interfaces port-channel 3

Channel  Ports                          Hash Algorithm Type
-------  -----------------------------  -------------------
ch3      Inactive: 3/g2, 3/g7           3

Hash Algorithm Type
1 - Source MAC, VLAN, EtherType, source module and port Id
2 - Destination MAC, VLAN, EtherType, source module and port Id
3 - Source IP and source TCP/UDP port
4 - Destination IP and destination TCP/UDP port
5 - Source/Destination MAC, VLAN, EtherType, source MODID/port
6 - Source/Destination IP and source/destination TCP/UDP port

coreswitch#show interfaces port-channel 5

Channel  Ports                          Hash Algorithm Type
-------  -----------------------------  -------------------
ch5      Inactive: 2/g20                3

Hash Algorithm Type
1 - Source MAC, VLAN, EtherType, source module and port Id
2 - Destination MAC, VLAN, EtherType, source module and port Id
3 - Source IP and source TCP/UDP port
4 - Destination IP and destination TCP/UDP port
5 - Source/Destination MAC, VLAN, EtherType, source MODID/port
6 - Source/Destination IP and source/destination TCP/UDP port

coreswitch#

There is no way to set up a port channel on eth6 of the firewall.  So it sounds like I certainly need to remove 2/g20 from port channel 5 and then set the ethernet port to allow VLAN 10.  Is this what you're saying?


December 12th, 2013 16:00

Mark

First step: yes, remove port 2/g20 from port channel 3. Next, if the firewall is expecting tagged traffic, then you will want to change the switchport mode of port 2/g20 to trunk or general mode (tagged vlan 10); if the firewall is expecting untagged traffic, then you should not have to do anything further (port channel 5 was set to trunk switchport mode, port 2/g20 is currently set to access switchport mode). Finally, if the firewall is expecting tagged traffic, then be certain it is allowing vlan 10, like you said.
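The tagging rules argued over in this thread (the moderator's October 29th point that an access-mode port admits only untagged frames, and the December replies proposing general mode with VLAN 10 tagged on ch3 and trunk mode with VLAN 10 allowed on 2/g20 once it is out of the LAG) can be checked with a small model of 802.1Q port behaviour. This is an added example, not code from the thread or from Dell. It builds the ports from the "show interfaces switchport" output posted above and assumes three things that the thread does not settle: that the ESXi vSwitch port group on VLAN 10 sends and expects 802.1Q-tagged VLAN 10 frames, that the firewall's eth6 does the same, and that a general-mode port keeps its "Admit All" default. The names Port, ingress, egress, forward and backup_path_ok, and the CH3_GENERAL and G20_TRUNK ports, are the example's own constructions.

```python
"""802.1Q port-mode model: access / trunk / general, as on a PowerConnect.

Added example. It is not code from the forum thread or from Dell; it only
encodes the ingress and egress rules that the 'show interfaces switchport'
output in the thread reports (acceptable frame type, PVID, ingress
filtering, tagged/untagged membership).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """One switchport, with the fields 'show interfaces switchport' prints."""
    name: str
    mode: str                  # "access", "trunk" or "general"
    pvid: int                  # VLAN an untagged frame is classified into
    untagged: frozenset        # VLANs this port sends untagged
    tagged: frozenset          # VLANs this port sends 802.1Q-tagged
    ingress_filtering: bool = True

    @property
    def acceptable_frame_type(self) -> str:
        # Same values as the thread's output: access admits only untagged
        # frames, trunk only tagged ("VLAN Only"). General mode is assumed
        # to keep its "Admit All" default.
        return {"access": "Untagged", "trunk": "VLAN Only",
                "general": "Admit All"}[self.mode]

    @property
    def member_vlans(self) -> frozenset:
        return self.untagged | self.tagged


def ingress(port, vid):
    """Classify a frame arriving on `port`; vid is None for an untagged frame.
    Returns (vlan, None) if accepted, (None, reason) if dropped."""
    aft = port.acceptable_frame_type
    if vid is None:
        if aft == "VLAN Only":
            return None, f"{port.name}: untagged frame dropped (acceptable frame type VLAN Only)"
        vlan = port.pvid
    else:
        if aft == "Untagged":
            return None, f"{port.name}: tagged frame (VLAN {vid}) dropped (acceptable frame type Untagged)"
        vlan = vid
    if port.ingress_filtering and vlan not in port.member_vlans:
        return None, f"{port.name}: VLAN {vlan} dropped by ingress filtering (port is not a member)"
    return vlan, None


def egress(port, vlan):
    """How a frame in `vlan` leaves `port`: 'untagged', 'tagged', or None if not a member."""
    if vlan in port.untagged:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def forward(src, vid, dst):
    """Push one frame in on `src` and out on `dst`.
    Returns (tag, trace): tag is the 802.1Q VID the frame carries when it
    leaves dst, None if it leaves untagged, or the string 'dropped'."""
    vlan, reason = ingress(src, vid)
    if vlan is None:
        return "dropped", reason
    how = egress(dst, vlan)
    if how is None:
        return "dropped", f"{dst.name}: not a member of VLAN {vlan}"
    return (vlan if how == "tagged" else None), f"{src.name} -> VLAN {vlan} -> {dst.name} ({how})"


def backup_path_ok(host_uplink, fw_port):
    """True only if VLAN 10 crosses the switch in both directions and arrives
    at each end still tagged 10. Assumption: the ESXi vSwitch port group
    (VLAN 10) and the firewall's eth6 both send and expect tagged frames."""
    to_fw, _ = forward(host_uplink, 10, fw_port)
    to_host, _ = forward(fw_port, 10, host_uplink)
    return to_fw == 10 and to_host == 10


# The ports as the thread's 'show interfaces switchport' output reports them.
CH3_AS_POSTED = Port("ch3", "access", pvid=10, untagged=frozenset({10}), tagged=frozenset())
CH5_AS_POSTED = Port("ch5", "trunk", pvid=1, untagged=frozenset(), tagged=frozenset({10}))
# Constructed: ch3 in general mode with VLAN 10 tagged, as the moderator suggested.
CH3_GENERAL = Port("ch3", "general", pvid=10, untagged=frozenset(), tagged=frozenset({10}))
# Constructed: 2/g20 out of the LAG, trunk mode, VLAN 10 allowed, per the Dec 4 reply.
G20_TRUNK = Port("2/g20", "trunk", pvid=1, untagged=frozenset(), tagged=frozenset({10}))

if __name__ == "__main__":
    for label, host, fw in [("as posted", CH3_AS_POSTED, CH5_AS_POSTED),
                            ("ch3 general", CH3_GENERAL, CH5_AS_POSTED),
                            ("ch3 general + 2/g20 trunk", CH3_GENERAL, G20_TRUNK)]:
        print(f"[{label}] backup path ok: {backup_path_ok(host, fw)}")
        print("   host->fw:", forward(host, 10, fw)[1])
        print("   fw->host:", forward(fw, 10, host)[1])
```

Run as-is it prints one line per direction for each scenario. With the configuration as posted, the host's tagged VLAN 10 frames are dropped on ingress at ch3 (access mode, acceptable frame type Untagged), and frames from the firewall leave ch3 untagged, which a VLAN 10 port group would not accept; with ch3 in general mode carrying VLAN 10 tagged, both directions pass whether the firewall side is ch5 or a standalone 2/g20 in trunk mode. The model covers only the 802.1Q classification rules; it says nothing about the LAG itself, and the "show interfaces port-channel" output above lists the members of both channels as Inactive, which is a separate thing to check on the switch.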
