tgasch

VLAN configuration question with virtual machines (Hyper-V) and physical hosts


Hello,

I have a failover cluster configuration running with two Microsoft Hyper-V hosts and two redundant PowerConnect 5448 switches that provide all necessary connections (iSCSI, Hyper-V connections, client connections). Everything has been working for quite a while so far. Now I wanted to achieve a more sophisticated separation of the networks by integrating an additional internal router/firewall (software in a VM) and more VLANs. But one of the newly configured routes is not working properly, so let me explain in short (really?) what I want to achieve, please:

Current state of the PowerConnect configuration:

I have connected the Hyper-V hosts (several virtual machines with Windows Server 2008 R2 on two physical hosts) to the switch ports 23-25. These ports should (and already do) support several VLANs.

A hardware internet router box (LANCOM) is connected to port 44.

I'm using link aggregation with network switches (HP) for the client nodes, which was configured on ports 45-48 and is working properly.

 

Achievement:

One new virtual machine should act as the mentioned additional firewall (running Microsoft TMG 2010 – and no, it's not necessary to discuss if running TMG in a VM is a "smart" security scenario :) ) and should route traffic to the hardware router box (with "edge" firewall) for accessing the internet. The client and server nodes should get access to the TMG VM, but not to the hardware router directly.

Now I added the following VLAN/tagging configuration:

  • Client nodes don't tag, but the PowerConnect switches must tag packets from clients to other nodes (and untag in the other direction); clients should be in VLAN 20.
  • TMG has access to VLANs 20 (intranet) and 21 (edge network with hardware router) by having two vNICs configured with active tagging, one for each VLAN.
  • The internet router is not tagging but should be accessible from VLAN 21 only, so VLAN tags should be removed when packets go out from the switch to the router, and packets from the router going into the switch should get tagged (with VLAN 21).

 

And this is my problem:

Clients cannot access (e.g. ping) either the internet router box or any WAN address by going through TMG; but all nodes in VLAN 20 (including the server VMs) can be accessed by them correctly.

But the new VM-firewall (TMG) can access (e.g. ping) every VLAN it is supposed to, including the internet router and any external addresses. And all other virtual nodes (having VLAN 20 configured on their single vNIC) can communicate with all other nodes, physical or virtual, in VLAN 20 and with the internet router and any external addresses (crossing TMG), too. The rules in TMG are configured properly, by the way.

I suppose that client node tagging of VLAN 20 is not configured correctly in the PowerConnect switches for my purpose.

Here are the relevant configuration script parts concerning the VLAN port configurations:

 

 

Ports 23-25 for Hyper-V hosts:

interface range ethernet g(23-25)
switchport mode general
switchport general allowed vlan add 20 untagged
switchport general allowed vlan add 21-25 tagged
switchport general pvid 20
no switchport general acceptable-frame-type tagged-only
exit

 

Port 44 for internet router:

interface ethernet g44
switchport mode general
switchport general allowed vlan add 21 untagged
switchport general pvid 21
no switchport general acceptable-frame-type tagged-only
exit

 

Ports 45-48 for link aggregation with client switches:

interface port-channel 2
switchport access vlan 20
exit

interface range ethernet g(45-48)
channel-group 2 mode auto
exit

 

Is the desired VLAN configuration (e.g. adding tags in untagged packets and removing tags on allowed outgoing packets) supported by PowerConnect 5448 at all?

If so, is the VLAN 20/21 configuration (as scripted) correct? I assume NOT.

 

Thanks for any help in advance.

 

Many regards

tgasch

tgasch (accepted solution)

Re: VLAN configuration question with virtual machines (Hyper-V) and physical hosts

Problem solved!

dpisa01

Re: VLAN configuration question with virtual machines (Hyper-V) and physical hosts

Hi,

I have the same problem with a Hyper-V 2012 cluster.

Please, could you share your configuration details with me? I don't need any internal information.

Just some details on the switch configuration and the Hyper-V networks and virtual switch.

I'm going crazy!!

I have 6 Dell M610 blades, connected to 4 Dell M6220 switches. The Dell switches are connected to 2 different Cisco switches.

I configured:

Ports 1 -> 6 (Hyper-V hosts) with 2 VLANs: 100 untagged, 101 tagged, PVID 100.

Port 18, VLAN 100, access mode -> connected to Cisco switch port 1 (trunk).

Port 19, VLAN 101, access mode -> connected to a different Cisco switch, port 1 (trunk).

On vlan 100 (pvid) I'm able to work without problems.

On VLAN 101 I'm not able to do anything.

On the blades there is a NIC team (port 1, A2 and B2 M6220 switches) without any VLAN definition.

On Hyper-V a virtual switch is defined over the team.

How do you solve the problem?

Cheers

David
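Both posts come down to the same 802.1Q question: which VLAN an untagged or tagged frame is assigned when it enters a port, and whether it leaves the next port with or without a tag. The following Python model is an added example, not part of this thread and not a Dell tool. It parses the switchport lines quoted verbatim in the first post, plus an assumed CLI rendering of the M6220 layout dpisa01 describes in prose (interface names simplified to the same g<N> style), and then answers "what comes out of port B when a frame enters port A?". Two modelling assumptions are marked in the code: ingress filtering is on (a tag for a VLAN the port is not a member of is dropped), and an access port accepts a frame tagged with its own VLAN.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    untagged: set = field(default_factory=set)  # VLANs leaving this port without a tag
    tagged: set = field(default_factory=set)    # VLANs leaving this port with an 802.1Q tag
    pvid: int = 1                               # VLAN assigned to untagged ingress frames
    tagged_only: bool = False                   # acceptable-frame-type tagged-only
    channel: Optional[str] = None               # port-channel this LAG member belongs to

def _vlans(text):
    # '20' -> {20}; '21-25' -> {21, ..., 25}; '20,22-23' -> {20, 22, 23}
    out = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_config(text):
    """Parse the subset of PowerConnect-style switchport CLI used in the thread."""
    ports, current = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"interface (?:range )?ethernet g\(?(\d+)(?:-(\d+))?\)?$", line):
            lo, hi = int(m[1]), int(m[2] or m[1])
            current = [ports.setdefault(f"g{i}", Port()) for i in range(lo, hi + 1)]
        elif m := re.match(r"interface port-channel (\d+)$", line):
            current = [ports.setdefault(f"po{m[1]}", Port())]
        elif line == "exit":
            current = []
        for p in current:  # 'switchport mode' needs no state; the vlan add lines carry it
            if m := re.match(r"switchport access vlan (\d+)$", line):
                p.untagged, p.tagged, p.pvid = {int(m[1])}, set(), int(m[1])
            elif m := re.match(r"switchport general allowed vlan add (\S+) (un)?tagged$", line):
                (p.untagged if m[2] else p.tagged).update(_vlans(m[1]))
            elif m := re.match(r"switchport general pvid (\d+)$", line):
                p.pvid = int(m[1])
            elif m := re.match(r"(no )?switchport general acceptable-frame-type tagged-only$", line):
                p.tagged_only = not m[1]
            elif m := re.match(r"channel-group (\d+) mode \w+$", line):
                p.channel = f"po{m[1]}"
    return ports

def _effective(ports, name):
    # A LAG member forwards with its port-channel's VLAN settings
    p = ports[name]
    return ports[p.channel] if p.channel else p

def classify_ingress(ports, in_port, tag=None):
    """VLAN a frame gets on ingress, or None if the port drops it (ingress filtering assumed on)."""
    p = _effective(ports, in_port)
    if tag is None:
        return None if p.tagged_only else p.pvid
    return tag if tag in (p.untagged | p.tagged) else None  # assumption: access ports accept own tag

def forward(ports, in_port, out_port, tag=None):
    """(vlan, 'tagged' | 'untagged') for a frame crossing the switch, or None if not forwarded."""
    vlan = classify_ingress(ports, in_port, tag)
    if vlan is None:
        return None
    out = _effective(ports, out_port)
    if vlan in out.untagged:
        return vlan, "untagged"
    if vlan in out.tagged:
        return vlan, "tagged"
    return None

# Port configuration quoted verbatim from the first post (PowerConnect 5448).
OP_CONFIG = """
interface range ethernet g(23-25)
switchport mode general
switchport general allowed vlan add 20 untagged
switchport general allowed vlan add 21-25 tagged
switchport general pvid 20
no switchport general acceptable-frame-type tagged-only
exit
interface ethernet g44
switchport mode general
switchport general allowed vlan add 21 untagged
switchport general pvid 21
no switchport general acceptable-frame-type tagged-only
exit
interface port-channel 2
switchport access vlan 20
exit
interface range ethernet g(45-48)
channel-group 2 mode auto
exit
"""

# Assumed CLI rendering of the M6220 setup dpisa01 describes in prose (names simplified).
DPISA_CONFIG = """
interface range ethernet g(1-6)
switchport mode general
switchport general allowed vlan add 100 untagged
switchport general allowed vlan add 101 tagged
switchport general pvid 100
exit
interface ethernet g18
switchport access vlan 100
exit
interface ethernet g19
switchport access vlan 101
exit
"""
```

Calling `forward(parse_config(OP_CONFIG), "g47", "g23")` gives `(20, 'untagged')`: a client frame entering through the LAG is placed in VLAN 20 by the port-channel's access VLAN and leaves the Hyper-V port without a tag, because VLAN 20 is an untagged member there. `forward(..., "g44", "g23")` gives `(21, 'tagged')` and `forward(..., "g23", "g44", tag=21)` gives `(21, 'untagged')`, which is exactly the tag-on-ingress, strip-on-egress behaviour the first post asks whether the 5448 supports: general mode with a pvid does it. `forward(..., "g44", "g47")` returns `None`, so VLAN 21 never reaches the client port-channel. For dpisa01's layout, `forward(parse_config(DPISA_CONFIG), "g1", "g19", tag=101)` gives `(101, 'untagged')`: a VM frame tagged 101 leaves uplink port 19 untagged because that port is in access mode, and how the Cisco trunk classifies an untagged frame depends on its native VLAN, which the post does not state and this model does not know.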
