February 27th, 2012 00:00

vLANs on PC 6248 Stack and vSwitches

Hi,

Soon I will be configuring a 3 hosts vSphere cluster using Essentials Plus.  I have about 21 servers that I am planning to eventually virtualize. 

Currently my IP scheme is 192.168.10.x.  I would like to vLAN and subnet the network separating workstations, printers, servers, vMotion/Management and DMZ.  To be honest I'm kind of stuck on where to start.

Do I configure vLAN tagging on both ends (vSwitches and pSwitches)?

I have a 5 switch Powerconnect 6248 stack.  Do I still have to configure trunking between the switches or is it not needed because they are stackable switches?

Do I have to configure trunking at all?

Can I or should I eliminate VLAN1?

As you can tell I have not done this before.  Can anyone provide some examples on how to configure the stack including routing with the following assumptions?

192.168.10.0 /24 - Servers

192.168.15.0 /24 - Printer

192.168.20.0 /24 - DMZ

192.168.25.0 /24 - Workstations

192.168.30.0 /24 - vMotion/Management

I did not include iSCSI traffic for the SAN because that will be handled on its own switch.

I have 10 NIC ports on each server and I was planning to NIC team and use link aggregation to make the best use of bandwidth.  I was told that if I NIC team and do link aggregation I might run into port flapping and issues where the ARP table would constantly refresh because it will detect frames going to different interfaces. 

Hopefully I made some sense and you can provide some help for what I need to do.


Feel free to ask any questions that might help you better understand my environment and what I am trying to accomplish.

-vGeek

5 Practitioner

 • 

274.2K Posts

February 27th, 2012 08:00

I will do my best to answer the questions you have, and provide some ideas on what the commands may  look like, along with some documentation.

 "Can I or should I eliminate VLAN1?"

VLAN 1 is your management VLAN for the switch, or in this case the stack. You assign an IP to this VLAN, and then can access it through the web, telnet, ssh, etc. You can certainly change the management VLAN to another VLAN if you want, completely up to you.

 This is an example of how you would create a VLAN, name it, and assign an IP address to it.

console> enable

console# config

console(config)# vlan database

console(config-vlan)# vlan 2

console(config-vlan)# exit

console(config)# interface vlan 2

console(config-if)# name Management

console(config-if)# ip address 131.108.1.27 255.255.255.0

console(config-if)# end

 Then to change the management VLAN to this newly created VLAN, you would run this command.

console> enable

console# configure

console(config)#ip address vlan 2

 "Do I configure vLAN tagging on both ends (vSwitches and pSwitches)?"

"Do I have to configure trunking at all?"

 I will try to answer these together. Yes you want to trunk between the switch and the physical server. In a trunk all frames must be tagged, so yes tagged.

The commands would look similar to this, but of course with your VLANS in place of 101 and 102.

 interface ethernet g7

switchport mode trunk

switchport trunk allowed vlan add 101

switchport trunk allowed vlan add 102

exit

 You can use VLAN 1 as the native VLAN of the trunk, which you can configure using the following command:

 switchport trunk native vlan 1

 This document does a really good job of explaining things and going over scenarios, it should help out.

http://www.dell.com/downloads/global/power/ps3q08-20080213-Ramos.pdf

 "Can anyone provide some examples on how to configure the stack including routing with the following assumptions?"

"I have a 5 switch Powerconnect 6248 stack.  Do I still have to configure trunking between the switches or is it not needed because they are stackable switches?"

 The following information should help clear this up.

 When switches are stacked, there is no need to connect any other ports together and trunk them.

Here is some documentation on stacking switches.

http://www.dell.com/downloads/global/products/pwcnt/en/pwcnt_stacking_switches.pdf

 For routing you can enable routing using this command.

console> enable

console# config

console(config)# ip routing

 To enable routing for the VLAN, run this command

 console(config)#interface vlan 2

console(config-if-vlan2)#routing

console(config-if-vlan2)#exit

 Here is a good document that goes over VLAN routing.

http://www.dell.com/downloads/global/products/pwcnt/en/app_note_38.pdf

 I hope this information helps out some. If you have any other questions, let me know and I will do my best to answer, and if I don’t know I will try and find out for you.

 Thanks.

20 Posts

February 27th, 2012 11:00

Daniel,

Thank you very much for your help.  It is well appreciated.

Could you provide more information in regards to link aggregation?  Is it true that I will run into port flapping issues or issues where the ARP table gets constantly refreshed?

Also, what about things like STP and portfast? Do they need to be disabled/enabled?

As long as I don't touch VLAN1, which is where all my devices currently reside, I can create the new VLANs and start playing with them without affecting my users and causing down time, right?

20 Posts

February 27th, 2012 12:00

Wow, thanks again for your help.  You have gone above and beyond.  I will start testing your recommendations and will post the outcome when I'm done.

5 Practitioner

 • 

274.2K Posts

February 27th, 2012 12:00

Yeah definitely keep us updated. Also don’t forget that we also have phone support for the PowerConnect line, so if you are in the middle of implementation or testing and run into a snag, feel free to give these guys a call.

1-800-945-3355

5 Practitioner

 • 

274.2K Posts

February 27th, 2012 12:00

 

This forum post is on a stack of 55xx and creating LAGs, but the basic commands and principles should still be the same for the 62xx.

http://en.community.dell.com/support-forums/network-switches/f/866/t/19437712.aspx

 

The LAG is going to be a group of ports you place together in a channel. Since you have these stacked, you can even put ports from different switches that are in the stack, into a LAG.

Example of what command may look like.

console> enable

console# configure

console(config)# interface range ethernet g1-2

console(config-if)# channel-group 1 mode auto

console(config-if)# exit

console(config)#

 

Here is a good article on "LINK AGGREGATION INTEROPERABILITY OF THE DELL POWERCONNECT 6200 SERIES SWITCH"

http://www.dell.com/downloads/global/products/pwcnt/en/pwcnt_link_aggregation.pdf

 

And of course the owner's manual goes over these commands also. Page 439:

http://support.dell.com/support/edocs/network/PC62xx/en/CLI/PDF/cli_en.pdf

 

I am not real familiar with the port flapping/ARP issue. I did some research and found where people were talking about this when using a Cisco switch in the mix. And to correct this they used General mode for the switch connection between the Cisco and the PowerConnect. But not something we would do here.

 

http://en.community.dell.com/support-forums/network-switches/f/866/t/19335968.aspx

 

  • Portfast is used for non-switch devices
      • Clients
      • Servers
      • Printers
  • Portfast configuration ignored when port is connected to another switch

 

I would think since these ports are effectively connecting to virtual switches, you would leave portfast turned off. The following document outlines some specific times when you might enable it, but it looks to be with a Cisco switch. It also talks some about STP and the virtual switches.

http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf

 

"Spanning tree protocol (STP) — disable STP on physical network interfaces connected to the ESX Server host. For Cisco-based networks,"

 

"Spanning Tree Protocol Not Needed

VMware Infrastructure 3 enforces a single-tier networking topology. In other words, there is no way to interconnect multiple virtual switches, thus the network cannot be configured to introduce loops. As a result, Spanning Tree Protocol (STP) is not needed and is not present."

 

You can create, name and assign IP addresses to VLANs on the switch, without interfering with its current use. Once you get ready to assign those VLANs to specific ports, I would make sure you are not at peak time of the day, as there could be interruptions.

 

If I run into any more info on the port flapping/ARP I will post it up.

20 Posts

February 28th, 2012 06:00

I have another question:

For those servers that are not going to be virtualized yet, do I have to set their ports in access mode?  I understand that for the ports connected to the ESXi hosts I need to configure the ports as trunking ports because they connect to vSwitches but I am not sure about the rest of the ports like the ports for non virtualized servers, printers, PCs and other network devices such as IPS and firewalls.

Also, I have seen recommendations on changing the Native VLAN1 for security reason.  I have seen this for Cisco switches and was wondering whether it is a good practice for Dell switches too.

supportforums.cisco.com/.../2002990

5 Practitioner

 • 

274.2K Posts

February 28th, 2012 07:00

For any VLAN unaware devices, such as the physical servers that have not been virtualized yet, PCs, printers, they would be in access mode with portfast usually turned on.

For any other network device, like a firewall, that is VLAN aware, you would use the general or trunk mode.

Couple of forum posts with similar ideas.

en.community.dell.com/.../19996805.aspx

en.community.dell.com/.../19963760.aspx

I do not have any documentation that recommends changing the native VLAN from 1 to something else. But the switch has the capability, it is easy to implement, so I would say go for it.

20 Posts

February 28th, 2012 07:00

Great.

Also,

I currently have one default gateway for all devices (192.168.10.1).  To minimize the amount of changes to my critical devices (servers, network devices, etc.) I was thinking about using the 192.168.10.x for my servers and network devices, leaving my firewall as default gateway for 192.168.10.x.

I understand that the IP that I assign to each of my VLANs will serve as the default gateway for the devices on that VLAN.  How will internet access work?

And if I use the firewall as default gateway for 192.168.10.x, do I still have to assign an IP to the VLAN where 192.168.10.x will reside?

5 Practitioner

 • 

274.2K Posts

February 28th, 2012 12:00

The default gateway is going to be the IP address of the VLAN the device is in.

For instance your Printer:

The IP address of your Printer is

192.168.15.x /24

We will say it is in VLAN 15. And VLAN 15 has an IP address of 192.168.15.1 /24

So you set that Printer default gateway to 192.168.15.1

Then in the instance of communication outside of VLAN 15, in your instance the internet, routing is enabled and will take over that communication outside the VLAN.

Looking things over some more, the connection between the firewall and the switch should really be on its own VLAN, and not mixed in with the same VLAN as other devices.

Based on what we have gone over so far I have mocked up a sample diagram, just to give you an idea of what the network may look like.

en.community.dell.com/.../network-diagram.pdf.aspx

I hope this answers your questions, if not let me know.

Thanks.

20 Posts

February 29th, 2012 06:00

Thanks for your patience.  

I have two NIC ports on each one of my 3 ESXi hosts that I will be putting on a LAG and on its own VLAN.  This group is for management and vMotion of my hosts.  Since I won't have everything virtualized just yet I was wondering if I should keep management of non virtualized environment and management of virtualized server on two different VLANs.

Also, how will DHCP work?  I currently have a couple of DHCP servers on 192.168.10.x.  I was thinking to use 192.168.10.x for my servers VLAN.  If my DHCP servers are 192.168.10.203 and 192.168.10.204, will they be able to provide IPs for my workstations on VLAN 11 (192.168.11.x)?

5 Practitioner

 • 

274.2K Posts

February 29th, 2012 07:00

It is a good idea to keep your virtual environment on one VLAN and physical servers on another. When you have the servers split like this the management is going to be inherently split.

For instance, if your virtual environment is on 192.168.30.x /24, which is VLAN 30, and say you use VI Client to manage it, you would use the 192.168.30.x IP address to access and manage it.

With the physical servers, 192.168.11.x /24, on VLAN 11, say you used OpenManage Server Administrator to manage those. You would use the IP address 192.168.11.x to access and manage.

So inherently the management would occur on the same VLAN that the device resides in.

Now, if you had enough network ports on each device to use one port for only management, then you could take one network port from each device, create a "Management" VLAN and put each of those individual ports in the respective management VLAN.

I hope that helps explain? Maybe you had a different idea on how to separate the management to a different VLAN?

In an article like the following they use a centralized DHCP server.

"In networks with a central server running Dynamic Host Configuration Protocol (DHCP), the router can be configured to relay DHCP requests from each subnet. The DHCP server would be configured to assign IP addresses based on the origin IP subnet."

www.dell.com/.../app_note_38.pdf

But then in this forum post, they have the DHCP server in VLAN 10, and it appears to work.

en.community.dell.com/.../19363935.aspx

With routing enabled, and ensuring the DHCP scopes are set up, I would think the DHCP server should still work even when placed in its own VLAN.

Here are some general articles on DHCP Scope.

support.microsoft.com/.../139904

technet.microsoft.com/.../dd183624%28v=ws.10%29.aspx

www.tech-faq.com/dhcp-scope.html

Thanks

20 Posts

February 29th, 2012 10:00

I'm a bit confused with the VLAN 10 (Firewall) portion of your network diagram.  

What is the 192.168.10.2 address for?

Also, I am trying to avoid changing the static IPs of my servers which are on 192.168.10.x.  That's why I thought about leaving the servers on VLAN 10 using 192.168.10.x.  If I assign, as an example, VLAN 200 to the firewall and use 192.168.200.x, with 192.168.200.1 as the default gateway, do I still need another IP like you used with 192.168.10.2?

Can you explain a little more how exactly my devices will connect to the internet, taking into consideration that I have a couple of DNS servers which have forwarders configured on their zones? Do I leave these servers on the same VLAN as my other servers?

If the DNS servers have 192.168.10.x IP addresses and I configure them on the DHCP scopes or as static DNS server IP addresses on my other servers I guess routing will take care of forwarding the packets to the respective VLAN default gateways until they reach the destination device (DNS server), right?

I'm sorry that I keep going back and forth with this, but I am trying to map everything and make all the steps to accomplish this and I don't have a test environment except for a couple of PC 3424 and some of the commands are not the same.  As I gather all my answers I will prepare a configuration and will post it once I have everything ready and hopefully all this will make sense.  Once again, thanks a whole lot for your time.

5 Practitioner

 • 

274.2K Posts

February 29th, 2012 12:00

The 192.168.10.2 address is for the VLAN on the port that connects to firewall. When connecting the switch and the firewall with each other, it is best to put those ports into their own VLAN. It does not have to be 10, it could be anything you set it to. I just used 10 here as an example.

If you used VLAN 200 for the Trunk between the firewall and the switch, that would work fine, just don’t put anything else on that VLAN. 192.168.10.2 would change to 192.168.200.x on the port that connects to the firewall.

If you have physical servers, including the DNS and DHCP server already static in the 192.168.10.x and want to leave that all alone, you should have no issues doing so.

You are correct with routing, as long as default gateways are set, traffic should flow just fine, internal and external.

Let me know if this does not make any sense and I'll see about putting up a different diagram. Or if you want to message me the diagram you have. Either way.

Thanks :)
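
Added example, not part of the original thread and not Dell's code: a small Python check of the addressing plan discussed in these posts, applying the two rules stated above (the IP assigned to a VLAN is the gateway for hosts in it, and the firewall link VLAN carries nothing else). The VLAN IDs, the switch-side addresses and the sample hosts are assumptions constructed for illustration.

```python
import ipaddress

# Constructed plan: the subnets are the ones proposed in the thread; VLAN IDs,
# switch-side addresses and the sample hosts are assumptions for this example.
PLAN = {  # vlan id: (name, subnet, IP assigned to the VLAN on the switch)
    10:  ("Servers",       "192.168.10.0/24",  "192.168.10.1"),
    15:  ("Printers",      "192.168.15.0/24",  "192.168.15.1"),
    20:  ("DMZ",           "192.168.20.0/24",  "192.168.20.1"),
    25:  ("Workstations",  "192.168.25.0/24",  "192.168.25.1"),
    30:  ("vMotion/Mgmt",  "192.168.30.0/24",  "192.168.30.1"),
    200: ("Firewall link", "192.168.200.0/24", "192.168.200.2"),
}
TRANSIT_VLAN = 200  # carries only the switch-to-firewall connection
HOSTS = {  # name: (ip, configured default gateway), all constructed
    "dhcp1":   ("192.168.10.203", "192.168.10.1"),
    "printer": ("192.168.15.40",  "192.168.10.1"),   # old gateway left in place
    "ws-new":  ("192.168.11.25",  "192.168.11.1"),   # subnet missing from plan
    "nas":     ("192.168.200.10", "192.168.200.2"),  # parked on firewall link
}

def vlan_of(ip, plan):
    """Return the VLAN id whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for vid, (_, net, _) in plan.items():
        if addr in ipaddress.ip_network(net):
            return vid
    return None

def check_plan(plan, hosts):
    """Return a list of findings for overlaps, bad gateways and misplaced hosts."""
    findings = []
    nets = {vid: ipaddress.ip_network(v[1]) for vid, v in plan.items()}
    vids = sorted(nets)
    for i, a in enumerate(vids):
        for b in vids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"VLAN {a} and VLAN {b} use overlapping subnets")
    for vid, (_, _, svi) in plan.items():
        addr, net = ipaddress.ip_address(svi), nets[vid]
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            findings.append(f"VLAN {vid}: {svi} is not a usable address in {net}")
    for name, (ip, gw) in hosts.items():
        vid = vlan_of(ip, plan)
        if vid is None:
            findings.append(f"{name}: {ip} is in no planned subnet")
        elif vid == TRANSIT_VLAN:
            findings.append(f"{name}: {ip} sits on the firewall link VLAN {vid}")
        elif gw != plan[vid][2]:
            findings.append(f"{name}: gateway {gw} should be {plan[vid][2]}")
    return findings

if __name__ == "__main__":
    for finding in check_plan(PLAN, HOSTS):
        print(finding)
```

Reusing 192.168.10.0/24 for the firewall link while servers stay on 192.168.10.x is reported as an overlap between the two VLANs.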

20 Posts

February 29th, 2012 13:00

I thought the default gateway for the VLAN is the IP assigned to the VLAN itself.  Can I assign 192.168.200.2 to the port on the switch for VLAN 200, assign 192.168.200.1 for the Firewall IP and set it as the default gateway for VLAN 200 on the switch?

5 Practitioner

 • 

274.2K Posts

March 1st, 2012 05:00

 

"I thought the default gateway for the VLAN is the IP assigned to the VLAN itself. "

It is, whatever IP address you assign to that VLAN, then becomes the gateway for devices that reside inside that VLAN.

 

" Can I assign 192.168.200.2 to the port on the switch for VLAN 200, assign 192.168.200.1 for the Firewall IP and set it as the default gateway for VLAN 200 on the switch?"

When setting up a trunk link between these two devices there is no need to set a default gateway. Looks like that was my mess up on the diagram saying that the DG would be 192.168.10.1. There is no need for a DG for those two connections.
