14 Posts

April 26th, 2012 06:00

Hi,

Did you get round to trying the "Bind IP Subnet to VLAN" method of segregating your clients? And more importantly did it work? I am in exactly the same situation as you and was also looking to use this feature and would appreciate your feedback.

 

Regards

Paul

4 Posts

April 26th, 2012 14:00

Unfortunately, to answer my own question, no, this does not make sense. After a call to Dell, it was explained to me that this feature does not at all do what you would think it does. You're going to have to create every VLAN, then make the switchports members of those VLANs.

If you have LAGs, add the LAG to the VLAN, not the ports. If you're running Hyper-V (or I assume VMWare as well), and you configure the virtual NIC of each VM to be a part of different VLANs, then you want to put your switchports (or LAGs) into general mode, so it can accept both tagged and untagged traffic, then add them to the VLAN in Trunk mode.

Hope that helps. Any more questions, don't hesitate.

14 Posts

April 26th, 2012 15:00

Thanks for the swift response, even if it's not the one I was hoping for. So what is the point of "BIND IP to Subnet" if you have to go and manually create the VLANs and then change the configuration of all your switch ports?

There is one other thing that you may be able to help with. I'm currently using my ISA server as my DG for all my guests but I'll need to change this to my 6248 when I introduce VLANs. How do I tell the 6248 to pass all packets not destined for the VLAN's onto my ISA server for routing over the internet?

At the moment everything is flat with just the default VLAN and my management interface is on the same subnet.

My network looks something like this:

172.16.0.0/255.255.0.0

ISA = 172.16.1.1/172.16.1.254

6248 = MGMT Interface 172.16.1.252

DG of clients = 172.16.1.254

I want to move the 254 address to the switch and have packets destined for the web routed through the ISA. On my previous switch (3-COM) this was easy as there was a last hop setting that I configured to point to the ISA, but I can't seem to find this on the Dell.

Cheers

Paul

14 Posts

April 26th, 2012 15:00

WOW. Thanks for the help. The ISA solution isn't the most elegant so I may have to look at doing something else.

Cheers

Paul

4 Posts

April 26th, 2012 15:00

In my case, I have two M6220 switches stacked together into one switch, with a Juniper firewall for my DG. For this to work, the virtual NIC in the VM has to be assigned to a VLAN, the VLAN needs to be created on the switch, the VLAN needs to be assigned to the switchport (or LAGs, in my case), and the VLAN needs to be configured on my Firewall.

It will be almost the same for you. I create subinterfaces for each of my VLANs on the firewall:

Interface: Bgroup0/0.10

VLAN ID: 1010

Subnet: 10.10.10.1/24

DG IP: 10.10.10.1

So any VM in that VLAN/Subnet uses 10.10.10.1 as the DG. If I had VLAN 1020, I'd create another subinterface and configure the subnet to 10.10.20.1/24 with DG of 10.10.20.1.

It will be almost identical for you: blogs.technet.com/.../802.1q-and-isa-server.aspx

Basically, you want to create a *logical* NIC for each VLAN. If you have a server grade NIC in your ISA server, this should be no problem. See your NIC documentation or Google for how to do that.

Once you create that logical NIC, it will show up as if it is a real one, except you will have configured it to be a member of a specific VLAN. Then just configure it with an IP like any other interface.

I'm sure there are better instructions out there, but this should get you started. Let me know how it goes!

P.S. Just thought of something that might help you visualize this better: The VLANs are end to end. That is to say, they stretch all the way from the VMs, through the switch, into your DG. The traffic to/from these VLANs never actually uses the default VLAN.
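The "end to end" point above is easy to get wrong in one of three places: the VLAN is missing on the switch, the uplink port or LAG is not in general/trunk mode with that VLAN tagged, or the firewall has no subinterface (and so no gateway) for it. The following checker is an added example, not code from the thread or from Dell; the switch, port, subinterface and VM values are constructed sample data modelled on the posts, and one VLAN (1020) is deliberately left off the firewall so the gap shows up.

```python
import ipaddress

# Constructed sample inventory (not from the thread): switch VLAN table,
# port/LAG membership, firewall subinterfaces, and the VMs behind them.
SWITCH_VLANS = {1, 1010, 1020}
# Port or LAG -> (port mode, VLANs tagged on it). General mode carries both
# tagged and untagged frames; access mode carries a single untagged VLAN.
SWITCH_PORTS = {
    "port-channel 1": ("general", {1010, 1020}),
    "gi1/0/5": ("access", set()),
}
# Firewall subinterface -> (VLAN ID, firewall address in that subnet).
# VLAN 1020 is intentionally absent here so the checker flags it.
FIREWALL_SUBIFS = {
    "bgroup0/0.10": (1010, "10.10.10.1/24"),
}
VMS = [
    {"name": "web01", "vlan": 1010, "ip": "10.10.10.20", "gw": "10.10.10.1", "uplink": "port-channel 1"},
    {"name": "app01", "vlan": 1020, "ip": "10.10.20.20", "gw": "10.10.20.1", "uplink": "port-channel 1"},
    {"name": "old01", "vlan": 1010, "ip": "10.10.10.30", "gw": "10.10.10.1", "uplink": "gi1/0/5"},
]

def check_vm(vm, vlans=SWITCH_VLANS, ports=SWITCH_PORTS, subifs=FIREWALL_SUBIFS):
    """Return the list of breaks in the VM's VLAN path; an empty list means end to end."""
    problems = []
    vlan = vm["vlan"]
    if vlan not in vlans:
        problems.append(f"VLAN {vlan} not created on switch")
    mode, tagged = ports.get(vm["uplink"], (None, set()))
    if mode is None:
        problems.append(f"unknown uplink {vm['uplink']}")
    elif mode not in ("general", "trunk"):
        problems.append(f"{vm['uplink']} is in {mode} mode; needs general or trunk to carry tagged VLAN {vlan}")
    elif vlan not in tagged:
        problems.append(f"VLAN {vlan} not tagged on {vm['uplink']}")
    matches = [(name, cidr) for name, (v, cidr) in subifs.items() if v == vlan]
    if not matches:
        problems.append(f"no firewall subinterface for VLAN {vlan}; traffic has no gateway")
    else:
        name, cidr = matches[0]
        fw_if = ipaddress.ip_interface(cidr)
        if ipaddress.ip_address(vm["ip"]) not in fw_if.network:
            problems.append(f"{vm['ip']} is outside {fw_if.network} on {name}")
        if ipaddress.ip_address(vm["gw"]) != fw_if.ip:
            problems.append(f"gateway {vm['gw']} is not the firewall address {fw_if.ip} on {name}")
    return problems

def audit(vms=VMS):
    """Map each VM name to its list of problems."""
    return {vm["name"]: check_vm(vm) for vm in vms}
```

Running `audit()` on the sample data reports nothing for web01, a missing firewall subinterface for app01, and an access-mode uplink for old01.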

4 Posts

April 26th, 2012 15:00

Oh yah, and IIRC, the "Bind IP to Subnet" feature is either for diskless booting, or thin clients, or something like that. Would be exceedingly nice if Dell actually documented that somewhere. Oh, I dunno, maybe in the manual?

"This field is called "IP Address". Only IP Addresses are accepted." Gee, thanks Dell. But WHY would I use it?
