March 10th, 2006 17:00

3448P VLAN trunking help needed

Hey guys,
 
I currently have a single network with several switches, servers, workstations and appliances.  This is obviously a very easy setup, but now things are changing.  I was asked to build a brand new network, using VoIP phones, an 8-port firewall to control the traffic flow between these segments, and several new switches.
 
My company purchased 3 3448P switches, since we want to start using VoIP phones, and also want to segment the network into 8 different subnets/VLANs.  My experience is with Cisco hardware, mostly the router end.  I understand the concept of VLANs, but I never had to configure one, so this is a lot of data to deal with.  Some questions I have:
 
1) The workstations will be plugged into the VoIP phones (not something I can change).  Certain workstations will belong to 1 segment/subnet, while others will belong to other segments.  What is the easiest way of dealing with this?  Do I create VLANs based on the MAC addresses of the phones? 
 
2) I have multiple switches, so I need to do VLAN trunking.  Since I am barely familiar with setting up VLANs on Cisco switches, how do I go about doing the trunking?
 
I read the documents posted in the 'pinned' threads in this forum, but since it looks like there are several options, I would like some guidance here.  I would really appreciate any help you guys can provide.  Thanks!

March 10th, 2006 17:00

First, you might try resources online (google vlan) and read up on the topic to get familiar with the options and scenarios for using VLANs.  It will help you since you have to maintain all this stuff in the long run.
 
As to your specific questions:
  1. I'm assuming you have a phone with a data port.  A workstation is connected to the phone data port and the phone is connected to the switch.  You need to separate the data stream and the phone voice stream when it reaches the switch.  Likely you want the voice traffic to be on a separate VLAN than the data traffic.  Most VoIP phones are VLAN aware so you can configure the VoIP phone to tag the voice traffic with a VLAN ID.  So on your switch port you would see two streams of packets, one stream is already tagged by the phone and is the voice traffic while the other stream is untagged.  Now you also said that you have some workstations on one VLAN and other workstations on other VLANs.  So you need to create all these data VLANs as well as the voice VLAN on the switch (I'm assuming all voice traffic goes on the same VLAN but you could do it with different voice VLANs too - although I don't think that's typical).  The port on the switch going to the workstation should be configured such that it is in "general mode" and is a member of both the workstation VLAN and the voice VLAN.  You must also configure the PVID on the port to be equal to the VLAN ID on which you want the data stream to go (the workstation VLAN).  What happens now is that when the data stream comes from the workstation it will be untagged coming into the switch, and the switch will automatically tag all untagged traffic using the PVID so the data stream will come in on the data VLAN as you wanted it.  The voice traffic is already tagged correctly by the VoIP phone.  At this point you have data from each workstation on the switch in the correct VLAN and the voice traffic already on the correct VLAN on the switch.
  2. A VLAN trunk is used to move more than one VLAN from one switch to another, so if you have multiple VLANs which you need to pull through the various switches then yes, you need to set up a VLAN trunk (see those whitepapers you refer to and resources online to understand VLAN trunking).  Basically you need to create a VLAN trunk between the two switches and add those VLANs you wish to move through those two switches to the trunk - so the trunk port is a member of all those VLANs.

I know this is a lot of data and it might not all make sense, but if you do some research to understand how VLANs work I think the concept above will make sense.  There are lots of ways to do this and the above is a general approach for one way to do it.  It is hard to provide detailed network engineering without full analysis of your setup, but anyway, I hope this helps more than it confuses :-).

Cuong.

March 10th, 2006 19:00

You said 3348P in your last post but I'm assuming you meant 3448P :-).

You mentioned your DMZ will control security between VLANs.  How do you mean?  Is the DMZ a router?  The 3448 switches are all L2 switches and if you VLAN traffic then packets won't go across all those VLANs anyway, so something on the "dev" VLAN is not going to be able to send packets to something on the "sales" VLAN without a router in there somewhere.  So anyway, I'm not sure why you need a DMZ to control access between VLANs.  You do need a DMZ/firewall probably to control access going out to the Internet though.

So just a quick example (off the top of my head so you might want to check syntax :-)).  This example is just for your switch 2 port e2 in your question and assuming you are in enable (executive mode) and you already created all those VLANs, then the commands you might use to configure the e2 port is something like this:

  • config
  • interface ethernet e2
  • switchport mode general
  • switchport general pvid 1000
  • switchport general allowed vlan add 1000 untagged
  • switchport general allowed vlan add 1006 tagged
  • exit

What the above does is to configure the port e2 and set it up in general mode.  It sets the PVID to 1000 (as we discussed, this is because the workstation traffic comes in untagged to the switch so we need it to be tagged 1000 to get on the correct VLAN).  It sets the port to be a member of VLAN 1000 (untagged) which means that it will accept traffic from VLAN 1000 and when it sends the traffic out the port it will send it untagged so that it will be properly processed by your workstation (the workstation sends the traffic untagged so expects it back untagged).  It also makes the port a member of VLAN 1006 (tagged) so that it will accept the voice traffic on VLAN 1006 from the phone and will send it back tagged.

Just do something similar for the rest of the ports.

So the scenario is something like this:

  • A packet enters the switch; if it is untagged it will be tagged 1000 (because of the PVID).  Remember the phone tags all voice packets as 1006.  So the data packet is now on VLAN 1000 correctly.
  • If the packet is on VLAN 1000 and leaves the port it will be sent untagged (because we specified that mode when we added VLAN 1000 to the port).
  • If the packet enters the port on VLAN 1006 it will be tagged (the phone tagged it already) and it stays on VLAN 1006.
  • If the packet is on VLAN 1006 when it leaves port 2 it will be sent tagged (again because we configured it that way).
  • If a packet enters the port on any VLAN other than 1000 or 1006 the packet will be dropped.
  • Packets on one VLAN can only be forwarded to another port on the same VLAN, so packets cannot cross the VLAN boundary on a Layer 2 switch.

You probably need some ports from switch 1 to go to switch 2 and switch 3 to trunk the traffic between those switches.  Setting up trunks is not much harder than setting up the access port above.  There is a "trunk mode" you can use (read the documentation for syntax) and the paper you reference probably has an example in there for setting up a trunk.

Cuong.


March 10th, 2006 19:00

Cuong,

Thank you for taking the time to give me such a detailed explanation.  It is starting to make sense now (I just have to do some more reading as you suggested), at least now I know it is possible.  This is the setup I have in mind:

These are all 3348P switches.

switch 1:
e1: VoIP phone + workstation (dev)
e2: VoIP phone + workstation (dev)
e3: VoIP phone + workstation (IT)
e4: VoIP phone + workstation (sales)

switch 2:
e1: VoIP phone + workstation (sales)
e2: VoIP phone + workstation (dev)

switch 3:
e1: server 01 (back office)
e2: appliance 01 (appliances)
e3: server 02 (dmz)

The phones are Mitel VoIP phones, which support VLAN tagging (either through DHCP, or hardcoding).

These switches are brand new, so they aren't really configured for anything yet. I assume I create a VLAN for each segment I want to set up (I figured out how to do this, no problems there).  So I have the following VLANs:

vlan 1000 name dev
vlan 1001 name IT
vlan 1002 name sales
vlan 1003 name back_office
vlan 1004 name appliances
vlan 1005 name dmz
vlan 1006 name voip

This is about as far as I get.  I would greatly appreciate it if you could give me an example of how to filter the VoIP traffic from the data traffic (including the commands for some of this stuff, if possible).  Do you see anything wrong with this setup?  The 8-port firewall will control the security between these VLANs. 

Example:  data going to Switch 2/e2: VoIP goes to VLAN 1006 (all VoIP traffic will go to the same VLAN), any data on that port, should go to the dev VLAN.  I will read those PDF files again while waiting for your response.  Thanks again!


March 13th, 2006 00:00

Ok, I have done some serious reading this weekend (several hours in fact), and while I have learnt a lot, I think it also created some confusion, so hopefully you won't mind answering my questions.

A) I am trying to figure out the requirements for the VLAN trunk. Can I establish the trunk using the G3/G4 GigE ports (since I don't see much benefit to giving up the GigE ports for stacking purposes). I couldn't find any good examples on how to set up the trunk, so some command examples would be greatly appreciated (I am trying to avoid using the web interface for learning purposes).

I have 4 switches right now:
1) telco room (3424P)
2) data room (3448P)
3) 1st floor: workstations+voip (3448P)
4) 2nd floor: workstations+voip (3448P)

I was hoping to connect my 'telco' 3424P g4 ethernet port to g3 on my 'data' switch, connect g4 on my data switch to g3 on the '1st floor switch', and g4 on the '1st floor switch' to g3 on the '2nd floor switch'. Would this be a good setup, or is there a design flaw? I am trying to keep the backplane at gigabit speeds.

B) My 8-port firewall is in my data room, do I simply configure 8 ports on the 3448P data switch for the 8 VLANs (in access mode) and connect them directly to my firewall?

C) If I can access the switches using SSH, are there any big benefits to stacking my switches, especially since I would rather use my gigabit ports for trunking?

D) Since I am dedicating a VLAN to the VoIP traffic, can I give priority (QoS) to just the VoIP VLAN, or should I follow the example shown in the VoIP whitepaper (using the 'qos trust' command)?

Thanks again in advance for all your help!

March 13th, 2006 15:00

Your questions are getting very loaded and because there are so many considerations and requirements I don't think I can properly help with all the network engineering issues.  I will try to answer some of the questions but please understand that I'm not recommending any particular solution and you should consider the discussion here to be purely informational only.  You will still need to experiment and test before you deploy any solution in a mission critical network.  You might have to try a setup and refine it over time to get the optimal solution.  There are many issues with security and performance to consider as you engineer your network.  With that said, for a simple and small network that's well controlled the setup need not be too complex - in this case simpler is better since you have to maintain all that stuff after all :-).

  • (A/C) Regarding stacking - stacking gives you many benefits including the ability to manage the entire stack as a single switch.  This means that the ports from all the stack switches can be treated as belonging to the same pool, which provides you with benefits such as: you can create a LAG (link aggregation group) using ports from all the switches; you can manage the entire stack from a single management interface (including user accounts and security access); system-wide settings apply to the entire stack (e.g. configure QoS and ACLs once for the entire stack); etc.  For a small network perhaps stacking is not really important to you.  I am sure you realize that you can use the G1/G2 fiber ports for Gig if you also need to do stacking at the same time.
  • (A) There is nothing technically wrong with the setup you suggest - linking all the switches together using Gigabit ports.  Note that if you create a loop (connecting everything together so that they form a ring) then you must enable STP (spanning-tree protocol), otherwise you will have a bridging loop which will cause network problems.  If you do run STP consider turning on the "port fast" feature on the access ports (ports leading to the workstations), otherwise it will take longer for the workstations to acquire links and be able to transmit (STP takes from 30-60 seconds to converge).  You may also use RSTP (rapid spanning tree protocol) in place of STP to improve convergence speed (since all your switches are PowerConnect and they all support RSTP this is a good option).
  • (B) I cannot speak to your firewall setup.  I don't understand how it operates so I'm not sure what you are trying to do.
  • (D) To use "QoS Trust" your traffic must already be tagged with a VPT (VLAN priority tag) or DSCP (DiffServ Code Point priority tag).  "QoS Trust" is used when something else in your network already put a QoS tag on the packet entering the switch and you just want to trust the incoming tag and use it for your own QoS policy on the switch.  If your traffic is not already tagged with a QoS tag then you must be able to filter the traffic stream to add your own QoS tag.  The 34xx does not have the ability to filter a traffic stream and tag the traffic automatically.  If your VoIP phone has the ability to put a VPT (aka CoS tag) on the packet as it leaves the phone then you can use "QoS Trust" on the switch to prioritize the incoming traffic.
  • Regarding rules to use VLAN trunks - you use a VLAN trunk if you want to carry traffic from multiple VLANs between two switches.
    • You typically use one trunk port between two switches (in your case you are correctly using the highest speed link).
    • If you connect more than one port between two switches you will cause a bridging loop and STP will disable one of those ports anyway; however there is an option to let you bond multiple ports when trunking between two switches called LAG (Link Aggregation Group - see documents on LAG).
    • A trunk port expects all incoming packets to contain a VLAN tag.
    • A trunk port will send all outgoing packets with the appropriate VLAN tag.
    • A trunk port does not accept untagged incoming packets.
    • A trunk port only accepts traffic for VLANs to which it is a member (ingress filtering).

Example of a trunk:

  • Let's say you want to create a trunk between switch A and switch B (I'm intentionally using my example because I'm not recommending any particular setup based on your network).
  • Let's say you have VLANs 10, 20, and 30 to move between switch A and switch B and port g23 on both switches is connected.
  • To configure the VLAN trunk on switch A the commands would be something like this:
    • config
    • vlan database
    • vlan 10,20,30
    • exit
    • interface ethernet g23
    • switchport mode trunk
    • switchport trunk allowed vlan add 10
    • switchport trunk allowed vlan add 20
    • switchport trunk allowed vlan add 30
    • exit

Cuong.
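The packet-by-packet rules Cuong lists for the general-mode port (PVID, untagged/tagged membership, drop on non-member VLAN) and for trunk ports (no untagged ingress, ingress filtering) can be written down as a small model and checked against the thread's own port numbers. This is an added example, not Dell code or anything from the thread; switch 2's port g23 as a trunk and the VLAN membership of e1 are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Port:
    name: str
    mode: str                                  # "general" or "trunk"
    pvid: Optional[int] = None                 # used only in general mode
    members: Dict[int, str] = field(default_factory=dict)  # vlan -> "tag" | "untag"

@dataclass
class Frame:
    src: str
    vlan: Optional[int] = None                 # None = untagged on the wire

def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Classify an incoming frame to a VLAN; None means the switch drops it."""
    if frame.vlan is None:
        if port.mode == "trunk":
            return None                        # trunks do not accept untagged frames
        vlan = port.pvid                       # general mode: untagged -> PVID
    else:
        vlan = frame.vlan
    return vlan if vlan in port.members else None   # ingress filtering

def egress(port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
    """Frame as it leaves the port, or None if the port is not in that VLAN."""
    how = port.members.get(vlan)
    if how is None:
        return None
    return Frame(frame.src, vlan if how == "tag" else None)

def forward(ports: List[Port], in_port: Port, frame: Frame) -> List[Tuple[str, Frame]]:
    """Flood a frame to every other port that is a member of its VLAN (L2 only)."""
    vlan = ingress(in_port, frame)
    if vlan is None:
        return []
    out = []
    for p in ports:
        if p is not in_port:
            f = egress(p, vlan, frame)
            if f is not None:
                out.append((p.name, f))
    return out

def switch2() -> Dict[str, Port]:
    """Switch 2 from the thread (constructed): e1 sales+voice, e2 dev+voice, g23 trunk."""
    return {
        "e1": Port("e1", "general", 1002, {1002: "untag", 1006: "tag"}),
        "e2": Port("e2", "general", 1000, {1000: "untag", 1006: "tag"}),
        "g23": Port("g23", "trunk", None, {1000: "tag", 1002: "tag", 1006: "tag"}),
    }
```

Running an untagged frame in on e2 shows it leaving only the trunk, tagged 1000, while a frame tagged for the sales VLAN arriving on e2 is dropped at ingress.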


March 13th, 2006 16:00

That's definitely some really great advice!

As for my firewall, it's a BSD (unix) based firewall, which routes the packets between the several subnets. It's also how I will control what subnet can get to what subnet, etc.

Can you give me an example of a cable which can be used to connect the g1/g2 uplink ports? Does Dell.com sell them?

March 14th, 2006 19:00

To use the fiber ports you will need SFP transceivers and fiber optic cables.  Look here:

http://configure.us.dell.com/dellstore/config.aspx?c=us&cs=04&kc=6W300&l=en&oc=pct3448poe-sapp&s=bsd

Cuong.

March 16th, 2006 13:00

Since the 34xxP switches use 4 priority queues and both CoS and DSCP tags will be mapped to one of those 4 priority queues anyway, I don't see an advantage either way.  However the phone tags the traffic, you eventually have to map it to one of those queues so operationally they will be the same.  Plus you have only two classes of traffic to really distinguish in your application so I don't see any difference between the two types of QoS tags.

The only other thing you have to make sure of is that you select the correct CoS for the traffic so that the traffic will be put on the correct priority queue.

Here is the section in the document on how to setup QoS on the 34xx:

<ADMIN NOTE: Broken link has been removed from this post by Dell>

 

Cuong.


March 16th, 2006 13:00

Not sure if you can answer this question, but I figured I would ask anyways ;)

The phones support specifying the VLAN priority and DSCP value, what should I select (or can you point me into the right direction so I can do my own research, google didn't help much), and is there anything else I have to do on the switch, besides the trust command, in order to give the highest priority to the VoIP traffic? Thanks!


March 16th, 2006 15:00

Cuong,

Thanks for the info!
