PowerConnect 5424 Question


  • Hi,
    Does anyone know how to configure a single port on the 5424 to pass traffic from both the default VLAN and a user defined VLAN. This is our scenario:
    Have an ESX 4 server using VMNIC3 in a single vSwitch that has two virtual machine port groups one called LAN with no VLAN id and one called DMZ with a VLAN id of 40
    When I connect VMNIC3 to the 5424 switch traffic flows fine for the servers in the LAN port group but does not for the servers in the DMZ port group.
    The switch port is currently configured in VLAN 100 (the default), Port VLAN mode is Access, Frame Type is Admit All, Ingress Filtering is Enabled.
    Anyone have any idea of how to configure this port to also allow traffic for VLAN 40, I assume I must setup some sort of tagging on this port, any idea of how this is done?

    Thanks,

    John
  • Update: I spoke to a Tech Support person at Dell about this. Looks like these 5424 switches cannot assign multiple VLAN's to a single port. The guy I spoke to connected to another type of Dell switch and one of the options for this switch was an item in the tree called double VLAN (or something similar) which seems to allow multiple VLAN's per port. He suggested a firmware upgrade may place this item in the tree. I will do this when I can and see what happens.
  • Thanks for the follow-up KiwiJJ! Let us know what you find.

  • Did you ever get this resolved? I am having a similar issue.

    Thanks
  • Hi magit,
    I never managed to upgrade the firmware on the switches as it would have meant downtime and as we had a linksys switch which could handle multiple VLAN's on one port I used that instead. I will get around to it one day when I need the systems down for more than just a switch firmware upgrade. But I really don't think these switches are capable of more than one VLAN per port which is a bit slack for a switch of this caliber. Maybe someone from Dell could fire up one of these switches and apply the latest firmware upgrade and let us know rather than having their customers do it.

    cheers,

    John
  • I think the 5424 can perfectly handle what you are looking for ... and probably much more. One port can not only be assigned to 2 VLAN's but to much more than 2 VLAN's.

    I hope this example will help you :
    - port 1-10 = VLAN10
    (ie: switch will add VLAN ID 10 to all packages received at port 1 to 10)
    - port 11-20 = VLAN20
    (ie: switch will add VLAN ID 20 to all packages received at port 11 to 20)
    - port 21-24 = TRUNK : VLAN10 AND VLAN20
    (ie: switch will only accept VLAN-TAGGED packages with ID's 10 or 20, eg: from your Vmnic3 connection)

    1) Create VLANs
    - Switch | VLAN | VLAN Membership | ADD
    ID = 10 / Name = VLAN10
    ID = 20 / Name = VLAN20

    2) Port Settings
    - switch | VLAN | Port Settings | Show All
    1..20 : port VLAN MODE = Access (default)
    21..g24 : port VLAN Mode = TRUNK

    3) Assign VLAN to Ports
    - Switch | VLAN | VLAN Membership
    Show VLAN = 10 (VLAN10)
    PORTS
    1..10 = U ntagged
    11..20 =
    21..24 = T agged

    Show VLAN = 20 (VLAN20)
    PORTS
    1..10 =
    11..20 = U ntagged
    21..24 = T agged

    The same can be done with the console (Telnet) interface :

    1) Create VLANs
    vlan database
    vlan 10,20
    exit
    interface vlan 10
    name VLAN10
    exit
    interface vlan 20
    name VLAN20
    exit
    2) Port Settings
    interface ethernet g21 {repeat for: g21..g24}
    switchport mode trunk
    exit
    3) Assign VLAN to Ports
    interface range ethernet g(1-10)
    switchport access vlan 10
    exit
    interface range ethernet g(21-24)
    switchport trunk allowed vlan add 10
    exit
    interface range ethernet g(11-20)
    switchport access vlan 20
    exit
    interface range ethernet g(21-24)
    switchport trunk allowed vlan add 20
    exit
  • "Update: I spoke to a Tech Support person at Dell about this. Looks like these 5424 switches cannot assign multiple VLAN's to a single port"---maybe you didn't understand it very well.
    It is true that you can't assign multiple VLANs to a single port when this port is in access mode. You have to realize that these switches (I mean this class of switches and better) don't work without VLANs; even in default factory settings all ports are in VLAN 1. All ports are in Access mode with assigned VLAN 1. Access mode means that decisions where to send a packet are only made internally in the switch and information about the VLAN which these packets belong to is only in the switch for internal purposes. When all ports are from factory settings in VLAN 1 the switch behaves like common cheap switches in which packets from all ports can go to any port. But when you make VLAN 10 and VLAN 20 and add ports 1-10 to VLAN 10 and ports 11-20 to VLAN 20 then the switch knows that it can't pass anything from port 1-10 to any port from 11-20. But this information is known only to this one switch where you did this config. But when you set port mode to trunk, the switch will "share" that information about VLAN tags. This in reality means that when in access mode any tag from the packet about the VLAN is removed. When in trunk mode VLAN tags are kept in packet headers. So when port 21-24 from the example above is in trunk mode and a packet arrives at that port with a tag for VLAN 10 the switch will know that this packet is part of VLAN10 and the packet will be sent to the port range 1-10. When an untagged packet arrives at port 21-24 and the destination for that packet is one from 1-10 the switch will not send these packets to these ports because from factory these ports are from VLAN 1!
    Example above from koen.vdvelde is perfect for you if you don't mind that ports 21-24 are in VLAN1.



  • Hi Guys,
    Thanks very much for this information, I tried to set a port on VLAN 1 (which is the default) to tagged (T) but it would not work. All other VLAN's I can change the Tagging on the ports.
    Does this mean I have to change all the ports on VLAN 1 to another VLAN number (ie 10) and not use the default VLAN (1) ?

    regards,

    John
  • John,
    It's up to you whether you want to change the default VLAN ID's on your switch, or not. But you should make sure that the ID's you use on your switch do match the ID's in your VMWare's switch configuration.
    I suggest you re-read the explanation of MiroPetrak : it describes very well how your switch is handling VLAN tag's.

    Practically, translating my above example to your config, I suggest this :
    Port 1-23 = Access Mode
    Port 24 = TRUNK Mode
    VLAN100 (ID=100) =
    -- port 1-22 = U ntagged
    -- port 24 = T agged
    VLAN40 (ID=40)=
    -- port 23 = U ntagged
    -- port 24 = T agged

    And for the VSwitch in VMWare : make sure that VMNic3 is connected to port 24 (the Trunk Port, allowing both VLAN100 and VLAN40 packages).
    Port Group "DMZ" should have VLAN id/tag 40
    Port Group "LAN" should have VLAN id/tag 100

    Summarized, two things to change :
    1) the vmnic3-port on your switch should be in TRUNK mode, allowing all VLAN ID's that you might assign in the vmware's vswitch
    2) All PortGroups on your vswitch should get a VLAN ID assigned. Non-tagged packages will be dropped by your switch when its connection port is configured in Trunk mode
    Good Luck,
    Koen.
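
    As an added illustration that is not part of the original thread, the following Python sketch models the access/trunk handling described in the posts above and checks the suggested layout (ports 1-22 access VLAN 100, port 23 access VLAN 40, port 24 trunk) against the vSwitch port groups. The `Port` class, the function names, and the assumption that the trunk carries no untagged native VLAN are hypothetical simplifications, not Dell or VMware code.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    mode: str                           # "access" or "trunk"
    access_vlan: Optional[int] = None   # VLAN of an access port
    tagged: set = field(default_factory=set)  # VLANs a trunk carries tagged

def ingress_vlan(port, tag):
    """VLAN a frame is classified into on arrival, or None if dropped."""
    if port.mode == "access":
        # Untagged frames join the port's VLAN. With ingress filtering on,
        # a tag for a VLAN the port is not a member of is dropped.
        return port.access_vlan if tag in (None, port.access_vlan) else None
    # Trunk: only tags for allowed VLANs pass. Assumption: no native VLAN
    # carries untagged frames, matching the thread's description.
    return tag if tag in port.tagged else None

def egress_ports(ports, in_port, tag):
    """Ports a broadcast frame arriving on in_port may leave on."""
    vlan = ingress_vlan(ports[in_port], tag)
    if vlan is None:
        return set()
    return {n for n, p in ports.items() if n != in_port and
            (p.access_vlan == vlan if p.mode == "access" else vlan in p.tagged)}

def dropped_port_groups(port_groups, uplink):
    """vSwitch port groups whose frames the uplink switch port would drop."""
    return sorted(g for g, vid in port_groups.items()
                  if ingress_vlan(uplink, vid) is None)

# Constructed from the thread: every port access VLAN 100 (original setup).
ORIGINAL = {n: Port("access", 100) for n in range(1, 25)}
# Constructed from the suggested layout: 1-22 LAN, 23 DMZ, 24 trunk.
SUGGESTED = {n: Port("access", 100) for n in range(1, 23)}
SUGGESTED[23] = Port("access", 40)
SUGGESTED[24] = Port("trunk", tagged={40, 100})

if __name__ == "__main__":
    # LAN untagged, DMZ tagged 40 on an access port: DMZ frames are dropped.
    print(dropped_port_groups({"LAN": None, "DMZ": 40}, ORIGINAL[24]))
    # Both port groups tagged on the trunk: nothing dropped.
    print(dropped_port_groups({"LAN": 100, "DMZ": 40}, SUGGESTED[24]))
    # DMZ frames from the ESX uplink reach only the DMZ access port.
    print(egress_ports(SUGGESTED, 24, 40))
```

    The same functions can be pointed at any planned port map to confirm that DMZ frames never leave on a LAN access port before the change is made on the switch.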
  • Hi Koen,
    Thanks for the info, appreciate it. I will set it up as follows (can you check to see if I have it right- we have 4 ESX Servers)

    Ports 1 to 12 VLAN 500 (iSCSI) Access mode
    Ports 13 to 18 and port 24 VLAN 100 (LAN) Access mode
    Ports 19 to 23 VLAN 40 (DMZ) and VLAN 100 (LAN) Trunk mode

    So in Switch | VLAN | VLAN Membership (on the switch)
    Show VLAN 500
    PORTS
    1..12 = U ntagged
    13..18 + 24 =
    19..23 =

    Show VLAN 100
    PORTS
    1..12 =
    13..18 + 24 = U ntagged
    19..23 = T agged

    Show VLAN 40
    PORTS
    1..12 =
    13..18 + 24 =
    19..23 = T agged

    Also, Is it possible to have a vSwitch with two NIC's teamed with each NIC going to a different switch or should I set it up as both NIC's going to a different switch with one NIC active and the other as failover. (we are not driving the NIC's to capacity)

    Thanks,

    John
  • Hi John,

    Looks good, but to be 100% sure, you also should tell us how the vswitches on your ESX server are configured and connected to the real switches.

    Couple of questions :

    1) I assume you'll connect each ESX server to one of the Trunk ports on the real switch. But what are you going to do with that 5th Trunk port ?

    2) Doesn't your DMZ need access to 'the real world' ? I don't see any ports configured as Untagged for VLAN 40 ?

    3) I see you didn't define any Tagged ports for VLAN 500. I assume you don't need it at this moment, but it might be worth to have this prepared (eg: for monitoring purposes in the future). I would suggest to assign all used VLAN-tags (40,100,500) to all Trunk Ports, whether you need them at this moment or not.
    Show VLAN 500
    PORTS
    1..12 = U ntagged
    13..18 + 24 =
    19..23 = => I would make these T agged

    ... to be continued ....
  • ... continued ...

    Regarding your teaming question, I first of all should inform you that I'm not a network- nor a vmware-specialist. I'm just a user of these products that more-or-less knows how its own setup is configured ;-)
    I assume you want to setup this teaming as a kind of redundant (fail-over) config ? And most-probably for your iscsi-lan ?
    First of all, you should make sure that both switches (ie: the ports on the switches you want to team) are configured in the same subnet.
    Second: therefore you should make sure that both switches are inter-connected. ie: there should be a physical link between both switches, so both NIC's can "see" each other.
    Third : you should experiment (and test !) with the Nic Teaming settings in VMWare. In our setup (fyi: ESX 3.5 !), we started with Network Failover Detection = 'link failure', but we found out that, in some situations, a failure of the network (eg: when the inter-switch-link broke) was not detected and thus failover didn't work. Now, our config says : network failover detection = 'Beacon Probing', meaning that both nic's monitor each other and act accordingly if they don't see each other anymore.
    Fourth : as far as I know, Teaming in VMWare is always a failover config, and never does do load-balancing. ie: only one of your nic's will be active at a certain moment. At least that was in ESX3.5, but this might just as well have been changed in ESX 4.

    Have Fun !
    Koen.

  • Hi Koen,
    Thanks for the reply, I have been away for a couple of days which is why it's taken so long to get back to you.

    1) The 5th trunk port will be used for an ESX server (we have 5 ESX boxes not 4 ... I can't count past 4 !)

    2) Yes, the DMZ needs to access the real world. ahhh I see, I think ... I need to make port 24 (Tagged or Untagged ?) for VLAN 40 (this port connects to the core switch) so traffic can go to the core switch and therefore out via the router which is connected to the core switch ... is this correct ?

    3) iSCSI traffic only flows through ports 1..12 which has one of the NIC's from each of the servers, the two SAN management modules and a connection to a port on the other 5424 switch (the other 4 ports are unused) why would I need to let VLAN 500 traffic through ports 19..23 ?

    regards,

    John
  • Hi Koen,
    Yes, we want some sort of failover / redundancy setup for the iSCSI and the LAN. Currently the setup is:

    On server A - vSwitch1 is iSCSI1 going to switch 247, vSwitch2 is iSCSI2 going to switch 246 (both in the same subnet and both connected to a VLAN 500 port on the switches ... VLAN ID has not been set on the vSwitches) This should give us failover for the SAN. I have setup multipathing as per the Dell doco and have multiple paths to the SAN.

    vSwitch0 has Nic0 and Nic1, this has port groups for the LAN and DMZ ... the DMZ VLAN ID has been set to 40 on the vSwitch, both NIC's are connected to ports on our core switch (Linksys) which has VLAN 100 Untagged for the LAN and VLAN 40 Tagged for the DMZ. What I want to do is move one of these NIC's to one of the 5424 switches (say 246) to provide redundancy. So I assume I would setup the 246 switch port the NIC would connect to for VLAN 100 (Untagged) and VLAN 40 (Tagged) and setup port 10 (connected to switch 247) and port 24 (connected to the core switch) also for VLAN's 100 (Untagged) and 40 (Tagged) ?

    Both NIC's for vSwitch0 are set as active adapters in VMware, should I move one of them to Standby ?

    regards,

    John
  • Hi John,
    sorry for my late reply ... it has been a bit busy over here.

    here are my answers on your first message:

    1) :-)

    2) any inter-switch-connection should be configured in TRUNK mode (at least if you want that single cable connection to pass ip packages from all possible different vlan's). So if port 24 is the uplink to your Core switch, I would configure it in Trunk mode and assign all VLAN's as Tagged. Of course, you should do the same on your core switch.

    3) you don't *need* to allow VLAN500 traffic to your vmware-ports. I was only thinking that this might become handy in the future (eg: when you want connection to your san's management from one of your virtual machines). But, on the other hand, keeping iSCSI and 'normal' LAN separated is undoubtedly a good practice (that's why a lot of people prefer dedicated switches for iscsi), so you can just as well leave it this way.

    K.