
VLAN for 2 host replication link

dmayne
Level 1

We have 2 servers in a cluster environment that are located in different areas of the building. Replication between servers requires a dedicated link between the boxes. Without having to physically run a long crossover cable between the servers, can a VLAN be created? If so what would the proper settings be? The servers connect to Cat3500XLs which have GBIC connections to a Cat6509 Sup1a /MSFC2

6 Replies

ehirsel
Level 6

It is possible to create a vlan just for the server replication traffic. Do the servers connect to different 3500xl switches? Does your cat 6509 have dual power supplies?

The reason I ask these questions is to help determine how your servers would respond if the replication links were to fail; you would not want server #2 to take over prematurely, thinking that server #1 has an issue, due to replication activity suspending because of a switch config, port, or other vlan issue.

Assuming that the loss of replication-line link does not cause a server status change, then one recommendation that I have is that you create the vlans on the cat 3500 and cat 6500 hosts, create a separate 6509 msfc interface on that vlan and apply an acl so that no other traffic crosses into that vlan. You may even want to remove/shutdown the 6509 msfc interface so that the vlan is a private one, known only to the servers involved.

Let me know if this helps.

The servers do connect to separate 3500xl switches (each switch has a GBIC connection to 2 redundant 6509s w/ dual power supplies). The servers actually have 2 network connections each (1 is visible on the LAN and the dedicated replication link is not routed).

I have created a Vlan on the 6509, with no IP address associated with it. The switchports on the 3500xl's that the replication links are plugged into are members of the Vlan. There are only 2 ports in the Vlan, do I still need to worry about other traffic crossing into the Vlan?

I would make sure that the 6509 msfc (routed) interface is shutdown on that vlan - this will allow layer 2 connectivity across the trunks to that vlan but not allow the 6509 to route into that vlan from other vlans.

As an extra precaution, since you are using 3500xl switches that cannot use mac acls (and protected ports only work when all ports are on the same switch; it does not work across trunk links), I would ensure that no end-station devices are in vlan 1. It is possible for a vlan-jumping attack to jump from the native vlan into others when the attacker is a host on vlan 1. I believe the attack will not cross switches, but Cisco does recommend that vlan 1 not be used by any end-station.

Let me know if this helps.

How would this look from a configuration standpoint?

This is what I have:

Cat6509:

ptm650901> (enable) show vlan 17
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- --------------------
17   LotusRep                         active    76      1/1-2
                                                        2/1-9,2/11,2/13-16
                                                        15/1

VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
17   enet  100017     1500  -      -      -      -    -        0      0

VLAN Inst DynCreated RSPAN
---- ---- ---------- --------
17   -    static     disabled

The 6509 Router (MSFC2) does not contain any entries in its config for this VLAN.

On the Catalyst 3500 switches:

interface FastEthernet0/21
 description Notes Replication (VLAN 17)
 duplex full
 speed 100
 switchport access vlan 17
 spanning-tree portfast

Just a tip: if there are other (access) switches connected to these boxes, but which have no business with VLAN 17, you might consider pruning VLAN 17 from any trunks where it is not relevant.

Kevin Dorrell

Luxembourg
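As an added example, not code from this thread or from any of its posters: a small Python audit that checks a config for the three isolation points raised above (ehirsel's advice to keep the MSFC's routed interface for the replication vlan shut down and to keep end-stations out of vlan 1, and Kevin Dorrell's tip to prune the replication vlan from trunks that have no use for it). It assumes IOS-style syntax throughout (the MSFC and the 3500XLs run IOS; the CatOS `show vlan` output above is not parsed here). The interface names, the 192.0.2.1 address, vlan 50 as a user vlan and the 'before'/'after' configs are all constructed for the demo and are not from the thread.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))

def parse_interfaces(config):
    """Map interface name -> its indented config lines (IOS running-config style)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!', a blank line or another top-level command ends the stanza
    return interfaces

def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1-9,11,13-16' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in text.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_allowed_vlans(lines):
    """VLANs a trunk carries after applying its 'allowed vlan' lines in order (default: all)."""
    allowed = set(ALL_VLANS)
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (\S+)(?: (.+))?$", line)
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2) or ""
        if keyword == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(rest)
        elif keyword == "add":
            allowed |= parse_vlan_list(rest)
        elif keyword == "remove":
            allowed -= parse_vlan_list(rest)
        else:  # an explicit list replaces the current set
            allowed = parse_vlan_list(keyword)
    return allowed

def access_vlan(lines):
    """Access VLAN of a port; IOS defaults to VLAN 1 when none is configured."""
    found = [l for l in lines if l.startswith("switchport access vlan ")]
    return int(found[-1].split()[-1]) if found else 1

def audit(config, rep_vlan, trunks_needing_rep_vlan):
    """Return findings for the three isolation points; an empty list means the config passes."""
    ifaces = parse_interfaces(config)
    findings = []
    svi = ifaces.get(f"Vlan{rep_vlan}")
    if svi is not None and "shutdown" not in svi:
        findings.append(f"Vlan{rep_vlan}: SVI is up, so the MSFC can route into the replication VLAN")
    for name, lines in ifaces.items():
        if name.startswith("Vlan"):
            continue
        if "switchport mode trunk" in lines:
            if rep_vlan in trunk_allowed_vlans(lines) and name not in trunks_needing_rep_vlan:
                findings.append(f"{name}: trunk carries VLAN {rep_vlan} without needing it; prune it")
        elif "shutdown" not in lines and access_vlan(lines) == 1:
            findings.append(f"{name}: active access port left in VLAN 1")
    return findings

# Constructed 'before' config (MSFC Vlan17 stanza and 3500XL port stanzas concatenated for the
# demo): SVI left up, a user port left in VLAN 1, a trunk to an unrelated switch still carrying 17.
WEAK = """\
interface Vlan17
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 description user port with no access vlan set
!
interface FastEthernet0/21
 description Notes Replication (VLAN 17)
 switchport access vlan 17
!
interface GigabitEthernet0/1
 description uplink to 6509, must carry VLAN 17
 switchport mode trunk
!
interface GigabitEthernet0/2
 description trunk to another access switch, VLAN 17 not needed
 switchport mode trunk
!
"""
# Constructed 'after' config: SVI shut down, user port moved to VLAN 50, VLAN 17 pruned from Gi0/2.
HARDENED = (
    WEAK.replace("255.255.255.0\n", "255.255.255.0\n shutdown\n")
    .replace("access vlan set\n", "access vlan set\n switchport access vlan 50\n")
    .replace("not needed\n switchport mode trunk\n",
             "not needed\n switchport mode trunk\n switchport trunk allowed vlan remove 17\n")
)
UPLINKS = {"GigabitEthernet0/1"}  # trunks that legitimately carry the replication VLAN

if __name__ == "__main__":
    for label, cfg in (("before", WEAK), ("after", HARDENED)):
        print(label, audit(cfg, 17, UPLINKS) or ["no findings"])
```

Run against the constructed 'before' config the audit reports three findings (the live Vlan17 SVI, FastEthernet0/1 sitting in vlan 1, and GigabitEthernet0/2 still carrying vlan 17); the 'after' config reports none. The trunk check tracks the ordered `add`/`remove`/`except`/list forms of `switchport trunk allowed vlan`, since a later `add` can silently undo an earlier prune.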

It looks good to me. If you run into any issues, just post them here.