
Best Practices For NAS Port&VLAN Configuration

Ross Mccullough


I would like to create a VLAN for NAS traffic from 2x servers to a NAS repository so I have a few simple questions. Let's assume the following

Server 1 NIC 3 =

Server 2 NIC 3=

SAN Nic 1 =

For argument's sake, let's say the server is on Port 1, Server 2 is port 2, NAS is port 3, you get the idea. I needed some clarification on a few points and any recommendations on best practices.

My understanding is you would like to keep this traffic segregated from other network traffic, hence you are putting it on its own VLAN. Assuming the above would you suggest:

Ports are configured as Trunks with 1UP & 11T or just 11UP? I understand you may want to use Ingress Filtering so you would set the access type to General and set the Ingress to Admit Tagged Only? Use some kind of MAC filtering on the VLAN? Under one setting for VLAN I can set all the other ports as either Excluded or Forbidden, what's the difference between the two?

Thanks in advance as always, experts. I appreciate your valuable feedback!


Tom Watts

Hi Ross, in a layer 2 environment, the VLANs will only communicate amongst themselves. Of course, these days some form of inter-VLAN communication is needed, where a layer 3 device would come to practice. A general port is an 802.1q port, whereas you may disable ingress filtering, versus a trunk port which you cannot. The ports connecting the NAS and server can be set as an untagged member access port. As the access port, the ingress filter applies, therefore any VLAN not specified to the port will be discarded.

If you need access to the NAS/server units, your layer 3 device would handle the traffic management and inter-VLAN communication, and the port connecting to the L3 device would be a VLAN untagged, all others tagged on a trunk or general port. The reason I say "a VLAN untagged" is because the administrative VLAN should not be used for any traffic but also because you may have specific VLANs that you want to be a candidate for sharing traffic with.

The difference between forbidden and excluded is not much. If a VLAN is forbidden, it means it will not (ever) be a member of the port assignment, as the excluded simply means it is not a member at this time, but can be.

Also, if your server supports it, you can set up a LAG on the switch. Either static or with LACP.

I hope this answers your question.


-Tom Please mark answered for helpful posts
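
The ingress behaviour discussed in this thread, as an added example that is not part of either post or of any switch vendor's code: a simplified Python model of how one port handles a received frame under ingress filtering and "Admit Tagged Only", and how Forbidden differs from Excluded when a dynamic registration (such as GVRP) asks to add the port to a VLAN. The `Port` class and its method names are hypothetical, VLAN 11 and VLAN 1 follow the question, and real switches differ in details such as whether an access port accepts tagged frames.

```python
# Added illustration: simplified 802.1Q ingress model for a single switch port.
# Assumption: VLAN 11 = NAS VLAN, VLAN 1 = default VLAN, as in the question.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    pvid: int                                     # VLAN given to untagged frames
    members: set = field(default_factory=set)     # VLANs the port belongs to now
    forbidden: set = field(default_factory=set)   # VLANs the port may never join
    ingress_filtering: bool = True                # drop frames for non-member VLANs
    admit: str = "all"                            # "all" or "tagged_only"

    def classify(self, tag: Optional[int]) -> Optional[int]:
        """Return the VLAN a received frame lands in, or None if it is dropped."""
        if tag is None:
            if self.admit == "tagged_only":
                return None                       # untagged frame refused outright
            vid = self.pvid                       # untagged frame takes the PVID
        else:
            vid = tag
        if self.ingress_filtering and vid not in self.members:
            return None                           # port is not a member: discard
        return vid

    def dynamic_join(self, vid: int) -> bool:
        """Model a dynamic registration asking to add this port to a VLAN."""
        if vid in self.forbidden:
            return False                          # Forbidden: can never be added
        self.members.add(vid)                     # Excluded: not a member yet, may join
        return True


if __name__ == "__main__":
    access_11 = Port(pvid=11, members={11})                         # "11UP" style
    general_11t = Port(pvid=1, members={11}, admit="tagged_only")   # "11T", tagged only
    unfiltered = Port(pvid=1, members={11}, ingress_filtering=False)
    for name, port, tag in [
        ("access, untagged frame", access_11, None),
        ("access, frame tagged 1", access_11, 1),
        ("general tagged-only, untagged frame", general_11t, None),
        ("general tagged-only, frame tagged 11", general_11t, 11),
        ("filtering disabled, frame tagged 20", unfiltered, 20),
    ]:
        print(f"{name}: {port.classify(tag)}")
```
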