Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
935
Views
5
Helpful
7
Replies

Help with config

Go to solution
coolaboola
Level 1
Level 1

‎01-17-2018 01:55 AM - edited ‎03-08-2019 01:27 PM

HI everyone

 

I have inherited an environment and i just dont understand how its working

 

There is a portgroup on esxi with a vlan tag of lets say 60 and there are vms in this portgroup in the IP range of 192.168.60.x with a gateway of 192.168.60.1 which is an interface in that vlan on the switch. 

 

The esxi nics are part of a LAG and if i click on one of the nics in the lag in vCenter and check the CDP then it tells me that is attached to port 3 on the switch. Here is the config for that port on the physical switch

 

interface GigabitEthernet1/0/3

 switchport access vlan 61

 switchport trunk native vlan 61

 switchport mode trunk

 channel-group 1 mode active

 spanning-tree portfast trunk

 spanning-tree bpdufilter enable

 

And here is port channel 1 

 

interface Port-channel1

 switchport access vlan 61

 switchport trunk native vlan 61

 switchport mode trunk

 

The other 3 nics in the LAG have the same kind of config. The config makes no sense to me - why configure it as access and trunk ? How is vlan 60 working when its not mentioned on any of the port channel or nic configs ?

 

Any ideas ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to coolaboola

‎01-17-2018 04:18 AM

What would be the reason for setting the port as an access port as well as a trunk port ? is that a config error.

seen before where ports get upgraded to a trunk in config but user didn't remove the legacy access config first

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-17-2018 02:17 AM

The "switchport mode trunk" line sets the port channel to be a trunk. 

 

Vlan 60 works because all vlans are allowed on a trunk link unless you restrict the vlans with the "switchport trunk allowed vlan ..." command. 

 

Jon

Go to solution
nixpengu1n
Level 1
Level 1

‎01-17-2018 02:18 AM

Hello,

 

First of all you need to understand what is a vSwitch configuration inside of your Virtual Environment. It will be great if you could share your ESXi Network configuration.

 

In general here are some considerations:

 

1. Depends on environment, VM traffic and Management / vMotion traffic should reside on different vSwitches

2. Management / vMotion traffic ideally should have dedicated physical network interfaces which are not shared with VM traffic

3. You can tag both VM traffic and Management /vMotion traffic if you want

 

So if, for example, VM traffic and Management / vMotion traffic is tagged with different VLAN IDs and resides in different IP subnets, physical interface configuration on Cisco switch may look like that:

 

Interface X/X/X

  switchport mode trunk

  switchport trunk native vlan X

  switchport trunk allowed vlan Y, Z

  switchport nonegotiate

 

In this case vlan X is a dummy VLAN you use in your LAN to be defined on trunk ports. VLAN Y, Z - VLAN IDs which is tagged on vSwitch configuration inside ESXi.

 

Also you may issue spanning-tree portfast command to make ESXi network interfaces available as soon as LAN boots up and add channel-group X mode on command if you have several physical interfaces, connected to ESXi (however it depends on your ESXi configuration - may be you have Destributed vSwitch which participates in STP process).

   

0 Helpful

Go to solution
coolaboola
Level 1
Level 1

‎01-17-2018 04:08 AM

thanks.

What would be the reason for setting the port as an access port as well as a trunk port ? is that a config error. Usually i would just have the port as a trunk and part of a port channel and then the allowed vlans on that link

0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to coolaboola

‎01-17-2018 04:18 AM

What would be the reason for setting the port as an access port as well as a trunk port ? is that a config error.

seen before where ports get upgraded to a trunk in config but user didn't remove the legacy access config first
0 Helpful

Go to solution
nixpengu1n
Level 1
Level 1
In response to coolaboola

‎01-17-2018 04:29 AM - edited ‎01-17-2018 04:30 AM

Hello,

 

Generally it is a configuration error. Port should be either in access or trunk mode. Ideally traffic from different subnets has to be tagged by different VLAN IDs if it is running through one physical interface, due to VLAN generally has to match a unique IP subnet.

 

But if we are talking about ESXi environment things could get a bit more complicated because you can have different VM networks configured on one vSwitch which will correspond to same VLAN and IP subnet. This VM networks could be mapped to the same NICs on ESXi host thus port on Cisco switch will be configured as normal access port just for this VLAN. This is quite crazy setup (but could be acceptable if you want to segment broadcast / multicast traffic from VMs for example), however you could not check a skill of a person who configures you VM environment.

 

So that's why I've asked you to share your ESXi network configuration.

0 Helpful

Go to solution
coolaboola
Level 1
Level 1
In response to nixpengu1n

‎01-17-2018 06:03 AM

In my esxi environment which i also inherited, there are multiple portgroups using these nics . Some have vlan tags and others dont. I presume if a portgroup doesnt have a tag then the traffic will flow through the native vlan (from the config).

 

Its a mess really . I think its legacy config plus config errors. In my eyes , each portgroup in vsphere should have a tag , the nics should be in the port channel and the vlans allowed on the port channel . Thats the way i have always seen it

0 Helpful

Go to solution
nixpengu1n
Level 1
Level 1
In response to coolaboola

‎01-17-2018 07:20 AM - edited ‎01-17-2018 07:24 AM

Hello,

 

OK, I will put some example.

 

Example 1: Management Network and VM Network are separated between vSwitches and physical interfaces

 

VM-Example-1.png

 

As you can see in this example both networks has no VLAN ID tag and they are utilizing different physical interfaces. In this example Management network and VM network could reside in one VLAN and port configuration on Cisco switch could be the following:

 

Interface X/X

  switchport mode access

  switchport access vlan X

  spanning-tree portfast

end

 

However you can separate them into two different subnets and configure different VLANs on different physical interfaces accordingly.

 

Example 2: VM networks utilizes same physical interfaces and traffic is tagged with VLAN ID within one vSwitch

 

VM-Example-2.png

In this case you will need to configure a trunk port on your Cisco switch for each ESXi physical interface:

 

Interface X/X

  switchport mode trunk

  switchport trunk native vlan X

  switchport trunk allowed vlan 135, 136

  swithport no negotiate

end

 

Also you may add all your ESXi physical interfaces into a port group to balance network traffic with channel-group X mode on command. However it will require some additional configuration on vSwitch:

 

VM-Example-3.png

Finally, if for example, one of the VM networks are not tagged with VLAN ID, it should be configured as native vlan on trunk port.

 

Hope this will help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card