3078 Views, 0 Helpful, 6 Replies

Dealing with VLAN conflicts on UCS infrastructure

aevans001111
Level 1

Hi,

This is a configuration guidance question, so hoping someone can assist.

We are in the process of migrating our internal environment onto a UCS environment shared with our Hosting/Customer environment. Unfortunately there are VLAN conflicts, so we are hoping to work around this rather than resolving the actual conflicts.

The current plan is as follows.

Implement new Nexus switching and create dedicated port channels for the internal environment. These switches will deal with all the internal VLANs while the existing switches deal with the hosting/customer VLANs. Basically we are separating the VLAN conflicts using different port channels.

My question is: will this actually work? On the Fabric Interconnects there is a Global VLAN list, so I'm worried the network traffic will get confused on the interconnects and not know which port channel to push the communication up, since the conflicting VLANs will exist on both. A colleague suggested looking into VLAN pin groups and tying the VLANs to specific vNICs, but I've never used pin groups, so I don't want to waste time looking at this if it won't work anyway.

Appreciate any thoughts or suggestions from someone who has dealt with a similar situation in the past.

Thanks.


6 Replies

Wes Austin
Cisco Employee

Hello,

If I understand correctly, you want to pin and allow certain VLANs on network uplinks, while allowing other VLANs on another segmented layer 2 network uplink? You will want to utilize disjoint layer 2 to accomplish this. UCS will pin vNICs only to network uplinks that satisfy all of the VLANs defined on that vNIC.

http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-computing/white_paper_c11-692008.html

HTH,

Wes
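The pinning rule Wes describes above (a vNIC is pinned only to an uplink that carries every VLAN on that vNIC, and a vNIC with no such uplink is brought down) can be modelled in a few lines. The following Python is an added example for this thread, not Cisco or UCSM code: the uplink names, VLAN IDs and vNIC definitions are constructed, and the model deliberately mirrors the original poster's situation by putting the same VLAN IDs on two uplink groups so the overlap check has something to report.

```python
"""Model of UCS disjoint layer 2 vNIC-to-uplink pinning (constructed example)."""
from typing import Dict, FrozenSet, List, Optional

# Constructed sample: two uplink port channels and the VLANs allowed on each.
# VLANs 100 and 200 appear on both, which is the overlap the thread is about.
UPLINKS: Dict[str, FrozenSet[int]] = {
    "Po10-hosting":  frozenset({100, 200, 300}),
    "Po20-internal": frozenset({100, 200, 400}),
}

# Constructed sample vNICs: name -> VLANs carried on that vNIC.
VNICS: Dict[str, FrozenSet[int]] = {
    "vnic-tenant1":  frozenset({100, 300}),
    "vnic-internal": frozenset({400}),
    "vnic-mixed":    frozenset({300, 400}),  # no single uplink carries both
}


def overlapping_vlans(uplinks: Dict[str, FrozenSet[int]]) -> Dict[int, List[str]]:
    """Return VLAN IDs that are allowed on more than one uplink group.

    UCSM treats a VLAN ID as one global object, so the same ID on two uplink
    groups is one broadcast domain from the fabric's point of view, not two
    isolated ones. Anything reported here defeats the isolation the poster wants.
    """
    seen: Dict[int, List[str]] = {}
    for name, vlans in uplinks.items():
        for vlan in vlans:
            seen.setdefault(vlan, []).append(name)
    return {vlan: sorted(names) for vlan, names in seen.items() if len(names) > 1}


def eligible_uplinks(vnic_vlans: FrozenSet[int],
                     uplinks: Dict[str, FrozenSet[int]]) -> List[str]:
    """Uplinks that carry every VLAN on the vNIC (the superset rule from the reply)."""
    return sorted(name for name, allowed in uplinks.items() if vnic_vlans <= allowed)


def pin_vnics(vnics: Dict[str, FrozenSet[int]],
              uplinks: Dict[str, FrozenSet[int]]) -> Dict[str, Optional[str]]:
    """Return {vnic: pinned uplink}. None models UCSM taking the vNIC down
    because no uplink satisfies all of its VLANs."""
    result: Dict[str, Optional[str]] = {}
    for name, vlans in vnics.items():
        candidates = eligible_uplinks(vlans, uplinks)
        result[name] = candidates[0] if candidates else None
    return result


if __name__ == "__main__":
    for vlan, groups in overlapping_vlans(UPLINKS).items():
        print(f"VLAN {vlan} is allowed on more than one uplink group: {groups}")
    for vnic, uplink in pin_vnics(VNICS, UPLINKS).items():
        print(f"{vnic}: {'pinned to ' + uplink if uplink else 'DOWN (no eligible uplink)'}")
```

The check worth running before a change like the one proposed is `overlapping_vlans`: if it returns anything, the two "separate" port channels share a broadcast domain on the fabric interconnect regardless of how the vNICs are pinned, which is the concern Kirk raises further down the thread.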

Hi Wesley,

Thanks very much for the quick response.

I'm trying to find a way to have overlapping/conflicting VLANs present on the fabric interconnects yet have functional networks presented up.

I was told that this can be done by pinning vNICs to certain uplinks like you mentioned. I will read through the article you linked in more depth; my only concern is that it says 'this scenario assumes no overlapping VLANs are present' and I want them present.

Greetings.

Like Wes has mentioned, UCSM won't let you have overlapping VLANs on the UCSM configuration. Having your upstream switch port VLAN config not configured the same as your UCSM will result in potential designated receiver issues, which will negatively impact broadcasts, ARP, etc.

Maybe it would be easier if you draw a picture of what you are intending, and label where VLANs are and aren't allowed on UCSM uplink ports as well as the upstream switch, and we can confirm if your intended config will work or not (I'm guessing it won't).

Thanks,

Kirk...

Hi Kirk,

Thanks for your response. As this is a multi-tenancy environment there are overlapping VLANs, and there will continue to be overlaps created as the various tenants have their own VLAN schemas.

Here's a diagram of what we are needing to implement. Could you please take a look and let me know what the solution would be for an environment such as ours, i.e. multi-tenanted. From our perspective the only place the VLANs will overlap is at the fabric interconnects, because that's where they are presented to the blades. Tenant 1's VLANs will never be presented to the Tenant 2 port channel or to any Tenant 2 blades/templates etc.

Thanks.

Greetings.

If your individual tenants have blade-level control/ownership, then the blades and OSs running on them that share the same VLANs are going to see each other's broadcast & ARP traffic, and have the ability to contact each other (notwithstanding individual blade OS firewall implementations). >>> This is something you already realize, and why you created this post.

We see customers needing to deploy multi-tenant type configurations similar to yours using private VLANs to segregate individual tenants.

See http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Network-Mgmt/3-1/b_UCSM_Network_Mgmt_Guide_3_1/b_UCSM_Network_Mgmt_Guide_3_1_chapter_0110.html#d17683e1065a1635 

There are limitations, and private vlans don't always fit all requirements.

Thanks,

Kirk...
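Kirk's suggestion is to keep the tenants on one primary VLAN and separate them with private VLANs. The Python below is an added example, not from this thread or from Cisco, that models the standard private VLAN port semantics (promiscuous ports reach everything in the primary VLAN, community ports reach their own community plus promiscuous ports, isolated ports reach only promiscuous ports) so you can check which tenant hosts could exchange broadcast/ARP traffic before touching the fabric. The port names, VLAN IDs and tenant layout are constructed; the model does not cover the UCSM version-specific limitations Kirk alludes to.

```python
"""Reachability model for private VLAN port types (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    name: str
    primary: int                 # primary VLAN the port belongs to
    mode: str                    # one of PROMISCUOUS, COMMUNITY, ISOLATED
    secondary: Optional[int] = None  # community or isolated VLAN; None for promiscuous


def can_talk(a: Port, b: Port) -> bool:
    """True if layer 2 traffic from a can reach b under PVLAN rules."""
    if a.primary != b.primary:
        return False                      # different primary VLANs never meet at L2
    if PROMISCUOUS in (a.mode, b.mode):
        return True                       # gateway / shared services reach everyone
    if a.mode == COMMUNITY and b.mode == COMMUNITY:
        return a.secondary == b.secondary  # same community only
    return False                          # isolated ports reach only promiscuous ports


def reachability(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Pairwise reachability matrix keyed by (source, destination) port name."""
    return {(a.name, b.name): can_talk(a, b) for a in ports for b in ports if a is not b}


def leaks(ports: List[Port]) -> List[Tuple[str, str]]:
    """Pairs of non-promiscuous ports in different secondary VLANs that can still
    talk. With correct PVLAN semantics this is always empty; it is the assertion a
    defender would run against a proposed tenant layout."""
    return sorted(
        (a, b) for (a, b), ok in reachability(ports).items()
        if ok and _secondary_of(ports, a) != _secondary_of(ports, b)
        and PROMISCUOUS not in (_mode_of(ports, a), _mode_of(ports, b))
    )


def _mode_of(ports: List[Port], name: str) -> str:
    return next(p.mode for p in ports if p.name == name)


def _secondary_of(ports: List[Port], name: str) -> Optional[int]:
    return next(p.secondary for p in ports if p.name == name)


# Constructed sample layout: one primary VLAN 100, a shared gateway on a
# promiscuous port, two tenants in their own community VLANs, and two hosts of
# a third tenant that must not even see each other (isolated VLAN).
PORTS: List[Port] = [
    Port("gateway",   100, PROMISCUOUS),
    Port("tenant1-a", 100, COMMUNITY, 201),
    Port("tenant1-b", 100, COMMUNITY, 201),
    Port("tenant2-a", 100, COMMUNITY, 202),
    Port("tenant3-a", 100, ISOLATED,  299),
    Port("tenant3-b", 100, ISOLATED,  299),
]

if __name__ == "__main__":
    for (src, dst), ok in reachability(PORTS).items():
        print(f"{src:10} -> {dst:10} {'reachable' if ok else 'blocked'}")
    print("cross-tenant leaks:", leaks(PORTS))
```

Every tenant host still reaches the promiscuous gateway port, which is what makes this usable in practice, while the two community VLANs and the isolated VLAN keep tenant hosts from seeing each other's ARP and broadcasts even though they all sit in the same primary VLAN.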

Thanks very much for the advice, will look into private vlans.
