Solved: Regarding VLANs in UCS/HX

m1xed0s · ‎09-20-2021

Inherited a UCS/HX environment and some LAN/VLAN configuration confused me and would hope someone could help clarify here:

1. The UCS domain contains two HX Clusters (prod and test). There are VLAN 100-200 configured in UCS as Dual Fabric mode and they are assigned to the Guest VM vNICs for both HX clusters (duplicated VLAN IDs)...So for example, if I configured VLAN 100 portgroup on virtual switches within vCenter under the two HX clusters, how will UCS FI know which HX node to receive the VLAN 100 return traffic?

2. Say I have two port-channels per FI to the north bound network. I want VLAN 300 on port-channel 1 and VLAN 400 on port-channel 2. I can associate VLAN to specific uplink port-channel under "LAN Uplinks Manager". But I think I can also use the "VLAN Group" to associate VLAN(s) to specific uplink. But what would be the difference between two methods of accomplishing the task? I thought I saw an article about "VLAN Group" is recommended but can not find it anymore...

Steven Tardy · ‎09-20-2021

Multiple VLANs with the same VLANID often seems broken/wrong at first glance and can lead to confusion.

The UCS guide has a half decent explanation of why having multiple VLANs with the same VLANID exists:

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Network-Mgmt/4-1/b_UCSM_Network_Mgmt_Guide_4_1/b_UCSM_Network_Mgmt_Guide_4_1_chapter_0110.html#concept_D1DA6EF2EF0446099CFC3FAD4AEBDB87

To answer your questions directly.

1] From a VLAN perspective within the UCS Fabric Interconnect the VLAN on the packet is the VLAN on the packet which would be sent to BOTH prod-VLAN100 and test-VLAN100.

Controlling if VLAN100 is allowed to go to prod vs test could be controlled by the VLANs allowed on the vNIC from UCSM. If VLAN100 is a prod VLAN, then removing VLAN100 from the test vNIC template vm-network would result in no VMs in test from accessing VLAN100 regardless of OS vSwitch configuration.

UCSM / LAN / Policies / root / sub-org / HyperFlex-test / vNIC Templates / vNIC Template vm-network-a / [Modify VLANs]

2] VLAN Groups are a way to solve the I-gotta-remember-to-add-this-VLAN-to-multiple-places problem (vNIC configuration and uplink configuration). Add the VLAN to UCSM and then add the VLAN to the VLAN Group and the VLAN gets added to the necessary vNICs and uplinks.

Again the UCSM docs do a decent job of explaining VLAN Groups:

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Network-Mgmt/4-1/b_UCSM_Network_Mgmt_Guide_4_1/b_UCSM_Network_Mgmt_Guide_4_1_chapter_0110.html#concept_B2E1ECE33E65492CB430B027C561D7DC

View solution in original post

Steven Tardy · ‎09-20-2021

Multiple VLANs with the same VLANID often seems broken/wrong at first glance and can lead to confusion.

The UCS guide has a half decent explanation of why having multiple VLANs with the same VLANID exists:

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Network-Mgmt/4-1/b_UCSM_Network_Mgmt_Guide_4_1/b_UCSM_Network_Mgmt_Guide_4_1_chapter_0110.html#concept_D1DA6EF2EF0446099CFC3FAD4AEBDB87

To answer your questions directly.

1] From a VLAN perspective within the UCS Fabric Interconnect the VLAN on the packet is the VLAN on the packet which would be sent to BOTH prod-VLAN100 and test-VLAN100.

Controlling if VLAN100 is allowed to go to prod vs test could be controlled by the VLANs allowed on the vNIC from UCSM. If VLAN100 is a prod VLAN, then removing VLAN100 from the test vNIC template vm-network would result in no VMs in test from accessing VLAN100 regardless of OS vSwitch configuration.

UCSM / LAN / Policies / root / sub-org / HyperFlex-test / vNIC Templates / vNIC Template vm-network-a / [Modify VLANs]

2] VLAN Groups are a way to solve the I-gotta-remember-to-add-this-VLAN-to-multiple-places problem (vNIC configuration and uplink configuration). Add the VLAN to UCSM and then add the VLAN to the VLAN Group and the VLAN gets added to the necessary vNICs and uplinks.

Again the UCSM docs do a decent job of explaining VLAN Groups:

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Network-Mgmt/4-1/b_UCSM_Network_Mgmt_Guide_4_1/b_UCSM_Network_Mgmt_Guide_4_1_chapter_0110.html#concept_B2E1ECE33E65492CB430B027C561D7DC

m1xed0s · ‎09-20-2021

Thanks for the information and links.

Regarding the VLAN Group, I understand the purpose but I not sure when comparing it to the LAN Uplinks Manager...I guess VLAN Group would be for simplification of configuration steps but no functional difference over doing the same in LAN Uplinks Manager?

Steven Tardy · ‎09-20-2021

Correct. VLAN Groups are mostly an ease-of-use feature and provide no "functional" difference.

m1xed0s · ‎09-20-2021

Thanks for the confirmation.