ESXi Virtual Switch Tagging / VLANs


WizBang

New Member
Oct 21, 2019
3
0
1
I'm using a Quanta LB6M flashed to a TurboIron 24X. The switch config is currently the default config. What I am doing is using Virtual Switch Tagging in VMware and assigning VLANs to port groups. Ideally what I would like to happen is to just have the switch pass whatever VLAN it sees on a packet through untouched on all ports; that way I can perform all of the configuration in VMware and not need to touch the switch if I want to add a new VLAN later. I am also passing untagged traffic on the switch and need to continue to do so. Is there a way to configure the switch to do this? I'm very new to this and would appreciate actual command examples I could use if at all possible.

Here is the current output of "show vlans" (as I said, the default config):

Code:
SSH@TX24 Router#show vlans
Total PORT-VLAN entries: 1
Maximum PORT-VLAN entries: 64
PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
 Untagged Ports:   1   2   3   4   5   6   7   8   9  10  11  12
 Untagged Ports:  13  14  15  16  17  18  19  20  21  22  23  24
 Untagged Ports:  25  26  27  28
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
 

WizBang

New Member
Oct 21, 2019
3
0
1
I may have answered my own question. I'll post it in case it helps someone else. I wasn't able to have it pass every VLAN as I wanted, but I was able to create enough VLANs to suit my needs for the foreseeable future. By default the switch allows 64 VLANs (possibly 63 usable, since there is a default VLAN as well), so I decided that 30 VLANs would be enough. As mentioned in the previous post, the purpose was to be able to set up port groups in vCenter and assign VLANs at that level while also allowing non-VLAN (untagged) traffic to pass as well. The switch has a total of 28 ports (24 SFP+ and 4 GbE copper). I created VLANs 20-49 using the following commands (if you are connected to the switch through one of the affected ports you may end up locking yourself out; I used the console instead):

Code:
config t
vlan 20 name ESXi-VLAN-20
tagged ethernet 1 to 28
exit
!
vlan 21 name ESXi-VLAN-21
tagged ethernet 1 to 28
exit
!
!this pattern continues to VLAN 49
!
vlan 49 name ESXi-VLAN-49
tagged ethernet 1 to 28
exit
!
!Set all ports to accept untagged traffic
!
int ethernet 1 to 28
dual-mode
exit
!
!write the config
write me

This may not have been the best way, but it seems to work. I welcome any suggestions anyone may have.
 

Wolfstar

Active Member
Nov 28, 2015
159
83
28
48
That would be the correct way to do it, yes. You can also specify (down the road when you start exploring VLANs a bit more) WHICH VLAN you want untagged traffic to be on. Currently, without any configuration to it, it's going to be sending untagged via VLAN 1. The way you would change it to, for example, VLAN 5 would be "dual-mode 5" - change the number to whatever VLAN you would want to use.

You'll see a lot of references to best practices being to disable VLAN 1 and not use it in documentation; this isn't necessary anymore but it's not a bad idea either. It's to prevent someone plugging into a port and trying to "hop" VLANs to VLAN1 and circumvent access restrictions.
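The config WizBang posted repeats the same three lines for every VLAN, and Wolfstar's note adds the `dual-mode <vlan>` variant for choosing which VLAN carries untagged frames. The script below is an added example, not code from the switch vendor or from either poster: it generates that FastIron-style config for a contiguous VLAN range, refuses ranges that would exceed the `Maximum PORT-VLAN entries: 64` limit shown in the thread's `show vlans` output (counting the always-present default VLAN), and, when a native VLAN other than 1 is requested, also creates that VLAN with the ports tagged, on the assumption (FastIron behaviour, not stated in the thread) that a port must be a tagged member of the VLAN it is placed into with `dual-mode <id>`. The VLAN ids, name prefix and port count are constructed parameters.

```python
"""
Generate the repetitive FastIron/TurboIron-style VLAN configuration from
the thread: every VLAN in a contiguous range tagged on all ports, then all
ports set to dual-mode so untagged frames still pass.

Added example, not vendor code and not the thread's own config. VLAN ids,
name prefix and port count are constructed parameters; the 64-entry limit
is the 'Maximum PORT-VLAN entries: 64' value from the thread's show vlans.
The rule that a dual-mode target VLAN must already have the port as a
tagged member is an assumption about FastIron behaviour.
"""

MAX_PORT_VLAN_ENTRIES = 64  # 'Maximum PORT-VLAN entries' from show vlans in the thread
DEFAULT_VLAN = 1            # PORT-VLAN 1, DEFAULT-VLAN, exists before any config


def port_vlan_entries_needed(first_vlan, last_vlan, native_vlan=DEFAULT_VLAN):
    """Count the PORT-VLAN table entries the generated config will occupy.

    The default VLAN always holds one entry, every VLAN in the range holds
    one, and a native (dual-mode) VLAN outside the range needs its own.
    """
    in_range = first_vlan <= native_vlan <= last_vlan
    extra_native = 0 if native_vlan == DEFAULT_VLAN or in_range else 1
    return 1 + (last_vlan - first_vlan + 1) + extra_native


def tagged_vlan_config(first_vlan, last_vlan, port_count,
                       native_vlan=DEFAULT_VLAN, name_prefix="ESXi-VLAN-"):
    """Return the CLI lines (list of str) that tag first_vlan..last_vlan on
    ethernet 1..port_count and enable dual-mode with native_vlan untagged."""
    if not 1 <= first_vlan <= last_vlan <= 4094:
        raise ValueError("VLAN ids must satisfy 1 <= first <= last <= 4094")
    if first_vlan <= DEFAULT_VLAN <= last_vlan:
        raise ValueError("VLAN 1 is the default VLAN; start the range above it")
    if not 1 <= native_vlan <= 4094:
        raise ValueError("native VLAN id out of range")
    needed = port_vlan_entries_needed(first_vlan, last_vlan, native_vlan)
    if needed > MAX_PORT_VLAN_ENTRIES:
        raise ValueError(
            f"{needed} PORT-VLAN entries needed, switch allows {MAX_PORT_VLAN_ENTRIES}")

    ports = f"ethernet 1 to {port_count}"
    vlans = list(range(first_vlan, last_vlan + 1))
    if native_vlan != DEFAULT_VLAN and native_vlan not in vlans:
        vlans.append(native_vlan)  # assumed: dual-mode target must be a tagged member

    lines = ["config t"]
    for vid in vlans:
        lines += [f"vlan {vid} name {name_prefix}{vid}", f"tagged {ports}", "exit", "!"]

    lines.append(f"interface {ports}")
    if native_vlan == DEFAULT_VLAN:
        lines.append("dual-mode")  # untagged frames land on VLAN 1 (switch default)
    else:
        lines.append(f"dual-mode {native_vlan}")  # untagged frames land on native_vlan
    lines += ["exit", "!", "write memory"]
    return lines


if __name__ == "__main__":
    # Same range and port count as the thread: VLANs 20-49 on 28 ports.
    print("\n".join(tagged_vlan_config(20, 49, 28)))
```

Running it with `(20, 49, 28)` reproduces the posted config with the "pattern continues" part filled in; `(20, 49, 28, native_vlan=5)` produces Wolfstar's `dual-mode 5` variant plus the extra `vlan 5` block it depends on. Paste the output over the console session rather than an SSH session on one of the affected ports, for the lockout reason WizBang mentions.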
 

WizBang

New Member
Oct 21, 2019
3
0
1
I've seen what I think is conflicting advice about STP/RSTP and VLANs (or maybe only in the context of dual-mode ports). Do you have any insight as to whether a form of spanning-tree should be used in this setup? Would it be of any real benefit if the members of the VLANs are usually static?

Thank you.
 

Wolfstar

Active Member
Nov 28, 2015
159
83
28
48
Spanning tree is absolutely terrible, it's an absolute nightmare, and despite that it should always be used unless you're doing Layer 3 uplinks, because it will keep you from losing your entire network. Spanning tree keeps loops out of your network. You do need to configure it correctly - if you don't set the priority, for example, it will likely default to going through your oldest switch (because it's based on MAC address) or some dinky little 5-port that you've got in the living room instead of your actual core switch.

Note, this ONLY applies to physical switches and not to ESXi port groups - ESXi will not do spanning tree (nor does it need to). So if all you've got is one switch and your ESXi boxes, you can basically ignore spanning tree. More than one manageable switch though, you need to configure it.
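Wolfstar's point about an unconfigured priority handing the root role to the oldest switch follows from how the root bridge is elected: each bridge ID is the 16-bit priority followed by the 48-bit MAC address, and the lowest ID wins, so at the default priority of 32768 everywhere the MAC alone decides. The following is an added example, not code from the thread or any vendor, that runs that election over a constructed three-switch sample and shows the outcome before and after lowering the core's priority.

```python
"""
Spanning-tree root-bridge election, to show why an unset priority lets the
lowest-MAC switch become root instead of the core.

Added example, not code from the thread or any vendor; the switch names
and MAC addresses are constructed sample data. A bridge ID is the 16-bit
priority followed by the 48-bit MAC, and the numerically lowest ID wins.
"""

DEFAULT_PRIORITY = 32768  # 802.1D default bridge priority


def bridge_id(priority, mac):
    """Build the comparable 64-bit bridge ID from a priority and a MAC string."""
    if not 0 <= priority <= 65535:
        raise ValueError("priority must fit in 16 bits")
    if priority % 4096:
        # 802.1t bridges accept priorities only in steps of 4096, because the
        # low 12 bits of the field carry the system ID extension (the VLAN id).
        raise ValueError("priority must be a multiple of 4096")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if not 0 <= mac_int <= 0xFFFFFFFFFFFF:
        raise ValueError("MAC must be 48 bits")
    return (priority << 48) | mac_int


def elect_root(switches):
    """switches: {name: (priority, mac)}. Return the name of the root bridge."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def root_with_core_priority(switches, core_name, priority=4096):
    """Re-run the election after lowering the named core switch's priority."""
    adjusted = dict(switches)
    adjusted[core_name] = (priority, switches[core_name][1])
    return elect_root(adjusted)


# Constructed sample: three switches, all still at the default priority.
SAMPLE = {
    "core":        (DEFAULT_PRIORITY, "00:1b:ed:11:22:33"),
    "old-edge":    (DEFAULT_PRIORITY, "00:04:80:aa:bb:cc"),
    "living-room": (DEFAULT_PRIORITY, "00:0c:42:dd:ee:ff"),
}


if __name__ == "__main__":
    print("root with defaults:", elect_root(SAMPLE))
    print("root after 'core' priority 4096:", root_with_core_priority(SAMPLE, "core"))
```

With every priority at 32768 the election falls to `old-edge`, whose MAC is numerically lowest; setting the core to 4096 (the lowest non-zero step) makes it root regardless of MAC, which is the configuration step the post is describing.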