Setting up VLAN for WAN to VM


weust

Active Member
I've bought a Cisco WS-C3560CX-8XPD-S to consolidate some things, and to learn some IOS.
And mainly because it's cool for the hobby :)

The WS-C3560CX-8XPD-S has six 1GbE interface ports, two multi-GbE interface ports and two SFP+ interface ports.
It also has POE, so I can connect my UbiQuiti AP to it.

In my hypervisor server (Free Hyper-V 2012 R2) I will install a Qlogic card with two SFP+ ports, of which I will use one port to connect to the first SFP+ port on the Cisco switch.
The port will be divided into four Functions. One for Management, one for WAN and one for LAN.
The fourth is a spare.

I want to set up two VLANs. One for WAN and one for LAN.
And they both have to work over the SFP+ cable (Twinax).
The WAN VLAN will have a 1GbE port and the SFP+ port.
The LAN VLAN will have several 1GbE ports and the SFP+ port.


I would like to use this topic to gain knowledge, and set up an interesting environment at home.

Regarding this setup, I have experience from my previous job where we ran Hyper-V clusters connected with SFP+ to Cisco Nexus switches, which were in turn connected to Cisco 4500E core switches.
The Nexus was set in transparent mode. The VMs had the VLAN ID set in their settings, not in the guest OS. The vSwitches, in general, didn't have a VLAN ID set because the VMs worked in several VLANs.
VLANs were configured on the core switches.

However, my Cisco IOS skills are minimal. Hence this topic.


What I've figured out so far, is that after I create a VLAN I add interfaces to it.
And in the case of my WAN VLAN I need to set the switchport to trunk allowed.
Code:
interface TenGigabitEthernet1/0/1
switchport access vlan 666
switchport trunk allowed vlan 666
switchport mode trunk
The 1GbE port connected to my cable modem will not have trunk allowed, but native.
But I am not 100% sure if that is correct. If it is, it's because that port is not connected to other VLANs.
Code:
interface GigabitEthernet1/0/1
switchport access vlan 666
switchport trunk native vlan 666
switchport mode trunk
Am I right, or did I miss something?
 

weust

Active Member
Update on the Gi1/0/1 interface port.
Talking in an IRC channel, someone mentioned to do the following:
Code:
switchport trunk native vlan 666
switchport host
Which gives the following:
Code:
interface GigabitEthernet1/0/1
 switchport access vlan 666
 switchport trunk native vlan 666
 switchport mode access
 spanning-tree portfast edge
This port doesn't need to be a trunk. And putting spanning tree portfast means it won't wait for 30 seconds for stp to decide it's an edge port.
 

sag

Member
I put the explanations with a ! in front after the lines they apply to.


Example modem port
int gi1/0/1
desc ***1Gig access 666 modem***
!because I like descriptions
switchport mode access
!setting the interface to be an access port (only 1 vlan)
switchport access vlan 666
!setting the interface to tag all traffic coming into the interface as vlan 666
spanning-tree portfast
!interface comes up faster and doesn't cause a topology change notification to be sent out when the states change

Example port going to the server
interface TenGigabitEthernet1/0/1
description ***10Gig Trunk to SERVER NAME***
!because I like descriptions
switchport trunk native vlan 666
!all untagged traffic will end up on vlan 666. all tagged traffic will carry their original tags
switchport mode trunk
!setting the interface to be a trunk port (many vlan)
load-interval 30
!so I can show int te1/0/1 and see the 30 second average over the interface instead of 5 minute
spanning-tree portfast trunk
!interface comes up faster and doesn't cause a topology change notification to be sent out when states change

If you want to restrict what tagged vlans can go over the trunk interface you can add the following
switchport trunk allowed vlan 11,90-95
!this allows vlan 11 and 90 through 95 to go in and out of the trunk port.

I don't know if I explained it very well. Please do ask questions if you have any. I run cisco gear at home and work.
 

weust

Active Member
Thanks for your reaction.

I've set descriptions on my VLANs, just not the interface ports yet.
Setting descriptions is always a good idea.

The ! descriptions are very nice. I know some settings and what they do, but this makes it clearer for me.
Gi1/0/1 looks great. Will take it exactly like that.
For Te1/0/1 (later the third one, which is the SFP+ port) I will set "switchport trunk native vlan 1", because all traffic coming to and from the server will have its tag set on either the physical NIC or the vNIC (VM, not Qlogic card).
VLAN 1 will not be configured, and therefore left alone.

"switchport trunk allowed vlan xx,xx-xx" might be a nice addition overall.

Thanks for the explanations. Really helpful!

Will configure further when I get home, and give it a go.
 

weust

Active Member
I notice that when I set "spanning-tree portfast trunk" on TenGigabitEthernet 1/0/1, it will show "spanning-tree portfast edge trunk" in the config.
Why would that be?
 

sag

Member
That is due to the version of code you are running
I found the following snippet in a pdf from cisco

"beginning with Cisco IOS Release 15.2(4)E, or IOS XE 3.8.0E, if you enter the spanning-tree portfast [trunk] command in the global or interface configuration mode, the system automatically saves it as spanning-tree portfast edge [trunk]"

PDF LINK

The pdf was for 3750x and 3560x switches but they probably updated the code on the 3560cx for this also.
My 3560cx runs code 15.2(3)E and I didn't even see edge as an option when trying to configure spanning-tree on a port.
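As an added example (not code from the thread or from Cisco), the Python below puts sag's access/trunk walkthrough and the portfast edge rewrite together: it parses interface blocks in the format used above, applies the two rewrites the switch makes on its own (the switchport host macro, and portfast saved as portfast edge on 15.2(4)E) so an intended config diffs cleanly against the running config, and then flags trunks that carry every VLAN or whose native VLAN is also a data VLAN, which is the design the thread settles on. The sample config, the function names and the wording of the findings are my own assumptions.

```python
import re
# 15.2(4)E saves "spanning-tree portfast [trunk]" as "spanning-tree portfast edge [trunk]"
PORTFAST = re.compile(r"^spanning-tree portfast(?! edge)\b")

# Constructed sample in the thread's format: the modem access port and the trunk to the server
SAMPLE = """interface GigabitEthernet1/0/1
 switchport trunk native vlan 666
 switchport host
interface TenGigabitEthernet1/0/1
 switchport trunk native vlan 666
 switchport mode trunk
 spanning-tree portfast trunk
"""

def parse_interfaces(config):
    """Return {interface name: [config lines]}; blank and '!' comment lines are dropped."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line and not line.startswith("!") and current is not None:
            blocks[current].append(line)
    return blocks

def normalize(lines):
    """Rewrite lines the way the switch stores them, so an intended config diffs cleanly."""
    macro = ["switchport mode access", "spanning-tree portfast edge"]  # 'switchport host', as shown above
    lines = [l for line in lines for l in (macro if line == "switchport host" else [line])]
    return [PORTFAST.sub("spanning-tree portfast edge", l) for l in lines]

def expand_vlans(spec):
    """'11,90-95' -> {11, 90, 91, 92, 93, 94, 95}"""
    parts = [part.partition("-") for part in spec.split(",")]
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def lint(name, lines):
    """Findings for one interface, encoding the design the thread settles on."""
    lines = normalize(lines)
    value = lambda prefix, default=None: next((l[len(prefix):] for l in lines if l.startswith(prefix)), default)
    mode, allowed = value("switchport mode "), value("switchport trunk allowed vlan ")
    native = int(value("switchport trunk native vlan ", "1"))
    if mode == "trunk" and allowed is None:
        return [f"{name}: trunk carries every VLAN; restrict with 'switchport trunk allowed vlan'"]
    if mode == "trunk" and native in expand_vlans(allowed):
        return [f"{name}: native VLAN {native} is also an allowed tagged VLAN; use an unused VLAN"]
    if mode == "access" and any(l.startswith("switchport trunk ") for l in lines):
        return [f"{name}: 'switchport trunk' lines have no effect on an access port"]
    return []
FINDINGS = [f for name, lines in parse_interfaces(SAMPLE).items() for f in lint(name, lines)]
```

Running it on the constructed sample reports the leftover trunk line on the access port and the unrestricted trunk; a trunk with native VLAN 1 left unused and an explicit allowed list, as weust ends up with, produces no finding.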
 

weust

Active Member
Ah, that explains it :)

I'm running Version 15.2(3r)E2, RELEASE SOFTWARE (fc2) right now.
The web version. Which is totally useless unless you want to check temperatures.

System image file is "flash:/c3560cx-universalk9-mz.152-4.E1/c3560cx-universalk9-mz.152-4.E1.bin" for some reason.


I've built in the Qlogic QLE-3242-CU tonight. That card gets really warm.
Plus the Supermicro C2578CF motherboard I have doesn't seem to fully agree with the card.
It seems to redo the BIOS/UEFI screen for all enabled Functions before booting the OS.
Something I need to look into further.

Getting late here, but trying to configure some things on the server before turning in for the night.
 

sag

Member
The "Version 15.2(3r)E2, RELEASE SOFTWARE (fc2)" is the bootloader version. This runs after POST and initializes the hardware and loads the actual IOS.

According to your system image file you are running IOS version 15.2(4)E1.
 

weust

Active Member
Ah, right. It was the latest I could find.
Might move to the non-web version later, though.
 

weust

Active Member
Pulled the Qlogic card because it made the server very unstable.
Hanging on anything network related. MMC or PowerShell.

So, took a member of my LBFO team for the LAN switch, and made that into a new vSwitch.
Configured the Cisco switch to have TenGigabitEthernet 1/0/1 able to do what 1/0/4 can, and plugged in the cable modem cable.

And it works, as is evident by this post :)

I bought an Intel X520-DA1 on ebay, which I hope will arrive end of next week, and that it will perform more nicely with the motherboard.
 

weust

Active Member
Intel X520-DA1 finally arrived after 2 weeks of shipping.
Installed and it's behaving nicely so far.

Back to configuring this setup :)
 

whitey

Moderator
LOL, just looked at your first post and saw the WAN/internet vlan number choice...good one sir...I did the SAME exact thing a few yrs back HAHA, dying here

root@ex3300sw> show configuration vlans
lan {
    vlan-id 11;
    interface {
        ge-0/0/0.0;
        ge-0/0/1.0;
        ge-0/0/2.0;
        ge-0/0/3.0;
    }
    l3-interface vlan.0;
}
landr {
    vlan-id 111;
}
san {
    vlan-id 77;
}
vmotion {
    vlan-id 10;
}
vsan {
    vlan-id 88;
}
wan {
    vlan-id 666;
}

{master:0}
root@ex3300sw>
 

weust

Active Member
Got everything hooked up, except I still need to configure POE for the AP.

One thing I am noticing is that machines take a long time to get an IP address.
It feels like it takes the switch a long time to allow the connection, or something like that.

I configured the ports that aren't WAN or the 10G uplink to the Hypervisor as follows:
!
interface GigabitEthernet1/0/5
description Soundwave
switchport access vlan 10
switchport mode access
Another thing I don't understand is why this switch with six 1GbE ports and two 10GbE ports plus two 10GbE SFP+ ports shows GigabitEthernet 1/0/1 through 1/0/8 and TenGigabitEthernet 1/0/1 through 1/0/4.
I set descriptions for GE1/0/7 and 1/0/8 to not use them, but why does it even show them?