Comments on: ESX Server and the Native VLAN http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/ The weblog of an IT pro specializing in virtualization, storage, and servers Wed, 08 Feb 2012 17:13:47 +0000 hourly 1 http://wordpress.org/?v= By: VMware ESX, NIC Teaming, and VLAN Trunking with HP ProCurve - blog.scottlowe.org - The weblog of an IT pro specializing in virtualization, storage, and servers http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/comment-page-1/#comment-41198 VMware ESX, NIC Teaming, and VLAN Trunking with HP ProCurve - blog.scottlowe.org - The weblog of an IT pro specializing in virtualization, storage, and servers Fri, 05 Sep 2008 15:22:38 +0000 http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/#comment-41198 [...] a port can only be marked as untagged for a single VLAN). This correlates to the discussion about VMware ESX and the native VLAN, in which I reminded users that port groups intended to receive traffic for the native VLAN should [...] [...] a port can only be marked as untagged for a single VLAN). This correlates to the discussion about VMware ESX and the native VLAN, in which I reminded users that port groups intended to receive traffic for the native VLAN should [...]

]]> By: New VLAN Article at SearchVMware.com - blog.scottlowe.org - The weblog of an IT pro specializing in virtualization, storage, and servers http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/comment-page-1/#comment-40352 New VLAN Article at SearchVMware.com - blog.scottlowe.org - The weblog of an IT pro specializing in virtualization, storage, and servers Wed, 06 Aug 2008 16:05:29 +0000 http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/#comment-40352 [...] article published on SearchVMware.com, a VLAN article published here on my site, and the latest discussion of the use of the native VLAN, I’m trying to make sure everyone has the information they need to understand and use VLANs [...] [...] article published on SearchVMware.com, a VLAN article published here on my site, and the latest discussion of the use of the native VLAN, I’m trying to make sure everyone has the information they need to understand and use VLANs [...]

]]> By: miked http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/comment-page-1/#comment-34400 miked Wed, 28 Nov 2007 22:13:45 +0000 http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/#comment-34400 Its actually very simple, ...and classic. We have three zones. Public, DMZ, and Inside. I created vlan 20 for Public, 30 for DMZ, and vlan 40 for Inside. Then i created vlan dummy_vlan2, dummy_vlan3, and dummy_vlan4, then i went into the vlan database and suspended each. Then, I went to each access port (via the interface-range qualifier) and assigned the native vlan and set the vlan membership explicitly, nearly the same as you showed in your article (you showed an example of allowing all vlans). Finally, I explicited allowed only vlans 20,30, and 40 on the Trunk. I hope this is the appropriate place for it, but here is how I set it up, straight from the documentation I wrote. ------ + Set up the Aggregated Ports Set up PAGP on Switch01 side # conf t (config)# interface range gi 1/43 - 44 (config-if-range)# channel-group 1 mode desirable Set up PAGP on Switch02 side (config)# interface range gi 1/43 - 44 (config-if-range)# channel-group 1 mode desirable port-channel 1 is the resulting virtual interface The following command will verify what has been set up. # show etherchannel summary Set up the IEEE 802.1Q Trunk SW02 (config)# interface port-channel 1 (config-if)# switchport trunk encapsulation dot1q (config-if)# switchport mode trunk SW01 (config)# interface port-channel 1 (config-if)# switchport trunk encapsulation dot1q (config-if)# switchport mode trunk + Configure VTP SW01 (config)# vtp mode server (config)# vtp domain xxxxxxx (config)# vtp password xxxxxxxxxxxxxxx SW02 (config)# vtp mode server (config)# vtp domain xxxxxxx (config)# vtp password xxxxxxxxxxxxxxx + Vlan Configuration SW01 Create Dummy VLANs (config)# vlan 2 (config-vlan)# name dummy_vlan2 (config)# vlan 3 (config-vlan)# name dummy_vlan3 (config)# vlan 4 (config-vlan)# name dummy_vlan4 (config)# end Suspend dummy_vlan’s #vlan database #vlan 2 state suspend #vlan 3 state suspend #vlan 4 state suspend Create Active VLAN’s #vlan 20 #name PUBLIC_VLAN #interface range 1/1 - 4 #switchport access vlan 20 #switchport trunk native vlan 2 #vlan 30 (config-vlan)#name DMZ_VLAN (config-vlan)#interface range 1/17 - 32 (config-vlan)#switchport access vlan 30 (config-vlan)#switchport trunk native vlan 3 #vlan 40 (config-vlan)#name INSIDE_VLAN (config-vlan)#interface range 1/33 - 35 (config-vlan)#switchport access vlan 40 (config-vlan)#switchport trunk native vlan 4 Configure Trunk Interface (config)# interface port-channel 1 (config-if)# switchport trunk allowed vlan 20,30,40 (config-if)#end # wr mem Its actually very simple, …and classic. We have three zones. Public, DMZ, and Inside. I created vlan 20 for Public, 30 for DMZ, and vlan 40 for Inside. Then i created vlan dummy_vlan2, dummy_vlan3, and dummy_vlan4, then i went into the vlan database and suspended each. Then, I went to each access port (via the interface-range qualifier) and assigned the native vlan and set the vlan membership explicitly, nearly the same as you showed in your article (you showed an example of allowing all vlans). Finally, I explicited allowed only vlans 20,30, and 40 on the Trunk.

I hope this is the appropriate place for it, but here is how I set it up, straight from the documentation I wrote.

——

+ Set up the Aggregated Ports

Set up PAGP on Switch01 side

# conf t
(config)# interface range gi 1/43 – 44
(config-if-range)# channel-group 1 mode desirable

Set up PAGP on Switch02 side

(config)# interface range gi 1/43 – 44
(config-if-range)# channel-group 1 mode desirable

port-channel 1 is the resulting virtual interface

The following command will verify what has been set up.
# show etherchannel summary

Set up the IEEE 802.1Q Trunk

SW02

(config)# interface port-channel 1
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk

SW01

(config)# interface port-channel 1
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk

+ Configure VTP

SW01

(config)# vtp mode server
(config)# vtp domain xxxxxxx
(config)# vtp password xxxxxxxxxxxxxxx

SW02

(config)# vtp mode server
(config)# vtp domain xxxxxxx
(config)# vtp password xxxxxxxxxxxxxxx

+ Vlan Configuration

SW01
Create Dummy VLANs

(config)# vlan 2
(config-vlan)# name dummy_vlan2
(config)# vlan 3
(config-vlan)# name dummy_vlan3
(config)# vlan 4
(config-vlan)# name dummy_vlan4
(config)# end

Suspend dummy_vlan’s

#vlan database
#vlan 2 state suspend
#vlan 3 state suspend
#vlan 4 state suspend

Create Active VLAN’s

#vlan 20
#name PUBLIC_VLAN
#interface range 1/1 – 4
#switchport access vlan 20
#switchport trunk native vlan 2

#vlan 30
(config-vlan)#name DMZ_VLAN
(config-vlan)#interface range 1/17 – 32
(config-vlan)#switchport access vlan 30
(config-vlan)#switchport trunk native vlan 3

#vlan 40
(config-vlan)#name INSIDE_VLAN
(config-vlan)#interface range 1/33 – 35
(config-vlan)#switchport access vlan 40
(config-vlan)#switchport trunk native vlan 4

Configure Trunk Interface

(config)# interface port-channel 1
(config-if)# switchport trunk allowed vlan 20,30,40
(config-if)#end
# wr mem

]]> By: slowe http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/comment-page-1/#comment-34399 slowe Wed, 28 Nov 2007 19:21:06 +0000 http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/#comment-34399 Miked, Thanks for your feedback. I'm wondering if you'd be willing to disclose a little bit of information on how the judicious use of native VLANs allowed you to accomplish your goals? It would, I think, be useful information to a lot of readers. Thanks! Miked,

Thanks for your feedback. I’m wondering if you’d be willing to disclose a little bit of information on how the judicious use of native VLANs allowed you to accomplish your goals? It would, I think, be useful information to a lot of readers.

Thanks!

]]> By: miked http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/comment-page-1/#comment-34398 miked Wed, 28 Nov 2007 17:31:42 +0000 http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/#comment-34398 I also suggest use of native vlans. In our initial data center rollout for a financial company, i needed to keep costs down, so i resolved to reduce the number of high end switch hardware we bought. Using native vlans properly allowed me to do this while mitigating the 'vlan hopping' exploit. I also suggest use of native vlans. In our initial data center rollout for a financial company, i needed to keep costs down, so i resolved to reduce the number of high end switch hardware we bought. Using native vlans properly allowed me to do this while mitigating the ‘vlan hopping’ exploit.

]]> By: jeremYprieS.com http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/comment-page-1/#comment-34154 jeremYprieS.com Wed, 14 Nov 2007 20:44:24 +0000 http://blog.scottlowe.org/2007/11/13/esx-server-and-the-native-vlan/#comment-34154 <strong>vSwitch0, Native VLANs and Host Building...</strong> I was just reading Scott’s posting regarding ESX Server and the Native VLAN.  It got me started on a post to describe my logic regarding vSwitch0 design for ESX host building.  I can tell you that I suggest native VLAN use fo... vSwitch0, Native VLANs and Host Building…

I was just reading Scott’s posting regarding ESX Server and the Native VLAN.  It got me started on a post to describe my logic regarding vSwitch0 design for ESX host building. 
I can tell you that I suggest native VLAN use fo…

]]>