Follow-Up About Multiple VLANs, Virtual Connect, and Flex-10

Scott,
Based on what you have described here it sounds as if there is no tagging mechanism that identifies which FlexNIC the traffic is either destined to, or sourced from?

It sounds like Flex-10 / FlexNIC uses the VLAN tag as the means to provision and identify what FlexNIC a frame belongs to.

If an additional tag was used, such as a VNTag, Flex-10 would not have this limitation.

Cheers,
Brad

Scott,
Perhaps I could be more clear. When a frame is received by the LOM, the only way it knows to which FlexNIC that frame belongs is via the VLAN tag. Hence the unique VLAN per FlexNIC per LOM limitation.

How the adapter presents itself as multiple adapters to the system (PCIe or SRI-IOV) has nothing to do with how the adapter is viewed as multiple adapters to the upstream network device(s) (Flex-10).

Brad

Scott,

We’re using BL685c G6’s with 4 LOMS giving us 16 FlexNICs.

Each chassis will have a pair of VC-Flex-10 modules each containing 4 1Gbp/s uplinks (we have no 10GbE available).

Knowing the limitation of 64 VLANS when using VLAN tagging, we need to use VLAN tunnelling.

I understand that you can’t map the same VLAN onto two different FlexNICS from the same LOM. Which basically means if you’re using the multiple networks option, you can only ever present multiple VLANs to 4 LOMS (4 NICS basically).

So what value am I actually getting from Flex-10?

In terms of bandwidth allocation, I’ll have a maximum of 4GB coming out of each VC which needs to be shared between the service console, vmotion, vm networks and backups.

If I decided not to use this and go for traditional VC interconnects, would I be delivering the same solution for less cost?

Stuart

Stuart,

Let me take a stab at your situation. There are a couple of things to consider here. The first is whether you need the extra NIC ports. If you need more than 4 NICs, then Flex10 FlexNIC capability is a decision point. Flex10 will give you 16 FlexNICs rather than 4 standard NICs. Although you may not like the architectural limitation of not being able to assign the same VLANs to multiple FlexNICs on the same LOM (LAN on Motherboard), you still get some cool benefits…
The 10Gb FlexNIC bandwidth is still usable for critical functions like VMotion even if you have 1Gb uplinks. If you are using multiple enclosures, Virtual Connect modules can be “stacked” across chassis so that you have a 10Gb backbone across up to four chassis. The stacking links go between chassis and do not require any ports at your switching core. In the case of VMotion, you can create a VMotion vNet in Virtual Connect, and assign the various FlexNICs more bandwidth on that vNet connection. That will give you faster VMotion capabilities within or even across enclosures.

The traditional Virtual Connect modules will only provide 1Gb downlinks to the servers, so your 10Gb NICs will be limited at 1Gb – including VMotion, and you do not want that. The only way to extract the 10Gb speed out of the ports is to use either Flex10 or the HP 10Gb Ethernet BL-c Switch.

Bottom line the Flex10 will give you faster, cross chassis VMotion capabilities at the very least. Yes, if you want to have more VLANs than are currently supported, you will need to use VLAN tunneling, but you can still use the 10Gb VMotion strategy.

Just a general comment on the content here –

Since Flex-10 is 100% hardware transparent (no drivers or O/S awareness required), it will work not only with VMware, but Hyper-V, XenServer, and any other virtualization platform which becomes available on the x86/x64 platform. The only thing required is the standard 10Gb NIC driver.

As Scott mentioned, FlexNICs appear as standard PCIe functions, allowing the OS to see them as regular NICs. This allows for a great deal of Flexibility (no pun intended) when it comes to supporting any operating system or virtualization platform.

We can’t forget that although VMware is the market share leader, many companies are running or evaluating multiple virtualization strategies. Virtual Connect Flex10 will work transparently across any of them.

As far as i can tell, from the discussion going on here, there is some confusion about how VLANs operate in a normal network. And, particularly, how they are managed by Spanning Tree.

VLANs operate on layer two. They have no TTL like packets (layer 3) and rely on a single path up through the infrastructure (via trunk connections between switches), until they get to the core of the network (or the point at which VLANs are terminated and the path beyond is routed).

To me, a clear reason why physical, or virtual Flex, connections cannot carry the same VLAN up two separate uplinks is due to the essential operation of VLANS and Spanning Tree. You CAN have two uplinks that can carry the same VLANs, just not at the same time. In other words, the secondary link (whether physical or virtual) must be in standby.

If you have one VLAN running on two separate uplinks at the same time, you are going to get a Spanning Tree loop. I don’t see any reason why HP or anyone else is going to be able to solve a technology problem that has existed since VLANs existed. No other network company has been able to provide an active/active solution for layer two infrastructures.

Does this make sense in the context of this discussion (I’ve kinda just jumped in and am only now looking at VC in a virtualized environment.

I just re-read my statement: “VLANs operate on layer two. They have no TTL like packets (layer 3)…”.

I should clarify: Frames (which encapsulate IP Packets passed down from layer three) operate on layer two and are constrained “within VLANs”. Frames have no TTL, hence Frames do not timeout and therefore are not removed from the network (whereas packets are removed once their TTL is reached). If you have a pathing loop somewhere, the frames just keep going around forever. Enter Spanning Tree Protocol.

Actually, Frames are also passed between Routers. In this case, however, there is no VLAN information (tagging) and the IP Packets are encapsulated just to get them onto the link which connects to the next Router in the path (route).

So, I may have inadvertently given the impression that VLANs are the basis for layer two Ethernet network technologies. When, in fact, Frames (and switching/bridging devices) form the basis for layer two operation (on an Ethernet network). I hope this doesn’t further confuse things (the concepts are simple, the details are not).

I think Server guys are going to have to learn more and more about networking technologies, as their domain (traditionally just endpoints on the network) and now becoming part of the network. We are no longer just teaming a few NICs.

Although the discussion here is healthy, it’s more academic than useful in the real world. The Flex-10 is the absolute worst piece of network gear I’ve ever tried to work with. It has so many limitations that it’s almost impossible to use in all but the most simple of environments. Limitations like:

* Bandwidth assignments to FlexNICs are “hard” meaning if you assign 1Gbps to one FlexNIC and 4Gbps to another, and the 4Gbps isn’t using all of the 4Gbps, that “left over” bandwidth CANNOT be used anywhere else, meaning you could be dropping other production traffic without the 10Gbps interface being throttled. Poor design.
* Only up to 28 VLANs per FlexNIC if VLAN tagging!!
* Because of it’s proprietary loop prevention, a tunneled FlexNIC it cannot have a MAC address in it’s CAM table in more than one VLAN. This is a MUST for any environment using bridged server-load balancers (the most common method for deploying SLB)
* It can only have 128 VLANs on the whole module (tunneled FlexNICs do not count toward this 128), which if you’re bonding uplinks, each VLAN counts multiple times for each link (i.e. if you a 30 VLANs, and you have 2 x 10G uplinks bonded, that counts as 60 VLANS!)
* It supports NO sort of Layer 2 QoS (CoS) meaning you’d better not ever want to try to put any voice applications (i.e. IP PBX, Voicemail, etc) on a blade. Even worse if you’re trying to do a virtual environment using iSCSI or NFS for your storage protocols.
* If a Flex-10 loses it’s uplink it doesn’t have the ability to down the internal server links, meaning the server has NO way of knowing if it’s upstream Flex-10 is a black hole. (and it can be a black hole depending on how you configure multiple Flex-10s).

HP has this protocol they came up with to solve this last issue, called SmartLink. SmartLink, upon a Flex-10 losing it’s uplink(s), sends a signal to the host telling to down it’s NIC. HOWEVER, for SmartLink to work, your OS on the blade MUST have a driver that supports SmartLink, which ESX, HyperV, nor XenServer have making SmartLink USELESS if you’re running a virtual environment!

I could carry on more, but I shant. Just the above should be enough for anyone considering deploying Flex-10 in a large data center to steer clear.

The only quirk I dislike about the Flex10 VC modules is the vlan limitation in a vnet. I’m hoping that a firmware update from HP will resolve that issue. We have a dz or so server based vlans here so i’m not worried about it.

All other quirks are no different than running bare-metal systems.

VmPassThru is a waste of resource to me. My manager places utilization demands upon our team. Resources aren’t purchased until we prove that bandwidth/cpu/memory are fully consumed.

I run a 6 node Oracle RAC cluster that is spanned across two c7000 chassis and four VC modules. The blades use two flexnics – one from each VC module. I have bond mode 1 and large mtu configured on a single bond interface which consists of the 2 flexnics. 3 vlan tagged interfaces are created on the bond interface.

When I require more bandwidth I’ll be purchasing additional sfp’s and those ports will be configured for etherchannel. Half my bandwidth is currently idle but in most environments that is the case. I tested etherchanneling my two VC’s and did some resiliency testing. All tests were successful. In fact you can do mode 4 bonding on the os level when VSS is implemented on upstream switches or if you have stack-wise switches installed. We don’t. Our uplinks are connected to two 6500′s.

This is the best Oracle cluster I’ve seen in my 6 years of dealing with RAC. I’m excited to get two more chassis so we can span the cluster across our wan.

Again, great post and conversation.
/Chris C

My question is more security based. I would like to completely know how the VC forwards packets. Lets say I have a mixed environment internal resources and dmz on the same VC.
All the trunks go to the VC and it is all separated out through the manager. What would the VC do if I send a packet to the wire with a vlan tagID of a internal network? Is it smart enough to know that this is coming from the DMZ and to not pass the traffic. I would think not the way you guys are talking about how dumb the VC’s are.

Scott – Is there any known limitation to vlans on the VC
Flex 10 module when tunnelling? We are experiencing odd network
disconnects in our c7000 chassis with BL460c servers running ESX
vSphere 4.0 U2. We have some NFS datastores exported from NetApp
3170′s that are dropping and coming back. The same ones work just
fine from our DL380′s. I’d be glad to provide you with more detail
if you have a few moments to spare on this one. Thanks!

Sorry my comments are for Dion.