VLAN

You are currently browsing articles tagged VLAN.

VLAN Trunking Between Nexus 5010 and Dell PowerConnect Switches

Thursday, December 2, 2010 in Networking by slowe | 5 comments

If you don’t work in the networking space on a regular basis, it’s easy to overlook interoperability issues between equipment from different vendors. After all, a VLAN trunk is a VLAN trunk is a VLAN trunk, right? Alas, the answer is not always quite so simple.

While standards such as 802.1Q promise easy interoperability, the devil is usually in the details. I ran into just this sort of problem today in the lab. Specifically, I had a need to trunk VLANs between a pair of Cisco Nexus 5010 switches and a pair of Dell PowerConnect 6248 switches.

The configuration on the Cisco Nexus side was pretty straightforward (note that this was one of the first eight ports on the switch and was throttled down to 1Gbps):

interface ethernet 1/1
  switchport mode trunk
  speed 1000

I tried replicating this same setup on the PowerConnect switches using Dell’s switchport mode trunk command. Unfortunately, it didn’t work. I kept digging around, but regardless of the configuration the show interfaces switchport ethernet command would always show that VLAN 1 was marked as tagged. This clearly wouldn’t work; since VLAN 1 was defined as the native VLAN on the Cisco Nexus switch, it would be untagged on the Cisco side. I needed the VLAN to be untagged on the Dell side as well.

Quite by accident, I stumbled upon a slightly different command on the Dell: the switchport mode general command. The help text in the interface indicated that this was the correct configuration for 802.1Q operation.

I modified the Dell PowerConnect to use this configuration:

interface ethernet 1/g47
switchport mode general
switchport general allowed vlan add 1 untagged
switchport general allowed vlan add 900 tagged

With this configuration, the show interfaces switchport ethernet command now reported that VLAN 1 was untagged, as shown in the screenshot below.

A quick connectivity test showed that traffic was now flowing properly between the Dell PowerConnect 6248 switches and the Cisco Nexus 5010 switches. Problem resolved! Key takeaway: use switchport mode general for interoperability with other vendors’ switches.

If you have any experience with Dell PowerConnect switches and have additional information to share, please post it in the comments below.

Tags: , ,

vMotion Practicality

Monday, July 12, 2010 in Networking, Virtualization by slowe | 33 comments

About a month ago I posted an article titled The vMotion Reality. In that article, I challenged the assertion that vMotion was a myth, not widely implemented in data centers today due to networking complexity and networking limitations.

In a recent comment to that article, a reader again mentions networking limitations—in this instance, the realistic limits of a large Layer 2 broadcast domain—as a gating factor for vMotion and limiting its “practical use” in today’s data centers. Based on the original article’s assertions and the arguments found in this comment, I’m beginning to believe that a lot of people have a basic misunderstanding of the Layer 2 adjacency requirements for vMotion and what that really means. In this post, I’m going to discuss vMotion’s Layer 2 requirements and how they interact (and don’t interact) with other VMware networking functionality. My hope is that this article will provide a greater understanding of this topic.

First, I’d like to use a diagram to help explain what we’re discussing here. In the diagram below, there is a single ESX/ESXi host with a management interface, a vMotion interface, and a couple of network interfaces dedicated to virtual machine (VM) traffic.

VLAN Behaviors with VMware ESX/ESXi

As you can see from this highly-simplified diagram, there are three basic types of network interfaces that ESX/ESXi uses: management interfaces, VMkernel interfaces, and VM networking interfaces. Each of them is configured separately and, in many configurations, quite differently.

For example, the management interface (in VMware ESX this is the Service Console interface, in VMware ESXi this is a separate instance of a VMkernel interface) is typically configured to connect to an access port with access to a single VLAN. In Cisco switch configurations, the interface configuration would look something like this:

interface GigabitEthernet 1/1
  switchport mode access
  switchport access vlan 27
  spanning-tree portfast

There might be other commands present, but these are the basic recommended settings. This makes the management interfaces on an ESX/ESXi host act, look, feel, and behave just exactly like the network interfaces on pretty much every other system in the data center. Although VMware HA/DRS cluster design considerations might lead you toward certain Layer 2 boundaries, there’s nothing stopping you from putting management interfaces from different VMware ESX/ESXi hosts in different Layer 3 VLANs and still conducting vMotion operations between them.

So, if it’s not the management interfaces that are gating the practicality of vMotion in today’s data centers, it must be the VM networking interfaces, right? Not exactly. Although the voices speaking up against vMotion in this online discussion often cite Layer 3 VLAN concerns as the primary problem with vMotion—stating, rightfully so, that the IP address of a migrated virtual machine cannot and should not change—these individuals are overlooking the recommended configuration for VM networking interfaces in a VMware ESX/ESXi environment.

Physical network interfaces in a VMware ESX/ESXi host that will be used for VM networking traffic are most commonly configured to act as 802.1Q VLAN trunks. For example, the Cisco switch configuration for a port connected to a network interface being used for VM networking traffic would look something like this:

interface GigabitEthernet1/10
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 1-499
  switchport trunk native vlan 499
  spanning-tree portfast trunk

As before, some commands might be missing or some additional commands might be present, but this gives you the basic configuration. In this configuration, the VM networking interfaces are actually capable of supporting multiple VLANs simultaneously. (More information on the configuration of VLANs with VMware ESX/ESXi can be found in this aging but still very applicable article.)

In practical use what this means is that any given VMware ESX/ESXi host could have VMs running on it that exist on a completely different and separate VLAN than the management interface. In fact, any given VMware ESX/ESXi host might have multiple VMs running across multiple separate and distinct VLANs. And as long as the ESX/ESXi hosts are properly configured to support the same VLANs, you can easily vMotion VMs between ESX/ESXi hosts when those VMs are in different VLANs. So, the net effect is that ESX/ESXi can easily support multiple VLANs at the same time for VM networking traffic, and this means that vMotion’s practical use isn’t gated by some inherent limitation of the VM networking interfaces themselves.

Where in the world, then, does this Layer 2 adjacency thing keep coming from? If it’s not management interfaces (it isn’t), and it’s not VM networking interfaces (it isn’t), then what is it? It’s the VMkernel interface that is configured to support vMotion. In order to vMotion a VM from one ESX/ESXi host to another, each host’s vMotion-enabled VMkernel interface has to be in the same IP subnet (i.e., in the same Layer 2 VLAN or broadcast domain). Going back to Cisco switch configurations, a vMotion-enabled VMkernel port will be configured very much like a management interface:

interface GigabitEthernet 1/5
  switchport mode access
  switchport access vlan 37
  spanning-tree portfast

This means that the vMotion-enabled VMkernel port is just an access port (no 802.1Q trunking) in a single VLAN.

Is this really a limitation on the practical use of vMotion? Hardly. In my initial rebuttal of the claims against vMotion, I pointed out that because it is only the VMkernel interface that must share Layer 2 adjacency, all this really means is that a vMotion domain is limited to the number of vMotion-enabled VMkernel interfaces you can put into a single Layer 2 VLAN/broadcast domain. VMs are unaffected, as you saw earlier, as long as the VM networking interfaces are correctly configured to support the appropriate VLAN tags, and the management interfaces do not, generally speaking, have any significant impact.

Factoring in the consolidation ratio, as I did in my earlier post, and you’ll see that it’s possible to support very large numbers of VMs spread across as many different VLANs as you want with a small number of ESX/ESXi hosts. Consider 200 ESX/ESXi hosts—whose vMotion-enabled VMkernel interfaces would have to share a broadcast domain—with a consolidation ratio of 12:1. That’s 2,400 VMs that can be supported across as many different VLANs simultaneously as we care to configure. Do you want 400 of those VMs in one VLAN while 300 are in a different VLAN? No problem, you only need to configure the physical switches and the virtual switches appropriately.

Let’s summarize the key points here:

  1. Only the vMotion-enabled VMkernel interface needs to have Layer 2 adjacency within a data center.
  2. Neither management interfaces nor VM networking interfaces require Layer 2 adjacency.
  3. VM networking interfaces are easily capable of supporting multiple VLANs at the same time.
  4. When the VM networking interfaces on multiple ESX/ESXi hosts are identically configured, VMs on different VLANs can be migrated with no network disruption even though the ESX/ESXi hosts themselves might all be in the same VLAN.
  5. Consolidation ratios multiply the number of VMs that can be supported with Layer 2-adjacent vMotion interfaces.

Based on this information, I hope it’s clearer that vMotion is, in fact, quite practical for today’s data centers. Yes, there are design considerations that come into play, especially when it comes to long-distance vMotion (which requires stretched VLANs between multiple sites). However, this is still an emerging use case; the far broader use case is within a single data center. Within a single data center, all the key points I provided to you apply, and there is no practical restriction to leveraging vMotion.

If you still disagree (or even if you agree!), feel free to speak up in the comments. Courteous and professional comments (with full disclosure, where applicable) are always welcome.

Tags: , , , , ,

The vMotion Reality

Sunday, June 13, 2010 in Virtualization by slowe | 29 comments

The quite popular GigaOm site recently published an article titled “The VMotion Myth”, in which the author, Alex Benik, debunks the myth of vMotion and the live migration of virtual machines (VMs).

In his article, Benik states that the ability to dynamically move workloads around inside a single data center or between two data centers is, in his words, “far from an operational reality today”. While I’ll grant you that inter-data center vMotion isn’t the norm, vMotion within a data center is very much an operational reality of today. I believe that Benik’s article is based on some incorrect information and incomplete viewpoints, and I’d like to clear things up a bit.

To quote from Benik’s article:

Currently, moving a VM from a one physical machine to another has two important constraints. First, both machines must share the same storage back end, typically a Fibre Channel/iSCSI SAN or network-attached storage. Second, the physical machines must reside in the same VLAN or subnet. This means that inside a single data center, one can only move a VM across a relatively small number of physical machines. Not exactly what the marketing guys would have you believe.

Benik is correct in that shared storage is required in order to use vMotion. The use of shared storage in VMware environments is quite common for this very reason. Note also that shared storage is required in order to leverage other VMware-specific functionality such as VMware High Availability (HA), VMware Distributed Resource Scheduler (DRS), and VMware Fault Tolerance (FT).

On the second point—regarding VLAN requirements—Benik is not entirely correct. You see, by their very nature VMware ESX/ESXi hosts tend to have multiple network interfaces. The majority of these network interfaces, in particular those that carry the traffic to and from VMs, are what are called trunk ports. Trunk ports are special network interfaces that carry multiple VLANs at the same time. Because these network interfaces carry multiple VLANs simultaneously, VMware ESX/ESXi hosts can support VMs on multiple VLANs simultaneously. (For a more exhaustive discussion of VLANs with VMware ESX/ESXi, see this collection of networking articles I’ve written.)

But that’s only part of the picture. It is true that there is one specific type of interface on a VMware ESX/ESXi host that must reside in the same VLAN on all the hosts between which live migration is required. This port is a VMkernel interface that has been enabled for vMotion. Without sharing connectivity between VMkernel interfaces on the same VLAN, vMotion cannot take place. I suppose it is upon this that Benik bases his statement.

However, the requirement that a group of physical systems share a common VLAN on a single interface is hardly a limitation. First, let’s assume that you are using an 8:1 consolidation ratio; this is an extremely conservative ratio considering that most servers have 8 cores (thus resulting in a 1:1 VM-to-core ratio). Still, assuming an 8:1 consolidation ratio and a maximum of 253 VMware ESX/ESXi hosts on a single Class C IP subnet, that’s enough physical systems to drive over 2,000 VMs (2,024 VMs, to be precise). And remember that these 2,024 VMs can be distributed across any number of VLANs themselves because the network interfaces that carry their traffic are capable of supporting multiple VLANs simultaneously. This means that the networking group can continue to use VLANs for breaking up broadcast domains and segmenting traffic, just like they do in the physical world.

Bump the consolidation ratio up to 16:1 (still only 2:1 VM-to-core ratio on an 8 core server) and the number of VMs that can be supported with a single VLAN for vMotion is over 4,000. How is this a limitation again? Somehow I think that we’d need to pay more attention to CPU, RAM, and storage usage before being concerned about the fact that vMotion requires Layer 2 connectivity between hosts. And this isn’t even taking into consideration that organizations might want multiple vMotion domains!

Clearly, the “limitation” that a single interface on each physical host share a common VLAN isn’t a limitation at all. Yes, it is a design consideration to keep in mind. But I would hardly consider it a limitation and I definitely don’t think that it’s preventing customers from using vMotion in their data centers today. No, Mr. Benik, there’s no vMotion myth—only vMotion reality.

Tags: , , , ,

Creating UCS Service Profiles Part 1: Networking Elements

Wednesday, May 5, 2010 in Networking, Virtualization by slowe | 2 comments

This article is part 1 of a series of posts that provide some additional information on creating UCS service profiles. In this part of the series, I provide some guidelines on networking-related elements that should be created before you create a UCS service profile. By creating these elements before creating the service profiles or service profile template, the process of creating the service profile or service profile template is a bit smoother.

There are three key networking elements that I recommend defining before you create a UCS service profile:

  1. At least one MAC address pool
  2. All the VLANs that need to be visible/accessible within UCS
  3. At least one vNIC template

The steps for creating each of these elements, along with their location in UCSM, is found below.

Creating a MAC Address Pool

Location in UCSM: LAN tab – LAN > Pools > MAC Pools
Prerequisites: None

Here are the steps for creating a MAC address pool:

  1. Right-click on MAC Pools and select Create MAC Pool.
  2. Specify a name and description for the new MAC pool, then click Next.
  3. Click Add (with the green plus symbol) to add a new MAC block.
  4. Specify the first MAC address and the size of the MAC block. Keep in mind that MAC pools (and the MAC address blocks within them) are not shared across UCSM instances, so be sure to provide a way of distinguishing MAC addresses across multiple UCSM instances. For example, use the fourth hextet to denote a UCSM instance (01 for the first UCSM instance, 02 for the second, etc.). This will help generate unique MAC addresses across multiple UCSM instances.
  5. Click OK to add the MAC address block to the MAC pool.
  6. Repeat steps 3 through 5, as needed, to add more MAC address blocks to this MAC pool. When the MAC address pool is complete, click Finish to complete the creation of the new MAC pool.

Defining VLANs

Location in UCSM: LAN tab – LAN > LAN Cloud > VLANs
Prerequisites: None

  1. Right-click on VLANs and select Create VLAN(s).
  2. Specify a descriptive name for the VLAN.
  3. Specify whether the VLAN should be global to both UCS fabrics, specific to only one fabric or the other, or if the fabrics should be configured differently for the same VLAN. Generally, VLANs will be configured as Common/Global.
  4. Specify the VLAN ID(s) that are associated with this VLAN object in UCSM. Generally, each VLAN object in UCSM should only have a single VLAN ID associated with it. If you enter multiple VLAN IDs (like “70-75″ or “21-24,27″), UCSM will create separate VLAN objects for each VLAN ID specified. This makes the creation of multiple VLANs a single step.
  5. When the dialog box is complete, click OK to create the VLAN object.
  6. Repeat this process to create VLAN objects for all VLANs that should be available within this UCSM instance. Use multiple VLAN IDs, as outlined earlier, to streamline the creation of multiple VLANs at the same time.

Creating a vNIC Template

Location in UCSM: LAN tab – LAN > Policies > vNIC Templates
Prerequisites: MAC address pool, VLANs

  1. Right-click on vNIC Templates and select Create vNIC Template.
  2. Specify a name and a description for this vNIC template.
  3. Select the UCS fabric to which this vNIC template should be associated. Do not select Enable Failover when using VMware ESX/ESXi. Note that you will need to create vNIC templates for both fabrics in dual fabric configurations.
  4. Leave all targets selected.
  5. Select Updating to make this an updating template. As additional VLANs are added in the future, modifying this template will then automatically modify service profiles created from this template to make the new VLANs available to associated blades.
  6. Place a check mark next to each VLAN that should be visible to vNICs created from this vNIC template.
  7. Mark one of the selected VLANs as the native VLAN; traffic from this VLAN will be untagged traffic. (In VMware ESX/ESXi, this traffic would require a port group with a blank VLAN ID configured.)
  8. Select the MAC address pool created earlier.
  9. If necessary, choose values for QoS policy, network control policy, pin group, and stats threshold policy. In general, these values do not need to be set.
  10. When the dialog box is complete, click OK to create the vNIC template.
  11. If this is a dual fabric installation, repeat this process for the second UCS fabric.

In part 2 of the series, I’ll provide information on the storage-related elements that I recommend creating before you create a UCS service profile.

If you have any questions or clarifications, please feel free to post them in the comments.

Tags: , , , ,

Configuring Inter-VLAN Routing

Friday, April 23, 2010 in Networking by slowe | 8 comments

Yesterday I completed the configuration of inter-VLAN routing (aka “router on a stick”, or RoaS) as part of my ongoing CCNA preparation. A couple people mentioned that they would find the configuration useful, so I’m posting what I have. This is by no means a comprehensive treatise on the subject; for that, you should look elsewhere. Google can find you lots of sites with more in-depth and detailed information on the reasons behind the necessary configuration.

There are two primary components in a RoaS configuration:

  1. The configuration of the VLANs and VLAN trunking port on the switch
  2. The configuration of subinterfaces on the router

I describe how to configure each component below.

VLANs and VLAN Trunking

How to create VLANs varies between various switch types. On some switches, you’ll use the vlan database command in privileged EXEC mode. On other switches, you will use the vlan <VLAN ID> command while in global configuration mode. Regardless of which method is necessary for your particular Cisco switch, you will want to ensure that the switch has all the necessary VLANs defined.

After the VLANs have been defined, then you will need to configure the switch port connected to the router as a VLAN trunk port. This is pretty well covered elsewhere, but here is a quick review of the commands (these commands assume port 15 on module 0, a Fast Ethernet port):

switch(config)# int fa0/15
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 1,71-75
switch(config-if)# exit
switch(config)# exit
switch#

A couple notes about these commands:

  • Some switches only accept 802.1Q VLAN encapsulation; therefore, the switchport trunk encapsulation dot1q command isn’t supported because that’s the only encapsulation supported. So, the support for this command will vary from switch to switch.
  • You will want to specify the correct VLANs for your environment in the switchport trunk allowed vlan command.

At this point, the switch is configured correctly; now it’s time to move to the router.

Subinterfaces on the Router

For each VLAN that needs to be routed, you will need to create a subinterface on the router. Creating a subinterface is pretty easy, the commands look something like this:

router(config)# int fa0/0.1
router(config-if)# encapsulation dot1q 1 native
router(config-if)# ip address 192.168.1.1 255.255.255.0
router(config-if)# exit
router(config)# exit
router#

As before, there are a few notes to consider about these commands:

  • The number of the subinterface (the “1″ in fa0/0.1 above) is only locally significant and doesn’t need to match the VLAN ID, but matching the VLAN ID makes it easier to associate the subinterface with its configured VLAN ID. Again, as stated earlier, you’ll need a separate subinterface for each VLAN that you want to route.
  • Only specify the native keyword on the encapsulation dot1q command if this is the native VLAN on the switch side as well. Otherwise, the trunk won’t form as expected.
  • The IP address specified here will be the IP address of the default gateway for that VLAN/subnet.

For the physical interface itself, the interface needs to be up (so don’t issue a shutdown command), but the interface does not need to have any IP address associated with it.

With this configuration in place, you should be able to route between the VLANs; just specify the IP address of the subinterface on the router for that VLAN as the default gateway of the systems on that VLAN and you should be good to go.

If I’ve missed anything glaring please speak up in the comments and let me know.

Tags: , , ,

FCoE and VLAN Trunking on Nexus 5000

Tuesday, November 3, 2009 in Networking, Storage by slowe | 3 comments

In my earlier post on how to configure FCoE on a Nexus 5000, one of the readers suggested in the comments that it was necessary to have the interfaces in VLAN trunk mode via the switchport mode trunk command. I didn’t pay that much attention to it because the interfaces were indeed in VLAN trunk mode.

Fast forward to yesterday, when I was troubleshooting a problem between a Gen2 QLogic CNA and the Nexus 5010 in my lab (I tweeted about it). Although the Ethernet side of the CNA works just fine, the CNA refuses to bring up an FCoE connection. In the process of troubleshooting, Brad Hedlund (check his outstanding web site) suggested to me in a Twitter direct message that I should double-check the VLAN trunking status of the interface. That part I’d already heard from the reader who commented on the first post, but the next part was new to me (emphasis mine):

Gen2 requires ‘switchport mode trunk’ on the 5K. Gen1 doesn’t. Also make sure FCoE VLANs are allowed on the trunk.

Ah, now there’s something I hadn’t heard! That prompted me to do a bit of testing this morning (yes, I know I’m supposed to be studying for the VCDX Design Exam this afternoon). In my testing, I confirmed that a Gen1 CNA (I’m using Gen1 Emulex CNAs) does not require VLAN trunking to be enabled on the Ethernet interface.

There does appear to be a “gotcha” though: if the Ethernet interface is in access mode, it’s access VLAN must be the same as the FCoE VLAN; otherwise, the vfc interface will report down.

In summary:

  • If you are using a Gen2 CNA, you must put the Ethernet interface in VLAN trunk mode.
  • If you are using a Gen1 CNA, the Ethernet interface may be in either access mode or trunk mode.
  • If the interface is in trunk mode, be sure that you have allowed the FCoE VLAN via the switchport trunk allowed vlan command.
  • If the interface is in access mode, be sure that you have placed the interface in the FCoE VLAN via the switchport access vlan command.

If there are any other subtleties or nuances I’ve missed, please post them in the comments below so that future readers will benefit. Thank you!

Tags: , , , , ,

Why No Multi-Hop FCoE?

Tuesday, August 11, 2009 in Gestalt, Networking, Storage by slowe | 13 comments

Much ado has been made—some of it by yours truly—about the current lack of ability to create a multi-hop Fibre Channel over Ethernet (FCoE) fabric. After digging in deeper with Cisco during my recent Unified Computing System (UCS) class, I have some additional information to share about the different forms of multi-hop FCoE and why multi-hop FCoE still isn’t available.

Multi-hop FCoE falls into two basic scenarios:

  • FCoE initiators and/or FCoE targets separated from an FCF (fibre channel forwarder) by multiple hops through IEEE DCB-compliant Ethernet switches
  • Multiple FCFs chained together to connect FCoE initiators and FCoE targets

There are additional scenarios, but for now let’s discuss just these two.

In the first scenario, FCoE initiators and FCoE targets might be separated from an FCF by one or more IEEE DCB-compliant Ethernet switches (also known as an “FCoE passthrough”). In this situation, FCoE Initialization Protocol (FIP) would be required in order for the FCoE initiators and FCoE targets to communicate. Now that FIP support is beginning to emerge following the ratification of the FC-BB-5 standard in early June, this sort of scenario becomes more possible.

If you think like me (and if you do, I’m very sorry to hear that!), your next question is, “OK, what is an IEEE DCB-capable switch?” As it turns out, the Nexus 5000 can be an IEEE DCB-capable switch (or an FCoE passthrough). Cisco doesn’t advertise that fact because they don’t feel that building a solution out of a bunch of Nexus 5000 switches is the best approach. OK, fair enough, so the Nexus 5000 isn’t really designed to be used that way. So what other options are there? None of which I’m aware, at this point, so that makes it impossible to build multi-hop FCoE solutions today. When a valid IEEE DCB-capable switch or FCoE forwarder does appear then you’ll be able to build these sorts of designs—assuming that you have FIP support in both the FCoE initiators and the targets. (Note that you could mix pre-FIP components in here, but all such components would have to be connected directly to the FCF, and would only be able to communicate with other components connected directly to the FCF.)

In the second scenario, FCoE initiators and targets are connected directly to an FCF—like a Nexus 5000—but you’ve got multiple FCFs chained together to create a larger fabric. You might consider this analogous to linking multiple MDS 9000 series switches together with inter-switch links (ISLs). In this case, FIP support would still be necessary for initiators to connect to targets on a different FCF, but now there’s another wrinkle. You see, Cisco has the concept of a VSAN (think of it like a VLAN for Fibre Channel—this is a simplistic definition but reasonable enough to use). In the MDS world (keeping in mind that NX-OS, the software running on Nexus switches, has its roots in SAN-OS, the software that runs on MDS Fibre Channel switches), there is the concept of trunking E_ports, where multiple VSANs are carried on a single E_port between two MDS switches. Continuing the VSAN/VLAN analogy, a trunking E_port is analogous to an 802.1q VLAN trunk.

Bear with me, there’s a reason I’m telling you all this.

When you use FCoE on a Nexus 5000, you end up mapping each VSAN to a VLAN. When you need to move from one FCF to another FCF—i.e., from one Nexus 5000 to another Nexus 5000—how should the VSAN information be presented? Should the VSAN information reside in the 802.1q VLAN tag, so that an 802.1q VLAN trunk is considered a trunking E_port with regard to VSANs? Or should the VSAN information remain embedded in the FC commands that are encapsulated by Ethernet? This fundamental question has not yet been answered. There are advantages and disadvantages to each approach, and as the T.11 group responsible for FC-BB-5 and other FCoE standards hasn’t yet come to agreement yet on how to handle this, then it’s currently not possible to create the FCoE equivalent of trunking E_ports (I believe these will be referred to as VE_ports). Since you can’t create VE_ports, you can’t connect multiple FCFs together, and you can’t build a multi-hop FCoE fabric composed of multiple FCFs.

As you can see, then, that even with FIP present in all components, neither definition of multi-hop FCoE is possible today. Although a Nexus 5000 can function as an FCoE passthrough, Cisco doesn’t recommend that architecture. Without any other IEEE DCB-capable Ethernet switches available to use as an FCoE passthrough, that makes the first scenario impossible to build. Likewise, the inability to create VE_ports and trunk VSANs across multiple Nexus 5000 switches means that it’s impossible to build the second scenario today. While multi-hop FCoE is the ultimate goal, it’s just not possible right now.

Here’s some food for thought while you digest this information: how would a fabric extender change things? That’s a topic I’ll delve into in a future post, so stay tuned!

Of course, FCoE experts and wizards are encouraged to add your corrections, clarifications, and thoughts in the comments below.

Tags: , , , , ,

Using VMware ESX Virtual Switch Tagging with HP Virtual Connect

Monday, July 6, 2009 in Networking, Virtualization by slowe | 23 comments

In January 2008, SearchVMware.com published an article of mine titled VMware ESX Server Networking with HP Virtual Connect. In that article, I stated that one drawback of HP Virtual Connect was that it forced you to use External Switch Tagging (EST):

When used in conjunction with ESX Server, shared uplink sets force the use of EST because VLAN tags are stripped away by the Virtual Connect switch. Therefore, the ESX Server can’t use the VLAN tags, and must resort to a different vSwitch—each with one or more pNICs as uplinks—for each VLAN/associated network. This solution may be useful in some situations, but typically wouldn’t scale well for environments with many different VLANs.

It turns out that a firmware revision to the HP Virtual Connect software addresses this problem. As I’ve recently had the opportunity to work with an HP Virtual Connect Flex-10 module (you can expect to see some articles on Flex-10 in the near future), I wanted to revisit the idea of using HP Virtual Connect with VMware ESX/ESXi. In this post, I’ll describe how you go about configuring HP Virtual Connect so that you can use Virtual Switch Tagging (VST) and Shared Uplink Sets together. Each of the steps is described in one of the sections below.

Configure VC for VLAN Mapping

Before you even create the Shared Uplink Set, you must first configure the Virtual Connect module to use VLAN mapping instead of VLAN tunneling.

To access the option for configuring VLAN mapping, you can use the menu bar across the top of the right side of the HP Virtual Connect Manager. Simply click Configure > Ethernet Settings, then click on the Advanced Settings tab. There you will see the option to either tunnel VLAN tags or map VLAN tags. Choose to map VLAN tags. Optionally, you can click the check box to force server connections to use the same VLAN mappings; this will eliminate a step later but limits the overall flexibility of the solution. It’s up to you if you want to use this option.

Create the Shared Uplink Set

Now you’re ready to create the Shared Uplink Set. Using the menu bar across the top of the right side of the HP Virtual Connect Manager interface, simply choose Define > Shared Uplink Set. Specify a name for the uplink set, then choose the external uplink ports. While you here, you can also go ahead and create the associated networks you’ll need later.

Create the Associated Networks

Either while you’re creating the Shared Uplink Set or after the Shared Uplink Set has been created, you can add the Associated Networks. While you are editing the Shared Uplink Set, simply click the Add Network button under the Associated Networks area and define one or more VLANs. The following parameters are available when you define an Associated Network:

  • Network Name and VLAN ID: These are pretty self-explanatory. The VLAN ID here needs to match the external VLAN ID on the rest of the network.
  • Native: If this VLAN is marked as the native VLAN on the rest of your network, check this box. This network would then receive all of the untagged traffic on the uplink set.
  • Smart Link: If you would like this network to be marked as down if the uplinks go down, check this box.
  • Private network: With this box checked, the network will act like a private VLAN–nodes on this network cannot communicate with each other.
  • Advanced: This area allows you to set a custom speed for either the preferred speed or the maximum speed.

After you’ve defined the Associated Networks, then you’re ready to create the Server Profile—and that’s where the real magic in making VST is found.

Assign Networks in the Server Profile

Once again, you’ll use the menu bar across the right side of the HP Virtual Connect Manager to create a Server Profile. Simply select Define > Server Profile. In the Server Profile, you’ll add a network for each NIC present in the server blade (for a blade with Flex-10 NICs and a Flex-10 module, you will have eight NICs). When prompted for what network to associate to that NIC, choose Multiple Networks. Then click the small Edit button just to the right of the Network Name drop-down to show the Server VLAN to vNet Mappings screen.

The fact that you selected “Multiple Networks” when you added the connection to the Server Profile means that Virtual Connect will pass the VLAN tags up to the blade. The fact that you configured the Virtual Connect module to use VLAN mapping now means that you can create an association between the VLAN tags that a server uses and an corresponding Associated Network.

If you want to keep the server’s VLAN tags and the Associated Networks’ VLAN IDs matched up, just follow these steps:

  1. Check the box labeled Force Same VLAN Mappings As Shared Uplink Sets.
  2. Choose the Shared Uplink Set from the drop-down list.
  3. Place a check mark next to each Associated Network/vNet/VLAN. This tell the Virtual Connect module to include that VLAN.
  4. Place a check mark under Untagged for whichever Associated Network is should be handled as the untagged (native) VLAN.

If, on the other hand, you want to specify different server VLAN tags than Associated Network/vNet VLAN IDs, leave the check box for Force Same VLAN Mappings As Shared Uplink Sets unchecked, and specify the server VLAN ID that should be used for each Associated Network/vNet. For example, if the server was using VLAN ID 10 to refer to the Production network, but the Production network was using VLAN 1000 on the Associated Network and on the rest of the network, then choose the Associated Network that represents the Production network and specify a server VLAN ID of 10. This allows you to create a mapping between the VLAN tags the server uses and the VLAN tags the rest of the network uses.

After you’ve defined the Server Profile and created the vNet mappings, attach the Server Profile to a blade running VMware ESX/ESXi and you’re good to go! Within VMware ESX/ESXi, you would configure the vSwitches, distributed vSwitches, and port groups as you would normally.

How I Tested

My testing was performed on a HP Virtual Connect Flex-10 module running firmware revision 2.10. The Flex-10 module was uplinked via a single 10Gbps connection to an HP ProCurve switch. The blades were running VMware ESX 4.0.0.

Tags: , , , , ,

Changing vNIC Port Group Assignment in VMware with PowerShell

Monday, January 5, 2009 in Networking, Virtualization by slowe | 4 comments

Experienced PowerShell users won’t find this post very helpful, but less experienced PowerShell users—or even PowerShell newbies such as me—may find this handy. Today I had a need to change the port group assignment on the vNICs for a bunch of guest VMs in the lab. Rather than manually click through all these VMs just to change the port group, I decided to give PowerShell a try.

Thanks to this post by Cody Bunch and this Twitter response by Hal Rottenberg, I cobbled together this PowerShell command:

get-datacenter "Name" | get-vm | get-networkadapter | where-object { $_.networkname -like "OldPortGroup" } | set-networkadapter -networkname "NewPortGroup" -Confirm:$false

It worked like a champ! Obviously, you could limit the scope of this command by filtering the VMs that are returned with a wildcard pattern on the Get-VM command.

Thanks to Cody and Hal for their assistance!

Tags: , , , ,

VMware ESX Networking Articles

Friday, December 19, 2008 in Networking, Virtualization by slowe | 2 comments

Over the past few years—almost four years now that I’ve been writing here on this site—I’ve written quite a few articles on VMware ESX networking. Here’s a collection of links to some of the more notable, and hopefully more useful, articles in that group.

We’ll start with a classic article, but one that is still the number 1 post on this site. Written in December of 2006, this article on VMware ESX, NIC teaming, and VLAN trunking still generates lots of traffic even today. In that post, I describe how to use NIC teaming—more precisely, link aggregation or EtherChannel—along with VLAN trunking with VMware ESX. I guess this is a scenario that still causes problems with admins even today.

That first article was written with Cisco Catalyst switches in mind, but earlier this year I also published a version with information on VMware ESX, NIC teaming, and VLAN trunking with HP ProCurve switches as well.

One key piece to more fully understanding how VMware ESX interacts with VLAN tags is understanding what happens with untagged traffic, and this is something I described in this article on VMware ESX and the native VLAN. The key thing to remember here is to be sure to configure a VMware ESX port group to capture the untagged traffic, if that’s what you desire; otherwise, the traffic will just be ignored.

Similarly, a lot of VMware admins don’t fully understand the implications of the various load balancing policies on the vSwitch. The NIC teaming article from December 2006 assumed link aggregation (EtherChannel in the Cisco world), but how did VMware ESX behave in configurations without link aggregation? I tackled that subject in the post on NIC utilization in VMware ESX, and then provided a follow up post only a couple of months later. Both of these posts provide great information on how VMware ESX will place traffic onto the vSwitch uplinks.

Of course, if you find yourself needing to change the load balancing policy on a vSwitch, you might find this tip on using the CLI to change the vSwitch load balancing policy helpful, too. And this CLI guide to modify a port group may also prove useful.

In addition to an in-depth guide to NIC teaming, link aggregation, and VLAN trunking, I also provided a how-to on configuring VMware ESX, IP-based storage, and jumbo frames. While not officially supported by VMware, many users have reported success with this configuration and seen improved performance. (And before you ask: No, I haven’t run any performance comparisons myself yet.)

With the release of VI4—or whatever it ends up being called—there’ll be plenty of new networking fodder for me to write about: the Distributed vSwitch, the Cisco Nexus 1000V, and more. In the meantime, though, are there any other networking-oriented articles, guides, or how-to’s that readers would be interested in seeing published? I’m open to suggestions.

Tags: , , , , , , ,

« Older entries