Tagging vs Untagging (any familiarity with Force10 would help)

JohnnyBiggles

I have questions or verification, perhaps, regarding switching/vSwitching:


[Actually, this is in regards to a Dell Force10 layer-3 switch working with a vSwitch]


Example setup: Firewall uplink to Force10 Switch, then to vSwitch then PCs (VMs). There are 3 port groups on the VM host: 2 assigned with VLAN IDs (100,200) and one (management network) without a VLAN ID.


1. My understanding is that on a switch, all VLANs going through a trunk port should be tagged, while the port where a PC is connected to the switch on VLAN X should be untagged for that single VLAN. Am I correct?


2. If #1 is correct, the link between the vSwitch/vmnic and the external switch is a trunk, where the vSwitch (once vlans are created and VMs are put into those vlans) sends those packets out of the vmnic port as 'tagged' (with whatever Vlan ID was assigned to that port group) to the connecting external switch. Correct?

3. On a new switch, by default, all ports are in Vlan 1 and are labeled as 'untagged'. To configure proper communication for the setup above, the port on that switch connected to the vSwitch/vmnic should be configured as a trunk, where once the VLANs have been created, the port should be set up as tagged, correct? The port connected to an uplink for a Vlan should be an access port (switchport)

4. Following the above questions, is the following example correct?

Example: (Assuming port 5 on the external switch connects to the vmnic and ports 10 and 20 connect to the respective uplinks for each vlan network)
Switch(config)#int vlan 100
Switch(conf-int-vlan-100)#tagged gi0/5
Switch(conf-int-vlan-100)#untagged gi0/10

Switch(int-gi0/10)#switchport

Switch(config)#int vlan 200
Switch(conf-int-vlan-200)#tagged gi0/5
Switch(conf-int-vlan-200)#untagged gi0/20

Switch(int-gi0/20)#switchport

I ask because these commands take ports 5, 10 and 20 out of Vlan 1 and puts them all in Vlan 100 and 200. What happens with the traffic that is not assigned to a Vlan on the vSwitch? (I did something and managed to cut off all communication to the host somehow. [I'm new to Force10 switches so configuration is a little different it seems.] Any help would be appreciated. Thanks.

meadIT

The vSwitch will only tag with VLANs that are configured in the port groups. If a port group (Management) is not configured with a VLAN, it will be untagged. You will want to set your physical switch uplinks with the Management VLAN untagged and VLAN 100 and 200 tagged.

meadIT

JohnnyBiggles wrote: »

1. My understanding is that on a switch, all VLANs going through a trunk port should be tagged, while the port where a PC is connected to the switch on VLAN X should be untagged for that single VLAN. Am I correct?

That's correct for trunks between switches, or where all traffic is getting tagged. Since your Management VLAN is not configured with a VLAN, it is exiting the vSwitch untagged. So for these ports, you'll want the Management VLAN untagged and the other configured VLANs tagged.

JohnnyBiggles wrote: »

2. If #1 is correct, the link between the vSwitch/vmnic and the external switch is a trunk, where the vSwitch (once vlans are created and VMs are put into those vlans) sends those packets out of the vmnic port as 'tagged' (with whatever Vlan ID was assigned to that port group) to the connecting external switch. Correct?

See above reply. The Management VLAN will not be tagged.


After re-reading the reset of your post, do you have three separate vSwitches with a single uplink for each? Or at least a single vmnic assigned to each port group? Can you post a screenshot of your Networking config?

JohnnyBiggles

I don't have a screenshot available as of now but 2 vmnics go out to iSCSI targets and the remaining 2 NICs will be teamed and will carry VM & management traffic for multiple Port Groups including the vmkernel group (no vlan) and a few VM Vlan groups. Thanks for your help thus far.

JohnnyBiggles

meadIT wrote: »

The vSwitch will only tag with VLANs that are configured in the port groups. If a port group (Management) is not configured with a VLAN, it will be untagged. You will want to set your physical switch uplinks with the Management VLAN untagged and VLAN 100 and 200 tagged.

This diagram is pretty much the topology I have set up. Now... let's assume the port on the top connection on the physical switch in your diagram is gi0/1 and the Nics aren't teamed yet in Vmware. On the other side of the physical switch, let's say ports gi0/10, gi0/20 & gi/30 provide the uplinks for the different networks (Vlan 100 = gi0/20; Vlan 200 = gi0/30; gi0/10 = management). I think when I was trying to configure the physical switch, under the Vlan 100 interface, I set port gi0/1 as tagged and port gi0/20 as untagged. When I ran 'show vlan', port gi0/1 was no longer under Vlan 1 (default vlan). Somehow, I lost connectivity to the host altogether and I couldn't ping the host. I'm not understanding why, unless I set under Vlan1 port gi0/1 to be untagged. Can you help me understand how the un-vlanned traffic (management network) will share the port with Vlanned traffic from the physical switch? (and I guess once the nics have been teamed, the other physical switch interface would be configured similarly....?)

meadIT

JohnnyBiggles wrote: »

This diagram is pretty much the topology I have set up. Now... let's assume the port on the top connection on the physical switch in your diagram is gi0/1 and the Nics aren't teamed yet in Vmware.

How many physical NICs are on the top vSwitch? 3?

JohnnyBiggles wrote: »

On the other side of the physical switch, let's say ports gi0/10, gi0/20 & gi/30 provide the uplinks for the different networks (Vlan 100 = gi0/20; Vlan 200 = gi0/30; gi0/10 = management). I think when I was trying to configure the physical switch, under the Vlan 100 interface, I set port gi0/1 as tagged and port gi0/20 as untagged.

Should the bold interface be gi0/10? So by setting g0/10 as tagged, you're telling the physical switch that traffic coming from the vSwitch with a VLAN tag of 100 is allowed. Setting g0/20 to untagged is telling it that any traffic that is coming from the vSwitch with no tag whatsoever (untagged) should be placed on VLAN 100.

JohnnyBiggles wrote: »

When I ran 'show vlan', port gi0/1 was no longer under Vlan 1 (default vlan). Somehow, I lost connectivity to the host altogether and I couldn't ping the host. I'm not understanding why, unless I set under Vlan1 port gi0/1 to be untagged. Can you help me understand how the un-vlanned traffic (management network) will share the port with Vlanned traffic from the physical switch? (and I guess once the nics have been teamed, the other physical switch interface would be configured similarly....?)

Again assuming the bold should read gi0/10, by using this command in your original post "Switch(conf-int-vlan-100)#untagged gi0/10" you are telling the switch port that anything that is coming from the vSwitch untagged (Management) should be placed on VLAN 100. So by doing this, your traffic that should have been on the Management VLAN (assuming it is VLAN 1) was being placed on VLAN 100 instead.

If none of the physical NICs are teamed on the vSwitch, your configuration should look something like this, depending on whether you have one or multiple vSwitches.

JohnnyBiggles

The attached image is what the topology should look like. The numbers here are how they should be, so ignore the examples used previously.

meadIT

Ah, that makes it more clear. My previous post still applies here.

Before change (g0/1 vlan 1 untagged) - Management traffic sent from vSwitch untagged. Phys Switch sees it has no tag, so places it on vlan 1, everyone's happy.

After change (g0/1 vlan 1 tagged) - Management traffic sent from vSwitch untagged. Phys switch sees it has no vlan configured as "untagged" so drops packet. Connection lost to Management.

JohnnyBiggles

1. I just tested the following commands, and according to results of running the 'show vlan' command afterward, port gi0/1 appears under Vlans 100 and 200 as tagged, but seems to have been removed completely from Vlan 1 (the default vlan) (it shows all other ports as 'U' for untagged except gi0/1, which doesn't appear at all):

Sw(conf)#int vlan 100
Sw(conf-int-vlan-100)#tagged gi0/1
Sw(conf-int-vlan-100)#exit
Sw(conf)#int vlan 200
Sw(conf-int-vlan-200)#tagged gi0/1

I try to run the following command but it won't allow me since 'tagged' or 'untagged' are not configuration options under interface Vlan 1:

Sw(conf)#int vlan 1
Sw(conf-int-vlan-1)#untagged gi0/1

This is the output of show vlan:

Sw1#show vlan


Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
Q: U - Untagged, T - Tagged
x - Dot1x untagged, X - Dot1x tagged
G - GVRP tagged, M - Vlan-stack, H - VSN tagged
i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged


NUM Status Description Q Ports
* 1 Active U Gi 0/2-9,11-24
100 Inactive Test 100 T Gi 0/1
200 Inactive Test 200 T Gi 0/1
Sw1#



Any suggestions?

2. The connection between Gi0/10 and the other switch as you have shown in your returned diagram is carrying tagged vlans 1, 100 and 200... that switch will not carry traffic from vlans 100 and 200 - just management traffic that is not assigned to a vlan... so how should that port be configured? Still as a trunk?

meadIT

I'm not familiar with the Force 10 switches. I found this command on a blog post (Humair's Blogs » Blog Archive » 802.1Q Trunking Between Cisco and Dell Force10 Switches) and it seems to show that it should allow you to untag VLAN 1 on a port. In this example, it's using a port channel, but the command should be the same for a single channel.

- int vlan 1
- untagged Port-channel 1
- ip address 10.10.10.1/24
- no shut

If the switch attached go Gi0/10 will only have VLAN 1, it shouldn't matter whether it's a trunk or access port.

JohnnyBiggles

Thanks meadIT. You've been a big help. I'll have to contact Dell directly to see if I can get further help with this.

JohnnyBiggles

Apparently, there is a mode used on the Force10 switches I don't believe I've seen before: Hybrid mode. Enabling this mode on a port allows the default/native Vlan to remain untagged. For example, let's say you have a trunk between port te0/5 on the Force10 and another switch, and you have 3 Vlans configured between the two switches - 100, 200, 300 - with PCs connected to ports 10, 20 30 on each switch for their respective Vlans. You would enter the following commands into the Force10:

For Vlan 100:

Sw1#conf
Sw1(config)#interface te0/5
Sw1(config-if-te0/5)portmode hybrid
Sw1(config-if-te0/5)switchport
Sw1(config-if-te0/5)exit
Sw1(config)#interface vlan 100
Sw1(config-if-vl-100)#tagged te0/5
Sw1(config-if-vl-100)#untagged te0/10

By entering the above commands (noting the 'portmode hybrid' command, and assuming Vlan 1 is the native Vlan), packets passing through port te0/5 will remain listed under Vlan 1 as untagged, whereas if you had not entered the 'portmode hybrid' command along with the 'switchport' command on that port, configuring the trunk port - te0/5 - as tagged for Vlan 10 would have removed that port from Vlan 1, which essentially drops packets that are not explicitly assigned to a Vlan other than the native. (Entering 'untagged te0/5' under the Vlan 1 interface configuration is unnecessary when using the 'portmode hybrid' command. It is also not possible since the native Vlan interface commands are limited.)

I haven't been able to prove that this works yet but in theory, it should work when i get to the switch.

Borak

John, Were you to get to work? What force10 and firmware are you using? Tia, borak