802.1Q and Servers

SYN ACK

we have a lot of private plant-floor networks (mfg company, generally create a new vlan/non-routed network for each line on the plant floor)

normally we've been having multiple nics/physical interfaces for a main backup server to talk to devices on each of the lines

we've moved a few of these to a dot1q connection to get rid of having multiple physical interfaces

so, say the server has a production (routed) ip address and then private non-routed ip address on each vlan (for the private plant floor networks)

say the production server is on vlan 20

what should i define on the switch & server as the native vlan?
should i assume vlan 20 to dump any non-tagged traffic right into that?
or should i have it dump it into vlan 1 (default/non-routed)

what's the best practice here?
 
A quick diagram would help clarify the stacking of the private and routed nets.
 
Say, 10 private non-routed VLANs (each vlan/network representing a mfg. line in a plant, all devices on each line are segregated into their own vlan)
This is non-routed so people can't connect to mfg. machines while people are working and hurt someone

Configs and such need to be backed up, so a server was put up with a NIC for each private VLAN and an IP interface (no gateway, it's not routed) so the devices on each line could back up config to this server.

Instead of having a physical NIC for each VLAN/line (since they will be increasing) we put in 802.1Q NICs and trunked them. Then added IPs to each respective VLAN on the server.

Server has 2 NICs
1st NIC - Regular/Access - VLAN 20 (Server Farm Production Routed Network)
2nd NIC - 802.1Q trunked with multiple non-routed VLANs (private line networks)

My question is, what to set the default VLAN for on the switch
Should I keep it as the native VLAN 1 (non-routed, used only for BPDUs, and such)
or should i set it to VLAN 20 (server farm routed VLAN).

That clear things up?
 
Somewhat clearer. I'm going to assume we're talking about Cisco Catalysts, and if that is the case then Vlan1 isn't going anywhere. It's hard set and cannot be changed.

Typically the native vlan should be the routed one, unless I'm still not fully grasping your question.
 
Nortel throughout the enterprise

no, i didn't mean remove VLAN 1. It is not used because it's the default (security purposes) and it's used as the native for all untagged traffic (except on PVID ports) = all PDUs get dumped on VLAN 1 like normal... ignore all that.


Normally, on a trunk link (dot1q) you keep vlan 1 as your native VLAN so it dumps all PDU traffic (or all traffic that comes ingress that is not tagged). Switches obviously participate with VLAN 1 and pass it throughout every trunk.

But with trunked server interfaces, there is no reason to dump VLAN 1 to it (to include it in the trunk as a vlan member). In this case, I'm just passing the Server Farm production routed VLAN and then each of the private non-routed VLANs.

There is no VLAN 1 defined on the server 802.1Q NIC

I'm just curious what I should set my native/PVID vlan to on the switch dot1q link to the server.

I didn't see an option for PVID/native VLAN on the server NIC properties and I just don't want any weird mismatches or bridged VLANs happening.
 
Well I'm stumped. It doesn't help that the only experience I have with anything close to Nortel is an old Centillion 100 in my basement I used to use for lan parties.

I see what you're saying about the Server NICs not needing to deal with VLAN1 info, but I'm, well, stumped as to which way to go with it.
 
dot1q is a standard
doesn't matter what manufacturer we're talking about (as you already know i'm sure)

hmmm thanks for your time, tho
 
I'm confused... are you setting the switch port connected to the 802.1Q server NIC as a trunk port? And if so, isn't it going to want the switch's native VLAN?

Also, I was under the impression that 802.1Q interfaces have spanning tree and bridging disabled so the problems you're trying to avoid don't come up. Do these 802.1Q cards have documentation to this effect?
 
thedude42 said:
I'm confused... are you setting the switch port connected to the 802.1Q server NIC as a trunk port? And if so, isn't it going to want the switch's native VLAN?

The switch is set to dot1q (with all private plant floor vlans + the production routed server farm vlan/network as vlan members of the server port). The server has a 802.1q capable nic and the production/private VLANs have been created on the server. All VLANs are fully functional. I'm just curious what to set my default VLAN to (native) on the switch. Should I set it to the production network, or should i include vlan 1 as a vlan member.

thedude42 said:
I'm confused... are you setting the switch port connected to the 802.1Q server NIC as a trunk port? And if so, isn't it going to want the switch's native VLAN?

Also, I was under the impression that 802.1Q interfaces have spanning tree and bridging disabled so the problems you're trying to avoid don't come up. Do these 802.1Q cards have documentation to this effect?

no, spanning tree is completely independent. there is no reason to disable STP on a trunk port unless it is a part of a Nortel split-multi-linked trunk group.
 
OK, ok, I think I'm with you now.

From what I was taught, if you're not using the default, use whatever you want for the native, but best practices says don't use a VLAN you're using for something else. Use the native VLAN for the native VLAN, with only the trunking and management ports set as members.

That said... I am understanding this correctly, right? You are setting the switch port connected to the server's 802.1Q NIC as a trunk port? If I'm getting this correctly, then whatever you decide the native VLAN is is what that port should be a member of.

I don't see why it wouldn't work with the native VLAN being 20, just that doing it this way the NIC treats the production network differently by not encapsulating the traffic. If the NIC has VLAN 20 set as its native, then all should be well.

Me personally, I like having everything categorized and organized logically, so having all the ports used for connectivity of hosts on their VLANs and one completely separate VLAN for native/management has always been my de facto standard, and what most of the people I have learned from tend to do as well. But this is mostly for management and security; however, I'd do it like that anyway if security wasn't an issue unless an odd situation arose that prevented me from doing it that way, like say no router available to get the switches' NTP updates or something along those lines.
 
kinda.
i don't see an option to set a native vlan on the server side (nic properties)

basically, i'm wondering/worried
if i set the native/PVID on the switch trunk port (to the server) to vlan 20 (production server farm network) i just want to make sure untagged traffic (which could be a security issue, or whatever-the-hell might be getting dumped) - that i don't want it getting dumped into the server farm network and possibly affecting other servers
 
Right, which makes sense that you would make the switch's native VLAN 1 or something that's not being used by one of the other networks. That way everything meaningful going to the server is encapsulated.
 
yeah i think i will stick to native pvid 1 even though 1 is not on the server.

thanks,
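To make the switch-side behaviour the thread settles on concrete, here is an added Python simulation of dot1q trunk ingress/egress classification (example code, not from the thread or any vendor); it assumes the server trunk carries production VLAN 20 plus constructed private line VLANs 101-110, and shows that a stray untagged frame lands in VLAN 20 when 20 is the PVID but is dropped when the PVID is the unused VLAN 1.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100

@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]      # None = no 802.1Q tag on the wire
    ethertype: int
    payload: bytes

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, unwrapping a single 802.1Q tag if present."""
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype == TPID_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])   # PCP(3) DEI(1) VID(12)
        (etype,) = struct.unpack("!H", raw[16:18])
        return Frame(dst, src, tci & 0x0FFF, etype, raw[18:])
    return Frame(dst, src, None, etype, raw[14:])

def trunk_ingress(frame: Frame, native_vid: int, allowed: set) -> Optional[int]:
    """Switch-side ingress: untagged and priority-tagged (VID 0) frames go to the
    native/PVID VLAN, tagged frames keep their VID; non-members are dropped (None)."""
    vid = native_vid if frame.vid in (None, 0) else frame.vid
    return vid if vid in allowed else None

def trunk_egress(vid: int, native_vid: int) -> str:
    """Frames in the native VLAN leave the trunk untagged; all others leave tagged."""
    return "untagged" if vid == native_vid else f"tagged vid={vid}"

def build_frame(vid: Optional[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame (broadcast dst, made-up src) for the demo."""
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    if vid is None:
        return dst + src + struct.pack("!H", 0x0800) + payload
    return dst + src + struct.pack("!HHH", TPID_8021Q, vid, 0x0800) + payload

# Trunk membership to the backup server: VLAN 20 plus private line VLANs 101-110 (assumed numbers).
ALLOWED = {20} | set(range(101, 111))
def where_does_untagged_land(native_vid: int) -> Optional[int]:
    """The thread's question: which VLAN receives stray untagged traffic on the server trunk?"""
    return trunk_ingress(parse_frame(build_frame(None)), native_vid, ALLOWED)

if __name__ == "__main__":
    for native in (20, 1):
        print(f"native VLAN {native}: untagged frame -> {where_does_untagged_land(native)}")
```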
 