Thank you for the wealth of information Mike! Whenever we talk to Enterasys, they always mention UNC!
Jason Grubbs
Network Engineer
Pottsgrove School District

From: Hawkins, The Original Mike Stephen <[email protected]>
Reply-To: [email protected]
To: Enterasys Customer Mailing List <[email protected]>
Subject: RE:[enterasys] Configure a port to use two VLANs

Jason:

I have one comment on your question and several comments on the related topic of managing vlans on Enterasys switches.

The IEEE 801.1 vlan standard will not let you assign more than one vlan per port where both are untagged. The only way to have two or more vlans on a port is to have them tagged. However, this means that the device(s) on that port must be set up to recognize the traffic for each vlan that it needs. Each OS does this by various commands to set up 801.1Q trunking. While I am no expert on this (setting up servers, etc.), see http://www.arrfab.net/blog/?p=40 for more information. It may also vary according to the NIC driver for your NIC. Thus when packets come in for vlan 200, your system/NIC knows that things tagged with vlan 200 are what it is interested in, to send to the vlan 200 portion (if you will) of the NIC/system.

At UNC we do lots of interesting things with vlans that I see very few other sites doing. These things save time and prevent errors. One of the things we do is set a PVID on each vlan that is tagged. Here are the MIBs in question:

    dot1qPvid OBJECT-TYPE
        SYNTAX      VlanIndex
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The PVID, the VLAN ID assigned to untagged frames or
            Priority-Tagged frames received on this port."
        REFERENCE
            "IEEE 802.1Q/D11 Section 12.10.1.1"
        DEFVAL      { 1 }
        ::= { dot1qPortVlanEntry 1 }

    dot1qPortAcceptableFrameTypes OBJECT-TYPE
        SYNTAX      INTEGER {
                        admitAll(1),
                        admitOnlyVlanTagged(2)
                    }
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "When this is admitOnlyVlanTagged(2) the device will
            discard untagged frames or Priority-Tagged frames
            received on this port. When admitAll(1), untagged
            frames or Priority-Tagged frames received on this port
            will be accepted and assigned to the PVID for this port.

            This control does not affect VLAN independent BPDU
            frames, such as GVRP and STP. It does affect VLAN
            dependent BPDU frames, such as GMRP."
        REFERENCE
            "IEEE 802.1Q/D11 Section 12.10.1.3"
        DEFVAL      { admitAll }
        ::= { dot1qPortVlanEntry 2 }

As I said, setting a PVID buys you much. We set up all tagged vlans on a port with a PVID of a value 999. This is what we consider to be a junk vlan. Thus if for some reason on a tagged port there are packets that are tagged with a vlan you do not want to see on that port, then those packets get dropped into the 999 vlan, which is in effect a black hole that does not get off the switch port. We do not want end systems setting vlan tagging on packets; we believe that to be the function of the network. Thus we can keep unwanted traffic off the network if there is something not configured correctly on a system or if there is a bug with an application. This one little feature has saved our bacon more than a time or two.

GVRP

Another big time saver for us at UNC when it comes to vlans is the protocol GVRP. We are big users of GVRP on our network. Enterasys switches have an excellent implementation of GVRP. This allows for dynamic trunks to be set up between ports such that you can always be assured that the vlan(s) you want are going down a trunk. It saves tremendous amounts of network manager time over having to tag many links to get a vlan where you need it to go.
ATGTools - vlanConfig

One final big time saver for us at UNC is a command called "vlanConfig" which is part of the ATGTools set that Enterasys gives away on their web site. This "vlanConfig" command is an executable (Windows and various Linux/Unix versions available) that sends commands to a switch or list of switches to make vlan changes on a switch. It is much faster, especially when you want to make changes on a number of switches at one time.

The deal with this is kind of odd in that many of the field engineers in Enterasys do not know about this/these tools, much less use them. There is the belief in much of Enterasys that the average network manager will shoot themselves in the foot too often. Officially Enterasys does not want to support this; however, at UNC we find it invaluable in time savings. We use it one command at a time, and we use it extensively in scripts to set up switches and to make massive vlan changes on groups of switches. The vlanConfig command is the main way we set tagged vlans on ports with the 999 PVID. See below the output of help for this command:

$ vlanConfig -h

VlanConfig creates/deletes a VLAN and adds/removes ports to its egress list as either
untagged or tagged, using dot1qVlan mibs. It also sets the port VLAN for the specified
ports. Use the -ctron option to use ctVlanConfig mibs.

See the HTML help file for usage notes on the XP platform.

PLATFORM SUPPORT:
    Matrix E6/E7
    Matrix E1
    Matrix E5
    Matrix N3/N7
    Matrix C1
    XP series

USAGE: vlanConfig { -s X1 | -l X2 } [ options ]
    -s X1 : where X1 is the IP address or hostname of the device
    -l X2 : where X2 is the name of a list of IP addresses to read

OPTIONS:
    -add         : creates a VLAN; used with -vlan
    -del         : deletes a VLAN; used with -vlan
    -vlan X3     : where X3 is the VLAN ID
    -name X4     : where X4 is the VLAN name; used with -add (default=VLAN #)
    -addPorts X5 : where X5 is a list of dot1dBridge port numbers (1-3,7) or
                   port names (fe.1.1-3,7;ge.3.1-5) to add
    -delPorts X6 : where X6 is a list of dot1dBridge port numbers (1-3,7) or
                   port names (fe.1.1-3,7;ge.3.1-5) to delete
    -addHost     : to add the host data port, if supported
    -delHost     : to delete the host data port, if supported
    -tagged      : adds/deletes ports to tagged egress list (otherwise untagged)
                   Note: that if -addPorts or -delPorts value equals BP then all
                   Backplane ports will be added or deleted
    -pvid X7     : used with -addPorts and -tagged to specify the port VLAN (default=1)
    -status      : displays the VLAN status of each device
    -portStatus  : displays the port status of each device
    -isl         : adds ISL ports (with CDP neighbors) to tagged egress list of all
                   VLANs, or the specified VLAN if used with -vlan
    -ctron       : uses the ctVlanConfig MIBs
    -dbof X8     : write database import friendly output to X8.dbo
    -dbo         : write database import friendly output to screen
    -gui         : causes the optional GUI to be spawned
    -allPorts    : allows all ports to be displayed (GUI-only)
    -aports      : shows IP list in ascending port order (GUI-only)
    -dports      : shows IP list in descending port order (GUI-only)
    -a           : will discover all devices in the cloud. Only meaningful when
                   entering a seed IP.
    -h           : Display argument descriptions
    -v           : Display tool version
    -realTime    : causes all timeticks values to be resolved to the workstation's clock
    -tee X9      : will tee output to the screen and the file specified by X9
    -noCons      : will suppress output to the screen
    -addr2name   : attempts to resolve addresses to names (IP-DNS only)
    -grep X10    : where X10 is a regular expression to grep for
    -snmpStack X11 : where X11 is "old" or "new". The old stack is a Ctron
                   implementation that only supports SNMPv1. The new stack is a
                   UCDavis implementation that can support SNMPv1, v2c, and v3.
                   (default=new)
    -snmpVer X12 : where X12 is the SNMP version to use (1, 2c, 3, or h). Only
                   applies when using the new SNMP stack. Use "h" for the highest
                   version that succeeds, per device. (default=h)
    -n X13       : where X13 is the community string
    -usmUser X14 : where X14 is the USM user name
    -authType X15 : where X15 is the authorization protocol (MD5 or SHA1). Only
                   used if -auth password is specified. (default=MD5)
    -auth X16    : where X16 is the authorization password. If not specified, no
                   authorization will be used.
    -priv X17    : where X17 is the privacy password. If not specified, no
                   encryption will be used.
    -throttle X18 : where X18 is the # SNMP requests / second (default=20)
    -to X19      : where X19 is the SNMP timeout (in seconds) (default=2)
    -rt X20      : where X20 is the number of times to retry in case of SNMP
                   failure (default=1)
    -args X21    : where X21 specifies a command line arg default file. Optionally
                   a section within the file can be specified using a colon
                   (e.g. filename:section). The filename portion of X21 should NOT
                   include the '.args' extension. (default=default)

One word of caution. With this command you can shoot yourself in the foot easily. You are making immediate changes on a switch when you use it. Enterasys Support discourages it for this reason.
However, if you get the tools and practice a bit with them, you start to see what a real time saver this is over doing a telnet or SSH to one switch at a time. Consider yourself warned, but look into it if you really want to gain some time back from day-to-day management of vlans on your network. Yes, Enterasys GTAC, I know you do not officially support these tools, but if you have a customer that wants to manage as best they can then they can make the choice to investigate these capabilities. We are all supposed to be adults here, right?!!! LOL!

Well Jason, I hope some of this helps you. I was very long winded; sometimes I get going and I just can't stop. Take what you like and leave the rest.

Have a good holiday everybody - be sure to remember all those who made the sacrifice for our country.

Mike Hawkins
Associate Director of Networking
University of North Carolina at Chapel Hill

-----Original Message-----
From: Jason Grubbs [mailto:[email protected]]
Sent: Friday, May 25, 2012 7:51 AM
To: Enterasys Customer Mailing List
Subject: [enterasys] Configure a port to use two VLANs

We are replacing a Cisco 3750 with a C5K. This switch serves as our phone switch. Some of the Cisco phones have devices that connect through the phone's secondary port. How can I configure the ports on the C5K so they use both vlan 200 and vlan 1?

I used this command to set them to 200:

    set port vlan ge.1.1-47 200

But I am then asked if I want to remove the ports from all other VLANs' untagged egress lists? Should I say no if I want to allow traffic on both 200 and 1?

Jason Grubbs
Network Engineer
Pottsgrove School District

________________________________

This email and any files transmitted with it are to be treated as confidential and as such are not to be used or disclosed except for the purpose for which it has been sent. Any views or opinions presented in this e-mail are solely those of the author and do not represent those of the Pottsgrove School District.
The School District accepts no liability for any damage caused by this e-mail. The recipient is required to indemnify the School District against any claims for loss or damage caused by any viruses or otherwise.

---
To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected]
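The port-VLAN behaviour Mike describes (untagged frames assigned to the PVID, admitOnlyVlanTagged discarding them outright, and a junk PVID of 999 that no port egresses, so anything landing in it never leaves the switch) modelled on constructed frames, as an added example that is not code from this thread, from Enterasys or from the ATGTools package. The port names, MAC addresses and VLAN memberships are made up for the demonstration, and the model assumes 802.1Q ingress filtering is enabled so that a tagged frame for a VLAN the port is not a member of is dropped:

```python
"""Model of 802.1Q port ingress/egress rules: PVID, acceptable frame types,
tagged/untagged egress lists and the effect of a "black hole" PVID.

Added example; port configuration and sample frames are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100   # EtherType that announces a VLAN tag
JUNK_VLAN = 999       # PVID used for tagged ports in the thread; no port egresses it


@dataclass
class PortConfig:
    pvid: int = 1                       # dot1qPvid
    admit_only_tagged: bool = False     # dot1qPortAcceptableFrameTypes == admitOnlyVlanTagged(2)
    tagged_egress: Set[int] = field(default_factory=set)    # VLANs sent out tagged
    untagged_egress: Set[int] = field(default_factory=set)  # VLANs sent out untagged


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: int
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, peeling one 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    vid, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return Frame(dst, src, vid, pcp, ethertype, raw[offset:])


def classify_ingress(frame: Frame, port: PortConfig) -> Optional[int]:
    """VLAN the frame is assigned to on ingress, or None if the port discards it."""
    if frame.vid is None or frame.vid == 0:         # untagged or priority-tagged (VID 0)
        return None if port.admit_only_tagged else port.pvid
    # Tagged frame: with ingress filtering on, only member VLANs are admitted (assumption)
    if frame.vid in port.tagged_egress or frame.vid in port.untagged_egress:
        return frame.vid
    return None


def forward(raw: bytes, ingress: str,
            ports: Dict[str, PortConfig]) -> Tuple[Optional[int], Dict[str, str]]:
    """Return (assigned VLAN, {egress port: 'tagged'|'untagged'}) for a flooded frame.

    An empty egress map with a non-None VLAN is the black-hole case: the frame was
    admitted into a VLAN that no other port is a member of.
    """
    vlan = classify_ingress(parse_frame(raw), ports[ingress])
    out: Dict[str, str] = {}
    if vlan is None:
        return None, out
    for name, cfg in ports.items():
        if name == ingress:
            continue
        if vlan in cfg.untagged_egress:
            out[name] = "untagged"
        elif vlan in cfg.tagged_egress:
            out[name] = "tagged"
    return vlan, out


# Constructed switch: one port run the UNC way (tagged VLANs, PVID 999), two access
# ports, and one port that admits tagged frames only.
PORTS = {
    "ge.1.1": PortConfig(pvid=JUNK_VLAN, tagged_egress={1, 200}),
    "ge.1.2": PortConfig(pvid=200, untagged_egress={200}),
    "ge.1.3": PortConfig(pvid=1, untagged_egress={1}),
    "ge.1.4": PortConfig(pvid=JUNK_VLAN, admit_only_tagged=True, tagged_egress={200}),
}

# Constructed frames (broadcast destination, made-up source MAC, IPv4 stub payload)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0011223344aa")
PAYLOAD = b"\x45" + b"\x00" * 19
F_UNTAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD)
F_V200 = build_frame(DST, SRC, 0x0800, PAYLOAD, vid=200, pcp=5)
F_V300 = build_frame(DST, SRC, 0x0800, PAYLOAD, vid=300)

if __name__ == "__main__":
    for label, raw, port in [("untagged on ge.1.1", F_UNTAGGED, "ge.1.1"),
                             ("vlan 200 on ge.1.1", F_V200, "ge.1.1"),
                             ("vlan 300 on ge.1.1", F_V300, "ge.1.1"),
                             ("untagged on ge.1.4", F_UNTAGGED, "ge.1.4"),
                             ("untagged on ge.1.2", F_UNTAGGED, "ge.1.2")]:
        print(f"{label:20s} -> {forward(raw, port, PORTS)}")
```

Run as-is, the untagged frame arriving on ge.1.1 is admitted into VLAN 999 and then goes nowhere, which is exactly the "black hole that does not get off the switch port" effect; the same frame on ge.1.4 is discarded at ingress by admitOnlyVlanTagged, and a frame tagged 300 is dropped because ge.1.1 is not a member of that VLAN.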
