You are more than welcome. M
Sent via DroidX2 on Verizon Wireless™

-----Original message-----
From: Jason Grubbs <[email protected]>
To: Enterasys Customer Mailing List <[email protected]>
Sent: Fri, May 25, 2012 15:05:08 GMT+00:00
Subject: Re: [enterasys] Configure a port to use two VLANs

Thank you for the wealth of information Mike! Whenever we talk to Enterasys, they always mention UNC!

Jason Grubbs
Network Engineer
Pottsgrove School District

From: <Hawkins>, The Original Mike Stephen <[email protected]>
Reply-To: "[email protected]" <[email protected]>
To: Enterasys Customer Mailing List <[email protected]>
Subject: RE:[enterasys] Configure a port to use two VLANs

Jason:

I have one comment on your question and several comments on the related topic of managing vlans on Enterasys switches.

The IEEE 801.1 vlan standard will not let you assign more than one vlan per port where both are untagged. The only way to have two or more vlans on a port is to have them tagged. However, this means that the device(s) on that port must be set up to recognize the traffic for each vlan that it needs. Each OS does this by various commands to set up 801.1Q trunking. While I am no expert on this (setting up servers, etc), see http://www.arrfab.net/blog/?p=40 for more information. It may also vary according to the nic driver for your nic. Thus when packets come in for vlan 200, your system/nic knows that things tagged with vlan 200 are what it is interested in to send to the vlan 200 portion (if you will) of the nic/system.

At UNC we do lots of interesting things with vlans that I see very few other sites doing. These things save time and prevent errors. One of the things we do is set a PVID on each vlan that is tagged.
Here are the mibs in question:

    dot1qPvid OBJECT-TYPE
        SYNTAX      VlanIndex
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The PVID, the VLAN ID assigned to untagged frames or
            Priority-Tagged frames received on this port."
        REFERENCE   "IEEE 802.1Q/D11 Section 12.10.1.1"
        DEFVAL      { 1 }
        ::= { dot1qPortVlanEntry 1 }

    dot1qPortAcceptableFrameTypes OBJECT-TYPE
        SYNTAX      INTEGER {
                        admitAll(1),
                        admitOnlyVlanTagged(2)
                    }
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "When this is admitOnlyVlanTagged(2) the device will
            discard untagged frames or Priority-Tagged frames
            received on this port. When admitAll(1), untagged
            frames or Priority-Tagged frames received on this port
            will be accepted and assigned to the PVID for this port.

            This control does not affect VLAN independent BPDU
            frames, such as GVRP and STP. It does affect VLAN
            dependent BPDU frames, such as GMRP."
        REFERENCE   "IEEE 802.1Q/D11 Section 12.10.1.3"
        DEFVAL      { admitAll }
        ::= { dot1qPortVlanEntry 2 }

As I said, setting a PVID buys you much. We set up all tagged vlans on a port with a PVID of a value 999. This is what we consider to be a junk vlan. Thus if for some reason on a tagged port there are packets that are tagged with a vlan you do not want to see on that port or then those packets get dropped into the 999 vlan which is in effect a black hole that does not get off the switch port. We do not want end systems setting vlan tagging on packets; we believe that to be the function of the network. Thus we can keep unwanted traffic off the network if there is something not configured correctly on a system or if there is a bug with an application. This one little feature has saved our bacon more than a time or two.

GVRP

Another big time saver for us at UNC when it comes to vlans is the protocol GVRP. We are big users of GVRP on our network. Enterasys switches have an excellent implementation of GVRP.
This allows for dynamic trunks to be set up between ports such that you can always be assured that the vlan(s) you want are going down a trunk. It saves tremendous amounts of network manager time over having to tag many links to get a vlan where you need it to go.

ATGTools - vlanConfig

One final big time saver for us at UNC is a command called "vlanConfig" which is part of the ATGTools set that Enterasys gives away on their web site. This "vlanConfig" command is an executable program (Windows and various Linux, unix versions available) that sends commands to a switch or list of switches to make vlan changes on a switch. It is much faster, especially when you want to make changes on a number of switches at one time. The deal with this is kind of odd in that many of the field engineers in Enterasys do not know about this/these tools, much less use them. The belief in much of Enterasys is that the average network manager will shoot themselves in the foot too often. Officially Enterasys does not want to support this; however, at UNC we find it invaluable for time savings. We use it one command at a time, and we use it extensively in scripts to set up switches and to make massive vlan changes on groups of switches. The vlanConfig command is the main way we set tagged vlans on ports with the 999 Pvid.

See below the output of help for this c
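
Added example, not part of the original thread and not Enterasys code: a small Python model of the two MIB objects quoted in the message (dot1qPvid and dot1qPortAcceptableFrameTypes), showing where untagged and priority-tagged frames end up on a tagged port when its PVID is the default 1 versus a junk VLAN 999 with no other member ports. The port names and VLAN membership table are constructed sample data, and ingress filtering of tagged frames is not modelled.

```python
# Added example: models only the two Q-BRIDGE-MIB port objects quoted above.
ADMIT_ALL = 1                # dot1qPortAcceptableFrameTypes admitAll(1)
ADMIT_ONLY_VLAN_TAGGED = 2   # dot1qPortAcceptableFrameTypes admitOnlyVlanTagged(2)
JUNK_VLAN = 999              # the junk PVID described in the message

# Constructed sample data: VLAN ID -> set of member ports (names are hypothetical).
MEMBERS = {
    1:   {"ge.1.2", "ge.1.4"},      # default VLAN, used by other ports
    200: {"ge.1.1", "ge.1.3"},      # VLAN tagged on the server port ge.1.1
    999: {"ge.1.1"},                # junk VLAN: no other port is a member
}


def classify(frame_vid, pvid, acceptable=ADMIT_ALL):
    """Return the VLAN an ingress frame is assigned to, or None if discarded.

    frame_vid is None for an untagged frame and 0 for a priority-tagged one.
    """
    if frame_vid in (None, 0):
        if acceptable == ADMIT_ONLY_VLAN_TAGGED:
            return None              # discarded at ingress
        return pvid                  # admitAll: assigned to the port's PVID
    return frame_vid                 # VLAN-tagged frame keeps its own VID


def egress_ports(vlan, ingress_port, members=MEMBERS):
    """Ports a frame classified into `vlan` could leave by."""
    if vlan is None:
        return set()
    return members.get(vlan, set()) - {ingress_port}


def deliver(frame_vid, port, pvid, acceptable=ADMIT_ALL):
    """Classify a frame received on `port` and list where it can go."""
    vlan = classify(frame_vid, pvid, acceptable)
    return vlan, egress_ports(vlan, port)


if __name__ == "__main__":
    for label, vid, pvid, mode in [
        ("untagged, PVID 1 (DEFVAL)", None, 1, ADMIT_ALL),
        ("untagged, PVID 999", None, JUNK_VLAN, ADMIT_ALL),
        ("priority-tagged, PVID 999", 0, JUNK_VLAN, ADMIT_ALL),
        ("untagged, admitOnlyVlanTagged", None, JUNK_VLAN, ADMIT_ONLY_VLAN_TAGGED),
        ("tagged VLAN 200, PVID 999", 200, JUNK_VLAN, ADMIT_ALL),
    ]:
        print(f"{label:32} -> {deliver(vid, 'ge.1.1', pvid, mode)}")
```

With the default PVID the untagged frame reaches the VLAN 1 ports; with PVID 999 it is classified into a VLAN that has nowhere to go, and with admitOnlyVlanTagged it is discarded before classification.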
