- Named VLANs
- Private VLANs
- VLAN Port Limitations
- Configuring Named VLANs
- Creating a Named VLAN Accessible to Both Fabric Interconnects (Uplink Ethernet Mode)
- Creating a Named VLAN Accessible to Both Fabric Interconnects (Ethernet Storage Mode)
- Creating a Named VLAN Accessible to One Fabric Interconnect (Uplink Ethernet Mode)
- Creating a Named VLAN Accessible to One Fabric Interconnect (Ethernet Storage Mode)
- Deleting a Named VLAN
- Configuring Private VLANs
- Creating a Primary VLAN for a Private VLAN (Accessible to Both Fabric Interconnects)
- Creating a Primary VLAN for a Private VLAN (Accessible to One Fabric Interconnect)
- Creating a Secondary VLAN for a Private VLAN (Accessible to Both Fabric Interconnects)
- Creating a Secondary VLAN for a Private VLAN (Accessible to One Fabric Interconnect)
- Viewing the VLAN Port Count
Configuring VLANs
This chapter includes the following sections:
- Named VLANs
- Private VLANs
- VLAN Port Limitations
- Configuring Named VLANs
- Configuring Private VLANs
- Viewing the VLAN Port Count
Named VLANs
A named VLAN creates a connection to a specific external LAN. The VLAN isolates traffic to that external LAN, including broadcast traffic.
The name that you assign to a VLAN ID adds a layer of abstraction that allows you to globally update all servers associated with service profiles that use the named VLAN. You do not need to reconfigure the servers individually to maintain communication with the external LAN.
You can create more than one named VLAN with the same VLAN ID. For example, if servers that host business services for HR and Finance need to access the same external LAN, you can create VLANs named HR and Finance with the same VLAN ID. Then, if the network is reconfigured and Finance is assigned to a different LAN, you only have to change the VLAN ID for the named VLAN for Finance.
In a cluster configuration, you can configure a named VLAN to be accessible only to one fabric interconnect or to both fabric interconnects.
Guidelines for VLAN IDs
You cannot create VLANs with IDs from 3968 to 4048. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The VLAN name is case sensitive.
Private VLANs
A private VLAN (PVLAN) partitions the Ethernet broadcast domain of a VLAN into subdomains and allows you to isolate some ports. Each subdomain in a PVLAN includes a primary VLAN and one or more secondary VLANs. All secondary VLANs in a PVLAN must share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.
Isolated VLANs
All secondary VLANs in a Cisco UCS domain must be isolated VLANs. Cisco UCS does not support community VLANs.
Ports on Isolated VLANs
Communications on an isolated VLAN can only use the associated port in the primary VLAN. These ports are isolated ports and are not configurable in Cisco UCS Manager. If the primary VLAN includes multiple secondary VLANs, those isolated VLANs cannot communicate directly with each other.
An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.
Guidelines for Uplink Ports
When you create PVLANs, be aware of the following guidelines:
Guidelines for VLAN IDs
You cannot create VLANs with IDs from 3968 to 4048. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The VLAN name is case sensitive.
VLAN Port Limitations
Cisco UCS Manager limits the number of VLAN port instances that can be configured under border and server domains on a fabric interconnect to 6000.
Types of Ports Included in the VLAN Port Count
The following types of ports are counted in the VLAN port calculation:
- Border uplink Ethernet ports
- Border uplink Ether-channel member ports
- FCoE ports in a SAN cloud
- Ethernet ports in a NAS cloud
- Static and dynamic vNICs created through service profiles
- VM vNICs created as part of a port profile in a hypervisor in hypervisor domain
Based on the number of VLANs configured for these ports, Cisco UCS Manager keeps track of the cumulative count of VLAN port instances and enforces the VLAN port limit during validation. Cisco UCS Manager reserves some pre-defined VLAN port resources for control traffic. These include management VLANs configured under HIF and NIF ports.
VLAN Port Limit Enforcement
Cisco UCS Manager validates VLAN port availability during the following operations.
- Configuring and unconfiguring border ports and border port channels
- Adding or removing VLANs from a cloud
- Configuring or unconfiguring SAN or NAS ports
- Associating or disassociating service profiles that contain configuration changes
- Configuring or unconfiguring VLANs under vNICs or vHBAs
-
Upon receiving creation or deleting notifications from a VMWare vNIC, from an ESX hypervisor
Note
This is outside the control of Cisco UCS Manager
- Fabric interconnect reboot
- Cisco UCS Manager upgrade or downgrade
Cisco UCS Manager strictly enforces the VLAN port limit on service profile operations. If Cisco UCS Manager detects that you have exceeded the VLAN port limit service profile configuration will fail during deployment.
Exceeding the VLAN port count in a border domain is less disruptive. When the VLAN port count is exceeded in a border domainCisco UCS Manager changes the allocation status to Exceeded. In order to change the status back to Available, you should complete one of the following actions:
Configuring Named VLANs
Creating a Named VLAN Accessible to Both Fabric Interconnects (Uplink Ethernet Mode)
You cannot create VLANs with IDs from 3968 to 4048. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for both fabric interconnects, names the VLAN accounting, assigns the VLAN ID 2112, sets the sharing to none, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # create vlan accounting 2112 UCS-A /eth-uplink/vlan* # set sharing none UCS-A /eth-uplink/vlan* # commit-buffer UCS-A /eth-uplink/vlan #
Creating a Named VLAN Accessible to Both Fabric Interconnects (Ethernet Storage Mode)
You cannot create VLANs with IDs from 3968 to 4048. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for both fabric interconnects, names the VLAN accounting, assigns the VLAN ID 2112, creates a member port on slot 2, port 20, and commits the transaction:
UCS-A# scope eth-storage UCS-A /eth-storage # create vlan accounting 2112 UCS-A /eth-storage/vlan* # create member-port a 2 20 UCS-A /eth-storage/vlan/member-port* # commit-buffer UCS-A /eth-storage/vlan/member-port #
Creating a Named VLAN Accessible to One Fabric Interconnect (Uplink Ethernet Mode)
You cannot create VLANs with IDs from 3968 to 4048. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for fabric interconnect A, names the VLAN finance, assigns the VLAN ID 3955, sets the sharing to none, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # scope fabric a UCS-A /eth-uplink/fabric # create vlan finance 3955 UCS-A /eth-uplink/fabric/vlan* # set sharing none UCS-A /eth-uplink/fabric/vlan* # commit-buffer UCS-A /eth-uplink/fabric/vlan #
Creating a Named VLAN Accessible to One Fabric Interconnect (Ethernet Storage Mode)
You cannot create VLANs with IDs from 3968 to 4048. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for fabric interconnect A, names the VLAN finance, assigns the VLAN ID 3955, creates a member port on slot 2, port 20, and commits the transaction:
UCS-A# scope eth-storage UCS-A /eth-storage # scope fabric a UCS-A /eth-storage/fabric # create vlan finance 3955 UCS-A /eth-storage/fabric/vlan* # create member-port a 2 20 UCS-A /eth-storage/fabric/vlan/member-port* # commit-buffer UCS-A /eth-storage/fabric/vlan/member-port #
Deleting a Named VLAN
If Cisco UCS Manager includes a named VLAN with the same VLAN ID as the one you delete, the VLAN is not removed from the fabric interconnect configuration until all named VLANs with that ID are deleted.
If you are deleting a private primary VLAN, make sure to reassign the secondary VLANs to another working primary VLAN.
The following example deletes a named VLAN accessible to both fabric interconnects and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # delete vlan accounting UCS-A /eth-uplink* # commit-buffer UCS-A /eth-uplink #
The following example deletes a named VLAN accessible to one fabric interconnect and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # scope fabric a UCS-A /eth-uplink/fabric # delete vlan finance UCS-A /eth-uplink/fabric* # commit-buffer UCS-A /eth-uplink/fabric #
Configuring Private VLANs
Creating a Primary VLAN for a Private VLAN (Accessible to Both Fabric Interconnects)
You cannot create VLANs with IDs from 3968 to 4048. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for both fabric interconnects, names the VLAN accounting, assigns the VLAN ID 2112, makes this VLAN the primary VLAN, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # create vlan accounting 2112 UCS-A /eth-uplink/vlan* # set sharing primary UCS-A /eth-uplink/vlan* # commit-buffer UCS-A /eth-uplink/vlan #
Creating a Primary VLAN for a Private VLAN (Accessible to One Fabric Interconnect)
You cannot create VLANs with IDs from 3968 to 4048. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for fabric interconnect A, names the VLAN finance, assigns the VLAN ID 3955, makes this VLAN the primary VLAN, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # scope fabric a UCS-A /eth-uplink/fabric # create vlan finance 3955 UCS-A /eth-uplink/fabric/vlan* # set sharing primary UCS-A /eth-uplink/fabric/vlan* # commit-buffer UCS-A /eth-uplink/fabric/vlan #
Creating a Secondary VLAN for a Private VLAN (Accessible to Both Fabric Interconnects)
You cannot create VLANs with IDs from 3968 to 4048. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for both fabric interconnects, names the VLAN accounting, assigns the VLAN ID 2112, makes this VLAN the secondary VLAN, associates the secondary VLAN with the primary VLAN, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # create vlan accounting 2112 UCS-A /eth-uplink/vlan* # set sharing isolated UCS-A /eth-uplink/vlan* # set pubnwname pvlan1000 UCS-A /eth-uplink/vlan* # commit-buffer UCS-A /eth-uplink/vlan #
Creating a Secondary VLAN for a Private VLAN (Accessible to One Fabric Interconnect)
You cannot create VLANs with IDs from 3968 to 4048. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for fabric interconnect A, names the VLAN finance, assigns the VLAN ID 3955, makes this VLAN the secondary VLAN, associates the secondary VLAN with the primary VLAN, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # scope fabric a UCS-A /eth-uplink/fabric # create vlan finance 3955 UCS-A /eth-uplink/fabric/vlan* # set sharing isolated UCS-A /eth-uplink/fabric/vlan* # set pubnwname pvlan1000 UCS-A /eth-uplink/fabric/vlan* # commit-buffer UCS-A /eth-uplink/fabric/vlan #
Viewing the VLAN Port Count
The following example displays the VLAN port count for fabric interconnect A:
UCS-A# scope fabric-interconnect a UCS-A /fabric-interconnect # show vlan-port-count VLAN-Port Count: VLAN-Port Limit Access VLAN-Port Count Border VLAN-Port Count Alloc Status ---------- --------------- ---------------- ---------- 6000 3 0 Available