Cisco – VmwareESXi Vlans, Cisco devices and broadcast making the things odd

ciscovlanvmware-esxi

I'm having problem for some days trying to make a correct configuration

Right now I have a Cisco Catalyst switch, a Cisco Router 2811 and a VMware ESXi node with 4-8 VM (Linux,BSD, Windows), each one of those are configure to use 802.1q and they are group in 5 vlans .

Next, the Node connect to a Cisco Catalyst 2964 to the Interface port 0/1 with this configuration:

switchport trunk allowed vlan 1-11
switchport mode trunk
switchport nonegottiate

Plus "Interface vlan" for each vlan, at this point the Virtual hosts with ipv4 static address are able to ping to the Switch (Host of vlan 2 can ping Interface Vlan2 of the Switch , etc).

Next I configure the Interface of the switch which will be connect to a Cisco 2811 Router

switchport trunk allowed  vlan 1-11, 99 
switchport mode trunk 
switchport nonegottiate 
switchport mode trunk native 99

In the Cisco 2811 Router I created one dhcpv4 pool for each Vlan (Except 99) and begin to make the work on the interface

interface FastEthernet0/0.1
 encapsulation dot1Q 1 
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:DB8:C0CA:1::1/64
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ipv6 address 2001:DB8:C0CA:2::1/64
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ipv6 address 2001:DB8:C0CA:3::1/64
!
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
 ipv6 address 2001:DB8:C0CA:4::1/64
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ipv6 address 2001:DB8:C0CA:5::1/64
!
interface FastEthernet0/0.99
encapsulation dot1Q 99 native
ip address 192.168.99.1 255.255.255.0

With this I removed the static IPv4 address and restart the virtual host. To my surprise they have IPv6 address well configured but not IPv4. My next big surprise come when I try to ping the Default Gateway with IPv6 of each host: I can't , but I can ping the remote hosts.

Next, I pick 2 different virtual hosts and put static IPv4 address on them, they can ping their local gateway without problem and even remote nodes, however the DHCP is still failing.

At some point I enable the "debug ip dhcp server packet" I find something very peculiar: All the broadcast messages are getting to the Router Interface fa 0/0.1 ** (and that interface is answering the DHCPOFFER) . With that I remembered another thing: **Before sending a local ping IPv6 check first with NDP using a Multicast message but is no the case when you try to send a remote packet.

At this point, I'm very sure the VMware ESXi has the Vlan well configured, the switch seem to be the same case because the router is able to deliver the "IPv6 Router advertisement" correctly to the virtual host. BUT the router is getting a wrong delivery with Broadcast (and seem) multicast and because that his answer are send in the wrong vlan (or never answer the NDP Neighbour Solicitation).

Suggestion?

— Added 25/03

Something I'm seeing is the next:

The CDP the VMWare ESXi node is getting from the Switch state that the Vlan is 1 and show the ip address range for that vlan. After some test I removed the Vlan1 from the port to the ESXi host and check again the CDP, the new range of IP address now was from the Vlan 2, but the VLAN is still mark as "1" and now the broadcast of the nodes aren't getting to the router.

— Added 25/03 (Second part)

With the suggestion of @JelmerS this is what VMWare display:

 esxcfg-vswitch -l
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         128         4           128               1500    vmnic0

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  VM Network            0        0           vmnic0
  Management Network    0        1           vmnic0

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1         128         13          128               1500    vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Vlan5                 5        2           vmnic1
  Vlan4                 4        3           vmnic1
  Vlan2                 2        3           vmnic1
  Vlan3                 3        2           vmnic1

The switch I'm working is the vSwitch1 which has all his nodes separated from the Internet (the other is used for remote connection to the nodes)

Best Answer

I would check your configuration in ESX.

A simple way to tell if your ESX config is broken would be to add vlan 99 onto Gi0/1 (towards your host) and set it as the native vlan (like you did towards your router). This will prevent untagged packets from ending up on a vlan that connects to Fa0/1.1 of your router and confirm that your vSwitch config needs examining.

Related Solutions

Cisco – Vlans and subinterfaces

Pardon, in your cut and pasted configs, you appear to be describing Gi0/48 - your uplink to your router, but in your question refer specifically to hosts connected to Gi0/18. I'm going to assume you're describing two different ports here. Further, I'm assuming from details in your config statements and question, that vlan 3 is being used for the 192.168.0.80/28 traffic. I'm going to assume that the vlan has already been declared on your 3560. (Check sh vlan)

First of all, your port Gi0/18 should be configured for access mode on vlan 3. Likely, something like this:

interface GigabitEthernet 0/18
switchport access vlan 3
switchport mode access

As far as for other recommendations. Will all/most of your traffic from your IP subnets be to and from the internet. Basically, If you have enough traffic between subnets, it may suit you to have the 3560 act as your internal router and then dedicate your 3825 to be your border router. The problem is that if your router is baring the entire load for all routing, then a packet from one subnet will arrive at your switch, then be forwarded via the dot1q to your trunk on some vlan X, the router then makes a routing decision and sends the same packet back along the dot1q trunk on some new vlan Y now destined for the destination machine. Btw, I'm simply describing the situation of internal traffic to your customers/organization that crosses your different subnets.

Instead, you can configure the 3560 at the, assuming normal conventions, first address of each vlan/subnet. E.g. 192.168.0.81 and enable ip routing. The next step is you create a new subnet specifically for between the router and switch. For convenience, i'd use something completely different, for example, 192.0.2.0/24 is reserved for documentation examples. Configure the router at 192.0.2.1 and the switch at 192.0.2.2. Have the switch use 192.0.2.1 as the default route. Configure the router to reach 192.168.0.0/16 via the switch at 192.0.2.2. If your network is small enough, static routes should be sufficient. No need for OSPF or anything.

Of course, this would be a rather dramatic change; but it has potential for being a large improvement. It all depends on the nature of your traffic.

For reference, cisco lists the Cisco Catalyst 3560G-48TS and Catalyst 3560G-48PS having a 38.7 Mpps forwarding rate and the Cisco 3825 as having 0.35Mpps forwarding rate. Mpps, just in case you don't know, is millions of packets per second.

It's not bandwidth, but it's how many 64 byte packet routing decisions the device can make a second. The length of the packet doesn't affect how long it takes to making a routing decision. So the peak performance in bits/bytes will be somewhere in a range. In terms of bandwidth, it means that 350kpps is 180Mbps w/ 64byte packets and 4.2Gbps w/ 1500 byte packets. Mind you, that's in bits per second, so think of it as 18 Megabytes or 420 Megabytes per second in regular file-size terms.

In theory, this means that your 3560G can route somewhere between 19.8Gbps and 464Gbps or rougly 2GBps and 45GBps.

Actually, looking at those numbers, you most definitely should consider the plan I described above. Dedicate your 3825 to handling, presumably, NAT'd external traffic and let your 3560 handle the rest.

I'm sorry this is so long; I'm bored at work waiting for tapes to finish. Cheers.

Cisco – VLAN trunking between Juniper EX -> Cisco Catalyst -> and Cisco Router

You stated that ports 3 and 42 were configured on the Catalyst switch, but then provided configurations for ports 46 and 48. The configuration you posted for port 46 should be applied to port 3 that connects to the EX2200. Your router's connection is unchanged, so hopefully we can assume that configuration is fine.

Now, on the EX2200, the following lines of code would be appropriate to do the following:

ge-0/0/0 - trunk allowing the same vlans as defined above on port 46

ge-0/0/6 - access port on VLAN80

set vlans vlan80 vlan-id 80
set vlans vlan82 vlan-id 82
set vlans vlan83 vlan-id 83
set vlans vlan93 vlan-id 93
set vlans vlan289 vlan-id 289
set interfaces ge-0/0/0 description uplink-to-catalyst 
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan80
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan82
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan83
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan93
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan289
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan80

Some other suggestions for you:

1) Turn on LLDP on your switch so you can do a show lldp neighbors and see where your connections go.

2) Don't use RSTP for spanning tree on the juniper switch, it doesn't play nice with Cisco that well, use VSTP instead. If you end up with a ton of vlans, you might even need to use MSTP.

3) Turn off chassis alarm for the management ethernet if you're not using it.

On the EX2200:

delete protocols rstp
set protocols vstp vlan all bridge-priority 4k
set protocols lldp interface all
set chassis alarm management-ethernet link-down ignore

On the Catalyst (if it supports it)

lldp run

Best Answer

Related Solutions

Cisco – Vlans and subinterfaces

Cisco – VLAN trunking between Juniper EX -> Cisco Catalyst -> and Cisco Router

Related Topic