As I’ve mentioned before, I’ve got a Dell PowerConnect 6224 in my vSphere lab. When I first started setting up my vSphere environment, I had some difficulties with configuring the Dell switch to support external switch tagging (EST) and virtual switch tagging (VST) VLAN modes. The VMware KB has a bunch of great information (KB 1008001, KB 1004074, KB 1006628, KB 1004127) about Cisco switching, but Dell switching isn’t covered. Sadly, there’s not a whole lot of great Dell switch configuration information in VMware environments to be found on the Web, although Dennis Smith from the Dell Tech Center says he will be providing more as the year progresses.
Before we get started, it might help to understand the three Dell switchport modes: General, Access, & Trunk.
General: General ports may be members of as many VLANs as desired. The user may set separately for each such VLAN whether it should be Tagged or Untagged. This setting applies to transmitted frames. Incoming untagged frames are classified into the VLAN whose VID is the currently configured PVID. Ingress filtering may be turned OFF on General-mode ports, if so desired. Ingress filtering is ON by default.
Access: Ports that are Access ports belong to a single VLAN, whose VID is the currently set PVID (default is 1). Access ports accept only untagged frames. All traffic sent will be untagged. If the VLAN whose VID is set as the current PVID of the port is deleted from the system or deleted from the port, the Port’s PVID will be set to 1 (that is, the port will be made a member of VLAN 1, the default VLAN). Ingress Filtering is always ON for ports in Access Mode. Access ports are intended to connect end-stations to the system, especially when the end-stations are incapable of generating VLAN tags. Setting an Access port PVID to 4095 will effectively shut it down, as no frames will be forwarded in either direction.
Trunk: Trunk ports may belong to as many VLANs as desired. Trunk ports will accept tagged frames only. Untagged frames will be discarded. Frames sent from this port will be sent tagged. Ingress filtering is always Enabled on Trunk ports. Incoming frames will undergo Ingress filtering and if correctly tagged, (tagged with a VID of one of the VLANs to which the port currently belongs) will be admitted. Trunk-mode ports are intended for Switch-to-Switch links, where in general all traffic is tagged.
We’ll be using Access and General port modes in the following VLAN tagging examples.
Adding a VLAN
Before we get started on configuring our VLAN tagging modes, we’ll need to create a VLAN or two. From the switch’s web interface, go to Switching > VLAN > VLAN Membership > Add. Enter the VLAN ID and name and Apply Changes. If you prefer configuring via telnet, use the following commands from an administrative prompt. In this example, I’ve created 2 VLANs: 20 for vMotion and 30 for vSphere management.
interface vlan 20
interface vlan 30
name "vSphere Mgmt"
External Switch VLAN Tagging (EST)
Setting up EST in a Dell/VMware environment is rather straightforward. First, you’ll want a vSwitch with the correct physical uplink (vmnic) selected. Second, you’ll need a portgroup with the VLAN ID set to 0 (the default VLAN ID for portgroups in vSphere). Take note of the physical switchport your vmnic is connected to. Link Layer Discovery Protocol (vendor-neutral, similar to Cisco’s CDP) is enabled by default on my switch (OS version 22.214.171.124), so determining the physical switchport is as easy as clicking the blue callout to the right of the vSwitch.
From the switch’s web interface, go to Switching > VLAN > VLAN Membership. Hit the Show VLAN dropdown and select the VLAN you want to add to your ports. After the page refreshes, click the Static box below the port you want to add to that specific VLAN. In my case, all the ports were members of VLAN 1 (default), so they were Forbidden from joining VLAN 20. By clicking the Static box, we change the VLAN membership from the default VLAN 1 to Untagged, as a member of VLAN 20. Personally, I don’t care much for the GUI version of the VLAN picker, as the U/T/F options aren’t entirely intuitive — I much prefer the command line.
interface ethernet 1/xg4
switchport access vlan 20
If you’re setting external VLAN tagging on a LAG, make sure the LAG is set to Access under Switching > VLAN > LAG Settings. You’ll set the VLAN in much the same way as it’s done on an individual port. The only difference is that it’s set on the LAG channel group, and not the participating ports.
And that’s pretty much all there is to external switch tagging.
Virtual Switch VLAN tagging (VST)
Virtual switch tagging is setup in much the same way. Define the VLAN you want to pass out of vSphere in each portgroup’s settings on the vSwitch. In the switch GUI, you’ll need to make changes in two places. First, go to Switch > VLAN > Port Settings. Hit the port dropdown and select the port that corresponds to the vSwitch’s vmnic. After the page refreshes, set the port to General. You can leave the Frame Type as ‘AdmitAll’. Next, head over to Switch > VLAN > VLAN Membership. For each VLAN that you want to pass from vSphere out of that port, select it using the Show VLAN dropdown. Then click the box above the port, and click it until it says T, for Tagged.
In the example below, port 1/xg4 is a general port passing VLAN 20, and ports 3 & 5 are set to pass all untagged traffic as VLAN 20.
interface ethernet 1/xg4
switchport mode general
switchport general allowed vlan add 20 tagged
Thanks for your comments Damian. Great point about HA, as I ran into this once before as well. As for the transition, I’m actually leaning a bit toward doing a rip and replace instead of transitioning one physical link at a time. ARP always seems to be pretty sneaky in the problems it can create, and I thought this approach might reduce the issues.
I’ve looked into some interVLAN routing configurations, and will see what I can come up with. Once I get all of these switches in production, I’ll be sure to write up a post, and will link to your site. Thanks again.
Great article Damian. Thanks for sharing. I just purchased 4 stacked 6248 switches that will be replacing my older LAN switchgear (old Dlink switches that didn’t support interVLAN routing), and I want to ensure that my cutover is a smooth one. Pretty straight forward arrangement with a vSphere cluster running on some Dell M6xx blades, with the typical Service Console and vMotion networks on their own VLANs. I have not completed the configurations yet, so they are not in production. I have a few questions if you don’t mind.
1. From my cluster, my LAN connections ride over a dedicated vSwitch (vswitch2, 2pNICs). These are going to untagged switch ports for the default VLAN. I don’t believe I should have to make any adjustments to the switchports for these particular NICs do I? Would this fall under the category of EST?
2. From my cluster, I have my SC network and vMotion network riding over the same vSwitch (vswitch0, 2pNICs). These are going to tagged switch ports that for those respective VLANs, with the default VLAN being set to ‘forbidden’. Each ESX host portgroup has the VLAN number specified in the properties of that portgroup. I’m assuming this is where the VST configuration comes into play, correct?
3. I’d like to keep my configuration of my ESX hosts the same when I transition to the PowerConnect switches. Any special considerations that should be mentioned?
While my SC network currently uses an upstream router to get access to the other networks, I’d like to eventually handle this via InterVLAN routing. It might be nice if you showed an example of this with the 62xx switches. I’m looking forward to moving over to these 6248 switches, as my SAN switch fabric are some dedicated 6224s. It will be nice to get some consistency, but I want to be sure the transition is a smooth one.
Damian Karlson says
Hi Pete – thanks for your comment. My apologies for the delay in responding.
Answering your first question — I suppose that technically you could call it EST, since it is tagging the default VLAN. On your second question — yes, specifying a VLAN on a portgroup is VST. On your third question — you should be able to transition to the PowerConnect without an issue. You might consider moving one physical uplink at a time if you can’t have an interruption in service. Also, make sure that HA is disabled to avoid any accidental failover issues when making changes to the uplinks. I’ve made this mistake in production before; accidentally isolated all hosts in a cluster with an upstream switch change. The results weren’t pretty. 🙂
As far as InterVLAN routing is concerned, I don’t have access to my PowerConnect switches any more. They were part of a lab that I had with a previous employer. You might consider reaching out to the Dell TechCenter guys for questions such as this. If you’re on Twitter, @KongYang should be able to point you in the right direction.
Hope this helps!