-
Cisco UCS Manager CLI Configuration Guide, Release 2.1
-
Preface
- Introduction
-
System Configuration
-
Configuring the Fabric Interconnects
-
Configuring Ports and Port Channels
-
Configuring Communication Services
-
Configuring Authentication
-
Configuring Organizations
-
Configuring Role-Based Access Control
-
Configuring DNS Servers
-
Configuring System-Related Policies
-
Managing Licenses
-
Managing Virtual Interfaces
-
Registering Cisco UCS Domains with Cisco UCS Central
-
- Network Configuration
- Storage Configuration
- Server Configuration
- System Management
- System Monitoring
-
Index
-
Feedback
Contents
- Configuring VLANs
- Named VLANs
- Private VLANs
- VLAN Port Limitations
- Configuring Named VLANs
- Creating a Named VLAN Accessible to Both Fabric Interconnects (Uplink Ethernet Mode)
- Creating a Named VLAN Accessible to Both Fabric Interconnects (Ethernet Storage Mode)
- Creating a Named VLAN Accessible to One Fabric Interconnect (Uplink Ethernet Mode)
- Creating a Named VLAN Accessible to One Fabric Interconnect (Ethernet Storage Mode)
- Deleting a Named VLAN
- Configuring Private VLANs
- Creating a Primary VLAN for a Private VLAN (Accessible to Both Fabric Interconnects)
- Creating a Primary VLAN for a Private VLAN (Accessible to One Fabric Interconnect)
- Creating a Secondary VLAN for a Private VLAN (Accessible to Both Fabric Interconnects)
- Creating a Secondary VLAN for a Private VLAN (Accessible to One Fabric Interconnect)
- Viewing the VLAN Port Count
- VLAN Port Count Optimization
- Enabling Port VLAN Count Optimization
- Disabling Port VLAN Count Optimization
- Viewing the Port VLAN Count Optimization Groups
- VLAN Groups
- Creating a VLAN Group
- Deleting a VLAN Group
- Viewing VLAN Groups
- VLAN Permissions
- Creating VLAN Permissions
- Deleting a VLAN Permission
- Viewing VLAN Permissions
Configuring VLANs
This chapter includes the following sections:
- Named VLANs
- Private VLANs
- VLAN Port Limitations
- Configuring Named VLANs
- Configuring Private VLANs
- Viewing the VLAN Port Count
- VLAN Port Count Optimization
- VLAN Groups
- VLAN Permissions
Named VLANs
A named VLAN creates a connection to a specific external LAN. The VLAN isolates traffic to that external LAN, including broadcast traffic.
The name that you assign to a VLAN ID adds a layer of abstraction that allows you to globally update all servers associated with service profiles that use the named VLAN. You do not need to reconfigure the servers individually to maintain communication with the external LAN.
You can create more than one named VLAN with the same VLAN ID. For example, if servers that host business services for HR and Finance need to access the same external LAN, you can create VLANs named HR and Finance with the same VLAN ID. Then, if the network is reconfigured and Finance is assigned to a different LAN, you only have to change the VLAN ID for the named VLAN for Finance.
In a cluster configuration, you can configure a named VLAN to be accessible only to one fabric interconnect or to both fabric interconnects.
Guidelines for VLAN IDs
Important:You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
VLAN 4048 is user configurable. However, Cisco UCS Manager uses VLAN 4048 for the following default values. If you want to assign 4048 to a VLAN, you must reconfigure these values:
- After an upgrade to Cisco UCS, Release 2.0—The FCoE storage port native VLAN uses VLAN 4048 by default. If the default FCoE VSAN was set to use VLAN 1 before the upgrade, you must change it to a VLAN ID that is not used or reserved. For example, consider changing the default to 4049 if that VLAN ID is not in use.
- After a fresh install of Cisco UCS, Release 2.0—The FCoE VLAN for the default VSAN uses VLAN 4048 by default. The FCoE storage port native VLAN uses VLAN 4049.
The VLAN name is case sensitive.
Private VLANs
A private VLAN (PVLAN) partitions the Ethernet broadcast domain of a VLAN into subdomains and allows you to isolate some ports. Each subdomain in a PVLAN includes a primary VLAN and one or more secondary VLANs. All secondary VLANs in a PVLAN must share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.Isolated VLANs
All secondary VLANs in a Cisco UCS domain must be isolated VLANs. Cisco UCS does not support community VLANs.
NoteYou cannot configure an isolated VLAN to be used together with a regular VLAN.
Ports on Isolated VLANs
Communications on an isolated VLAN can only use the associated port in the primary VLAN. These ports are isolated ports and are not configurable in Cisco UCS Manager. If the primary VLAN includes multiple secondary VLANs, those isolated VLANs cannot communicate directly with each other.
An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.
Guidelines for VLAN IDs
Important:You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
VLAN 4048 is user configurable. However, Cisco UCS Manager uses VLAN 4048 for the following default values. If you want to assign 4048 to a VLAN, you must reconfigure these values:
- After an upgrade to Cisco UCS, Release 2.0—The FCoE storage port native VLAN uses VLAN 4048 by default. If the default FCoE VSAN was set to use VLAN 1 before the upgrade, you must change it to a VLAN ID that is not used or reserved. For example, consider changing the default to 4049 if that VLAN ID is not in use.
- After a fresh install of Cisco UCS, Release 2.0—The FCoE VLAN for the default VSAN uses VLAN 4048 by default. The FCoE storage port native VLAN uses VLAN 4049.
The VLAN name is case sensitive.
VLAN Port Limitations
Cisco UCS Manager limits the number of VLAN port instances that can be configured under border and server domains on a fabric interconnect to 6000.
Types of Ports Included in the VLAN Port Count
The following types of ports are counted in the VLAN port calculation:
- Border uplink Ethernet ports
- Border uplink Ether-channel member ports
- FCoE ports in a SAN cloud
- Ethernet ports in a NAS cloud
- Static and dynamic vNICs created through service profiles
- VM vNICs created as part of a port profile in a hypervisor in hypervisor domain
Based on the number of VLANs configured for these ports, Cisco UCS Manager keeps track of the cumulative count of VLAN port instances and enforces the VLAN port limit during validation. Cisco UCS Manager reserves some pre-defined VLAN port resources for control traffic. These include management VLANs configured under HIF and NIF ports.
VLAN Port Limit Enforcement
Cisco UCS Manager validates VLAN port availability during the following operations.
- Configuring and unconfiguring border ports and border port channels
- Adding or removing VLANs from a cloud
- Configuring or unconfiguring SAN or NAS ports
- Associating or disassociating service profiles that contain configuration changes
- Configuring or unconfiguring VLANs under vNICs or vHBAs
- Upon receiving creation or deleting notifications from a VMWare vNIC, from an ESX hypervisor
NoteThis is outside the control of Cisco UCS Manager
- Fabric interconnect reboot
- Cisco UCS Manager upgrade or downgrade
Cisco UCS Manager strictly enforces the VLAN port limit on service profile operations. If Cisco UCS Manager detects that you have exceeded the VLAN port limit service profile configuration will fail during deployment.
Exceeding the VLAN port count in a border domain is less disruptive. When the VLAN port count is exceeded in a border domainCisco UCS Manager changes the allocation status to Exceeded. In order to change the status back to Available, you should complete one of the following actions:
Configuring Named VLANs
Creating a Named VLAN Accessible to Both Fabric Interconnects (Uplink Ethernet Mode)
ProcedureImportant:You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for both fabric interconnects, names the VLAN accounting, assigns the VLAN ID 2112, sets the sharing to none, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # create vlan accounting 2112 UCS-A /eth-uplink/vlan* # set sharing none UCS-A /eth-uplink/vlan* # commit-buffer UCS-A /eth-uplink/vlan #Creating a Named VLAN Accessible to Both Fabric Interconnects (Ethernet Storage Mode)
ProcedureImportant:You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for both fabric interconnects, names the VLAN accounting, assigns the VLAN ID 2112, creates a member port on slot 2, port 20, and commits the transaction:
UCS-A# scope eth-storage UCS-A /eth-storage # create vlan accounting 2112 UCS-A /eth-storage/vlan* # create member-port a 2 20 UCS-A /eth-storage/vlan/member-port* # commit-buffer UCS-A /eth-storage/vlan/member-port #Creating a Named VLAN Accessible to One Fabric Interconnect (Uplink Ethernet Mode)
ProcedureImportant:You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for fabric interconnect A, names the VLAN finance, assigns the VLAN ID 3955, sets the sharing to none, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # scope fabric a UCS-A /eth-uplink/fabric # create vlan finance 3955 UCS-A /eth-uplink/fabric/vlan* # set sharing none UCS-A /eth-uplink/fabric/vlan* # commit-buffer UCS-A /eth-uplink/fabric/vlan #Creating a Named VLAN Accessible to One Fabric Interconnect (Ethernet Storage Mode)
ProcedureImportant:You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for fabric interconnect A, names the VLAN finance, assigns the VLAN ID 3955, creates a member port on slot 2, port 20, and commits the transaction:
UCS-A# scope eth-storage UCS-A /eth-storage # scope fabric a UCS-A /eth-storage/fabric # create vlan finance 3955 UCS-A /eth-storage/fabric/vlan* # create member-port a 2 20 UCS-A /eth-storage/fabric/vlan/member-port* # commit-buffer UCS-A /eth-storage/fabric/vlan/member-port #Deleting a Named VLAN
If Cisco UCS Manager includes a named VLAN with the same VLAN ID as the one you delete, the VLAN is not removed from the fabric interconnect configuration until all named VLANs with that ID are deleted.
If you are deleting a private primary VLAN, make sure to reassign the secondary VLANs to another working primary VLAN.
Before You BeginProcedureBefore you delete a VLAN from a fabric interconnect, ensure that the VLAN has been removed from all vNICs and vNIC templates.
NoteIf you delete a VLAN that is assigned to a vNIC or vNIC template, the vNIC could allow that VLAN to flap.
The following example deletes a named VLAN accessible to both fabric interconnects and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # delete vlan accounting UCS-A /eth-uplink* # commit-buffer UCS-A /eth-uplink #The following example deletes a named VLAN accessible to one fabric interconnect and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # scope fabric a UCS-A /eth-uplink/fabric # delete vlan finance UCS-A /eth-uplink/fabric* # commit-buffer UCS-A /eth-uplink/fabric #Configuring Private VLANs
Creating a Primary VLAN for a Private VLAN (Accessible to Both Fabric Interconnects)
ProcedureImportant:You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for both fabric interconnects, names the VLAN accounting, assigns the VLAN ID 2112, makes this VLAN the primary VLAN, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # create vlan accounting 2112 UCS-A /eth-uplink/vlan* # set sharing primary UCS-A /eth-uplink/vlan* # commit-buffer UCS-A /eth-uplink/vlan #Creating a Primary VLAN for a Private VLAN (Accessible to One Fabric Interconnect)
ProcedureImportant:You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for fabric interconnect A, names the VLAN finance, assigns the VLAN ID 3955, makes this VLAN the primary VLAN, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # scope fabric a UCS-A /eth-uplink/fabric # create vlan finance 3955 UCS-A /eth-uplink/fabric/vlan* # set sharing primary UCS-A /eth-uplink/fabric/vlan* # commit-buffer UCS-A /eth-uplink/fabric/vlan #Creating a Secondary VLAN for a Private VLAN (Accessible to Both Fabric Interconnects)
ProcedureImportant:You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for both fabric interconnects, names the VLAN accounting, assigns the VLAN ID 2112, makes this VLAN the secondary VLAN, associates the secondary VLAN with the primary VLAN, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # create vlan accounting 2112 UCS-A /eth-uplink/vlan* # set sharing isolated UCS-A /eth-uplink/vlan* # set pubnwname pvlan1000 UCS-A /eth-uplink/vlan* # commit-buffer UCS-A /eth-uplink/vlan #Creating a Secondary VLAN for a Private VLAN (Accessible to One Fabric Interconnect)
ProcedureImportant:You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.
VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.
The following example creates a named VLAN for fabric interconnect A, names the VLAN finance, assigns the VLAN ID 3955, makes this VLAN the secondary VLAN, associates the secondary VLAN with the primary VLAN, and commits the transaction:
UCS-A# scope eth-uplink UCS-A /eth-uplink # scope fabric a UCS-A /eth-uplink/fabric # create vlan finance 3955 UCS-A /eth-uplink/fabric/vlan* # set sharing isolated UCS-A /eth-uplink/fabric/vlan* # set pubnwname pvlan1000 UCS-A /eth-uplink/fabric/vlan* # commit-buffer UCS-A /eth-uplink/fabric/vlan #Viewing the VLAN Port Count
Procedure
Command or Action Purpose The following example displays the VLAN port count for fabric interconnect A:
UCS-A# scope fabric-interconnect a UCS-A /fabric-interconnect # show vlan-port-count VLAN-Port Count: VLAN-Port Limit Access VLAN-Port Count Border VLAN-Port Count Alloc Status ---------- --------------- ---------------- ---------- 6000 3 0 AvailableVLAN Port Count Optimization
VLAN port count optimization enables mapping the state of multiple VLANs into a single internal state. When you enable the VLAN port count optimization, Cisco UCS Manager logically groups VLANs based on the port VLAN membership. This grouping increases the port VLAN count limit. VLAN port count optimization also compresses the VLAN state and reduces the CPU load on the fabric interconnect. This reduction in the CPU load enables you to deploy more VLANs over more vNICs. Optimizing VLAN port count does not change any of the existing VLAN configuration on the vNICs.
VLAN port count optimization is disabled by default. You can enable or disable the option based on your requirement.
Important:
- Enabling VLAN port count optimization increases the number of available VLAN ports for use. If the port VLAN count exceeds the maximum number of VLANs in a non optimized state, you cannot disable the VLAN port count optimization.
- VLAN port count optimization is not supported in Cisco UCS 6100 Series fabric interconnect.
- Enabling Port VLAN Count Optimization
- Disabling Port VLAN Count Optimization
- Viewing the Port VLAN Count Optimization Groups
Disabling Port VLAN Count Optimization
VLAN Groups
VLAN groups allow you to group VLANs on Ethernet uplink ports, by function or by VLANs that belong to a specific network. You can define VLAN membership and apply the membership to multiple Ethernet uplink ports on the fabric interconnect.
After you assign a VLAN to a VLAN group, any changes made to the VLAN group will be applied to all Ethernet uplink ports that are configured with the VLAN group. The VLAN group also enables you to identify VLAN overlaps between disjoint VLANs.
You can configure uplink ports under a VLAN group. When you configure the uplink port for a VLAN group, that uplink port will only support all the VLANs in that group.
You can create VLAN groups from the LAN Cloud or from the LAN Uplinks Manager.
Creating a VLAN Group
ProcedureVLAN Permissions
VLAN permissions restricts access to VLANs based on specified organizations. Based on the service profile organizations the VLANs belong to, VLAN permissions also restrict the set of VLANs you can assign to service profile vNICs. VLAN permissions is an optional feature and is disabled by default. You can enable or disable the feature based on your requirements. If you disable the feature, all the VLANs are globally accessible to all organizations.
NoteIf you enable the org permission in, when you create a VLAN, you will see Permitted Orgs for VLAN(s) option in the Create VLANs dialog box. If you do not enable the Org Permissions, you will not see the Permitted Orgs for VLAN(s) option.
If you enable org permission, when creating a VLAN you will specify the organizations for the VLAN. When you specify the organizations, the VLAN will be available to that specific organization and all the sub organizations beneath the structure. Users from other organizations cannot have access to this VLAN. You can also modify the VLAN permission at any point, based on any changes in your VLAN access requirements.
CautionWhen you assign VLAN org permission to an organization at the root level, all sub organization can access the VLANs. After assigning org permission at root level, if you change the permission for a VLAN that belongs to a sub organization, that VLAN becomes unavailable to the root level organization.
Creating VLAN Permissions
Procedure
