Configuring VLANs

This chapter includes the following sections:

Named VLANs

A named VLAN creates a connection to a specific external LAN. The VLAN isolates traffic to that external LAN, including broadcast traffic.

The name that you assign to a VLAN ID adds a layer of abstraction that allows you to globally update all servers associated with service profiles that use the named VLAN. You do not need to reconfigure the servers individually to maintain communication with the external LAN.

You can create more than one named VLAN with the same VLAN ID. For example, if servers that host business services for HR and Finance need to access the same external LAN, you can create VLANs named HR and Finance with the same VLAN ID. Then, if the network is reconfigured and Finance is assigned to a different LAN, you only have to change the VLAN ID for the named VLAN for Finance.

In a cluster configuration, you can configure a named VLAN to be accessible only to one fabric interconnect or to both fabric interconnects.

Guidelines for VLAN IDs

Important:

You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.

VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

VLAN 4048 is user-configurable. However, Cisco UCS Manager uses VLAN 4048 for the following default values. If you want to assign 4048 to a VLAN, you must reconfigure these values:

  • After an upgrade to Cisco UCS, release 2.0: The FCoE storage port native VLAN uses VLAN 4048 by default. If the default FCoE VSAN was set to use VLAN 1 before the upgrade, you must change it to a VLAN ID that is not used or reserved. For example, consider changing the default to 4049 if that VLAN ID is not in use.
  • After a fresh install of Cisco UCS, release 2.0: The FCoE VLAN for the default VSAN uses VLAN 4048 by default. The FCoE storage port native VLAN uses VLAN 4049.

The VLAN name is case sensitive.

Private VLANs

A private VLAN (PVLAN) partitions the Ethernet broadcast domain of a VLAN into subdomains and allows you to isolate some ports. Each subdomain in a PVLAN includes a primary VLAN and one or more secondary VLANs. All secondary VLANs in a PVLAN must share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.

Isolated VLANs

All secondary VLANs in a Cisco UCS domain must be isolated VLANs. Cisco UCS does not support community VLANs.

Ports on Isolated VLANs

Communications on an isolated VLAN can only use the associated port in the primary VLAN. These ports are isolated ports and are not configurable in Cisco UCS Manager. If the primary VLAN includes multiple secondary VLANs, those isolated VLANs cannot communicate directly with each other.

An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.

Guidelines for Uplink Ports

When you create PVLANs, be aware of the following guidelines:

  • The uplink Ethernet port channel cannot be in promiscuous mode.
  • Each primary VLAN can have only one isolated VLAN.
  • VIFs on VNTAG adapters can have only one isolated VLAN.

Guidelines for VLAN IDs

Important:

You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.

VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

VLAN 4048 is user-configurable. However, Cisco UCS Manager uses VLAN 4048 for the following default values. If you want to assign 4048 to a VLAN, you must reconfigure these values:

  • After an upgrade to Cisco UCS, release 2.0: The FCoE storage port native VLAN uses VLAN 4048 by default. If the default FCoE VSAN was set to use VLAN 1 before the upgrade, you must change it to a VLAN ID that is not used or reserved. For example, consider changing the default to 4049 if that VLAN ID is not in use.
  • After a fresh install of Cisco UCS, release 2.0: The FCoE VLAN for the default VSAN uses VLAN 4048 by default. The FCoE storage port native VLAN uses VLAN 4049.

The VLAN name is case sensitive.

VLAN Port Limitations

Cisco UCS Manager limits the number of VLAN port instances that can be configured under border and server domains on a fabric interconnect to 6000.

Types of Ports Included in the VLAN Port Count

The following types of ports are counted in the VLAN port calculation:

  • Border uplink Ethernet ports
  • Border uplink Ether-channel member ports
  • FCoE ports in a SAN cloud
  • Ethernet ports in a NAS cloud
  • Static and dynamic vNICs created through service profiles
  • VM vNICs created as part of a port profile in a hypervisor in hypervisor domain

Based on the number of VLANs configured for these ports, Cisco UCS Manager keeps track of the cumulative count of VLAN port instances and enforces the VLAN port limit during validation. Cisco UCS Manager reserves some pre-defined VLAN port resources for control traffic. These include management VLANs configured under HIF and NIF ports.

VLAN Port Limit Enforcement

Cisco UCS Manager validates VLAN port availability during the following operations.

  • Configuring and unconfiguring border ports and border port channels
  • Adding or removing VLANs from a cloud
  • Configuring or unconfiguring SAN or NAS ports
  • Associating or disassociating service profiles that contain configuration changes
  • Configuring or unconfiguring VLANs under vNICs or vHBAs
  • Upon receiving creation or deleting notifications from a VMWare vNIC, from an ESX hypervisor

    Note


    This is outside the control of Cisco UCS Manager


  • Fabric interconnect reboot
  • Cisco UCS Manager upgrade or downgrade

Cisco UCS Manager strictly enforces the VLAN port limit on service profile operations. If Cisco UCS Manager detects that you have exceeded the VLAN port limit service profile configuration will fail during deployment.

Exceeding the VLAN port count in a border domain is less disruptive. When the VLAN port count is exceeded in a border domainCisco UCS Manager changes the allocation status to Exceeded. In order to change the status back to Available, you should complete one of the following actions:

  • Unconfigure one or more border ports
  • Remove VLANs from the LAN cloud
  • Unconfigure one or more vNICs or vHBAs

Configuring Named VLANs

Creating a Named VLAN

In a Cisco UCS domain that is configured for high availability, you can create a named VLAN that is accessible to both fabric interconnects or to only one fabric interconnect.

Important:

You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.

VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

Procedure
    Step 1   In the Navigation pane, click the LAN tab.
    Step 2   On the LAN tab, click the LAN node.
    Step 3   In the Work pane, click the VLANs tab.
    Step 4   On the icon bar to the right of the table, click +.

    If the + icon is disabled, click an entry in the table to enable it.

    Step 5   In the Create VLANs dialog box, complete the following fields:
    Name Description

    VLAN Name/Prefix field

    For a single VLAN, this is the VLAN name. For a range of VLANs, this is the prefix that the system uses for each VLAN name.

    The VLAN name is case sensitive.

    This name can be between 1 and 32 alphanumeric characters. You cannot use spaces or any special characters other than - (hyphen), _ (underscore), : (colon), and . (period), and you cannot change this name after the object has been saved.

    Configuration options

    You can choose one of the following:

    • Common/Global—The VLANs apply to both fabrics and use the same configuration parameters in both cases
    • Fabric A—The VLANs only apply to fabric A.
    • Fabric B—The VLAN only apply to fabric B.
    • Both Fabrics Configured Differently—The VLANs apply to both fabrics but you can specify different VLAN IDs for each fabric.

    For upstream disjoint L2 networks, we recommend that you choose Common/Global to create VLANs that apply to both fabrics.

    VLAN IDs field

    To create one VLAN, enter a single numeric ID. To create multiple VLANs, enter individual IDs or ranges of IDs separated by commas. A VLAN ID can:

    • Be between 1 and 3967
    • Be between 4048 and 4093
    • Overlap with other VLAN IDs already defined on the system

    For example, to create six VLANs with the IDs 4, 22, 40, 41, 42, and 43, you would enter 4, 22, 40-43.

    Important:

    You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.

    VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

    Sharing Type field

    Whether this VLAN is subdivided into private or secondary VLANs. This can be one of the following:

    • None—This VLAN does not have any secondary or private VLANs.
    • Primary—This VLAN can have one or more secondary VLANs, as shown in the Secondary VLANs area.
    • Isolated—This is a private VLAN. The primary VLAN with which it is associated is shown in the Primary VLAN drop-down list.

    Primary VLAN drop-down list

    If the Sharing Type field is set to Isolated, this is the primary VLAN associated with this private VLAN.

    Check Overlap button

    Click this button to determine whether the VLAN ID overlaps with any other IDs on the system.

    Step 6   If you clicked the Check Overlap button, do the following:
    1. Click the Overlapping VLANs tab and review the following fields to verify that the VLAN ID does not overlap with any IDs assigned to existing VLANs.
      Name Description

      Fabric ID column

      This can be one of the following:

      • A
      • B
      • Dual—The component is accessible to either fabric interconnect. This setting applies to virtual LAN and SAN networks created at the system level as opposed to the fabric interconnect level.

      Name column

      The name of the VLAN.

      VLAN column

      The numeric id for the VLAN.

      DN column

      The full path to the VLAN. Click the link in this column to view the properties for the VLAN.

    2. Click the Overlapping VSANs tab and review the following fields to verify that the VLAN ID does not overlap with any FCoE VLAN IDs assigned to existing VSANs:
      Name Description

      Fabric ID column

      This can be one of the following:

      • A
      • B
      • Dual—The component is accessible to either fabric interconnect. This setting applies to virtual LAN and SAN networks created at the system level as opposed to the fabric interconnect level.

      Name column

      The name of the VSAN.

      ID column

      The numeric id for the VSAN.

      FCoE VLAN ID column

      The unique identifier assigned to the VLAN used for Fibre Channel connections.

      DN column

      The full path to the VSAN. Click the link in this column to view the properties for the VSAN.

    3. Click OK.
    4. If Cisco UCS Manager identified any overlapping VLAN IDs or FCoE VLAN IDs, change the VLAN ID to one that does not overlap with an existing VLAN.
    Step 7   Click OK.

    Cisco UCS Manager adds the VLAN to one of the following VLANs nodes:

    • The LAN Cloud > VLANs node for a VLAN accessible to both fabric interconnects.
    • The Fabric_Interconnect_Name > VLANs node for a VLAN accessible to only one fabric interconnect.

    Deleting a Named VLAN

    If Cisco UCS Manager includes a named VLAN with the same VLAN ID as the one you delete, the VLAN is not removed from the fabric interconnect configuration until all named VLANs with that ID are deleted.

    If you are deleting a private primary VLAN, make sure to reassign the secondary VLANs to another working primary VLAN.

    Before You Begin

    Before you delete a VLAN from a fabric interconnect, ensure that the VLAN has been removed from all vNICs and vNIC templates.


    Note


    If you delete a VLAN that is assigned to a vNIC or vNIC template, the vNIC could allow that VLAN to flap.


    Procedure
      Step 1   In the Navigation pane, click the LAN tab.
      Step 2   On the LAN tab, click the LAN node.
      Step 3   In the Work pane, click the VLANs tab.
      Step 4   Click one of the following subtabs, depending upon what type of VLAN you want to delete:
      Subtab Description

      All

      Displays all VLANs in the Cisco UCS domain.

      Dual Mode

      Displays the VLANs that are accessible to both fabric interconnects.

      Fabric A

      Displays the VLANs that are accessible to only fabric interconnect A.

      Fabric B

      Displays the VLANs that are accessible to only fabric interconnect B.

      Step 5   In the table, click the VLAN you want to delete.

      You can use the Shift key or Ctrl key to select multiple entries.

      Step 6   Right-click the highlighted VLAN or VLANs and select Delete.
      Step 7   If the Cisco UCS Manager GUI displays a confirmation dialog box, click Yes.

      Configuring Private VLANs

      Creating a Primary VLAN for a Private VLAN

      In a Cisco UCS domain that is configured for high availability, you can create a primary VLAN that is accessible to both fabric interconnects or to only one fabric interconnect.

      Important:

      You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.

      VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

      Procedure
        Step 1   In the Navigation pane, click the LAN tab.
        Step 2   On the LAN tab, click the LAN node.
        Step 3   In the Work pane, click the VLANs tab.
        Step 4   On the icon bar to the right of the table, click +.

        If the + icon is disabled, click an entry in the table to enable it.

        Step 5   In the Create VLANs dialog box, complete the following fields:
        Name Description

        VLAN Name/Prefix field

        For a single VLAN, this is the VLAN name. For a range of VLANs, this is the prefix that the system uses for each VLAN name.

        The VLAN name is case sensitive.

        This name can be between 1 and 32 alphanumeric characters. You cannot use spaces or any special characters other than - (hyphen), _ (underscore), : (colon), and . (period), and you cannot change this name after the object has been saved.

        Configuration options

        You can choose one of the following:

        • Common/Global—The VLANs apply to both fabrics and use the same configuration parameters in both cases
        • Fabric A—The VLANs only apply to fabric A.
        • Fabric B—The VLAN only apply to fabric B.
        • Both Fabrics Configured Differently—The VLANs apply to both fabrics but you can specify different VLAN IDs for each fabric.

        For upstream disjoint L2 networks, we recommend that you choose Common/Global to create VLANs that apply to both fabrics.

        VLAN IDs field

        To create one VLAN, enter a single numeric ID. To create multiple VLANs, enter individual IDs or ranges of IDs separated by commas. A VLAN ID can:

        • Be between 1 and 3967
        • Be between 4048 and 4093
        • Overlap with other VLAN IDs already defined on the system

        For example, to create six VLANs with the IDs 4, 22, 40, 41, 42, and 43, you would enter 4, 22, 40-43.

        Important:

        You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.

        VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

        Sharing Type field

        Whether this VLAN is subdivided into private or secondary VLANs. This can be one of the following:

        • None—This VLAN does not have any secondary or private VLANs.
        • Primary—This VLAN can have one or more secondary VLANs, as shown in the Secondary VLANs area.
        • Isolated—This is a private VLAN. The primary VLAN with which it is associated is shown in the Primary VLAN drop-down list.

        Primary VLAN drop-down list

        If the Sharing Type field is set to Isolated, this is the primary VLAN associated with this private VLAN.

        Check Overlap button

        Click this button to determine whether the VLAN ID overlaps with any other IDs on the system.

        Step 6   If you clicked the Check Overlap button, do the following:
        1. Click the Overlapping VLANs tab and review the following fields to verify that the VLAN ID does not overlap with any IDs assigned to existing VLANs.
          Name Description

          Fabric ID column

          This can be one of the following:

          • A
          • B
          • Dual—The component is accessible to either fabric interconnect. This setting applies to virtual LAN and SAN networks created at the system level as opposed to the fabric interconnect level.

          Name column

          The name of the VLAN.

          VLAN column

          The numeric id for the VLAN.

          DN column

          The full path to the VLAN. Click the link in this column to view the properties for the VLAN.

        2. Click the Overlapping VSANs tab and review the following fields to verify that the VLAN ID does not overlap with any FCoE VLAN IDs assigned to existing VSANs:
          Name Description

          Fabric ID column

          This can be one of the following:

          • A
          • B
          • Dual—The component is accessible to either fabric interconnect. This setting applies to virtual LAN and SAN networks created at the system level as opposed to the fabric interconnect level.

          Name column

          The name of the VSAN.

          ID column

          The numeric id for the VSAN.

          FCoE VLAN ID column

          The unique identifier assigned to the VLAN used for Fibre Channel connections.

          DN column

          The full path to the VSAN. Click the link in this column to view the properties for the VSAN.

        3. Click OK.
        4. If Cisco UCS Manager identified any overlapping VLAN IDs or FCoE VLAN IDs, change the VLAN ID to one that does not overlap with an existing VLAN.
        Step 7   Click OK.

        Cisco UCS Manager adds the primary VLAN to one of the following VLANs nodes:

        • The LAN Cloud > VLANs node for a primary VLAN accessible to both fabric interconnects.
        • The Fabric_Interconnect_Name > VLANs node for a primary VLAN accessible to only one fabric interconnect.

        Creating a Secondary VLAN for a Private VLAN

        In a Cisco UCS domain that is configured for high availability, you can create a secondary VLAN that is accessible to both fabric interconnects or to only one fabric interconnect.

        Important:

        You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.

        VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

        Before You Begin

        Create the primary VLAN.

        Procedure
          Step 1   In the Navigation pane, click the LAN tab.
          Step 2   On the LAN tab, click the LAN node.
          Step 3   In the Work pane, click the VLANs tab.
          Step 4   On the icon bar to the right of the table, click +.

          If the + icon is disabled, click an entry in the table to enable it.

          Step 5   In the Create VLANs dialog box, complete the following fields:
          Name Description

          VLAN Name/Prefix field

          For a single VLAN, this is the VLAN name. For a range of VLANs, this is the prefix that the system uses for each VLAN name.

          The VLAN name is case sensitive.

          This name can be between 1 and 32 alphanumeric characters. You cannot use spaces or any special characters other than - (hyphen), _ (underscore), : (colon), and . (period), and you cannot change this name after the object has been saved.

          Configuration options

          You can choose one of the following:

          • Common/Global—The VLANs apply to both fabrics and use the same configuration parameters in both cases
          • Fabric A—The VLANs only apply to fabric A.
          • Fabric B—The VLAN only apply to fabric B.
          • Both Fabrics Configured Differently—The VLANs apply to both fabrics but you can specify different VLAN IDs for each fabric.

          For upstream disjoint L2 networks, we recommend that you choose Common/Global to create VLANs that apply to both fabrics.

          VLAN IDs field

          To create one VLAN, enter a single numeric ID. To create multiple VLANs, enter individual IDs or ranges of IDs separated by commas. A VLAN ID can:

          • Be between 1 and 3967
          • Be between 4048 and 4093
          • Overlap with other VLAN IDs already defined on the system

          For example, to create six VLANs with the IDs 4, 22, 40, 41, 42, and 43, you would enter 4, 22, 40-43.

          Important:

          You cannot create VLANs with IDs from 3968 to 4047. This range of VLAN IDs is reserved.

          VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

          Sharing Type field

          Whether this VLAN is subdivided into private or secondary VLANs. This can be one of the following:

          • None—This VLAN does not have any secondary or private VLANs.
          • Primary—This VLAN can have one or more secondary VLANs, as shown in the Secondary VLANs area.
          • Isolated—This is a private VLAN. The primary VLAN with which it is associated is shown in the Primary VLAN drop-down list.

          Primary VLAN drop-down list

          If the Sharing Type field is set to Isolated, this is the primary VLAN associated with this private VLAN.

          Check Overlap button

          Click this button to determine whether the VLAN ID overlaps with any other IDs on the system.

          Step 6   If you clicked the Check Overlap button, do the following:
          1. Click the Overlapping VLANs tab and review the following fields to verify that the VLAN ID does not overlap with any IDs assigned to existing VLANs.
            Name Description

            Fabric ID column

            This can be one of the following:

            • A
            • B
            • Dual—The component is accessible to either fabric interconnect. This setting applies to virtual LAN and SAN networks created at the system level as opposed to the fabric interconnect level.

            Name column

            The name of the VLAN.

            VLAN column

            The numeric id for the VLAN.

            DN column

            The full path to the VLAN. Click the link in this column to view the properties for the VLAN.

          2. Click the Overlapping VSANs tab and review the following fields to verify that the VLAN ID does not overlap with any FCoE VLAN IDs assigned to existing VSANs:
            Name Description

            Fabric ID column

            This can be one of the following:

            • A
            • B
            • Dual—The component is accessible to either fabric interconnect. This setting applies to virtual LAN and SAN networks created at the system level as opposed to the fabric interconnect level.

            Name column

            The name of the VSAN.

            ID column

            The numeric id for the VSAN.

            FCoE VLAN ID column

            The unique identifier assigned to the VLAN used for Fibre Channel connections.

            DN column

            The full path to the VSAN. Click the link in this column to view the properties for the VSAN.

          3. Click OK.
          4. If Cisco UCS Manager identified any overlapping VLAN IDs or FCoE VLAN IDs, change the VLAN ID to one that does not overlap with an existing VLAN.
          Step 7   Click OK.

          Cisco UCS Manager adds the primary VLAN to one of the following VLANs nodes:

          • The LAN Cloud > VLANs node for a primary VLAN accessible to both fabric interconnects.
          • The Fabric_Interconnect_Name > VLANs node for a primary VLAN accessible to only one fabric interconnect.

          Viewing the VLAN Port Count

          Procedure
            Step 1   In the Navigation pane, click the Equipment tab.
            Step 2   On the Equipment tab, expand Equipment > Fabric Interconnects.
            Step 3   Click the fabric interconnect for which you want to view the VLAN port count.
            Step 4   In the Work pane, click the General tab.
            Step 5   In the General tab, click the down arrows on the VLAN Port Count bar to expand that area.

            Cisco UCS Manager GUI displays the following details:

            Name Description

            VLAN Port Limit field

            The maximum number of VLAN ports allowed on this fabric interconnect.

            Access VLAN Port Count field

            The number of available VLAN access ports.

            Border VLAN Port Count field

            The number of available VLAN border ports.

            Allocation Status field

            The VLAN port allocation status.