Global VLANs

Global VLAN

Cisco UCS Central enables you to define global VLANs in LAN cloud at the domain group root or at the domain group level. You can create a single VLAN or multiple VLANs in one operation.

Global VLAN resolution takes place in Cisco UCS Central before global service profiles are deployed. If a global service profile references a global VLAN, and that VLAN does not exist, the global service profile deployment fails in the Cisco UCS domain due to insufficient resources. All global VLANs created in Cisco UCS Central must be resolved before deploying that global service profile.

Global VLANs are pushed to Cisco UCS along with the global service profiles that reference them. Global VLAN information is visible to Cisco UCS Manager only if a global service profile with reference to a global VLAN is deployed in that UCS domain. When a global VLAN is deployed and becomes available in the UCS domain, locally-defined service profiles and policies can reference the global VLAN. A global VLAN is not deleted when a global service profile that references it is deleted.

VLAN Org Permission

All VLANs configured in Cisco UCS Central are common to the orgs in which they are created. You must assign organization permissions before the Cisco UCS Manager instances that are part of the organizations can consume the resources. When you assign org permission to a VLAN, the VLAN is visible to those organizations, and available to be referenced in service profiles maintained by the Cisco UCS Manager instances that are part of the organization.

VLAN name resolution takes place within the hierarchy of each domain group. If a VLAN with the same name exists in multiple domain groups, the organization permissions are applied to all VLANs with the same name across the domain groups.

You can create, modify, or delete VLAN org permissions.


Note: Make sure to delete the VLAN org permission from the same org in which you created it. In the Cisco UCS Central GUI, you can view the org structure with which the VLAN is associated. At the sub-org level in the Cisco UCS Central CLI, however, you cannot view the VLAN org permission association hierarchy, so an attempt to delete the VLAN at the sub-org level in the CLI fails.
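
The visibility rules in this section (a permission covers the organization and all of its suborganizations, and VLAN names are case sensitive) can be checked offline before service profiles are deployed. The following is an added example, not Cisco code or Cisco UCS Central output; the org paths, profile names, and permit list are constructed sample data.

```python
# Added example: effective VLAN visibility derived from org permissions.
# Org paths, profiles and permits are constructed, not Cisco UCS Central output.

def is_same_or_suborg(org, ancestor):
    """True if org is the ancestor itself or is nested under it."""
    return org == ancestor or org.startswith(ancestor + "/")

def visible_vlans(org, permits):
    """VLAN names an org may reference: permits on the org or on any parent org."""
    return {vlan for permit_org, vlan in permits if is_same_or_suborg(org, permit_org)}

def unresolved_references(profiles, permits):
    """Service-profile VLAN references that no permit covers (exact-case match)."""
    findings = []
    for name, org, vlans in profiles:
        allowed = visible_vlans(org, permits)
        for vlan in vlans:
            if vlan not in allowed:
                hint = next((a for a in sorted(allowed) if a.lower() == vlan.lower()), None)
                reason = "case mismatch with " + hint if hint else "no permit"
                findings.append((name, vlan, reason))
    return findings

def broad_permits(permits, top="root"):
    """Permits placed on the top org, which expose the VLAN to every suborganization."""
    return sorted(vlan for org, vlan in permits if org == top)

PERMITS = [("root/Sub-Org1", "Administration"), ("root", "Finance")]
PROFILES = [
    ("sp-web", "root/Sub-Org1/Team-A", ["Administration", "Finance"]),
    ("sp-db", "root/Sub-Org2", ["Administration"]),
    ("sp-app", "root/Sub-Org1", ["administration"]),
]

if __name__ == "__main__":
    for finding in unresolved_references(PROFILES, PERMITS):
        print(finding)
    print("permits visible to every org:", broad_permits(PERMITS))
```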


Creating a Single VLAN

This procedure describes how to create a single VLAN in the domain group root or in a specific domain group.

Procedure

Step / Command or Action / Purpose

Step 1

UCSC# connect resource-mgr

Enters resource manager mode.

Step 2

UCSC(resource-mgr) # scope domain-group domain-name

Enters the UCS domain group root.

Step 3

UCSC(resource-mgr) # scope eth-uplink

Enters Ethernet uplink command mode.

Step 4

UCSC(resource-mgr) /domain-group/eth-uplink # create vlan vlan-name vlan-id

Creates a VLAN and assigns a VLAN ID.

Note: The VLAN name is case sensitive.

Step 5

UCSC(resource-mgr) /domain-group/eth-uplink/vlan # set mcastpolicy {default | policy-name}

(Optional)

Assigns a specific multicast policy name. If you do not enter a multicast policy name, the name is resolved from the Cisco UCS Manager domain upon deployment.

Step 6

UCSC(resource-mgr) /domain-group/eth-uplink/vlan# commit-buffer

Commits the transaction to the system.

Example

The following example shows how to create a VLAN named Administration in the domain group root and assign it VLAN ID 15:

UCSC# connect resource-mgr
UCSC(resource-mgr)# scope domain-group /
UCSC(resource-mgr) /domain-group # scope eth-uplink
UCSC(resource-mgr) /domain-group/eth-uplink # create vlan Administration 15
UCSC(resource-mgr) /domain-group/eth-uplink/vlan* # commit-buffer
UCSC(resource-mgr) /domain-group/eth-uplink/vlan #

The following example shows how to create a VLAN named Administration in domain group 12 and assign it VLAN ID 15:

UCSC# connect resource-mgr
UCSC(resource-mgr)# scope domain-group 12
UCSC(resource-mgr) /domain-group # scope eth-uplink
UCSC(resource-mgr) /domain-group/eth-uplink # create vlan Administration 15
UCSC(resource-mgr) /domain-group/eth-uplink/vlan* # commit-buffer
UCSC(resource-mgr) /domain-group/eth-uplink/vlan #

Creating Multiple VLANs

This procedure describes how to create multiple VLANs.

Procedure

Step / Command or Action / Purpose

Step 1

UCSC# connect resource-mgr

Enters resource manager mode.

Step 2

UCSC(resource-mgr) # scope domain-group domain-group

Enters the UCS domain group root.

Step 3

UCSC(resource-mgr) # scope eth-uplink

Enters Ethernet uplink command mode.

Step 4

UCSC(resource-mgr) /domain-group/eth-uplink # create vlan vlan-name vlan-id

Creates a VLAN with the VLAN name and VLAN ID you enter.

Note: The VLAN name is case sensitive.

Step 5

UCSC(resource-mgr) /domain-group/eth-uplink/vlan # set mcastpolicy {default | policy-name}

(Optional)

Assigns a particular multicast policy name. If you do not enter a multicast policy name, the name is resolved from the Cisco UCS Manager upon deployment.

Step 6

UCSC(resource-mgr) /domain-group/eth-uplink/vlan # commit-buffer

Commits the transaction to the system.

Example

The following example shows how to create two VLANs in domain group 12 and assign multicast policies:

UCSC# connect resource-mgr
UCSC(resource-mgr)# scope domain-group 12
UCSC(resource-mgr) /domain-group # scope eth-uplink
UCSC(resource-mgr) /domain-group/eth-uplink # create vlan Administration 15
UCSC(resource-mgr) /domain-group/eth-uplink/vlan* # set mcastpolicy default
UCSC(resource-mgr) /domain-group/eth-uplink/vlan* # create vlan Finance 20
UCSC(resource-mgr) /domain-group/eth-uplink/vlan* # set mcastpolicy mpolicy
UCSC(resource-mgr) /domain-group/eth-uplink/vlan* # commit-buffer
UCSC(resource-mgr) /domain-group/eth-uplink/vlan #

Enabling Global VLANs in a Cisco UCS Manager Instance

The publish vlan command allows you to use global VLANs that were created in Cisco UCS Central in a Cisco UCS Manager instance without deploying a service profile.

Procedure

Step / Command or Action / Purpose

Step 1

UCSC# connect resource-mgr

Enters resource manager mode.

Step 2

UCSC(resource-mgr) # scope domain-mgmt

Enters the UCS domain management configuration mode.

Step 3

UCSC(resource-mgr) /domain-mgmt # scope ucs-domain domain-ID

Enters the UCS domain configuration mode for the specified domain ID.

Note: If you do not know the UCS domain ID, use the show ucs-domain command.

Step 4

UCSC(resource-mgr) /domain-mgmt/ucs-domain # publish vlan vlan_name

Pushes the selected global VLAN to the Cisco UCS Manager instance.

Example

The following example shows how to enable global VLAN globVLAN in the local domain 1008:

UCSC# connect resource-mgr
UCSC(resource-mgr) # scope domain-mgmt
UCSC(resource-mgr) /domain-mgmt # scope ucs-domain 1008
UCSC(resource-mgr) /domain-mgmt/ucs-domain # publish vlan globVLAN

Publish Vlan is a standalone operation. You may lose any uncommitted changes in this CLI session.
Do you want to continue? (yes/no): yes
UCSC(resource-mgr) /domain-mgmt/ucs-domain # 

Deleting a VLAN

This procedure describes how to delete a VLAN from a domain group.

Before you begin

Consider the following points before deleting global VLANs in Cisco UCS Central:

  • Before deleting global VLANs, ensure that any global service profiles that reference them are updated.

  • Before deleting the last global VLAN from a domain group, you should remove its organization permissions.

  • If you delete a global VLAN, it is also deleted from all registered Cisco UCS Manager instances that are associated with the domain groups in which the VLAN resides.

  • Global service profiles that reference a global VLAN that is deleted in Cisco UCS Central will fail due to insufficient resources. Local service profiles that reference a global VLAN that is deleted will be set to virtual network ID 1.

Procedure

Step / Command or Action / Purpose

Step 1

UCSC# connect resource-mgr

Enters resource manager mode.

Step 2

UCSC(resource-mgr) # scope domain-group {/ | domain-name}

Enters the UCS domain group root or the domain group name you enter.

Step 3

UCSC(resource-mgr) # scope eth-uplink

Enters Ethernet uplink command mode.

Step 4

UCSC(resource-mgr) /domain-group/eth-uplink # delete vlan vlan-name

Deletes the VLAN with the name you entered.

Step 5

UCSC(resource-mgr) /domain-group/eth-uplink # commit-buffer

Commits the transaction to the system.

Example

The following example shows how to delete the VLAN named Finance from the domain group root:

UCSC# connect resource-mgr
UCSC(resource-mgr)# scope domain-group /
UCSC(resource-mgr) /domain-group # scope eth-uplink
UCSC(resource-mgr) /domain-group/eth-uplink # delete vlan Finance
UCSC(resource-mgr) /domain-group/eth-uplink* # commit-buffer
UCSC(resource-mgr) /domain-group/eth-uplink #
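
The points under "Before you begin" for this procedure can be turned into a pre-delete impact check. The following is an added example, not Cisco code; the inventory structure, profile names, and field names are constructed for illustration and would have to be filled from your own records.

```python
# Added example: constructed inventory, not output from Cisco UCS Central.
INVENTORY = {
    "domain_groups": {
        "12": {"vlans": {"Administration": 15, "Finance": 20}, "domains": ["1008", "1009"]},
    },
    "permits": [("Sub-Org1", "Finance")],          # (org, VLAN name)
    "profiles": [
        {"name": "gsp-erp", "scope": "global", "domain": "1008", "vlans": ["Finance"]},
        {"name": "lsp-batch", "scope": "local", "domain": "1009", "vlans": ["Finance"]},
        {"name": "gsp-mgmt", "scope": "global", "domain": "1008", "vlans": ["Administration"]},
    ],
}

def delete_impact(vlan, group_name, inv):
    """Summarise what deleting global VLAN `vlan` from a domain group would touch."""
    group = inv["domain_groups"][group_name]
    if vlan not in group["vlans"]:                 # exact match: names are case sensitive
        raise KeyError(f"VLAN {vlan!r} is not defined in domain group {group_name!r}")
    refs = [p for p in inv["profiles"]
            if p["domain"] in group["domains"] and vlan in p["vlans"]]
    return {
        "domains_losing_vlan": sorted(group["domains"]),
        "global_profiles_failing": sorted(p["name"] for p in refs if p["scope"] == "global"),
        "local_profiles_to_vnet_1": sorted(p["name"] for p in refs if p["scope"] == "local"),
        "last_vlan_in_group": len(group["vlans"]) == 1,
        "org_permits": sorted(org for org, name in inv["permits"] if name == vlan),
    }

def blockers(impact):
    """Reasons to stop before committing the delete."""
    out = []
    if impact["global_profiles_failing"]:
        out.append("update global service profiles first: "
                   + ", ".join(impact["global_profiles_failing"]))
    if impact["local_profiles_to_vnet_1"]:
        out.append("local service profiles would be set to virtual network ID 1: "
                   + ", ".join(impact["local_profiles_to_vnet_1"]))
    if impact["last_vlan_in_group"] and impact["org_permits"]:
        out.append("remove org permissions first: " + ", ".join(impact["org_permits"]))
    return out

if __name__ == "__main__":
    for reason in blockers(delete_impact("Finance", "12", INVENTORY)):
        print("BLOCK:", reason)
```

The local-profile case deserves attention in review: the affected profiles keep running but move to virtual network ID 1, so the change is silent unless it is checked for beforehand.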

Creating VLAN Permissions for an Organization

This procedure describes how to assign a VLAN permission to organizations in Cisco UCS Central.

Procedure

Step / Command or Action / Purpose

Step 1

UCSC# connect resource-mgr

Enters resource manager mode.

Step 2

UCSC(resource-mgr) # scope org {org-name}

Enters organization management mode for the organization name you enter.

Step 3

UCSC(resource-mgr) /org # create vlan-permit vlan-name

Assigns the specified VLAN permission to the organization, and all of the suborganizations that belong to it.

Note: The VLAN name is case sensitive.

Step 4

UCSC(resource-mgr) /org # commit-buffer

Commits the transaction to the system.

Example

The following example shows how to assign permission for the VLAN named Administration to Sub-Org1:

UCSC# connect resource-mgr
UCSC(resource-mgr)# scope org Sub-Org1
UCSC(resource-mgr) /org # create vlan-permit Administration
UCSC(resource-mgr) /org* # commit-buffer
UCSC(resource-mgr) /org #

Deleting VLAN Permissions from an Organization

This procedure describes how to delete a VLAN org permission in Cisco UCS Central.

Procedure

Step / Command or Action / Purpose

Step 1

UCSC# connect resource-mgr

Enters resource manager mode.

Step 2

UCSC(resource-mgr) # scope org {org-name}

Enters organization management mode for the organization name you enter.

Step 3

UCSC(resource-mgr) /org # delete vlan-permit vlan-name

Deletes permission for the specified VLAN from the organization and all suborganizations that belong to it.

Note: The VLAN name is case sensitive.

Step 4

UCSC(resource-mgr) /org # commit-buffer

Commits the transaction to the system.

Example

The following example shows how to delete permission for the VLAN named Administration from Sub-Org1:

UCSC# connect resource-mgr
UCSC(resource-mgr)# scope org Sub-Org1
UCSC(resource-mgr) /org # delete vlan-permit Administration
UCSC(resource-mgr) /org* # commit-buffer
UCSC(resource-mgr) /org #

About Native VLAN

The Native VLAN and the default VLAN serve different purposes within a network. Native VLAN refers to the VLAN that handles untagged traffic—Ethernet frames transmitted without an 802.1Q VLAN tag. Native VLAN traffic is untagged, and its frames are transmitted without modification. The Native VLAN can either be assigned to a specific VLAN or left unconfigured.

It is possible to tag all VLAN traffic and eliminate the use of a Native VLAN across your network. By default, VLAN 1 is assigned as the Native VLAN on switches, but this setting can be modified to meet specific network requirements.

Cisco UCS Central allows you to configure VLANs and change the Native VLAN setting. Changing the Native VLAN triggers a single port flap, resulting in a temporary connectivity loss of approximately 20–40 seconds. This port flap is necessary for the change to take effect. However, continuous port flapping is not expected and may indicate underlying configuration issues that require troubleshooting.

Native VLAN Guidelines

  • Native VLANs can only be configured on trunk ports.

  • When changing the native VLAN on a UCS vNIC, a port flap will occur, leading to brief traffic interruptions.

  • Cisco recommends using the Native VLAN 1 setting to minimize traffic interruptions, particularly when using the Cisco Nexus 1000v switches. Ensure the Native VLAN configuration is consistent between the Nexus 1000v port profiles and the UCS vNIC definition.

  • If there is continuous port flapping, incorrect traffic routing, or outages, verify the configuration of your disjoint Layer 2 network for potential issues.

  • Using VLAN 1 for management access across all devices can lead to potential security risks if another switch is connected to the same VLAN as your management devices.


Note: When you modify the Native VLAN settings, a warning message informs you about the required port flap and its brief connectivity impact (20-40 seconds). Select Yes or No to choose whether to proceed with the changes.
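
The Native VLAN guidelines above can be audited against an exported configuration before any change is committed. The following is an added example, not Cisco code; the record layout, field names, and the vNIC and port-profile names are constructed for illustration. It also lists which vNICs a planned native VLAN change would flap.

```python
# Added example: field names and records are constructed for illustration.
VNICS = [
    {"name": "eth0", "mode": "trunk", "native_vlan": 1, "port_profile": "pp-uplink"},
    {"name": "eth1", "mode": "trunk", "native_vlan": 15, "port_profile": "pp-uplink"},
    {"name": "eth2", "mode": "trunk", "native_vlan": None, "port_profile": None},
]
PORT_PROFILES = {"pp-uplink": {"native_vlan": 1}}   # Nexus 1000v side
MGMT_VLANS = {1}                                    # VLAN IDs that carry management access

def audit_native_vlan(vnics, port_profiles, mgmt_vlans):
    """Return (subject, finding) pairs for the native VLAN guidelines."""
    findings = []
    for nic in vnics:
        native = nic["native_vlan"]                 # None = no native VLAN, all traffic tagged
        if native is not None and nic["mode"] != "trunk":
            findings.append((nic["name"], "native VLAN set on a non-trunk port"))
        profile = port_profiles.get(nic["port_profile"])
        if profile is not None and profile["native_vlan"] != native:
            findings.append((nic["name"],
                             f"native VLAN {native} but port profile "
                             f"{nic['port_profile']} uses {profile['native_vlan']}"))
        if native in mgmt_vlans:
            findings.append((nic["name"],
                             f"untagged frames land in management VLAN {native}"))
    if 1 in mgmt_vlans:
        findings.append(("management", "VLAN 1 is used for management access"))
    return findings

def flap_plan(vnics, desired):
    """vNICs whose native VLAN would change; each change costs one port flap."""
    return sorted(n["name"] for n in vnics
                  if n["name"] in desired and desired[n["name"]] != n["native_vlan"])

if __name__ == "__main__":
    for subject, finding in audit_native_vlan(VNICS, PORT_PROFILES, MGMT_VLANS):
        print(f"{subject}: {finding}")
    print("will flap:", flap_plan(VNICS, {"eth0": 15, "eth1": 15}))
```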