topic Re: BES-53248 default vLAN 1 - change for stigs in ONTAP Hardware

BES-53248 default vLAN 1 - change for stigs

Loxley — Wed, 04 Jun 2025 09:54:24 GMT

I have 2 BES-53248 switches clustered using Netapps BES-53248-RCF-v1.8-Cluster config. Prior to installing this config I was able to change the default vlan from 1 to 999 as part of security stigs I need to apply. After running the config I can no long change that setting or at least when I run

(cs01)(Interface 0/1)#vlan pvid 999

I do see 999 applied to the running config but when I run

(cs01)#show vlan port all

0/1 Port vlan ID configured and current are both vlan 1 .

Any thoughts? I have a felling it has something to do with the clustering, but I just don't know enough about these switches to speak to it.

Re: BES-53248 default vLAN 1 - change for stigs

andris — Wed, 14 Dec 2022 19:57:23 GMT

What EFOS version are you on?

Make sure you add VLAN 999 to the VLAN database.

The cluster node ports are in "trunk"mode.

So, you would set the native VLAN to 999 (it defaults to VLAN 1) for your untagged ingress traffic.

interface 0/1-0/16
switchport trunk native vlan 999

Re: BES-53248 default vLAN 1 - change for stigs

Loxley — Thu, 15 Dec 2022 12:00:47 GMT

@andris thank you for the response.

I'm running EFOS, 3.9.0.2

vLan 999 has been added to the vlan database

here is the running-config on port 0/1

interface 0/1 service-policy in CLUSTER no shutdown description "10/25GbE Node Port" spanning-tree edgeport mtu 9216 switchport mode trunk switchport trunk allowed vlan 1,17-18 datacenter-bridging priority-flow-control mode on priority-flow-control priority 2 no-drop priority-flow-control priority 5 no-drop exit exit

So I added 999 to the allowed vlans

and made 999 the native vlan.

Current Configuration: ! interface 0/1 service-policy in CLUSTER no shutdown description "10/25GbE Node Port" spanning-tree edgeport mtu 9216 switchport mode trunk switchport trunk native vlan 999 switchport trunk allowed vlan 1,17-18,999 datacenter-bridging priority-flow-control mode on priority-flow-control priority 2 no-drop priority-flow-control priority 5 no-drop exit exit

Port Port Ingress Ingress VLAN ID VLAN ID Acceptable Filtering Filtering Default Interface Configured Current Frame Types Configured Current Priority --------- ---------- -------- ------------ ---------- --------- -------- 0/1 999 999 Admit All Enable Enable 0 0/2 1 1 Admit All Enable Enable 0 0/3 1 1 Admit All Enable Enable 0 0/4 1 1 Admit All Enable Enable 0

This is exactly what I was looking for! Thank you.

If I can ask two more questions:

1: If port 0/1 will be using vlan 17 either as the Netapp connection or a server connection to the netapp it's ok to change the native vlan to 17 for that port correct?

2: My current config is switchport trunk allowed vlan 1,17-18,999 - vlan 1 is the default vlan - is there any reason why I can't remove vlan 1 from the trunk allowed vlan ?

Thank you very much for the help!

Re: BES-53248 default vLAN 1 - change for stigs

andris — Thu, 15 Dec 2022 18:03:06 GMT

A1: VLANs 17 and 18 are used for HA traffic on AFF/FAS platforms that use a shared cluster+HA Ethernet ports (AFF A320, AFF A250, FAS500f). Please do not change anything related to VLANs 17 and 18.

A2: The ISL ports 0/55 and 0/56 normally ONLY span VLAN 1 (default VLAN). You should NOT be spanning VLAN 17/18 (this is by design). Now with VLAN 999 being used natively for cluster traffic, I would go with this config:
switchport trunk allowed vlan 1,999

I believe VLAN 1 is still used for some control traffic (e.g. CDP/ISDP), so that's why I'm keeping VLAN 1 in there. But you can remove it and see what happens 🙂

Re: BES-53248 default vLAN 1 - change for stigs

Loxley — Thu, 15 Dec 2022 18:08:24 GMT

Thanks for the info - I'll play with the config for a bit and see how everything works out.

Thanks again for the help have a Merry Christmas