Solved: Re: BES-53248 default vLAN 1 - change for stigs

Loxley · ‎2022-12-13

I have 2 BES-53248 switches clustered using Netapps BES-53248-RCF-v1.8-Cluster config. Prior to installing this config I was able to change the default vlan from 1 to 999 as part of security stigs I need to apply. After running the config I can no long change that setting or at least when I run

(cs01)(Interface 0/1)#vlan pvid 999

I do see 999 applied to the running config but when I run

(cs01)#show vlan port all

0/1 Port vlan ID configured and current are both vlan 1 .

Any thoughts? I have a felling it has something to do with the clustering, but I just don't know enough about these switches to speak to it.

andris · ‎2022-12-14

What EFOS version are you on?

Make sure you add VLAN 999 to the VLAN database.

The cluster node ports are in "trunk"mode.

So, you would set the native VLAN to 999 (it defaults to VLAN 1) for your untagged ingress traffic.

interface 0/1-0/16
switchport trunk native vlan 999

View solution in original post

andris · ‎2022-12-14

What EFOS version are you on?

Make sure you add VLAN 999 to the VLAN database.

The cluster node ports are in "trunk"mode.

So, you would set the native VLAN to 999 (it defaults to VLAN 1) for your untagged ingress traffic.

interface 0/1-0/16
switchport trunk native vlan 999

Loxley · ‎2022-12-15

@andris thank you for the response.

I'm running EFOS, 3.9.0.2

vLan 999 has been added to the vlan database

here is the running-config on port 0/1

interface 0/1
service-policy in CLUSTER
no shutdown
description "10/25GbE Node Port"
spanning-tree edgeport
mtu 9216
switchport mode trunk
switchport trunk allowed vlan 1,17-18
datacenter-bridging
priority-flow-control mode on
priority-flow-control priority 2 no-drop
priority-flow-control priority 5 no-drop
exit
exit

So I added 999 to the allowed vlans

and made 999 the native vlan.

 Current Configuration:
!
interface 0/1
service-policy in CLUSTER
no shutdown
description "10/25GbE Node Port"
spanning-tree edgeport
mtu 9216
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 1,17-18,999
datacenter-bridging
priority-flow-control mode on
priority-flow-control priority 2 no-drop
priority-flow-control priority 5 no-drop
exit
exit

 
          Port       Port                  Ingress    Ingress
          VLAN ID    VLAN ID  Acceptable   Filtering  Filtering  Default
Interface Configured Current  Frame Types  Configured Current    Priority
--------- ---------- -------- ------------ ---------- ---------  --------
0/1       999        999      Admit All    Enable     Enable     0
0/2       1          1        Admit All    Enable     Enable     0
0/3       1          1        Admit All    Enable     Enable     0
0/4       1          1        Admit All    Enable     Enable     0

This is exactly what I was looking for! Thank you.

If I can ask two more questions:

1: If port 0/1 will be using vlan 17 either as the Netapp connection or a server connection to the netapp it's ok to change the native vlan to 17 for that port correct?

2: My current config is switchport trunk allowed vlan 1,17-18,999 - vlan 1 is the default vlan - is there any reason why I can't remove vlan 1 from the trunk allowed vlan ?

Thank you very much for the help!

andris · ‎2022-12-15

A1: VLANs 17 and 18 are used for HA traffic on AFF/FAS platforms that use a shared cluster+HA Ethernet ports (AFF A320, AFF A250, FAS500f). Please do not change anything related to VLANs 17 and 18.

A2: The ISL ports 0/55 and 0/56 normally ONLY span VLAN 1 (default VLAN). You should NOT be spanning VLAN 17/18 (this is by design). Now with VLAN 999 being used natively for cluster traffic, I would go with this config:
switchport trunk allowed vlan 1,999

I believe VLAN 1 is still used for some control traffic (e.g. CDP/ISDP), so that's why I'm keeping VLAN 1 in there. But you can remove it and see what happens 🙂

Loxley · ‎2022-12-15

Thanks for the info - I'll play with the config for a bit and see how everything works out.

Thanks again for the help have a Merry Christmas