Occasional Contributor
Posts: 5
Registered: ‎04-10-2012

FGS648 Switch help required in setting up VLANS

Hello

First Brocade equipment - FGS648Poe. Running primary flash (Switch). Have no experience with managed switches.

3 of them are stacked and on first floor(CX linked round robin), 2 are on ground floor, non stacked. We will deploy the FGS against NPS server to have dynamic port VLANs. IP space is flat. 172.16.0.0 255.255.0.0. Our only requirement of vlan is to reduce broadcasts. We have allocated one number for each department.

Eg - Sales is 172.16.20.0 255.255.0.0, IT is 172.16.30.0 255.255.0.0. All have gateway 172.16.0.1 255.255.0.0 (running TMG)

My questions -

a) Do I have to enter the config in all switches (or only active controller on stacked and both unstacked?) Can some sort of VTP be used?

b) I will be following "Deploying MAC authentication with IAS server" found on downloads section of the site. Approx 10 Vlans will be configured.

c) I would like that MAC unable to unauthenticate puts the client in "guest mac". How do I "reduce the bandwidth" of this guest vlan to say 256kbps?

d) Can all this be done in switch mode? Or base L3 is required?

e) Is OSPF available with switch?

Rgds

Nitin

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: FGS648 Switch help required in setting up VLANS


Hi nitin1,

My questions -

a) Do I have to enter the config in all switches (or only active controller on stacked and both unstacked?) Can some sort of VTP be used?

     A : a member of the stack plus both unstacked - do not know VTP sorry, like CDP? If so then you could use FDP for that.

b) I will be following "Deploying MAC authentication with IAS server" found on downloads section of the site. Approx 10 Vlans will be configured.

     A : not too sure here, how many MAC per port 1 or <1?

c) I would like that MAC unable to unauthenticate puts the client in "guest mac". How do I "reduce the bandwidth" of this guest vlan to say 256kbps?

     A : are you wanting to use 802.1X here? You could use ACL-based rate limiting policy in layer 2 or layer 3 code for this.

d) Can all this be done in switch mode? Or base L3 is required?

     A : Not sure as I do not understand exactly what you want to do.

e) Is OSPF available with switch?

     A : yes OSPF is part of the layer 3 code found on the secondary flash.

Thanks

Michael.

Occasional Contributor
Posts: 5
Registered: ‎04-10-2012

Re: FGS648 Switch help required in setting up VLANS

Thank You Mr Schipp for coming back (for 2 days I am waiting).

a) VTP is I think follow the VLAN. (VTP is Cisco). I will be following

http://community.brocade.com/docs/DOC-1994

I need to know if everything can be achieved in Layer 2 only and no router is required.

b) The file used is http://www.brocade.com/downloads/documents/white_papers/wp-deploying-mac-with-ias.pdf

I need to do this in Active controller + Both standalone switches (please confirm). Yes - there will be dual mode used (phones+ data on single port)

c) I don't know ANYTHING about layer 3 so I am afraid to use anything Layer 3. That's why I am asking if this can be done in layer 2.

d) Same as c

As additional info, I will try to explain (what I need to implement - All using Radius, MAC auth)

  • VLAN 100 is Servers, 172.16.100.0 mask 255.255.0.0
  • VLAN 200 is Clients 172.16.10.0 mask 255.255.0.0
  • VLAN 300 is Phones 172.16.xxxx (dual mode)
  • so on...
  • VLAN 900 is all people who could not authenticate to Radius (and have reduced BW)

All of them need to get DHCP from one single server (which is in VLAN 100) and all of them have default GW as 172.16.0.1 (which is TMG, and has no VLAN)

Can this be done in simple scripts?

Thank You

Nitin

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: FGS648 Switch help required in setting up VLANS

Hi nitin1,

     Ok the first link to the doc is for layer 3 only.  Looking at what you want to do I would use L3 code and have a subnet per vlan and not use the 'IP follow' at all.

     Second doc is very old.  Not sure if there is an updated doc for that one. It is all layer 2 BTW.

     No scripts that will automatically do what you want.

     All that you want can be done but would suggest that you contract it out.  A simple L3 design with MAC Auth is what you need here.

Thanks

Michael.

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: FGS648 Switch help required in setting up VLANS

Thank You Mr Schipp for coming back (for 2 days I am waiting).  Sorry been on holidays and do this just for fun

Occasional Contributor
Posts: 5
Registered: ‎04-10-2012

Re: FGS648 Switch help required in setting up VLANS

Well - As I have no experience with Brocade, I tried contracting via freelancer/Guru. One of them was helpful but my project was delayed, so lost contact.

The one on Guru gave me useless stuff (and took money).

We are outside US (Dubai), so have limited options (don't think of contacting local support - Support word does not exist in this country).

Can you help?

Rgds

Nitin

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: FGS648 Switch help required in setting up VLANS

Had a look and I cannot see any Brocade partners in Dubai, so I can understand your issues.  I am located in Australia, so not a lot of hands on help to you.  You should be looking for a local BCNE (Brocade Certified Network Engineer) or better. I cannot build you the config over a support forum as there are too many combinations sorry.

Occasional Contributor
Posts: 5
Registered: ‎04-10-2012

Re: FGS648 Switch help required in setting up VLANS

So, I should boot the switch into Layer 3. I have done it (using your post).

But stacking is disabled in L3 mode. Stack commands come as unknown.

Can you help me in the following steps-

a) Boot the switch in L3 mode (yes - done)

b) Convert it into L2 functionality (so that it starts switching)

c) Assign an IP address to the router (for management so that I don't have to connect it using com cable)

d) Switch on VLAN arp

e) Switch on GVRP (this is VTP)

These are pretty basic questions but since I don't know Brocade...

Rgds

Nitin

Occasional Contributor
Posts: 6
Registered: ‎04-28-2011

Re: FGS648 Switch help required in setting up VLANS

A couple of things.

1. In a stack, you should be able to configure all switches in the stack from one session, but ports will have to be referenced (configured) individually as 1/1/1, 2/1/1 etc. depending on the stack ID.

2. VLANs are of no use in a flat network unless the Virtual LAN segments don't need to communicate at all. In that case, each segment is entirely on its own (172.16.20.1 in one segment has no relationship to 172.16.20.1 in another segment). The only way to get from one VLAN to another is to route, meaning each VLAN must be in a different subnet. If you bridge the VLANs, that would make one big LAN just as if you had no VLANs - a single broadcast domain. To contain broadcasts you would need to divide your 172.16/16 network into smaller subnets and keep each in its own VLAN (172.16.20.0/24, 172.16.30.0/24). Then set up Virtual Ethernet interfaces on each VLAN so you can route between them, use the switch as the default gateway for hosts, keep the subnet mask /16 on the Internet gateway router, and make it the switch's default gateway. This is the same in Cisco or any other VLAN situation.

3) I'm no help on the RADIUS config.

4) You'll need base layer-3 for routing between VLANs, probably full layer-3 for OSPF. May I ask why you need OSPF? It sounds like this layer-3 switch is your single distribution point for all subnets. Even if it doesn't directly attach to every subnet, you can trunk multiple VLANs back to it and still use it as the router for all of them (because you have a virtual interface on every configured VLAN). With all of the subnet interfaces directly configured on this switch, you wouldn't need any routing protocols running, not even any static routes (other than the default route so Internet-bound packets have somewhere to go).

Kurt
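
Point 2 of the reply above, as an added example (not part of any post in this thread and not Brocade code): a small Python model of a host's on-link decision, showing why a /16 mask strands hosts in different VLANs while one /24 per VLAN sends the traffic through a routed interface. It assumes no proxy ARP and no bridging between VLANs, reuses the thread's third-octet numbering (Clients 10, Sales 20, IT 30), and places each gateway at .1, which is an assumption of this example.

```python
import ipaddress

def on_link(host_if: str, dst: str) -> bool:
    """True if the host's own mask says dst is in its subnet (it will ARP for dst)."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(host_if).network

def delivery(src_if, src_vlan, dst, dst_vlan, routed_vlans):
    """Model how src reaches dst. Assumes no proxy ARP and no bridging between VLANs.

    routed_vlans: VLANs on which the layer-3 switch has a virtual interface.
    """
    if on_link(src_if, dst):
        # The host ARPs for dst directly; that broadcast never leaves src_vlan.
        if src_vlan == dst_vlan:
            return "direct"
        return "unreachable: ARP stays inside the source VLAN"
    # Off-link: the host hands the packet to its default gateway.
    if src_vlan in routed_vlans and dst_vlan in routed_vlans:
        return "routed"
    return "unreachable: no routed interface in one of the VLANs"

def plan(supernet: str, departments: dict) -> dict:
    """Carve one /24 per department out of a /16: {name: (subnet, gateway)}.

    departments maps a name to the third octet already allocated to it.
    The gateway is the first address of each /24 (an assumption of this example).
    """
    net = ipaddress.ip_network(supernet)
    if net.prefixlen != 16:
        raise ValueError("expects a /16 supernet")
    out = {}
    for name, octet in departments.items():
        if not 0 <= octet <= 255:
            raise ValueError(f"{name}: third octet {octet} out of range")
        sub = ipaddress.ip_network(f"{net.network_address + octet * 256}/24")
        out[name] = (sub, sub.network_address + 1)
    return out

if __name__ == "__main__":
    routed = {"clients", "sales", "it"}  # constructed sample: every VLAN has a virtual interface
    # Flat /16 mask, hosts in different VLANs: the sender ARPs and gets no answer.
    print(delivery("172.16.10.20/16", "clients", "172.16.20.20", "sales", routed))
    # One /24 per VLAN: the sender uses its gateway and the switch routes.
    print(delivery("172.16.20.20/24", "sales", "172.16.30.20", "it", routed))
    for name, (sub, gw) in plan("172.16.0.0/16", {"sales": 20, "it": 30}).items():
        print(name, sub, "gateway", gw)
```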

Occasional Contributor
Posts: 5
Registered: ‎04-10-2012

Re: FGS648 Switch help required in setting up VLANS

1. Yes - I am doing it with int e 1/1/1 to 1/1/48. I am able to make stack in L2 so it works(though connecting by serial port as I am unable to make http user). But I am unable to get it stacked when router in base L3. Stack command is not available when booted in L3.

2. I disagree. The whole idea of flat vlan is to reduce the broadcasts. An endpoint 172.16.10.20 is unable to send broadcast to 172.16.20.20 though both have same mask, 255.255.0.0 because they are in different vlans. Most people think VLANs as security - I think vlan as boundary to broadcasts. Security comes from MAC. What I thought was Brocade is able to do proxy arp to connect different VLANs of same subnet. This all can be done in L2. But Mr Schipp (referencing the link I provided) has said that it needs L3.

3. This is real security. The doc referenced is very clear (though dated)

4. I "thought" OSPF is required because we have lots of office to office tunnels. Though it's not a requirement I thought that maybe it helps. (though I now know it will not and a dedicated router is much better choice for handling tunnels and direct connects)

I will have to say the bitter truth - compared to "known" brands, Brocade documentation is VERY poor. On search, I can find multiple versions of the same document with no clear distinction. In the same manual, what is applicable to which (eg if it works in L3 or it works on switch) is not clear. Also, documentation is way down to wrong. Eg - In FGS, even if the switch is not stacked, you have to reference stackid. (Documentation says 1/1 but in reality it's 1/1/1.) Till now, I don't understand why stacking is not possible in L3. I believe now that stack commands are not avail in L3 (not written anywhere).

Also, for newbies, there is no clear quick path. The downloads contain hardly 10-20 quick guides which are years old.

There are only a few people active on forums. So, getting help (when we cannot hire brocade consultant due to geographic reasons) is not possible (unlike other brands)
