09-09-2015 11:54 PM
I am a little confused about these tagged and untagged ports as to when they can be used.
I know tagged means trunk, it can carry multiple VLANs, and untagged means Cisco's access mode, it can carry just one VLAN.
First question: what should the port be, tagged or untagged, for an ESXi host that has hosts in multiple subnets? Only one subnet is part of a VLAN (used for management) while the remaining subnets are DMZ and local LAN, which are not configured as VLANs. We are in the process of shifting to a datacenter setup which will have subnets with VLANs and subnets without VLANs like DMZ.
Second question: I am using port-based VLANs. Let's say I have a VLAN 4000 on the Brocade switch which works on subnet 172.16.0.1/24.
So if a port is tagged in VLAN 4000 and I want to connect a server with an IP address that does not belong to that subnet, for example 184.108.40.206/24, will it work? My routing is done through a Juniper firewall which has a DMZ port without VLAN and a port configured with VLAN for management.
Third question: what do I use to connect ports from the firewall like the DMZ port without VLANs, tagged or untagged ports?
09-16-2015 01:52 PM
Here are my answers:
1) If you are tagging VLANs on the ESXi side you must tag those VLANs on the Brocade side too.
2 and 3)
You should use a route-only interface to communicate with firewalls which have no VLAN config on them:
SSH@ICX7450-24P Router(config)#int e 1/1/24
SSH@ICX7450-24P Router(config-if-e1000-1/1/24)#route-only
! Disables Layer 2 switching on this port
SSH@ICX7450-24P Router(config-if-e1000-1/1/24)#ip address 220.127.116.11 255.255.255.0
So you can communicate with 18.104.22.168 over the L3 interface. Only static routing/a default gateway is needed on both the Brocade and the Juniper firewall side.
If you have any questions, please don't hesitate to ask.
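As an added example (not from Destan's post or from Brocade documentation), here is a FastIron-style configuration that puts the pieces of this answer together: VLAN 4000 tagged toward the ESXi uplink, an untagged port for a host that lives only in VLAN 4000, the route-only port toward the Juniper firewall, and the static default route mentioned above. Ports 1/1/1 and 1/1/2, the VLAN name, the ve interface and 172.16.0.1 as the switch's own address are assumptions; the IP addresses on the firewall link are the ones from the answer.

```text
! Constructed example, not a real running-config.
! Management VLAN 4000 (172.16.0.0/24): tagged toward the ESXi uplink,
! so the vSwitch port group on the host must carry VLAN ID 4000 as well.
vlan 4000 name MGMT by port
 tagged ethernet 1/1/1
 untagged ethernet 1/1/2
 router-interface ve 4000
!
! The switch's Layer 3 interface in VLAN 4000 (gateway for that subnet).
interface ve 4000
 ip address 172.16.0.1 255.255.255.0
!
! Routed link (no Layer 2 switching) to the firewall port that has no VLAN config.
interface ethernet 1/1/24
 route-only
 ip address 220.127.116.11 255.255.255.0
!
! Default route toward the firewall; the firewall needs a matching static
! route back to 172.16.0.0/24 via 220.127.116.11.
ip route 0.0.0.0 0.0.0.0 18.104.22.168
```

Because the firewall link is route-only, the firewall's DMZ side never shares a Layer 2 domain with the ESXi trunk, so the only way between the two is through the firewall's routing and policy.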
09-17-2015 10:05 PM
Thanks Destan for your response.
You are right regarding tagging and untagging.
For my ESXi, since it is not tagged with any VLAN, I will be able to pass traffic using default VLAN 1 untagged interfaces.
My DMZ firewall interface on the Juniper SRX cluster is not on a VLAN, so the same applies as above.
I cannot use router commands because unfortunately I use an ICX 6430 switch which does not support these commands.
I am still in the testing phase. I will post more results as soon as I am finished.
12-01-2015 06:18 PM
The Brocade ICX 6430 should support the route-only command. Basic routing is included in the base license. If you will have multiple VLANs on the ESXi host I would recommend tagging all VMware traffic VLANs. I would use a separate interface for ESXi management and a separate interface for vMotion as well (if applicable).