Global Technology Services BeNeLux Center
MTS Technical Support Competence Center

Virtual Switches, SEA and VLAN: how it works
Learn it through a nice journey in ZTRANS

bernard_lemal@be.ibm.com
Prepared during Austin ZTRANS Internship, Aug 2010
© 2010 IBM Corporation

Introduction
- The VLAN topic has already been presented in excellent reference materials related to PowerVM:
  - SEA
    - http://ausgsa.ibm.com/projects/o/oneteam/public/Education/Brown.Bag/Brown%20Bag%20on%20SEA.ppt
  - VLAN Tagging
    - https://w3.tap.ibm.com/w3ki/download/attachments/931472/vlan.ppt?version=1
    - http://www.ibm.com/developerworks/systems/library/es-pwr5-virtualvlan/index.html
  - Redbook
    - http://www.redbooks.ibm.com/redpapers/pdfs/redp4194.pdf
- The objective of this presentation is to complement them:
  - explain what I learned thanks to teaming between VIO and network people
  - show how it works on a real example, playing the role of an IP packet
  - share my findings with graphics and animation
  - tell a nice story, with a happy end

Basic terminology clarification
- VLAN = Virtual LAN
  - a virtual network of hosts that behave as if they are physically connected, regardless of their switch connection
  - There is usually a one-to-one correspondence between VLAN (layer 2) and IP subnet (layer 3)
- PVID = Port VLAN ID
  - Characteristic of the port of a virtual or physical switch
  - It determines the handling of an IP packet passing through it: tagging, untagging, dropping
- VID = VLAN ID
  - Tag of the IP packet
  - encapsulated or removed when passing through a switch port

Let's experience the life of an IP packet…
- by exploring the virtual and real networking worlds during a funny, wired journey
- and imagine that we are an IP packet
- An IP packet can be:
  - "untagged" (no header with VLAN ID)
  - tagged with a VLAN ID (= VID), got from a PVID (Port VID)
[Figure labels: IP Packet; VID (we are in Austin, TX)]

This is the virtual and physical world I will explore
[Diagram labels:]
- VIOS 1 and VIOS 2, each with: SEA ent2; VEA ent1 (PVID 1, no VLAN, 802.1q); PEA ent0
- Client VEAs: PVID 1, no VLAN
- Hypervisor: Virtual Switch 1, Virtual Switch 2
- Physical Switch: PVID 1, no VLAN ("access mode" = no trunk)
Notes on the diagram:
- SEA virtual adapter ent2 was created by: mkvdev -sea ent0 -vadapter ent1 -default ent1 -defaultid 1
- SEA in trunk mode (IEEE 802.1q)
- Clients' VEA in access mode
- CISCO switch also in access mode

Let's visit my friend Client 2, who is close to me
[Animated diagram, same labels as the previous slide: every port has PVID 1, no VLAN; Physical Switch in "access" mode (= no trunk); the packet carries VID 1. Captions of the packet along the way:]
- When passing the port, I got a VID = its PVID (VEA in access mode)
- No way: this is another virtual switch... Need to go through another way!!
- Btw, I just lost my head when passing the door
- No problem to access. And I got the PVID of the port.
- I could leave the switch, but lost my VID, matching the PVID of the port.
- Got it again: this is now business as usual.
- I could pass, but lost my VID, because it matched the PVID of the VEA
- Youpee! Was a long journey, but I got it!!

So, this is what I learned so far:
- In an open, unsecure world (all switches have the same, default PVID = 1), my freedom of movement is mainly limited by the wiring (real or virtual switch connections)
- They all want to put a hat on me, then to remove it. So far, it doesn't have much value. Probably something invented by network guys…
(NB: in the meantime, these guys have detected some intrusion and changed the PVID settings of the Cisco switch)

Let's now go back to Client 1…
I am so confident, since this time I know the way!
[Diagram labels: VIOS 1 and VIOS 2 with SEA ent2, VEA ent1 (PVID 1, no VLAN, 802.1q trunk), PEA ent0; Client VEA PVID 1, no VLAN; Physical Switch ("access" mode = no trunk) now PVID 5, no VLAN; the packet carries VID 1.]
Fiddlesticks…!!! The network guy changed something… I am dead

So, this is what I learned so far:
- Never rely on network guys. But this, I already knew…
- Life of an IP packet is fragile… They want to secure the world, but this at the cost of your own life!
- Before travelling around the world, always be very cautious: check that every port of the secure world will be safe for you
- Now they want to kill us, let's use their weapons: I will make sure I have the right tag, by changing the PVID of my origin switch port

I am back. Fortunately, as I am very cautious, I had created some clones of myself. So, I am now Dolly IP packet.
[Diagram labels: Client VEA now PVID 5, no VLAN; VIOS 1 and VIOS 2 with SEA ent2, VEA ent1 (still PVID 1, no VLAN, 802.1q), PEA ent0; Physical Switch ("access" mode = no trunk) PVID 5, no VLAN; the packet carries VID 5.]
What is happening now again??

So, this is what I learned now:
- I forgot to check the VIO port… And any mistake is fatal
- Never rely on your own guys either. You can be thrown away in your own country, and in the virtual as well as the physical world…
- So, let's also change the PVID of both VIOS to 5

I already tested with PVID=1 everywhere, but let's quickly test 5. Who knows? (twice bitten twice shy…)
[Diagram labels: Client VEAs PVID 5, no VLAN; VIOS 1 and VIOS 2 with SEA ent2, VEA ent1 (PVID 5, no VLAN, 802.1q), PEA ent0; Physical Switch ("access" mode = no trunk) PVID 5, no VLAN; the packet carries VID 5 all the way.]

So, this is the current status:
- Through life experience (the most valuable one), I got some knowledge on how PVID and VID work
- Let's now be more ambitious: VIO Clients would like to be on a separate VLAN (50), and still be able to talk together…
- I am wondering if I shouldn't sit together with network guys and transform them into partners, for managing the world more efficiently… I am afraid there is no other way

Let's visit again my friend Client 2
[Animated diagram labels: Client VEA PVID 50; VIOS 1 and VIOS 2 VEA ent1 changing from PVID 5, no VLAN to PVID 5 + VLAN 50 (802.1q), with SEA ent2 and PEA ent0; Physical Switch ("access" mode = no trunk) PVID 5, no VLAN; the packet carries VID 50, then VID 5. Captions of the packet along the way:]
- Great! Now, I can really enjoy my trip.
- Need to do something: let me put an additional VLAN ID to ent1
- I could enter. But I got VID 5 again. And I would like to keep 50…

So, what to do now?
- I am now ready for one more step: get familiar with VLAN usage. One small step for an IP packet, one giant leap for packet mankind
- This time, I really need to discuss this with network guys…
- They explain the following to me: in addition to allowing VLAN 50 on the Cisco switch, I should also change my VIOS settings, to allow me to keep my VID 50 when leaving home
- I found this amazing! The network guys now helping me to resolve my own VIO issues!??
- Actually, a new collaborative, efficient world is now happening, with good relationships and communication between all people!

Let's visit my friend Client 2, who is close to me
So, let's start again…
Three actions are required:
1. Add VLAN 50 to ent1 in the profile of both VIOS
   This allows me to pass ent1 (already done)
2. mkvdev -vlan ent2 -tagid 50 on both VIOS
   This creates ent3 and allows my VID 50 to be kept
3. Set CISCO ports to trunk mode and add VLAN 50
[Diagram labels: VIOS 1 and VIOS 2 with ent3, SEA ent2, PEA ent0, VEA ent1 (PVID 5 + VLAN 50, 802.1q); Client VEAs PVID 50; Physical Switch (trunk mode) PVID 5 + VLAN 50; the packet carries VID 50.]
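
The port rule this journey illustrates (a port's PVID decides whether a packet is tagged, untagged or dropped), as an added example that is not part of the original slides: a generic IEEE 802.1Q port model in Python, run on a constructed Ethernet frame. The Port class, the sample frame and client_to_vios are hypothetical names for illustration; the SEA bridge and the mkvdev -vlan device are not modelled.

```python
import struct

TPID = 0x8100  # EtherType that marks an IEEE 802.1Q tag

def get_vid(frame):
    """Return the VLAN ID carried by an Ethernet frame, or None if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def add_tag(frame, vid):
    """Insert a 4-byte 802.1Q tag (priority 0) after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def strip_tag(frame):
    """Remove the 802.1Q tag, restoring the original EtherType position."""
    return frame[:12] + frame[16:]

class Port:
    """Hypothetical switch port: a PVID plus the additional VLAN IDs it allows."""
    def __init__(self, pvid, vlans=()):
        self.pvid, self.vlans = pvid, set(vlans)

    def into_switch(self, frame):
        """Frame arriving from the adapter: untagged frames take the PVID."""
        vid = get_vid(frame)
        if vid is None:
            return add_tag(frame, self.pvid)
        return frame if vid == self.pvid or vid in self.vlans else None

    def out_of_switch(self, frame):
        """Frame leaving towards the adapter: untag, keep the tag, or drop."""
        vid = get_vid(frame)
        if vid == self.pvid:
            return strip_tag(frame)
        return frame if vid in self.vlans else None

# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
FRAME = bytes.fromhex("0a0000000002" "0a0000000001" "0800") + b"payload"

def client_to_vios(client_pvid, vios_pvid, vios_vlans=()):
    """Client VEA -> virtual switch -> VIOS trunk VEA (ent1).
    Returns the frame handed to the VIOS, or None if the port dropped it."""
    tagged = Port(client_pvid).into_switch(FRAME)
    return Port(vios_pvid, vios_vlans).out_of_switch(tagged)

if __name__ == "__main__":
    for cfg in [(1, 1), (5, 1), (5, 5), (50, 5, [50])]:
        out = client_to_vios(*cfg)
        print(cfg, "dropped" if out is None else f"passed, VID={get_vid(out)}")
```

The (5, 1) case is the drop on the VIOS port from the Dolly slide; the (50, 5, [50]) case passes ent1 once VLAN 50 is added to it. A port with PVID 5 and no additional VLAN refuses a frame tagged 50, while the same port with VLAN 50 added accepts it.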

Conclusions
- It was a nice journey, where I learned a lot…
- I loved my role of IT packet
- IT packets are passing and dying. But the human trace of nice teaming stays forever
- Thank you, ZTRANS, a jewel within IBM. Not only are you resolving customers' issues, but you demonstrate a new collaborative world in IBM
- Movies, drawings and animations are more effective for communication and learning than using paper, whiteboard and vi
- Slides: 18