09-24-2012 06:23 PM
At my place of employment we've implemented a couple PAN-2020s in HA and have defined about 6 to 8 networks 1 attached to 1 physical port in a L3 configuration. We have cables running to a switch that each are untagged with different vLAN ID's (LAN = Default_VLAN, DMZ = DMZ_VLAN, etc). The vLAN'ing is done on the switch (HP ProCurve 2810-48G) and other ports are tagged and represented to VMware hosts.
PAN --> HP 2810-48G ==< VMware HOSTs
I have a few open ports, but am needing to create about 3 more networks to use and have quickly run out of physical ports.
For those of you who have done this, or any PAN techs helping out here, what is the best practice for implementing vLANS in this type of environment. I've seen some example of L2 configurations as well as L3 and I am a bit confused on what is best.
What is the best way to make a handful of physical ports aggregate on the firewall to present those vLANs to the switches, and then to the VMware hosts without doing that over just one cable? Do I need to configure the vLANs on the switch as well and tag those ports?
I realize these are a lot of questions - unfortunately the project was escalated a few months ago and I did not get sufficient time to design this out, so it's made it hard to design well, and I have some opportunity to implement changes before this environment goes 100% into production. So I don't have quite the liberty to test this out.
Am I on the right track with this document?
Thanks for all your help!
09-24-2012 08:06 PM
For terminating multiple VLANs on the same physical interface, multiple tagged sub-interfaces should be created
09-25-2012 04:08 PM
Can you aggregate these across interfaces?
09-25-2012 04:12 PM
09-25-2012 04:46 PM
Yeah,this configuration was accepted by the firewall.
10-10-2012 01:46 PM
I had one additional question pertaining to this initial question.
So within my network, I have setup all the VLANs on L3 interfaces, with no networks defined (untagged) - everything works great. However, when I define a network on another L3 interface, without any VLANing all my networking goes crazy. The reason I am needing to do this is because some devices that have management interfaces (like our SAN, PAN FWs, and KVM) does not support vlan tagging on their interfaces. But since I can't specify a network on the default vlan L3 interface, I am now unable to manage these devices (without buying another switch. So my question was, can I create another virtual router and setup a L3 interface with the untagged vlan and network (a management network of sorts) present that to the default vlan on my switch, to manage such devices and then just route traffic between the to VRs? Does that make sense. Anyone else run into this before?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!