Cisco switch link configuration - VMware

Discussion in 'General Cisco Certifications' started by Cunningfox, Jul 2, 2013.

  1. Cunningfox

    Cunningfox Byte Poster

    Just for information at the moment (and for giggles, if you will): how would you configure a port (or port channel) for a connection to an ESX host potentially hosting multiple VMs on different VLANs?

    I'll get to why after a couple of replies; hopefully someone will have a great config that I can jump off of... which may take a while given the speed of the site at the moment. Where is everyone :(?
    Certifications: CCNP, CCNA, MCP
    WIP: ??
  2. Cunningfox

    Cunningfox Byte Poster

    Boo at the lack of response.

    OK, here's the question: would you deploy root guard (spanning-tree guard root) on a trunk interface headed toward an ESX server?
    Certifications: CCNP, CCNA, MCP
    WIP: ??
  3. Simonvm

    Simonvm Kilobyte Poster

    We usually have this kind of setup:

    Six NICs per cluster node: two access ports and four trunks.
    Two server switches (3560G or Nexus in the DC) with one access port + two trunks per switch.

    In one of my last projects I had three ESXs with four NICs and four server switches, so I had one port of each node per server switch.

    Here's my config:

    Last edited: Jul 9, 2013
    Certifications: MCITP: EST, MCDST, MCTS, A+, N+, CCNP, CCNA Wireless
  4. Cunningfox

    Cunningfox Byte Poster

    Yay a bite :) thanks.

    Firstly, if you are running spanning-tree bpduguard enable, why the need for spanning-tree guard root? If a BPDU is detected the port gets shut down regardless of whether it's a spoofed root or not.

    That wasn't the trap I was hoping you would fall into; BPDU Guard, however, was. vSwitches do not participate in spanning-tree, and so, just in case, pretty much everyone I can find recommends running BPDU Guard, as you should run this where you should never see a BPDU (see a few quick links below), and I certainly have never found anyone saying don't use it:

    ESX 3 Cisco/VMWare PDF - http://www.vmware.com/files/pdf/vmi_cisco_network_environment.pdf
    Random Blog from 2010 - VMware Virtual Switch: no need for STP « ipSpace.net by @ioshints
    VMWare PDF Best Practices 2012 - http://www.vmware.com/files/pdf/support/landing_pages/Virtual-Support-Day-Best-Practices-Virtual-Networking-June-2012.pdf

    I've thought about it a bit and wondered why you would do this. Imagine the following scenario: you deploy a new VM, assign two NICs to it and shove them on the same VLAN (depending on appliance/OS more fiddling may be involved), and you have just bridged your NICs, creating a loop inside the vSwitch. So a BPDU comes in from the physical switch, loops around and goes back out. Aha, BPDU Guard comes in to save the day, right? Right? Well, no. Yeah, it'll shut down the port for you, 'protecting' your network, and we're saved... for a few minutes.

    Now your server has just popped off the network due to the port shutdown... hasn't VMware got something clever to cover that eventuality? High Availability? Lo and behold, you have your VMware cluster and your switch infrastructure playing whack-a-mole, and pretty soon you'll have lost your entire VMware cluster thanks to BPDU Guard. Hope there wasn't anything important, like your entire server estate, running on that :eek:

    In summary, I personally would only run spanning-tree guard root on any link connected to an ESX host.

    I understand that now, in ESX 5.1, you can actually kill BPDUs on the vSwitch via the command line; however, that IMO just masks the incorrect behaviour. I'd love to hear any opinions on this :).
    Certifications: CCNP, CCNA, MCP
    WIP: ??
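As an added illustration of the port layout described in post #3 and the root-guard-instead-of-BPDU-Guard argument in post #4 (this is not a config from the thread; Simonvm's own config did not survive on the page), here is a Cisco IOS interface configuration for a 3560-class switch. Interface numbers, VLAN IDs (10/20/30 for VMs, 100 for management, 999 as an unused native VLAN) and the host name are hypothetical; the commands themselves are standard IOS.

```cisco
! Added example, not from the thread. Interface names and VLAN IDs are
! hypothetical. Built around post #4's preference: root guard on every
! link toward the ESX host, BPDU Guard explicitly off.
!
! Trunk carrying the VM port-group VLANs to one of the host's trunk NICs.
interface GigabitEthernet1/0/2
 description ESX01 vmnic2 - VM trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Only the VLANs the vSwitch port groups actually use.
 switchport trunk allowed vlan 10,20,30
 ! Unused native VLAN so untagged frames from the host land nowhere useful.
 switchport trunk native vlan 999
 ! No DTP toward a host; the vSwitch will never negotiate a trunk.
 switchport nonegotiate
 ! Skip listening/learning on the trunk; the vSwitch sends no BPDUs.
 spanning-tree portfast trunk
 ! Root guard: a superior BPDU puts the port into root-inconsistent
 ! (blocking) state, and the port recovers by itself once the BPDUs
 ! stop, so the host is never errdisabled.
 spanning-tree guard root
 ! Override a global "spanning-tree portfast bpduguard default" so this
 ! port is not errdisabled on the first BPDU it sees.
 spanning-tree bpduguard disable
 ! Root guard only reacts to superior BPDUs; a plain broadcast loop
 ! inside the vSwitch is caught here instead.
 storm-control broadcast level 1.00
!
! Access port for the host's management / vMotion vmkernel NIC.
interface GigabitEthernet1/0/1
 description ESX01 vmnic0 - management
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree guard root
 spanning-tree bpduguard disable
!
! For comparison, the BPDU Guard variant post #4 argues against: any
! received BPDU errdisables the port, and unless errdisable recovery is
! configured it stays down until an admin does shut / no shut.
! interface GigabitEthernet1/0/3
!  switchport mode trunk
!  spanning-tree portfast trunk
!  spanning-tree bpduguard enable
```

To check which behaviour you actually got after a BPDU arrives: `show spanning-tree inconsistentports` lists ports held in root-inconsistent state by root guard, while `show interfaces status err-disabled` lists ports BPDU Guard has shut down; `show spanning-tree interface GigabitEthernet1/0/2 detail` shows whether root guard, BPDU Guard and portfast are active on the trunk. The port channel version is the same set of `switchport` and `spanning-tree` lines applied to the `interface Port-channel` rather than to each member.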
  5. kevicho

    kevicho Gigabyte Poster

    I'm pretty sure you will just need to tag the port the ESX server is connected to with each VLAN that the ESX server will use; that way traffic should pass through.
    I'll check our config later, but I think this is how we do it here (although we use HP).
    Certifications: A+, Net+, MCSA Server 2003, 2008, Windows XP & 7 , ITIL V3 Foundation
    WIP: CCNA Renewal