VLAN Tagging Question vs. Untagged Traffic

  • Problem
  • Updated 3 years ago
  • Solved
Hi there,

I am new to Extreme switching (Enterasys B5k switch) with my new gig, please help.

Here is the scope of the issue we are having and what we need to accomplish:

Our switch stack is passing through a couple of VLAN-tagged traffic streams (V10 & V100), but we have a 3rd-party threat scanner (physical gear) that is not VLAN aware (all VLAN-tagged traffic is dropped).

We already tried creating a port mirror on another switch and passing the traffic through; still not working.

Any suggestions?

Thanks
Will Hou

Posted 3 years ago

Patrick Voss, Employee
If the device connected to the switch is not VLAN aware, the port should be added to the VLAN as untagged. For the uplink traffic you can still add the uplink port to the same VLAN as tagged from switch to switch.

Please let me know if there is something I am missing and I will help!
Will Hou
Hi Patrick,

Thanks for the suggestion. That's what we did, and our 3rd-party vendor can even remote into the device from outside our network. But the device just can't see any of our internal traffic (since it is doing passive scanning), which is all dropped. Does the Extreme B5 line support VLAN translation (like Cisco), or anything similar?

Thanks
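The symptom Will describes (management access to the scanner works, but it sees none of the mirrored traffic) is what you get when frames reach a NIC or decoder that does not understand 802.1Q: the 0x8100 TPID sits where an untagged header has its EtherType, so the frame is discarded as an unknown protocol. The quickest check is to capture on the sensor's own interface (for example `tcpdump -i <sensor-nic> -w sensor.pcap`) and see whether the frames are still tagged. The script below is an added example, not code from the thread or from Extreme Networks: it parses classic libpcap captures, walks 802.1Q and 802.1ad (QinQ) tag stacks, counts tagged versus untagged frames, and shows what stripping the tag (the effect of "egress untagged" on the switch) looks like at the byte level. The MAC addresses and frames are constructed for the example, not captured from anyone's network.

```python
"""Check whether frames reaching a non-VLAN-aware sensor still carry 802.1Q tags.
Added example, not from the thread or from Extreme Networks. Reads a classic
libpcap file from the sensor NIC, or falls back to the constructed samples below."""
import struct
import sys

ETH_P_8021Q = 0x8100   # 802.1Q customer tag (C-tag)
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (QinQ S-tag)
ETH_P_IPV4 = 0x0800
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",   # microsecond pcap
               b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<"}   # nanosecond pcap


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_ids, ethertype, payload), walking any tag stack.

    vlan_ids is outermost first. A decoder that only knows the 14-byte untagged
    header reads 0x8100 where it expects the EtherType and drops the frame,
    which is exactly what the non-VLAN-aware scanner in the thread does."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, offset, vlan_ids = frame[:6], frame[6:12], 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)        # low 12 bits are the VID; PCP/DEI ignored
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return dst, src, vlan_ids, ethertype, frame[offset + 2:]


def strip_vlan_tags(frame: bytes) -> bytes:
    """Rebuild the frame without its tags: what 'egress untagged' on the switch yields."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, tpid: int = ETH_P_8021Q) -> bytes:
    """Push a tag onto a frame in the outermost position (used to build samples)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def summarize(frames) -> dict:
    """Count tagged vs untagged frames and the VIDs seen. Anything counted as
    'tagged' is traffic the sensor in the thread would silently discard."""
    summary = {"untagged": 0, "tagged": 0, "vids": {}}
    for frame in frames:
        vids = parse_frame(frame)[2]
        summary["tagged" if vids else "untagged"] += 1
        for vid in vids:
            summary["vids"][vid] = summary["vids"].get(vid, 0) + 1
    return summary


def pcap_frames(data: bytes):
    """Yield Ethernet frames from a classic libpcap capture (pcapng is not handled)."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap capture")
    endian = PCAP_MAGICS[data[:4]]
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:                        # DLT_EN10MB
        raise ValueError(f"link type {linktype} is not Ethernet")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            break                            # truncated capture, stop cleanly
        yield data[offset:offset + incl_len]
        offset += incl_len


def pcap_bytes(frames) -> bytes:
    """Serialise frames as a big-endian classic pcap (for building test input)."""
    out = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack(">IIII", i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample frames: made-up MAC addresses and a minimal IPv4 header stub.
SAMPLE_UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                   + struct.pack("!H", ETH_P_IPV4) + b"\x45" + b"\x00" * 19)
SAMPLE_VLAN10 = tag_frame(SAMPLE_UNTAGGED, 10)
SAMPLE_VLAN100 = tag_frame(SAMPLE_UNTAGGED, 100, pcp=5)
SAMPLE_QINQ = tag_frame(SAMPLE_VLAN10, 100, tpid=ETH_P_8021AD)   # S-tag 100 over C-tag 10

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # e.g. tcpdump -i <sensor-nic> -w sensor.pcap
        with open(sys.argv[1], "rb") as fh:
            frames = list(pcap_frames(fh.read()))
    else:
        frames = [SAMPLE_UNTAGGED, SAMPLE_VLAN10, SAMPLE_VLAN100, SAMPLE_QINQ]
    print(summarize(frames))
```

Run it against a capture taken on the scanner's interface: if `tagged` is non-zero and the VIDs are 10 and 100, the monitor port is still sending tagged frames and the switch-side egress setting, not the scanner, is what needs fixing. A count of zero frames of either kind points at something upstream of tagging, such as the mirror session or spanning tree not forwarding on the port.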
Curtis Parish
Have you set the port VLAN?

set port vlan ge.1.2  123   
Will Hou
Hi Curtis,

Yes, we did. See below:

set port vlan ge.1.33;ge.1.35 11 modify-egress
set port mirroring create ge.1.33 ge.1.34

Once this was done, we couldn't pass any traffic.

Any thoughts or suggestions would be appreciated.

Thanks
Paul Poyant, Employee
In this instance it is ge.1.34, as the mirror monitor port, that would need to be set to egress VLAN 11 untagged.  Also, earlier you mentioned VLANs 10 and 100 but not VLAN 11.  A broader view of the configuration might be helpful here.
Kees, Kevin, Employee
Hi Will,
If you simply want to egress multiple VLANs out a specific port, untagged, it looks like the B5s will let you do that:
set vlan egress 10,100 ge.1.34 untagged

If this doesn't work out, you may be able to mirror the traffic to a vlan and egress that vlan untagged to your threat scanner.

Hope this helps
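Putting Patrick's advice (untagged toward the non-VLAN-aware device, tagged on the switch-to-switch uplink), Kevin's multi-VLAN untagged egress command, and Paul's point that it is the monitor port rather than the source port that needs untagged egress together, a complete configuration for this setup would look like the fragment below. This is an added example, not the poster's configuration and not one supplied by Extreme. It assumes ge.1.1 is the uplink to the other switch, ge.1.33 is the port whose traffic is to be inspected, ge.1.34 is the port the scanner is cabled to, and VLANs 10 and 100 as in the first post. Only the `set vlan egress ... untagged` and `set port mirroring create` lines are quoted from the thread; the remaining lines are EOS command syntax from memory and should be checked against the B5 CLI reference for your firmware before use.

```text
set vlan create 10,100
set vlan egress 10,100 ge.1.1 tagged
set vlan egress 10,100 ge.1.34 untagged
set port mirroring create ge.1.33 ge.1.34
set spantree portadmin ge.1.34 disable
show port mirroring
show vlan portinfo port ge.1.34
```

The `set spantree portadmin ... disable` line is there because of the root cause Will reports later in the thread: spanning tree was what kept the scanner from seeing traffic. Taking the monitor port out of spanning tree is reasonable only because a passive sensor never forwards frames back into the switch; do not apply it to the uplink. After committing, confirm with `show port mirroring` that the session is enabled and with `show vlan portinfo` that ge.1.34 lists both VLANs as untagged egress, then capture on the scanner's NIC to verify that the frames really arrive without a tag.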
Will Hou
Thank you Kevin,

I will give it a shot tomorrow.

Thanks again
Paul Poyant, Employee
It is likely that you will be able to get this working without resorting to mirroring to a VLAN - which I will state as being "somewhat" unsupported in the conventional sense.  Some SecureStack models - including the B5-Series - do support "VLAN marking of mirrored traffic - Edge only" which can have the effect of VLAN mirroring.

You may or may not find it to be useful here, noting that a key element is the (optional) VLAN-tagging of mirrored traffic. As desired, configuration guidelines are in Hub Article 10518, "G/C5/C3/B5/B3-Series Considerations for Use of Remote Port Mirroring".
Will Hou
Hi Paul,

Thanks for the awesome tips! I will definitely explore that option with support. It just troubles me that this won't work with this simple setup, which I could get done with Cisco very quickly.

Thank you
Will Hou
Hi guys,

Thanks again for all the tips. I have found the root cause of our issue: the spanning tree configuration was what kept the Check Server from seeing the traffic.

Once I put a Cisco switch in the middle as a jumper with a generic VLAN created, everything worked.

Thanks again.

Will