VLAN Tagging Question vs. Untagged Traffic


Hi there,

I am new to Extreme switching (Enterasys B5k switch) with my new gig, please help.

Here is the scope of the issue we are having and what we need to accomplish:

Our switch stack passes through a couple of VLAN-tagged traffic flows (V10 & V100), but we have a 3rd-party threat scanner (physical gear) that is not VLAN aware (all VLAN-tagged traffic is dropped).

We already tried creating a port mirror on another switch and passing the traffic through; still not working.

Any suggestions?

Thanks

10 replies

If the device connected to the switch is not VLAN aware the port should be added to the VLAN as untagged. For the uplink traffic you can still add the uplink port to the same VLAN as tagged from switch to switch.

Please let me know if there is something I am missing and I will help!
Hi Patrick,

Thanks for the suggestion. That's what we did, and our 3rd-party vendor can even remote into the device from side our network. But the device just can't see any of our internal traffic (since it is doing passive scanning), all of which is dropped. Does the Extreme B5 line support VLAN translation (like Cisco), or anything similar?

Thanks
Have you set the port VLAN?

set port vlan ge.1.2 123
Hi Curtis,

Yes, we did. See below:

set port vlan ge.1.33;ge.1.35 11 modify-egress
set port mirroring create ge.1.33 ge.1.34

Once this was done, we can't pass any traffic.

Any thoughts or suggestions would be appreciated.

Thanks
In this instance it is ge.1.34, as the mirror monitor port, that would need to be set to egress VLAN 11 untagged. Also, earlier you mentioned VLANs 10 and 100 but not VLAN 11. A broader view of the configuration might be helpful here.
Hi Will,
If you simply want to egress multiple vlans out a specific port, untagged, it looks like the B5's will let you do that:
set vlan egress 10,100 ge.1.34 untagged

If this doesn't work out, you may be able to mirror the traffic to a vlan and egress that vlan untagged to your threat scanner.

Hope this helps
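To make concrete why a non-VLAN-aware passive scanner "drops" tagged traffic and what an untagged egress rule on the monitor port does to each frame, here is an added Python model of the two behaviours. It is example code written for this thread, not code from the original posts or from Extreme/Enterasys, and it does not talk to a switch: it builds constructed 802.1Q frames (the MAC addresses and payload are made up), strips the tag the way an untagged egress port would, and checks which frames a legacy sniffer that only understands the IPv4/ARP EtherTypes would actually parse. The VLAN numbers 10 and 100 are taken from the thread; VLAN 20 is an extra constructed VLAN to show what happens to a VLAN the port is not a member of.

```python
"""Model of 802.1Q tagging vs. a non-VLAN-aware passive scanner (added example)."""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID that sits where a legacy device expects the EtherType
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed sample addresses and payload; not from the thread.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45\x00" + bytes(18)   # stand-in for the start of an IPv4 header


def build_frame(dst, src, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Build an Ethernet II frame; with vlan_id set, insert an 802.1Q tag after SRC."""
    frame = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)        # PCP (3 bits), DEI (1), VID (12)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """VLAN-aware parse: returns dst, src, vlan (None if untagged), ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_tag(frame):
    """Model of 'set vlan egress ... untagged': the switch removes the 4-byte tag."""
    p = parse_frame(frame)
    return build_frame(p["dst"], p["src"], p["payload"], None, p["ethertype"])


def legacy_scanner_accepts(frame):
    """Model of a non-VLAN-aware scanner: it reads bytes 12-13 as the EtherType and
    only understands IPv4/ARP, so a frame whose EtherType slot holds 0x8100 is discarded."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return ethertype in (ETHERTYPE_IPV4, ETHERTYPE_ARP)


def egress(frames, untagged_vlans, tagged_vlans):
    """Model the monitor port's egress list: VLANs in untagged_vlans leave without a
    tag, VLANs in tagged_vlans leave tagged, any other VLAN is not forwarded out this
    port. Frames that were already untagged pass unchanged."""
    out = []
    for f in frames:
        vlan = parse_frame(f)["vlan"]
        if vlan is None or vlan in tagged_vlans:
            out.append(f)
        elif vlan in untagged_vlans:
            out.append(strip_tag(f))
    return out


def scanner_visible_count(frames, untagged_vlans, tagged_vlans=frozenset()):
    """How many of the frames the legacy scanner would actually analyse."""
    return sum(legacy_scanner_accepts(f)
               for f in egress(frames, untagged_vlans, tagged_vlans))


if __name__ == "__main__":
    traffic = [build_frame(DST, SRC, PAYLOAD, vlan_id=v) for v in (10, 100, 10, 20)]
    print("all VLANs tagged on the monitor port, scanner sees:",
          scanner_visible_count(traffic, set(), {10, 100, 20}))
    print("VLANs 10/100 egress untagged, scanner sees:",
          scanner_visible_count(traffic, {10, 100}))
```

The first run reproduces the symptom in the original post (tagged frames reach the scanner, none are parsed); the second reproduces Kevin's suggestion, where VLANs 10 and 100 leave the monitor port untagged and become visible while the VLAN the port is not a member of is simply not forwarded. One caveat the model makes visible: once the tag is stripped, the scanner can no longer tell which VLAN a frame came from, so any per-VLAN reporting on the scanner side is lost.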
Kees, Kevin wrote:

Hi Will,
If you simply want to egress multiple vlans out a specific port, untagged, it looks like the B5's will let you do that:
set vlan egress 10,100 ge.1.34 untagged

If this doesn't work out, you may be able to mirror the traffic to a vlan and egress that vlan untagged to your threat scanner.

Hope this helps

Thank You Kevin,

I will give it a shot tomorrow.

Thanks again
It is likely that you will be able to get this working without resorting to mirroring to a VLAN - which I will state as being "somewhat" unsupported in the conventional sense. Some SecureStack models - including the B5-Series - do support "VLAN marking of mirrored traffic - Edge only" which can have the effect of VLAN mirroring.

You may or may not find it to be useful here, noting that a key element is the (optional) VLAN-tagging of mirrored traffic. As desired, configuration guidelines are in Hub Article 10518, "G/C5/C3/B5/B3-Series Considerations for Use of Remote Port Mirroring".
Paul Poyant wrote:

It is likely that you will be able to get this working without resorting to mirroring to a VLAN - which I will state as being "somewhat" unsupported in the conventional sense. Some SecureStack models - including the B5-Series - do support "VLAN marking of mirrored traffic - Edge only" which can have the effect of VLAN mirroring.

You may or may not find it to be useful here, noting that a key element is the (optional) VLAN-tagging of mirrored traffic. As desired, configuration guidelines are in Hub Article 10518, "G/C5/C3/B5/B3-Series Considerations for Use of Remote Port Mirroring".

Hi Paul,

Thanks for the awesome tips! I will definitely explore that option with support. It just troubles me that this won't work with this simple setup, which I could get done with Cisco very quickly.

Thank you
Hi Guys,

Thanks again for all the tips. I have found the root cause of our issue: the Spanning Tree configuration was what caused the Check Server to be unable to see the traffic.

Once I put a Cisco switch in the middle as a jumper with a generic VLAN created, everything worked.

Thanks again.

Will
