network question native vlan 888

lakedude

Platinum Member
Mar 14, 2009
Oh boy, where to start. I work for a big company with a big network. I'm in charge (sort of) of a very small slice of the network. Normally I just monitor the network, maybe turn a port on or off, make changes when new equipment arrives, etc. The biggest thing I ever did was upgrade all the firmware for our managed switches a couple of years ago.

So we just got some new hardware and it is not the typical stuff I'm accustomed to. We replaced a trunk switch with a new trunk switch stack and added hardware firewalls. This has been my first exposure to trunks. To make a long story short, I'm trying to figure out how to configure the ports between our core network and this trunk switch that they are calling the "comm" switch. It looks like other similar units are set to pass VLAN 1 and are set to native VLAN 888. Right now the ports are set to pass all VLANs and there is no native VLAN set.

Can someone explain about the VLANs, especially 888?
Feb 25, 2011
A VLAN is just a way that you assign a switch port to participate in a particular group (VLAN). Each group can be thought of as its own virtual switch. So if you have VLAN 1 and 2 configured on a switch, the ports assigned to VLAN2 and VLAN3 ignore each other, just like they would if you had two physically separate, smaller switches.

This is most frequently used to isolate different kinds of traffic, or different segments of the network. There are security and performance advantages.

A trunk is a port (or ports) configured to allow traffic from multiple VLANs.

A switch's native VLAN is usually used to provide a management IP. By default it's VLAN 1, so you shouldn't use that VLAN for other stuff. (It's special.)

It sounds like your trunk/comm switch is acting as a bridge between your network's core and your other secondary switches. It also sounds like they've configured the trunk switches to have a different management/native VLAN than the VLAN 1 that's the default for your other switches. (Hence why they're configured to pass VLAN 1 even though their own native VLAN is 888.) That sounds like the sort of thing a security consultant would recommend.

So it would be normal for it to simply have all its ports configured in trunk mode. The other switches would have their uplink ports configured in trunk mode as well, and then the other ports (which are presumably connected to end devices like servers or desktop computers) would be configured according to the needs of your end devices. (Most servers and desktops would need an access port to a particular VLAN. Some things, like ESX hosts, would normally get their own trunk port.)
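A small model of what the two settings discussed in this reply do at the frame level, added here as an example and not code from the thread or from any switch vendor. It parses 802.1Q tags and classifies frames the way a trunk port would, under the simplifying assumptions that untagged frames join the native VLAN and that a VLAN outside the trunk's allowed list is not carried at all; the "default" and "hardened" port objects mirror the poster's current setup (all VLANs, native left at 1) and the other sites' setup (pass VLAN 1, native 888).

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_frame(frame: bytes):
    """Return (vlan_id or None, ethertype, payload); handles at most one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]        # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, ethertype, frame[18:]     # VID is the low 12 bits of the TCI

def build_frame(dst, src, ethertype, payload, vid=None):
    """Assemble a frame, inserting an 802.1Q tag (priority 0, no DEI) when a VID is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

class TrunkPort:
    """Simplified trunk port: tagged frames are classified by VID, untagged ones by the native VLAN."""

    def __init__(self, native_vlan, allowed):
        self.native_vlan = native_vlan
        self.allowed = set(allowed)  # VLANs the trunk carries (the "pass VLAN" setting in the thread)

    def classify_ingress(self, frame):
        """Return the VLAN an arriving frame joins, or None if the trunk does not carry that VLAN."""
        vid, _, _ = parse_frame(frame)
        vlan = self.native_vlan if vid is None else vid
        return vlan if vlan in self.allowed else None

    def egress(self, vlan, dst, src, ethertype, payload):
        """Native-VLAN frames leave the trunk untagged; every other VLAN is tagged on the wire."""
        if vlan not in self.allowed:
            raise ValueError(f"VLAN {vlan} is not allowed on this trunk")
        return build_frame(dst, src, ethertype, payload, None if vlan == self.native_vlan else vlan)

# Constructed sample frames: a broadcast ARP request (EtherType 0x0806) arriving untagged, and the same request tagged VLAN 1.
DST, SRC = b"\xff" * 6, bytes.fromhex("001122334455")
UNTAGGED = build_frame(DST, SRC, 0x0806, b"\x00" * 28)
TAGGED_V1 = build_frame(DST, SRC, 0x0806, b"\x00" * 28, vid=1)

# The poster's current state: every VLAN passes and the native VLAN is still the default, 1.
default_trunk = TrunkPort(native_vlan=1, allowed=range(1, 4095))
# The configuration seen on the other sites: pass VLAN 1 only, native VLAN 888.
hardened_trunk = TrunkPort(native_vlan=888, allowed={1})
```

With the default port, an untagged frame on the trunk lands in VLAN 1, the management VLAN; with the hardened port it is assigned to 888, which the trunk does not carry, while tagged VLAN 1 traffic still passes.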

lakedude

Wow, thanks Dave.

Our local network is configured starting from the cloud/outside to the new hardware firewalls, then to the new stacked "comm" switches and then the core. So these trunk switches are between the core and the firewall to the outside.

Our little site has some older non-standard hardware and that is causing problems when they send us new stuff because our old hardware is not what the senders expect. For example our core is not a stacked core with a single IP but rather several switches each with their own IP and then crosslinked by fiber in the front. Our configuration has no free fiber ports and yet they sent stuff and told us to hook it up to the core using fiber. Bigger sites have stacked cores (stacked in back with blade-stack cables) and they have unused fiber ports but we do not.

The bigger sites would hook their stacked "comm" switch to their stacked core switches using EtherChannel/port-channel.

Since our site does not have a stacked core, we evidently cannot use the port-channel described in the instructions.

I got the thing working by switching the ports from access mode to trunk mode, but that is all I did. The other bigger sites have additional configurations, some of which will definitely not work in our situation and some of which I should perhaps implement. The port-channel stuff is a no-go, but the VLAN stuff seems like something that should be in there.

It is possible that someone in our engineering department is working on this, but it is also just as likely that our little site just slipped through the cracks. The last I heard was that engineering was waiting for us to get a stacked core, but we may never get a stacked core...
