I realize this involves blades and chassis configuration, but this appears to be a problem with routing through the Force10 switch so I have posted this here.
We have an M1000e deployed with Force10 switches. We have 3 networks with the following VLANs:
- ISSNET (No VLAN): Fabric C connected via 4 port LAG to stack of Cisco 2960 switches.
- DEVNET (VLAN14): Fabric A connected via 2 port LAG to single Cisco 2960 switch with a few physical machines connected to it.
- MGMTNET (VLAN17): M1000e CMC connected to Cisco SF200 switch with other DRAC/iLo ports connected to it. Goal is to use some ports on fabric A connected via 2 port LAG to single Cisco SF200 switch with a few DRAC/iLo connected to it.
Note: Fabric B is the SAN/vMotion network and is not connected to the firewall or any other network.
We want to use a virtual machine as a firewall running on the M1000e to control access to MGMTNET and DEVNET from ISSNET. We were previously running the firewall as a VM on an R710 that I am trying to get rid of and would like to move the VM to the appropriate blade. The blade(s) it will run on is connected to all fabrics. For simplicity, I will use blade 16 for the example.
The firewall is working between DEVNET and ISSNET. The Force10 config for the DEVNET is:
Internal blade port
interface TenGigabitEthernet 0/16
description Internal_server_NIC
no ip address
mtu 12000
portmode hybrid
switchport
flowcontrol rx on tx off
spanning-tree rstp edge-port
no shutdown
Force10 external port connected to Cisco 2960 switch
interface TenGigabitEthernet 0/49
description VLT_LAG_member
no ip address
flowcontrol rx on tx off
!
port-channel-protocol LACP
port-channel 1 mode active
no shutdown
LAG port channel to Cisco 2960 switch
interface Port-channel 1
description PoC-1_VLT_LAG
no ip address
portmode hybrid
switchport
vlt-peer-lag port-channel 1
no shutdown
VLAN14
interface Vlan 14
description ESXi_&_vCenter
no ip address
tagged TenGigabitEthernet 0/1-29
tagged Port-channel 1
untagged TenGigabitEthernet 0/41-42,50
no shutdown
Cisco 2960
2 LAG ports are configured in trunk mode and default VLAN is set to 14 for the switch.
I thought I would just need to configure a similar setup for VLAN17, LAG port channel to Cisco SF200, and Force10 external port to Cisco SF200 so I configured the below:
Internal blade port
interface TenGigabitEthernet 0/32
description Internal_server_NIC
no ip address
mtu 12000
portmode hybrid
switchport
flowcontrol rx on tx off
spanning-tree rstp edge-port
no shutdown
Force10 external port connected to Cisco SF200 switch
interface TenGigabitEthernet 0/52
description VLT_LAG_17_member
no ip address
flowcontrol rx on tx off
!
port-channel-protocol LACP
port-channel 17 mode active
no shutdown
LAG port channel to Cisco SF200 switch
interface Port-channel 17
description PoC-17_VLT_LAG
no ip address
portmode hybrid
switchport
vlt-peer-lag port-channel 17
no shutdown
VLAN17
interface Vlan 17
description ManagementNet
no ip address
tagged TenGigabitEthernet 0/30-32
tagged Port-channel 17
no shutdown
Cisco SF200
2 LAG ports are configured in trunk mode and default VLAN is set to 17 for the switch.
The firewall cannot connect to the Cisco SF200 switch, the chassis CMC, or the Force10 management ports. I cannot connect to the firewall from a machine connected to the Cisco SF200 switch, but I can connect to the chassis CMC and Force10 management ports.
The firewall can connect to other virtual machines on VLAN17 on the same and other blades so it doesn't appear to be a problem with the internal blade port. It seems to be a problem with the LAG connection.
I cannot figure out what I am doing wrong or if this is even possible. Since the CMC is connected to the Cisco SF200 switch, I am wondering if that is going to prevent this configuration from working. Does anyone have any ideas?
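As an added example (not part of the question or any answer), here is a small Python parser for the FTOS `interface Vlan` syntax shown above. It expands the `tagged`/`untagged` port ranges so you can see which VLANs each internal port and port-channel actually carries, which VLANs a blade port shares with an uplink LAG (a precondition for traffic getting across the switch), and which ports sit on both VLAN 14 and VLAN 17 at once (the only intended bridge between DEVNET and MGMTNET is the firewall VM, so a switch port on both is worth knowing about). The config text is constructed from the snippets in the post with descriptions trimmed; no port-to-blade mapping is assumed, and the checks only cover interfaces that appear in the text.

```python
import re
from collections import defaultdict

# Constructed sample: the FTOS snippets from the post, joined into one config.
SAMPLE_CONFIG = """
interface TenGigabitEthernet 0/16
 no ip address
 mtu 12000
 portmode hybrid
 switchport
 no shutdown
!
interface TenGigabitEthernet 0/32
 portmode hybrid
 switchport
 no shutdown
!
interface TenGigabitEthernet 0/49
 no ip address
 !
 port-channel-protocol LACP
  port-channel 1 mode active
 no shutdown
!
interface Port-channel 1
 portmode hybrid
 switchport
 vlt-peer-lag port-channel 1
!
interface Port-channel 17
 portmode hybrid
 switchport
 vlt-peer-lag port-channel 17
!
interface Vlan 14
 tagged TenGigabitEthernet 0/1-29
 tagged Port-channel 1
 untagged TenGigabitEthernet 0/41-42,50
!
interface Vlan 17
 tagged TenGigabitEthernet 0/30-32
 tagged Port-channel 17
!
"""

MEMBER_RE = re.compile(r"^(tagged|untagged)\s+(\S+)\s+(\S+)$")


def expand_members(iftype, spec):
    """Expand 'TenGigabitEthernet 0/41-42,50' or 'Port-channel 1' into full names."""
    if "/" in spec:                      # stacked port: keep the 'unit/' prefix
        prefix, ranges = spec.rsplit("/", 1)
        prefix += "/"
    else:
        prefix, ranges = "", spec
    names = []
    for part in ranges.split(","):
        lo, _, hi = part.partition("-")
        for n in range(int(lo), int(hi or lo) + 1):
            names.append(f"{iftype} {prefix}{n}")
    return names


def parse_ftos(text):
    """Return (interfaces, vlan_members).
    interfaces: name -> {'switchport', 'portmode', 'lag'}
    vlan_members: vlan id -> {port name: 'tagged' | 'untagged'}"""
    interfaces, vlan_members, current = {}, defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":       # '!' is only a separator in FTOS output
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = {"switchport": False, "portmode": None, "lag": None}
            continue
        if current is None:
            continue
        if current.startswith("Vlan "):
            m = MEMBER_RE.match(line)
            if m:
                mode, iftype, spec = m.groups()
                vid = int(current.split()[1])
                for port in expand_members(iftype, spec):
                    vlan_members[vid][port] = mode
        elif line == "switchport":
            interfaces[current]["switchport"] = True
        elif line.startswith("portmode "):
            interfaces[current]["portmode"] = line.split()[1]
        elif line.startswith("port-channel ") and " mode " in line:
            interfaces[current]["lag"] = "Port-channel " + line.split()[1]   # LACP member
    return interfaces, dict(vlan_members)


def vlans_for(vlan_members, port):
    """VLAN id -> 'tagged'/'untagged' for one port name."""
    return {vid: m[port] for vid, m in vlan_members.items() if port in m}


def shared_vlans(vlan_members, port_a, port_b):
    """VLANs both ports carry; empty means no L2 path between them on this switch."""
    return set(vlans_for(vlan_members, port_a)) & set(vlans_for(vlan_members, port_b))


def ports_bridging(vlan_members, vid_a, vid_b):
    """Ports present on both VLANs (only the firewall VM's NIC should join 14 and 17)."""
    return set(vlan_members.get(vid_a, {})) & set(vlan_members.get(vid_b, {}))


def audit(interfaces, vlan_members):
    """VLAN members that lack 'switchport' or carry tags without 'portmode hybrid'."""
    findings = []
    for vid, members in vlan_members.items():
        for port, mode in members.items():
            cfg = interfaces.get(port)
            if cfg is None:
                continue                  # interface not shown; nothing to judge
            if not cfg["switchport"]:
                findings.append(f"{port} is {mode} on VLAN {vid} but has no 'switchport'")
            if mode == "tagged" and cfg["portmode"] != "hybrid":
                findings.append(f"{port} carries tagged VLAN {vid} without 'portmode hybrid'")
    return findings


if __name__ == "__main__":
    ifs, vm = parse_ftos(SAMPLE_CONFIG)
    for port in ("TenGigabitEthernet 0/16", "TenGigabitEthernet 0/32", "Port-channel 1", "Port-channel 17"):
        print(port, vlans_for(vm, port))
    print("bridging 14<->17:", ports_bridging(vm, 14, 17))
    print("findings:", audit(ifs, vm) or "none")
```

Run it against a `show running-config` dump instead of the constructed sample to see the same view for the whole switch; the point of `shared_vlans` is that a blade NIC and the uplink LAG it is supposed to reach must share at least one VLAN, and `ports_bridging` lists anything other than the firewall's NIC that would join the two networks behind its back.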