Feature Code Supported Ethernet Adapters
Total Page:16
File Type:pdf, Size:1020Kb
Ethernet Hardware Installed
I’m really interested in the upgrade features that are installed in the Ethernet switches… so the following is just for completeness. My best guess assumptions are highlighted below in red. Please identify / confirm / correct the Ethernet adapters, switches installed AND the qty & features .
Feature Code Supported Ethernet adapters 1762 IBM Flex System EN4054 4-port 10Gb Ethernet Adapter 1763 IBM Flex System EN2024 4-port 1Gb Ethernet Adapter Qty 1 installed ??
IBM Flex System Fabric EN4093 10Gb Scalable Switch – 42x internal ports, 14x 10 Gb and 2x 40 Gb (convertible to 8x 10 Gb) uplinks – Base switch: 10x external 10 Gb uplinks, 14x 10 Gb internal 10 Gb ports – Upgrade 1: Adds 2x external 40 Gb uplinks and 14x internal 10 Gb ports – Upgrade 2: Adds 4x external 10 Gb uplinks, 14x internal 10 Gb ports
IBM Flex System EN2092 1Gb Ethernet Scalable Switch Qty 2 installed ?? – 28 Internal ports, 20 x 1 Gb and 4 x 10 Gb uplinks – Base: 14 internal 1 Gb ports, 10 external 1 Gb ports Qty 2 installed – Upgrade 1: Adds 14 internal 1 Gb ports, 10 external 1 Gb ports Qty 2 ?? – Uplinks upgrade: Adds four external 10 Gb uplinks
IBM Flex System EN4091 10Gb Ethernet Pass-thru – 14x 10 Gb internal server ports – 14x 10 Gb external SFP+ ports
Considerations for Handling VLAN 225
There are several methods, all of which work equally well….. so it will depend upon your goals, security needs, personal preferences, etc. etc.
Options:
1. split the VLAN 225 traffic, at the EXTERNAL EN2092 switches, onto unique ports
considerations:
enough spare ports attached to the VIO Server
probably means removing ports connected to the SEA, thus (possibly) reducing bandwidth available to the SEA. May or may not be an issue. Depends on how much bandwidth is needed.
probably 4 ports now, so reduce the Etherchannel on the SEA to 2 ports and then set up a separate Etherchannel using 2 ports for VLAN 225 allows future manipulation of the SEA without risk of disconnecting your terminal session. Assuming your terminal session is connected via VLAN 225 (and not by a vtterminal from the FSM).
VLAN 225 packets can be tagged or untagged when presented to the VIO Server (probably untagged….. but you have a choice)
VLAN 225 packets are NOT available to the AIX clients. (there are ways around this, such as creating a 2nd SEA but for now I’ll assume this is not a consideration)
some security auditors may insist on this separation. Other security auditors may not care. All these methods are equally secure IMHO.
of all the options, probably the easiest to troubleshoot & easiest to understand / implement…. but you need the spare / extra ports.
2. pass VLAN 225 traffic to the SEA, untagged. Other VLANs would be tagged.
considerations:
any untagged VLAN traffic generated by the AIX clients (purposely, by a hacker, or by accident) would get onto VLAN 225. (sorry not correct)
please consider the above statement retracted. The Virtual Ethernet Adapter (defined in the hypervisor) can be set up to prevent this…… thus it is possible to drop any untagged traffic from the AIX Clients.
regardless, I try to avoid setting up situations where we mix tagged and untagged traffic.
this is what has been initially configured
SEA can continue to utilize 4 ports in the Etherchannel.
3. pass VLAN 225 traffic to the SEA, tagged. Other VLANs would be tagged. Effectively all packets are tagged.
considerations:
any untagged VLAN traffic generated by the AIX clients would be dropped. I assume this is a more desirable effect.
SEA can continue to utilize 4 ports in the Etherchannel. future requirements of adding VLAN 225 to the AIX clients can be accommodated as needed without a lot of re-configuration
need to change the PVID in the switches to a bogus / unused VLAN
additional configuration is required in the VIO Server to recognize VLAN 225. Either:
A. add VLAN 225 (as a new adapter) to the SEA and then add IP onto the newly created adapter. All done within the VIO Server. TCP/IP within the VIO Server is now VLAN aware. OR
B. in the hypervisor (within the VIO Server profile), create 1 additional Virtual Ethernet Adapter with the PVID settings of VLAN 225. IEEE802.q is not set & no additional VLANs are set. Then, within the VIO Server add TCP/IP onto this new virtual adapter. TCP/IP within the VIO Server is VLAN unaware in this case.
Personal Recommendation:
While all options can be made to work….. my personal preference is:
with NO bandwidth considerations:
o #1 OR # 3B OR 3A before
o #2
with bandwidth considerations:
o #3B OR #3A before
o #2
if this is an educational exercise (aka to learn more on how to do things) then go with #3B
the final choice is yours
once a choice is finalized there may be other minor configuration changes needed to get it all to work together that I have failed to document. So let me know the choice and then I’ll look at it once more.
As always, if you have questions, please ask.