Topic
4 replies Latest Post - ‏2013-02-21T21:44:38Z by seroyer
SystemAdmin

Pinned topic Can the SEA defaultid be same as External network PVID?

‏2013-02-20T13:55:23Z |
I had an interesting situation yesterday. I was setting up a vio pair and while setting up the SEA, I managed to kill the entire VLAN. We haven't yet been able to figure out why, please comment if you have insight. Here's the setup:
VIO (both vio servers have the same setup, priorities are correct)
ent0+ent1 => EtherChannel ent8
ent2,ent3: Not used
ent4: slot 300, PVID 1, No VID, No Bridging
ent5: slot 301, PVID 1, No VID, Bridged
ent6: slot 302, PVID 3302, VID 2, Bridged
ent7: slot 402, PVID 3402, No VID, No Bridging
ent9 (SEA):
real: ent8
virtual: ent5,ent6
defaultid: 2
ha_mode: sharing

Client1:
ent0: slot 302, PVID 1, No VID, No Bridging
Client2:
ent0: slot 302, PVID 1, No VID, No Bridging

External Switch ports have a PVID (native VLAN) of 2

What the network team saw was high CPU utilization on the 2nd vio server's external Ethernet port due to massive MAC address flapping. Somehow the VIO server was claiming to have all IP destinations (and thus all MAC addresses).
All network traffic on VLAN 2 came to a standstill.
Updated on 2013-02-21T21:44:38Z at 2013-02-21T21:44:38Z by seroyer
  • SystemAdmin

    Re: Can the SEA defaultid be same as External network PVID?

    ‏2013-02-20T16:23:52Z  in response to SystemAdmin
    The purpose of the defaultid field is to allow you to specify how you wish to handle untagged traffic. So, when traffic comes inbound from your network that is untagged, where should the VIOS send it? Similarly, when you have 2 virtual Ethernet ports on an SEA, it tells the VIOS what to do with untagged outbound traffic. If the VIOS received traffic from within the box on vlan 3302, where should it send it? Or on vlan 1, where should it send it?

    So typically (I don't know of a case where you wouldn't), you should use the defaultid to specify which of the PVIDs to use. So in your case it would either be 1 or 3302. That said, you usually want the defaultid to match your external network as you've done. I suspect that you don't want VLAN ID 1 anywhere, and that you really want 3302 and 3304 to be tagged as your external switch supports those VLANs? So really, the way you likely should configure your system would be as follows:

    ent0+ent1 => EtherChannel ent8
    ent2,ent3: Not used
    ent4: slot 300, PVID 2, No VID, No Bridging <-- I assume you want to put your network interface here - you can also put it on ent5, but if you want to keep them separate, that's fine too.
    ent5: slot 301, PVID 2, VID 3302, 3402, Bridged
    ent6: slot 302, PVID 3302, No VID, Bridged <-- No reason for this - you can do it all with a single virtual Ethernet bridged. The only reason to use a second one on the same SEA is if you want to do load balancing of traffic between 2 VIOSs.
    ent7: slot 402, PVID 3402, No VID, No Bridging <-- Not sure the purpose in this...is this to allow the VIOS to play on external vlan 3402? If so - leave it in...
    ent9 (SEA):
    real: ent8
    virtual: ent5,ent6
    defaultid: 2
    ha_mode: sharing

    Client1:
    ent0: slot 302, PVID 2, No VID, No Bridging
    Client2:
    ent0: slot 302, PVID 2, No VID, No Bridging
    Client3:
    ent0: slot 302, PVID 3402, No VID, No Bridging <-- This lets client3 communicate externally on vlan 3402 without the OS needing to be vlan aware.

    What this config does is give you access to vlans 3302 and 3402 both inside and outside of the box. All untagged traffic would go on PVID 2.

    Hopefully that's what you were looking to try and do...
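
The defaultid rule stated in the reply above, written as a small check (an added example, not part of the thread and not IBM tooling). It parses adapter lines in the notation used in this thread; the function names and the returned fields are assumptions made for illustration.

```python
import re

# One adapter line as written in this thread, e.g.
# "ent6: slot 302, PVID 3302, VID 2, Bridged"
ADAPTER = re.compile(
    r"^(ent\d+): slot \d+, PVID (\d+), (No VID|VID [\d, ]+?), (Bridged|No Bridging)")

def parse_adapters(listing):
    """Return {name: {"pvid": int, "vids": set, "bridged": bool}}."""
    adapters = {}
    for line in listing.splitlines():
        m = ADAPTER.match(line.strip())
        if m:
            name, pvid, vid_field, mode = m.groups()
            vids = {int(v) for v in re.findall(r"\d+", vid_field)}
            adapters[name] = {"pvid": int(pvid), "vids": vids,
                              "bridged": mode == "Bridged"}
    return adapters

def check_defaultid(adapters, sea_virtual, defaultid):
    """Rule from the reply: defaultid should be the PVID of one of the
    SEA's virtual adapters. Also report adapters carrying it as a tagged VID."""
    pvids = sorted({adapters[n]["pvid"] for n in sea_virtual})
    tagged_on = [n for n in sea_virtual if defaultid in adapters[n]["vids"]]
    return {"ok": defaultid in pvids, "pvids": pvids, "tagged_on": tagged_on}

# Adapter lines copied from the question (SEA virtual: ent5,ent6; defaultid 2).
ORIGINAL = """
ent4: slot 300, PVID 1, No VID, No Bridging
ent5: slot 301, PVID 1, No VID, Bridged
ent6: slot 302, PVID 3302, VID 2, Bridged
"""
# Adapter lines copied from the configuration suggested in the reply.
SUGGESTED = """
ent4: slot 300, PVID 2, No VID, No Bridging
ent5: slot 301, PVID 2, VID 3302, 3402, Bridged
ent6: slot 302, PVID 3302, No VID, Bridged
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, check_defaultid(parse_adapters(text), ["ent5", "ent6"], 2))
```
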
  • SystemAdmin

    Re: Can the SEA defaultid be same as External network PVID?

    ‏2013-02-20T22:23:09Z  in response to SystemAdmin
    Hi,

    Your setup is not very detailed but :

    1/ Where is your control channel adapter ? You are trying to set up an SEA failover in sharing mode without a control channel ? Serious ?
    2/ Same PVID in the same SEA or in the same vswitch (I assume all these adapters are in ETHERNET0) can result in a broadcast storm, both slot 300 and 301 are configured with a PVID to 1? In the same vswitch ? (ent4 is not used ....)
    3/ ent4 and ent7 are not used, why are they in this configuration ?
    4/ My advice is not to mix access and tagging on switch port (I assume switch port is configured with vlan 2 in access (PVID), and vlan 3302 and 3402 in trunk (VID)).
    5/ Redbook sg2472490 says "Important: To create or enable the SEA failover with Load Sharing, you have to enable the load sharing mode on the primary SEA first before enabling load sharing mode on the backup SEA. ", I hope you were not in this case.

    I hope this can help.

    Benoît.

    http://chmod666.org
    • SystemAdmin

      Re: Can the SEA defaultid be same as External network PVID?

      ‏2013-02-21T21:26:56Z  in response to SystemAdmin
      Ok, some clarification:
      ent4 isn't relevant in this setup - true.
      ent7 is the control channel. There are 2 VIO servers with the identical setup.
      On further investigation, it appears I'm in good company in creating a broadcast storm. Presumably this happened by my changing the ha_mode in the wrong order (backup first, not primary). I distinctly remember checking which was primary before I did it, but there's always the possibility that my memory is wrong.

      So, please (if you can) tell me how this broadcast storm would work? I see some references to it by IBM, but I have yet to hear how it would work - or break.

      I'm assuming that since IBM recommends having BPDU Guard on at the physical network port, that the SEA is using BPDU packets inside to determine which VIO server is active? From my understanding BPDU is a function of Spanning Tree Protocol, so is the POWER Hypervisor running STP on the ETHERNET0?
      If so, I can see why we might possibly have a broadcast storm, with BPDU Guard off. But with BPDU Guard on, how could there have been a broadcast storm that affected the entire external VLAN?
      • seroyer

        Re: Can the SEA defaultid be same as External network PVID?

        ‏2013-02-21T21:44:38Z  in response to SystemAdmin
        Neither the SEA nor the Power hypervisor uses BPDU packets. They are treated no differently than any other packets.

        Enabling BPDU guard on the physical switch allows the physical switch to detect a loop created by what is called "split-brained" SEA. Both SEAs think they are Primary and so should be in bridging mode. Usually this happens when the control channel is misconfigured. When the truly primary SEA receives a broadcast packet from the physical network and bridges it to the virtual network, the truly backup SEA will receive that broadcast over the virtual network and bridge it back out to the physical network. This causes a network loop.

        Starting with 760 firmware and VIOS 2.2.2, firmware will actively prevent that loop from forming. The backup virtual Ethernet trunk adapter will not receive any packets until it becomes primary again. You must have VIOS 2.2.2 and firmware 760 for that feature to be enabled.

        Steve
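
The split-brain loop described in the reply above, as a small model (an added example, not part of the thread and not IBM code). It follows one broadcast from the external network through a physical switch, two SEAs and the hypervisor virtual switch; the device and port names are assumptions, and the model does not cover the firmware 760 behaviour.

```python
from collections import deque

def flood_one_broadcast(bridging, max_hops=100):
    """Follow every copy of one broadcast sent from the external network.

    bridging: which SEA is in bridging mode, e.g. {"vios1": True, "vios2": False}.
    Returns copies delivered to clients, copies sent back out the uplink, how
    often the switch saw the sender's MAC change port (MAC flapping), and
    whether frames were still circulating when max_hops was reached.
    """
    stats = {"client_copies": 0, "uplink_copies": 0, "mac_moves": 0}
    learned_port = None                      # switch's view of the sender's MAC
    hops = 0
    queue = deque([("switch", "uplink")])    # (device, ingress port)
    while queue and hops < max_hops:
        device, ingress = queue.popleft()
        hops += 1
        if device == "switch":
            # Physical switch: learn the source MAC, then flood other ports.
            if learned_port not in (None, ingress):
                stats["mac_moves"] += 1
            learned_port = ingress
            for port in ("uplink", "vios1", "vios2"):
                if port == ingress:
                    continue
                if port == "uplink":
                    stats["uplink_copies"] += 1
                else:
                    queue.append(("sea_phys", port))
        elif device == "sea_phys":
            # Frame arrived on the SEA's real adapter: bridge inward if active.
            if bridging[ingress]:
                queue.append(("vswitch", ingress))
        elif device == "vswitch":
            # Virtual switch floods to the clients and to the other trunk adapter.
            stats["client_copies"] += 1
            other = "vios2" if ingress == "vios1" else "vios1"
            queue.append(("sea_virt", other))
        elif device == "sea_virt":
            # Frame arrived on the SEA's trunk adapter: bridge outward if active.
            if bridging[ingress]:
                queue.append(("switch", ingress))
    stats["still_looping"] = bool(queue)
    return stats

if __name__ == "__main__":
    print("healthy    ", flood_one_broadcast({"vios1": True, "vios2": False}))
    print("split-brain", flood_one_broadcast({"vios1": True, "vios2": True}))
```

In the healthy case the frame reaches the clients once and dies out; with both SEAs bridging it never drains, and the switch keeps relearning the external sender's MAC on the VIOS ports, which matches the flapping the network team reported.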