VLANS, Promiscuous Mode, and Mac Addresses

webdawg

I was chasing down a bug in FreeNAS or one of my switches. When I connected one of my NAS units, my entire network would go down.

I still do not know what the issue is, but when I set the mac address for a NIC card on the NAS unit (just for the vlan, yes promiscuous mode), then everything started to work again.

Is there really any reason not to use Promiscuous mode on this 10 Gbit NIC? I mean, behind the modern switch, all traffic destined for it, is destined.

If I do set promiscuous mode, will I be able to assign mac addresses to VLANS?

JKnott

@webdawg

Promiscuous mode means an interface can read traffic that wasn't intended for it. For example, when running packet captures, the interface is placed in promiscuous mode. It has nothing to do with VLANs or MAC addresses. All traffic, including VLAN, that originates from an interface, will have the same MAC.

BTW, the only significant difference with a VLAN frame is the VLAN tag, which provides a different Ethertype field in the header.

webdawg

@jknott I think to set a mac address the nic has to be in Promiscuous mode?

How do I set a mac address that is different for each vlan on the same interface?

JKnott

@webdawg

You don't. Every frame that originates in that interface, VLAN or not, will have the same MAC. No exceptions.

BTW, why are you worried about MACs? You can't filter on them.

webdawg

@jknott I am having a huge issue here with a nas unit, and freenas lets you set a mac address per vlan, it solved a problem, and we are still trying to figure out what is going on:

https://www.truenas.com/community/threads/plug-nas-unit-into-switch-whole-network-goes-down.96655/

Basically when I plug the nas unit it, network goes down, and no logical reason why at this point.

NogBadTheBad

@webdawg Why would you need to change the MAC address of the VLAN interface?

johnpoz

@nogbadthebad said in VLANS, Promiscuous Mode, and Mac Addresses:

Why would you need to change the MAC address of the VLAN interface?

You shouldn't - off the top of my head were this could be a problem is when you do not have actual L2 isolation and now you see IPs change on the mac address..

JKnott

@webdawg said in VLANS, Promiscuous Mode, and Mac Addresses:

Basically when I plug the nas unit it, network goes down, and no logical reason why at this point.

Then do some packet capture, to see what's happening. VLANs are supposed to be logically separate networks. That means what happens on one shouldn't affect another, just as though they were physically separate. Also, MACs must be unique on a network.

BTW, changing a MAC is called "spoofing", so you could change the MAC for an interface, but that would change it for all VLANs.

Take a look at how VLANs are constructed. When you create a VLAN on an interface, all it does is insert the VLAN tag, which consists of 4 bytes, the first 2 of which are the Ethertype field.. This means that the original Ethertype is pushed back 4 bytes and what was, for exampe, an IP packet, now becomes a VLAN frame, with the original IP packet inside it. That is the only difference between a VLAN frame and every other Ethernet frame type. So, when you create a VLAN you are not changing the MAC, just the Ethertype.

webdawg

Figured it out.

The FreeNAS unit was misconfigured, and was setup to bridge via software 2x different VLAN interfaces.

If you are interested in knowing the details:

https://www.truenas.com/community/threads/plug-nas-unit-into-switch-whole-network-goes-down.96655/#post-667539

Is there anything else I can enable/run to detect an issue like this in the future?

Shouldn't RSTP have stopped this even with the weird switch loop?

I guess it was not really a loop heh. Just a bridge to a different network...

JKnott

@webdawg said in VLANS, Promiscuous Mode, and Mac Addresses:

Shouldn't RSTP have stopped this even with the weird switch loop?

No, spanning tree handles each VLAN separately, so it wouldn't even see a loop. Also, it relies on the STP frames which are received by switches, updated and passed on to the next switch. I don't know what that NAS box would do with them, though I wouldn't expect them to pass those frames.

BTW, I saw your comment in that link about pfsense not changing MACs for VLANs. I would not expect any device to do that. I explained in an earlier note that when you create a VLAN all you do is insert the VLAN tag. That doesn't change the MAC. There is no separate physical interface where you could change it.

johnpoz

@webdawg said in VLANS, Promiscuous Mode, and Mac Addresses:

Just a bridge to a different network...

Yeah there you go - that can cause all kinds of weirdness, especially with mac addresses that get seen with different IPs on them. Like with vlans on the same physical interface. Which should be isolated and devices in different vlans should really never know that interface with IP X on it has the same mac as IP Y.

Glad you got it sorted.