How to tag interface SFP+ ix0 on an XG-7100
-
Yes, you don't need to configure the internal switch at all if you're using ix0, the traffic would not go through it at all.
Steve
-
So the traffic from ix0 would flow straight to VLAN 4090 for WAN?
Follow up question; would all VLANs with a parent interface of ix0 be automatically tagged on ix0 for that VLAN? There's no way to set ix0 to have an untagged "Primary VLAN"? Will that cause problems with routing?
-
I think there is some confusion here.
ix0 is a physical interface. WAN is a logical interface. You can assign ix0 as WAN if required.
By default the XG-7100 uses lagg0.4090 as WAN. That means, internally it's sending packets tagged 4090 over the lagg pair to the switch. The switch is configured, by default, with port 1 untagged on vlan 4090 which means Eth1 is WAN.
Traffic coming in on ix0 (or a VLAN on ix0) would come into pfSense on whatever interface that is assigned as and could be routed to WAN. Assuming firewall rules existed to allow it.
Traffic using an interface that is a VLAN on ix0 would indeed be tagged with that VLAN.
You can assign ix0 as an interface directly (untagged) separately to assigning VLANs on it. There is no problem doing that.
It is often discouraged as it's easy to misconfigure some devices and get untagged traffic on a VLAN trunk placed incorrectly onto a VLAN. Logically it's valid though.
Steve
-
-
Hello, I've been struggling with the configuration of ixl0 SFP+ and now I got this, I tested ix0 and it seems to work now. You said
@stephenw10 said in How to tag interface SFP+ ix0 on an XG-7100:
lagg0.20 and ix0.20, and then bridge them. That's not really recommended if you can avoid it but it can be done.
What are the risks or effects on performance, if this is done? Maybe after 2 years this is now different. Thank you in advance!
-
All traffic has to be passed by the firewall rather than just forwarded by the switch so it's a significant load.
Nothing has really changed since I wrote that. When you are bridging VLANs you can end up seeing something unexpected if you try to do anything else with the interfaces. So if you assigned the parent interface or added traffic shaping maybe. It can work if you just need to move traffic between the VLAN interfaces but it's recommended you avoid it if possible.
Steve
-
@stephenw10 Ok, thank you for your fast answer.
My next mind twisting thing is, on which interface I should have my routing point for each VLAN-tied IP network, since I'm not using the internal switch for the 10G ports IXL0 and IXL1.
I would have a couple of VLANs, less than 10 in this case, but I feel like with "stupid" configurations I will end up pouring and bouncing traffic between interfaces in a very complicated bridge/VLAN/routing inside the XG7100.
Eg for VLAN 10, IP network 10.0.10.0/24
Create VLAN 10 first per interface
- Interfaces --> VLANs tab --> Create VLAN 10, parent interface IXL0
- Interfaces --> VLANs tab --> Create VLAN 10, parent interface IXL1
Then assign VLAN 10 on interfaces
- Interfaces --> Interface Assignments tab --> Add "VLAN 10 on IXL0"
- Interfaces --> Interface Assignments tab --> Add "VLAN 10 on IXL1"
Next assign static IP for VLAN 10 fw interface
- Interfaces --> Interface Assignments tab --> select VLAN 10 IXL0
- Assign static IP 10.0.10.1 /24
- make firewall rule (and DHCP settings if needed)
But which way around next:
- should I bridge IXL0.10 <--> IXL1.10 in order to reach 10.0.10.1 from both interfaces IXL0 and IXL1? If so, what if the IXL0 SFP+ module breaks, does the interface not have a routing point any more, or is this routing point tied to the physical SFP+ module at all?
- if the same single VLANs 10, 11, 12 are needed to trunk through IX0 and IX1 as well, I will need to multiply this configuration as many times as there are single VLANs needed in a trunk, right?
Each of these trunks is going to a different switch/server, so I must
- make a LAGG per single interface and create some bridges between them?
- rather use real separate switches to handle the trunking part?
- on top of this, if I would make use of the XG7100 ETH0---ETH8 ports as well, say for VLAN 10, then I need to bridge ixl0.10 -- (lagg0.4091) or something like this.
Confusing, but there is certainly a logic.
-
@12022804 said in How to tag interface SFP+ ix0 on an XG-7100:
If so, what if IXL0 SFP+ module breaks, interface doesn't have routing point any more or is this routing point tied on physical SFP+ module at all?
You would usually assign the bridge interface and put the IP address on that to avoid that problem.
Why are you trying to bridge two VLAN trunks like this though? You need to filter between the two trunks?
Steve
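As an added illustration of the advice in this exchange (example code, not from the thread or from pfSense itself), the following Python lints a constructed interface plan the way the thread suggests: the gateway IP belongs on the bridge rather than on a member, bridged VLAN interfaces are firewalled rather than switched, and an untagged IP on a VLAN trunk parent is legal but easy to get wrong. The `Iface` class and device names are a hypothetical model, not a pfSense API.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a pfSense interface plan; not a pfSense API.
@dataclass
class Iface:
    name: str                     # pfSense assignment, e.g. "OPT1"
    device: str                   # FreeBSD device: "ixl0", "ixl0.10", "lagg0.4090", "bridge0"
    ip: Optional[str] = None      # static IPv4 in CIDR form, if any
    members: list = field(default_factory=list)   # bridge members (device names)

def parent_of(device: str):
    """'ixl0.10' -> ('ixl0', 10); an untagged device -> (device, None)."""
    if "." in device:
        parent, tag = device.rsplit(".", 1)
        return parent, int(tag)
    return device, None

def lint(ifaces):
    """Return human-readable findings based on the advice given in the thread."""
    findings = []
    by_dev = {i.device: i for i in ifaces}
    # Parents that carry at least one tagged VLAN are treated as trunks.
    trunk_parents = {parent_of(d)[0] for d in by_dev if parent_of(d)[1] is not None}
    for i in ifaces:
        parent, tag = parent_of(i.device)
        if i.device.startswith("bridge"):
            # Put the IP on the bridge so losing one member does not remove the gateway.
            if i.ip is None:
                findings.append(f"{i.device}: no IP on the bridge; assign the gateway address here")
            for m in i.members:
                if by_dev.get(m) is not None and by_dev[m].ip is not None:
                    findings.append(f"{m}: IP belongs on {i.device}, not on a bridge member")
                # Bridged VLANs are passed by the firewall, not forwarded by the switch.
                if parent_of(m)[1] is not None:
                    findings.append(f"{i.device}: bridges VLAN interface {m}; traffic is firewalled, not switched")
        elif tag is None and parent in trunk_parents and i.ip is not None:
            # Untagged parent used alongside tagged VLANs: valid but easy to misplace traffic.
            findings.append(f"{i.device}: untagged IP on a VLAN trunk parent; watch for misplaced untagged frames")
    return findings

if __name__ == "__main__":
    # Constructed plan following the steps above: VLAN 10 on ixl0 and ixl1, then bridged.
    plan = [
        Iface("OPT1", "ixl0.10", ip="10.0.10.1/24"),
        Iface("OPT2", "ixl1.10"),
        Iface("OPT3", "bridge0", members=["ixl0.10", "ixl1.10"]),
    ]
    for finding in lint(plan):
        print(finding)
```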
-
@stephenw10 Why use VLANs in general? Having multiple subnets that all exist individually on ports IXL0, IXL1, IX0, IX1.
Previously what I have done with other fw hardware, I've used IP subnets, VLANs, tags, untags, laggs and trunks in FW hardware on whatever logical or physical interface they are located at, had an IP subnet per VLAN, and fw rules for each subnet. Can I do this same in the XG7100 or not?
So using the same VLAN in the XG7100, e.g. on interfaces IXL0, Eth3 and IX1, seems to be a bridging, switching, lagging here and there type of task, with uncertainty about hw capacity or some other issues. Clear, but not clear at all.
So back to the original question, to achieve 2x 10G VLAN trunk or a similar type of connection to two different targets with the XG7100 2x 10G option enabled through IXL0 and IXL1:
- need to buy a switch with 3 or 4 x 10G interfaces. One IXL0 trunk, or both IXLs with lagg, connected to the switch's 10G ports and from other 10G switch ports to targets?
- do a VLAN bridge between the IXLs in the XG7100 and connect those directly to the targets' 10G interfaces?
- create a bridge interface between IXL0, IXL1, and create all IP subnets there without VLANs?
I appreciate your comments and insights. I really want to get the most out of Pfsense, this requires some learning and rethinking.
-
-
The problem here is you're trying to use router interfaces as switch ports. The only way you can do that is to re-create most of the switch functionality using bridging. But a bridge is not a switch and you can only do so much with them.
You should have one VLAN trunk between the router and a core switch and other switches connected to that. That trunk could be a lagg of both 10G ports. It could be a cross-chassis lagg at the other end to two stacked switches.
The only real reason to bridge interfaces like that is to filter traffic between two segments of the same subnet. But I don't think you're doing that?
Steve
-
@stephenw10 I'd like traffic to flow within the same subnet between interfaces, no need to filter the same subnet in different segments. Just like VLANs work. Filter only when traffic leaves/enters to/from a different subnet, as firewalls and routers do.
I thought that just bridging between e.g. the IXL0/1 interfaces acts like an L2 LAN segment, a broadcast domain. But doing this eats the resources of the device, so it's not recommended?
So XG7100 device is not for switching.
I need to rethink and replan my IP/VLAN to suit for this device and buy some hw switches.
-
@12022804 said in How to tag interface SFP+ ix0 on an XG-7100:
I'd like traffic to flow within the same subnet between interfaces, no need to filter the same subnet in different segments. Just like VLANs work. Filter only when traffic leaves/enters to/from a different subnet, as firewalls and routers do.
That's what switches do not routers.
The only way to do that in pfSense is to bridge the interfaces with everything that brings in.
The situation is more complex in the 7100 than other pfSense installs because it does in fact contain a switch. If you wanted to do that with two of the Eth ports you can do so entirely within the switch config. But the SFP ports are not part of the switch, they are discrete router interfaces.
You don't necessarily need any additional switches. Just designate one as the core and attach the other switches to it. You may have a physical install restriction that comes into play of course. And that also introduces an additional single point of failure if they are not stacked switches.
Steve
-
@stephenw10 said in How to tag interface SFP+ ix0 on an XG-7100:
The situation is more complex in the 7100 than other pfSense installs because it does in fact contain a switch.
Yes, leaving out the most capable interfaces! I'm not sure how good an idea a partial switch is, but maybe there is a very good hardware based reason to do that. From the customer's point of view, it feels like I'm fooled with the VLAN capabilities of the XG-7100.
Need to rethink and replan the network to fit this device and there are multiple ways to do it, it won't be that big a problem.
Thank you for your answers and insights.
-
I'm sorry if the info was confusing. Just for clarification if others are reading this; it's a 1G switch. The 10G ports on the 7100 are discrete router ports and not part of the switch.
Steve
-
Hi everyone, I have a working configuration in my 7100 using ix0 as trunk to a unifi switch. But now we have added a new unifi switch connected to port ETH4.
My current vlans are:
ix0 (opt13) 4084
ix0 (opt13) 4083
ix0 (opt13) 4082
ix0 (opt13) 4081
ix0 (opt13) 4080
We need the same vlans on our new unifi switch. If I change ix0 to lagg, switch #2 works as expected, but #1 not. And vice-versa. Does anyone know what I'm missing here?
-
You can add those VLANs to ix0 but they will not be the same layer2 segment as VLANs on the other switch.
To do that in the 7100 you would need to bridge the VLAN interfaces on each NIC. That is not recommended though.
It would be better to trunk the VLANs between the two switches directly with only one trunk connection to the 7100.
Steve
-
@stephenw10 Thanks Steve. ix0/lagg Bridge is working as expected, but I'll follow what you said regarding the recommended practices. Thanks
-
You just bridged ix0 and lagg0 directly? And that passes VLANs between them? I would not expect that to work.
-
Hello @stephenw10
I have a similar problem with our XG-7100 in that the SFP port just doesn't work.
I'm trying to connect 2 XG-7100s together.
I've already tried all the configurations.
VLAN with and without LAGG
IP assigned to the OPT interface on both sides
ping doesn't get through and the interface time is always "no carrier".
SFP ordered directly from Netgate with the XG-7100: 10Gtek ASF85-24-x2-D
What is the reason, what am I doing wrong?
Best Regards
Szabo
-
What do you see from:
ifconfig -vvm ix0
on each side? Assuming you're using ix0 that is.