PFS & Cisco & ESXi with VLANs
-
Hi,
I've set a few of the Cisco ports to tag 7 and some others to tag 5. The port that is connected to the PFS is not one of these ports but a separate one. It is set to trunk, but if I set it to general I can only set it to one VLAN. I haven't restarted the Cisco; I can give it a try, but I'm reluctant to restart the thing too often because it acts strange for a few minutes after it has been restarted.
I'll give it a try and see what happens. I'll post the result. Thanks & bye
-
Nope no luck.
Same thing: on the LAN I get an IP, on the VLANs nothing.
And I did everything just as I described it a few posts above.
Any other ideas?
Bye
-
On the information you have given me it looks as if the Cisco is not forwarding traffic with VLAN tags to your pfSense LAN interface. Suggest you call Cisco support or read the manual (may be available online) or look for Cisco online VLAN troubleshooting or …
If you search the pfSense forums you might find some help with the configuration of VLANs. Advanced search for "cisco vlan configuration" might turn up something.
-
Hi,
I consulted a colleague that has a lot of experience with Ciscos and he told me that I'm on the right track.
So I did everything again. The only thing I changed was that I put the VLANs on a different NIC than LAN and didn't set a non-VLAN network on that NIC (apparently this way I would not mix tagged and non-tagged traffic). I set the switch up so that the VLAN port was trunk and then tagged all the ports I wanted to one VLAN or another. Rebooted anything that could be rebooted.
Now this is where everything is supposed to fall into place and start working, but it didn't; same result as the last few times I tried. Nothing, like no VLANs were configured.
I don't know; the only thing my colleague could think of is maybe something on PFS was restricting the VLANs, or Cisco and PFS don't communicate with the same protocol for VLANs. Anyone have any more ideas? (Just as a contingency I ordered another server with a few NICs so that if I can't figure out these VLANs I can still use physical NICs.)
Thanks for the help and bye.
-
You need to make sure you have VLANs working in ESX/ESXi first.
Add a VLAN ID/tag to your current vSwitches with VLAN 4095 (this VLAN tag will allow any and all VLAN tags to talk to the virtual machine located on that vSwitch).
-
Hi,
Yes, I've tried that too. I set the VLAN on the virtual switch to 4095 but no effect. So now I'm trying on a non-VM machine.
I just took a PC and put 3 NICs in it and am now trying on that one, but it doesn't work either way. I keep setting up VLANs on both the PFS and the Cisco, but neither way do any VLANs work.
I don't know; I'm a little confused if there is something else that I should be aware of. I read that if there are VLANs configured on an interface it is automatically set to trunk, and that if I've got VLANs on that NIC no physical network should be configured on that NIC. So I've got one NIC only for VLANs.
The switch is configured, as far as I know, correctly and it still isn't working. Thanks for the help and any input is welcome.
-
I don't use Cisco switches, I have HP ProCurves, but I can tell you how I did it with my network.
In ProCurves, there are two different ways to assign ports to VLANs. One is called "untagged." Basically you create a VLAN and any device that plugs into a port that's assigned untagged to that VLAN will be able to communicate with others on the same port group. The devices themselves don't need to be VLAN aware (i.e. no VLAN IDs sent in the Ethernet frame). It just basically carves up certain ports into a mini switch.
The other way is to assign ports to tagged VLANs. This is what you are attempting I believe. As someone mentioned earlier, I think this is called "VLAN trunking" in Cisco terminology, but I have no experience with it so I'm not certain.
Say I have two VLANs that I want one interface on pfSense and one interface on my VMware server to share.
I create two VLANs:
ID: 10 NAME: TEST1
ID: 20 NAME: TEST2
On pfSense, I would create a VLAN with the correct ID in Interfaces->Assign->VLANs. Adding the VLAN is self explanatory. I choose the parent interface "bce2" and the ID "10" then I name it "TEST1". It's very important that the parent interface (bce2) isn't assigned to any other networks already by pfSense. The parent interface to any VLAN should remain unassigned. After the VLANs are created, assign the interface in Interfaces->Assign and specify the network information you want like IP/subnet etc.
On the switch, I would assign "Tagged" to ports 1 and 2 for both VLAN IDs 10 and 20. This is where you should look for "trunking" on Cisco.
On VMware, I create a Virtual Machine network bound to the interface that will plug into the switch port 1. This virtual switch I will assign to the correct ID. So I create two virtual switches bound to that interface, one with VLAN ID 10 and one with VLAN ID 20.
So VMware is plugged into switch port 1, and pfSense is plugged into switch port 2. Both ports are assigned on the switch to use VLAN IDs 10 and 20.
That should be pretty much it. Finally, create a VM, attach it to the corresponding switch with the VLAN ID you want in VMware, and assign the VM an IP address in the same subnet as the IP you assigned pfSense for that VLAN.
FWIW this took me about a week to work out on my network since I had little experience with VLANs, but ultimately it seems to work quite well. Good luck.
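The layout described in the post above (VLANs 10 and 20 on an otherwise unassigned pfSense parent "bce2", switch ports 1 and 2 carrying both VLANs tagged, one VMware port group per VLAN) has a handful of places where one wrong setting silently breaks the whole path. The checker below is an added example, not code from pfSense, VMware or this thread; the data model, the names `PfSenseVlan`, `SwitchPort`, `PortGroup`, `check_vlan_path` and the `ASSIGNED` map are my own assumptions, while the VLAN IDs, names, NIC and port numbers are the ones the post uses. It flags the three mistakes that come up in this thread: a parent NIC that is also assigned as a normal interface, a switch port left in access mode, and a VLAN missing from a trunk or from the port group.

```python
"""Check that one 802.1Q VLAN is plumbed consistently from a pfSense VLAN interface,
through two switch ports, to a VMware port group.

Added example, not pfSense, VMware or forum code; the model and names are assumptions.
"""
from dataclasses import dataclass, field

PASS_ALL_TAGS = 4095   # VMware port group VLAN ID meaning "hand every tag to the guest"


@dataclass
class PfSenseVlan:
    parent: str      # physical NIC carrying the tags, e.g. "bce2"
    vid: int
    name: str


@dataclass
class SwitchPort:
    number: int
    mode: str                                  # "access" or "trunk"
    untagged: int = 1                          # native VLAN (trunk) or access VLAN
    tagged: set = field(default_factory=set)   # VLANs carried tagged (trunk only)


@dataclass
class PortGroup:
    name: str
    vid: int         # 1-4094 for one VLAN, PASS_ALL_TAGS to pass tags through


def check_vlan_path(vlan, pf_port, vm_port, port_group, assigned_parents):
    """Return the problems that stop `vlan` flowing end to end (empty list = OK).

    assigned_parents maps pfSense physical NICs to the interface they are already
    assigned to, e.g. {"bce0": "WAN", "bce1": "LAN"}; a VLAN parent must not be in it.
    """
    problems = []
    if vlan.parent in assigned_parents:
        problems.append(f"parent {vlan.parent} is assigned to {assigned_parents[vlan.parent]}; "
                        "a VLAN parent should carry nothing but tags")
    if not 1 <= vlan.vid <= 4094:
        problems.append(f"VID {vlan.vid} is outside the usable range 1-4094")
    for role, port in (("pfSense", pf_port), ("VMware", vm_port)):
        if port.mode != "trunk":
            problems.append(f"switch port {port.number} ({role}) is {port.mode}, not trunk")
        elif vlan.vid not in port.tagged:
            problems.append(f"switch port {port.number} ({role}) does not tag VLAN {vlan.vid}")
    if port_group.vid not in (vlan.vid, PASS_ALL_TAGS):
        problems.append(f"port group {port_group.name} is on VLAN {port_group.vid}, "
                        f"so guests never see VLAN {vlan.vid}")
    return problems


# The working layout from the post: VLANs 10/20 on bce2, port 1 to VMware, port 2 to pfSense
VLANS = [PfSenseVlan("bce2", 10, "TEST1"), PfSenseVlan("bce2", 20, "TEST2")]
ASSIGNED = {"bce0": "WAN", "bce1": "LAN"}       # constructed; bce2 deliberately unassigned
PORT1 = SwitchPort(1, "trunk", tagged={10, 20})
PORT2 = SwitchPort(2, "trunk", tagged={10, 20})
GROUPS = {10: PortGroup("TEST1", 10), 20: PortGroup("TEST2", 20)}


def check_all(vlans=VLANS, pf_port=PORT2, vm_port=PORT1, groups=GROUPS, assigned=ASSIGNED):
    """Map VLAN name -> list of problems, for every VLAN in the layout."""
    return {v.name: check_vlan_path(v, pf_port, vm_port, groups[v.vid], assigned) for v in vlans}


if __name__ == "__main__":
    for name, probs in check_all().items():
        print(name, "OK" if not probs else "; ".join(probs))
    # Two of the mistakes reported in this thread: access-mode port, parent NIC also used as LAN
    bad_port = SwitchPort(2, "access", untagged=10)
    for p in check_vlan_path(VLANS[0], bad_port, PORT1, GROUPS[10], {"bce2": "LAN"}):
        print("problem:", p)
```

Running it as a script prints `OK` for both VLANs in the described layout and then the two problems for the broken variant. Setting the port group to 4095 passes the check for any VID, which matches the earlier advice in the thread about using that value to let the guest see all tags.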
-
Hi,
After some playing around I finally got the thing working, but not on the VMware, on a standalone PC.
Here's how I did it.
I set the VLANs up on PFS (vlan2, vlan3, vlan4, vlan5) on a separate adapter (sis2) from LAN (sis1) and didn't set any network on sis2 except for the VLANs.
I connected the sis2 port to a port on the switch, set the port to trunk and tagged the port in every VLAN I wanted to configure to switch ports. Then I set all the ports I wanted in one VLAN on the switch to access mode and untagged on a specific VLAN, for example vlan2 ports 1-5, vlan3 ports 6-10, vlan4 ports 11-15.
Then I connected the other two switches via trunk ports with the VLANs tagged on the mutual ports, set up the same VLANs as on the first switch and configured some ports to one VLAN or another as on the first switch.
When I plugged my PC into ports on any switch that were configured for example on vlan2 I got an IP address from the vlan2 DHCP server. If I plugged it into a vlan5 port I got the corresponding IP address.
So everything seems to be working as it should except for one thing. The moment I enabled the VLAN interfaces on the PFS I set them an IP address and DHCP server in the appropriate ranges (vlan2-192.168.2.0/24, vlan3-192.168.3.0/24, vlan4-192.168.4.0/24, etc.) and went to the Rules menu and duplicated the LAN rule for all the other interfaces. So everything is set up just as on LAN.
But I can't seem to connect to the internet on any network other than LAN. I get the DHCP IP and I can see all the other devices on my network, but I can't access the internet.
I can't ping an address or IP; in both cases I get a timeout. Any ideas on this weird problem?
Thanks all for the help, and jwbrown77, thank you, you got me thinking in the right direction; connecting the VMware comes next.
Bye
-
pfSense is a firewall. It doesn't know what access you want enabled for the OPTx networks so it blocks everything until you tell it otherwise. What LAN rule did you duplicate? Did you need to change some addresses in the LAN rules to make them appropriate to the OPTx networks?
-
Hi,
Yes, I changed the interface on which it was residing from LAN to Tel (the vlan5 interface) and the source from LAN Subnet to Tel Subnet. But it didn't work for a while. I tried rebooting and now it's working fine.
So thanks again for the clarification. Now the only thing I've got to tackle is how to connect the other WAN connections, but I'll leave that for tomorrow and think about it a little more.
Oh before I forget if I set the VLAN ID on the ESXi switch to 4095 that means it's set to trunk. Right?
Thanks for the help.
-
I have this setup in my lab. Can you please post a network diagram (visio, etc) of what you are trying to accomplish so I can compare your configuration with mine? I am using Cisco 3750E switches connected to a pair of ESX servers and a pair of pfSense firewalls.
Thanks…
-
I haven't restarted the Cisco I can give it a try but I'm reluctant to restart the thing too often
-
Hi,
Well, I finally got everything working (regarding the VLANs) and I was also able to determine what went wrong.
I'm now running a dedicated machine for PFS and ESX is on its own. My first mistake was that I wasn't sure what an access or general port was on the switch, and my second was that at first I didn't set the port that contained the VLANs as trunk. So I created VLANs on PFS, attached them to the OPT1 interface (the interface is used only for VLANs) and set the port this cable was connected to on the switch as trunk. I proceeded to tag this port on every VLAN I needed on the switch and added access ports to the appropriate VLAN. It started working right away without any restarts or reboots of PFS or the switches.
Now the ESX is a bit of a different story. For the VMs on the ESX I created virtual switches, each with the corresponding VLAN tag, and connected them via trunk to the switch. Then I added the VMs to the appropriate virtual switch and changed the IPs on them and everything started to work as it should. I'm still not sure if I could have set the virtual switch to 4095 and set up VLANs on each VM separately, but since it's working it doesn't make much sense to start meddling with it now. :)
Anyway, thank you all for your help and I hope that anyone with similar problems might benefit from this information here. I'm also attaching a diagram of my network topology for reference (sorry, it's not very good, but I think it illustrates the network).
By the way, for example, if I have set up OPT2 as a second LAN and it is working, what happens if I attach a few VLANs to the same interface as OPT2 and then set the port on the switch as trunk? Will OPT2 still work and fall into the default VLAN 1 on the switch, with all other VLANs tagged to the appropriate VLANs? Would this work? It works on the ESX: any non-tagged traffic falls into vlan1 on the switch. Or is it a better idea to leave only VLANs on the PFS NIC without the non-VLAN traffic? And when you attach VLANs to a NIC in PFS, is that NIC automatically marked as trunk?
Bye
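The closing question above (untagged OPT2 traffic and tagged VLANs sharing one NIC and one trunk port) comes down to what a switch does with a frame on ingress: an untagged frame carries no VID at all and is placed in the port's access or native VLAN, a tagged frame is placed in the VID its tag names if that VID is allowed on the port, and anything else is dropped. The code below is an added example, not code from the thread, pfSense or any switch vendor; it encodes and decodes the 802.1Q tag byte-for-byte and then applies that ingress rule. The switch model (`classify_ingress`, the `port` dictionaries, and the decision to drop tagged frames on an access port unless the VID matches the access VLAN) is a deliberate simplification stated here as an assumption; real switches differ in corner cases. All frames are constructed inline, not captured traffic.

```python
"""802.1Q tag encode/decode plus a simplified switch ingress classifier.

Added example, not code from the thread. The ingress model is an assumption that
approximates common switch behaviour.
"""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VID_RESERVED_NULL = 0        # "priority tagged": tag present but no VLAN named
VID_RESERVED_ALL = 4095      # reserved on the wire; VMware uses it to mean "pass all tags"


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Return an Ethernet frame; with vid set, insert the 4-byte 802.1Q tag after the MACs."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)     # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the header; an untagged frame has no VID at all, only the EtherType."""
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False, "vid": None, "pcp": None,
                "ethertype": ethertype, "payload": frame[14:]}
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


def classify_ingress(frame, port):
    """VLAN the switch assigns to a frame entering `port`, or None if it is dropped.

    port is {"mode": "access", "vlan": n} or {"mode": "trunk", "native": n, "allowed": {..}}.
    Simplified model (assumption): no usable tag -> access/native VLAN; tagged -> its VID
    if the port carries that VID, otherwise dropped; VID 4095 is never valid on the wire.
    """
    hdr = parse_frame(frame)
    if not hdr["tagged"] or hdr["vid"] == VID_RESERVED_NULL:
        return port["vlan"] if port["mode"] == "access" else port["native"]
    vid = hdr["vid"]
    if vid == VID_RESERVED_ALL:
        return None
    if port["mode"] == "access":
        return port["vlan"] if vid == port["vlan"] else None
    return vid if vid in port["allowed"] else None


# Constructed sample frames (not captured traffic): same MACs and dummy IPv4 payload
DST, SRC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
PAYLOAD = b"\x45" + b"\x00" * 45
UNTAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD)
TAGGED_10 = build_frame(DST, SRC, 0x0800, PAYLOAD, vid=10)
TAGGED_30 = build_frame(DST, SRC, 0x0800, PAYLOAD, vid=30)

# The two port shapes from the thread: a trunk with native VLAN 1, and an access port
TRUNK = {"mode": "trunk", "native": 1, "allowed": {10, 20}}
ACCESS_10 = {"mode": "access", "vlan": 10}

if __name__ == "__main__":
    for name, frm in (("untagged", UNTAGGED), ("vlan 10", TAGGED_10), ("vlan 30", TAGGED_30)):
        hdr = parse_frame(frm)
        print(f"{name:9s} tagged={hdr['tagged']!s:5s} vid={hdr['vid']} "
              f"-> trunk: {classify_ingress(frm, TRUNK)}  access10: {classify_ingress(frm, ACCESS_10)}")
```

Under this model the untagged OPT2 frames land in the trunk's native VLAN (1 here) while the tagged pfSense VLANs land in their own VIDs, which is the behaviour the poster saw on the ESX side; a frame tagged with a VID the trunk does not carry (30 here) is dropped, which is exactly the failure mode from earlier in the thread when the trunk was not tagged for the right VLANs.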