VLAN tagging: pfSense vs. managed switch
-
I'm messing around with VLANs in pfSense and an HP ProCurve managed switch. I've been searching for an answer to this since I started learning about VLAN setup but I can't find the answer..
Is it necessary to configure pfsense, the managed switch, and the server plugged into the switch with the proper VLAN tag or is one only necessary depending on the situation?
For example…
In pfSense, I created VLAN10 (10 tag) and assigned it to interface em1.
em1 is plugged into port 1 on the ProCurve managed switch.
On port 2 of the same switch I have a VMware ESXi server.VLAN10 is set in pfSense. The switch ports and ESXi can also be set for VLAN10.
What is the configuration for each device so that the VLAN works properly? I'm wondering if all have to be set to tag VLAN10 or a specific combination.
1. If traffic is set to route through the pfSense VLAN10 interface, does port 1 have to be set as tagged or untagged for VLAN10?
2. Does port 2 have to be set as tagged or untagged?
3. Does ESXi have to be told it's on VLAN10 or is tagging port 2 as VLAN10 all that is needed?
-
This is made more complex by the fact that you are using an ESXi server in your example. I'll come back to that in a minute.
Let's say instead you have client machine attached to the switch. Normally the client machine would not by expected to talk VLAN tagged packets. Whilst most NICs can send and receive tagged packets the facility to configure it in a desktop OS is not easily available. Packets travelling to the pfsense machine from the client would be sent untagged. When they arrive at the switch they will be tagged with the vlan ID, VLAN10 in your example, and sent to the pfsense machine via a trunk port still tagged. When they arrive at the pfSense machine it is setup to read the VLAN tags and internally route the packet to it's corresponding interface.
Similarly returning packets are sent tagged from pfSense to the switch. The switch sends them out of the corresponding port and strips the tags so that they arrive at the client untagged.So the VLAN must be correctly configured on the pfSense box and the switch but not the client.
This would also be the case for, say, a web sever attached to the switch.
With an ESXi server attached you may want to send VLAN tagged traffic to it (perhaps from several VLANs) and use an internal virtual switch to strip/apply the tags for traffic for your VMs. More complex!Steve
-
Best case is to configure all three to avoid any VLAN mismatches.
If you were using native/default VLAN that would be a different story, but I would take the time to configure everything and trunk the correct VLAN's to your equipment. It's going to make it so much easier in the future.
I'm a Cisco and Juniper guy myself.. but it probably isn't too hard to set up a VLAN on your HP switch. You want to make it a Layer 2 VLAN only as pfsense is your router.
As long as everything support 802.1Q which ESXi and pfsense definitely do… you'll be fine.
Don't be afraid to play around with the configuration!
-
With an ESXi server attached you may want to send VLAN tagged traffic to it (perhaps from several VLANs) and use an internal virtual switch to strip/apply the tags for traffic for your VMs. More complex!
Steve
That's one thing I've been thinking about– at the ESXi console (where you can't really change much other than some network settings) is where you tell it to use DHCP or a static IP and what VLAN it's on. I'm wondering if that VLAN setting is just for the management interface NIC or if that restricts the VMs to that VLAN. I guess I'll find out soon.
Don't be afraid to play around with the configuration!
I'm definitely not afraid to play around. But once I find what works I want to know why it's working and if it's setup the way it should be, not just because I was trying different combinations and got lucky.
-
ESXi uses vswitch.. so you can tell it what VLAN's it has trunked to it. No need to set trunking mode as it does this natively. You just need to set up additional external networks that use the bond/interface you have set as your external NIC. VLAN settings can be modified on the additional network.
-
ESXi uses vswitch.. so you can tell it what VLAN's it has trunked to it. No need to set trunking mode as it does this natively. You just need to set up additional external networks that use the bond/interface you have set as your external NIC. VLAN settings can be modified on the additional network.
The terminology is "Port Groups" that have a network label attached to them and a VLAN assigned.
-
Understanding the different terminology is half the battle when it comes to VLANs. Unfortunately there seem to be number of different terms used by various companies which refer to the same things. ::)
Steve
-
If you plan on having virtual servers on the ESXI box each on different VLANs then it creates an interesting setup. You have to think about each direction of traffic separately from one another to make sure traffic gets tagged. You could even by hand write a quick flow chart.
PFsense (tags data vlan10) > switch port 01 (keep tag) > switch port 02 (keep tag) > ESXI (set to Trunk)
To trunk in ESXI, I think you set the VLAN-ID to number to 4098, I can check when I get home. This will allow you to have multiple machines on the vswitch to set their own VLANID. If you want to separate them…. create a new vswitch.
The "keep tag" is going to be called so many different things depending on your switch. Usually you have three options, use default VLAN (1), Keep tag (whatever the device says it is), and drop tag (means no vlan).
