Trunking VLANs on interfaces
-
Not sure exactly where to post this so please bear with.
Is this all I have to do in Interfaces -> Assignments -> VLANs to trunk multiple VLANs on an interface? See included image.
Each interface will connect to a different Cisco SG200 series switch. I'm already using trunking on the Cisco switches but I'll see 10U 20T 99T on the interface meaning VLAN10 untagged, 20 and 99 tagged.
So in my case as to how this is set up in pfSense will this setup work going to Cisco switches that have their interfaces set up as 10U 20T and 10U 30T respectively?

-
IMO you'd be better off numbering the VLANs starting with your em0x interface first, it will get confusing.
I'd do it something like this :-
em02 vlan10 -> vlan210
em02 vlan20 -> vlan220
em03 vlan10 -> vlan310
em03 vlan20 -> vlan320
em04 vlan10 -> vlan410
em04 vlan30 -> vlan430
How many VLANs do you actually require? You'll have 3 untagged & 6 tagged VLANs with the setup you're trying to do.
em02 vlan10 != em03 vlan10 != em04 vlan10 they are all different network segments.
I'd be tempted to create a LAG of em02 & em03, have all your vlans hanging off there and connect cisco switch to cisco switch carrying all the vlans across the interlinks, unless there is a specific reason why you don't / cant do this.
-
em02 vlan10 != em03 vlan10 != em04 vlan10 they are all different network segments.
I was told (but haven't checked myself) that these V10s are in fact the same VLANs bridged.
But I would always want to do bridging/switching at the switches and routing (mostly) in pfSense, so yes, one upstream interface (or a LAGG, Etherchannel, …) with all VLANs and switching at the switches.
-
em02 vlan10 != em03 vlan10 != em04 vlan10 they are all different network segments.
I was told (but haven't checked myself) that these V10s are in fact the same VLANs bridged.
But I would always want to do bridging/switching at the switches and routing (mostly) in pfSense, so yes, one upstream interface (or a LAGG, Etherchannel, …) with all VLANs and switching at the switches.
I assumed that they’d all be different network segments as they used different parent interfaces, I’ll have to give it a go on two unused interfaces.
-
Two separate interfaces with the same VLAN ID
-
Thanks for testing and reporting back! (so I'll scratch that from memory)
Thinking about it this makes sense.
igb4_vlan20 and igb5_vlan20 have different names and thus are not the same interface.
-
Trunk your vlans between the switches with switch ports, not router interfaces.
Using the router will require you to bridge those interfaces which will make for a lousy router and an even lousier switch.
-
How come I'm not seeing the image I included in my OP? I refreshed the page a number of times but I don't see it….
I appreciate the idea of naming the VLANs differently and will consider doing that in the future but this is being added to an extensive existing network and don't want to rename them everywhere at this time.
I'm getting away from trunking VLANs on interfaces, that's what I had.
VLAN10, 20, & 30 correspond to subnets 192.168.10.0, 192.168.20.0 & 192.168.30.0 respectively, which correspond to em2, 3, & 4 respectively.
Interfaces em2, 3, & 4 will each connect to their own Cisco switch and fan out from there. The only reason for having VLAN10 on em3 & 4 is that the Cisco switches' IP addresses are on VLAN10 subnet 10, which is the switches' default VLAN and is needed to be able to manage the switches. VLAN20 is on em2 temporarily; once I get this all reconfig'd it will be removed.
Right now em2, 3, & 4 are all connected to the same switch and trunk to other switches; as I stated, that will be going away when each interface, VLAN, subnet is connected to its own switch.
I attempted to turn the 3 interfaces on the switch into trunks with 10/20, 10/20, 10/30 but things went south. I could not connect out the WAN so I set the interfaces on the switch back to Access, each on its corresponding VLAN.
But, it turned out pfSense's named had stopped running and since it is set up as a DNS server not forwarder or resolver that was my connection problem. And, it turned out that named stopped running because I added a config to OpenVPN and that Save kills named. I have verified it does that and is reproducible. I have a weird issue with named i.e. two named daemons running that I mentioned in another post (haven't checked back yet) that needs to be resolved and may have something to do with the named daemon going away.
So I will try this again but it occurred to me that having all 3 VLANs going to the same switch at the moment i.e. VLAN10 showing up on 3 of the switches interfaces may not be kosher. So I may not be able to test this until it's completely rewired.
-
Now my image in the OP is back. Weird…
-
I have no idea what you are trying to accomplish. I would not use the same VLAN tag to multiple switches that were not the same layer 2 network but that's probably just me.
-
Derelict: The pfSense router has 3 wired LAN subnets 192.168.10.0, 192.168.20.0, & 192.168.30.0, on em2, 3, & 4; those 3 subnets coincide with VLAN10, 20, & 30.
Each router interface em2, 3, & 4 goes to its own switch, and each of those 3 switches fans out to other switches, and those switches have devices connected/wired to them.
What I'm trying to do is very simple: keep each subnet/VLAN physically isolated from the others, i.e. no trunking.
Except as I stated I have to provide VLAN10 to all the switches because each switch IP address is on the 192.168.10.0 subnet and I need this so that I can get to the switch to use its GUI to manage it. You can only use/manage the switch using its GUI on its default/native VLAN which happens to be VLAN10. That's Cisco's restriction not mine.
-
If you need vlan 10 to all the switches then trunk VLAN 10 between the switches, not on pfSense.
-
^ exactly!! You would not put the same vlan tag on multiple interfaces on a router.. If its different layer 2 networks, then use different tag IDs.
-
Derelict: Yeah that was my initial plan but, since pfSense can do trunking, I want to do it that way.
johnpoz: What? Why? On switches, on their interfaces, you trunk VLAN10 & VLAN 20 on port 1, trunk VLAN20 & VLAN30 on port 2, trunk VLAN30 & VLAN10 on port 3, etc. As needed. Why do you say you don't do that on a router? Without a bonafide reason why, like it's against 802 dot something just saying you don't do that has no merit, sorry…
-
Derelict: Yeah that was my initial plan but, since pfSense can do trunking, I want to do it that way.
OK then good luck.
-
Because when you call a vlan say 10… That means its the same layer 2 across your switching environment. Yeah I trunk that vlan to any port where its an uplink to a switch that expands my layer 2 onto that switch.
Your router interfaces are not the same layer 2.. No matter if you want to call it vlan 10 or 20 or whatever it's still a different layer 2. Makes zero sense to tag what is different layer 2 with the same tag that all connect to your layer 3 routing device.
You can put multiple vlans on a physical interface in pfsense.. You just do not put the same ID on different interfaces - its a BORKED config...
-
About ready to try this. Got the three main switches that connect to the router's three interfaces configured and ready to go. With the option of connecting the VLAN10 switch to the VLAN20 & VLAN30 switches if it doesn't work.
I've been in IT for approaching 40 years, back when Ethernet was a big thick coaxial cable that you tapped, physically, to branch off of. Got a lot of networking experience. I now work at a very large sprawling University with satellite buildings all around town networked in.
As such I sought the expertise of our Network Architect regarding putting multiple VLANs on router interfaces. What he said was that it's not widely done but there's no reason/restriction not to do it. Like if real estate is tight, i.e. interface ports. He said you typically put "a" VLAN on "a" interface even when those VLANs/interfaces connect to the same switch. For performance. No other reason.
Since my VLAN10 network is used so minimally it's not going to impact the performance on the other VLANs it's piggybacked on. If this works…
So I don't know where the "You would not put the same vlan tag on multiple interfaces on a router" comes from...
-
"You would not put the same vlan tag on multiple interfaces on a router"
Because its a different freaking layer 2… What part do you not get here??
If you use the same ID on different interfaces that are tied to different networks how do you know which one is which? Let's just name all the dogs "dog"; when you say "dog, do this cool trick today"... which one did you mean?
The vlan ID is nothing more than a label to call out a different layer 2.
I have eth0 and eth1, and I put vlan 10 on both of them.. it makes zero sense to do that... They are not the same layer 2... So what is the point of using 10 on both of them.. Why not use something that makes a bit more sense for the ID? Like the 3rd octet in the address space used... This is very common practice..
"GUI on its default/native VLAN which happens to be VLAN10. That's Cisco's restriction not mine."
Huh?? There is no such restriction from Cisco.. What switches are these.. Post up a link from Cisco or the manual for your switch where it says that..
-
I now work at a very large sprawling University with satellite buildings all around town networked in.
Sounds like you should be talking about VLANS over LACP to a stack of switches then, not tagging VLAN 10 on multiple interfaces to multiple isolated switches expecting the same "VLAN10" to be reachable on all of them.
I tapped thicknet too. This is all light-years better than that.
-
johnpoz: Settle down. I did not see your May 2 post. When I posted this morning I did not see this thread had a second page, the last post I saw was Derelict's good luck.
Look at any Cisco SG200 or SG300 manual. Here is Cisco's port definition: https://supportforums.cisco.com/t5/small-business-switches/general-vs-trunk-mode/td-p/2281870
General mode allows multiple untagged vlans and also multiple tagged vlans to exist on the same switch interface.
Trunk mode allows ONE untagged vlan and multiple Tagged vlans to exist on the same switch interface.
Access mode allows only one untagged vlan to exist on a switch interface.
So using Trunk mode the ports that the router interfaces will connect to on the switches have VLAN10 on them untagged along with either VLAN20 tagged or VLAN30 tagged. I've been doing this with one untagged and even 2 or 3 tagged VLANs for years.
Basically every Trunk mode interface I use has VLAN10 untagged and the rest on it tagged so as to be able to manage the switches down-line. The switches are configured, for uniformity, that they can only be managed from the default VLAN which is VLAN10.
In Cisco's world using General mode you can put as many VLANs as you want on the interface along with a mixture of them being tagged and untagged. Although I don't know why you would want to do that but if I'm understanding you correctly you think that cannot be done at all.
Not wanting a borked configuration, I sketched out what I'm doing, actually what I have been doing for years with VLANs between switches minus the router and showed it to our Network Architect. He said there is nothing wrong with what I am doing now with the router. Along with the caveat it isn't normally done, separate ports would be used. But when ports are at a premium it's perfectly acceptable to do.
He also said it may not be best practices but did not say it was borked. I don't put much weight in best practices. Someone does something and writes a paper and calls it best practices. It may be for some, but not necessarily for all.
Derelict: I do have some bonded interfaces where I am using LACP but VLAN10 once again is low traffic. It can go days or weeks not even used if what is on it is not used or even powered up. And here again if I had the real estate to bind then the argument could be made to give the VLAN its own interface…
If this doesn't work with pfSense then I won't have a choice, but until that is known this is Plan A. You can bet I'll let y'all know... :-) Failure is how one learns...
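The three port modes quoted from Cisco above (access: one untagged VLAN; trunk: one untagged plus any number tagged; general: several untagged and several tagged) are easy to model at the frame level, and doing so makes the "10U 20T" uplink in the original question concrete. The following is an added example, not Cisco, pfSense or any poster's code. It builds 802.1Q frames inline (constructed MACs and payload), implements a port's ingress classification and egress tagging for the three modes, and shows that on a "10U 20T" trunk an untagged frame lands in VLAN 10, a frame tagged 20 passes, and a frame tagged 30 is dropped. Two simplifications are assumed: an untagged frame arriving on any port is always assigned the port's PVID, and a tagged frame whose VID the port does not carry is dropped. The practical caveat it illustrates is the one the thread keeps circling: whichever VLAN is the untagged one on an uplink is the VLAN every untagged sender on that link ends up in, so if that is the management VLAN, the untagged side of the trunk deserves the same scrutiny as the tagged side.

```python
"""802.1Q access / trunk / general port model with frame tagging.

Added example; not code from Cisco, pfSense or anyone in the thread.
Frames are constructed here. Simplifications assumed: untagged ingress is
always classified into the port's PVID; tagged ingress with a VID the port
does not carry is dropped.
"""
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the 12-byte MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid          # PCP(3) DEI(1)=0 VID(12)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def strip_tag(frame: bytes):
    """Return (vid, untagged_frame); vid is None when the frame carries no tag."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


class Port:
    """A switch port in access, trunk or general mode (Cisco SG terminology)."""

    def __init__(self, name, mode, pvid, tagged=(), untagged=()):
        if mode not in ("access", "trunk", "general"):
            raise ValueError("mode must be access, trunk or general")
        if mode == "access" and tagged:
            raise ValueError("access mode allows no tagged VLANs")
        if mode != "general" and untagged:
            raise ValueError(f"{mode} mode allows only one untagged VLAN (the PVID)")
        self.name, self.mode, self.pvid = name, mode, pvid
        self.tagged = set(tagged)
        # VLANs sent untagged on egress; only general mode may have several.
        self.untagged = {pvid} | set(untagged)

    def carries(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged

    def ingress(self, frame: bytes):
        """Classify a received frame: (vid, untagged_frame), or None if dropped."""
        vid, bare = strip_tag(frame)
        if vid is None:
            return self.pvid, bare            # untagged -> PVID (the "U" VLAN)
        if self.carries(vid):
            return vid, bare                  # tagged and allowed on this port
        return None                           # tagged with a VID not on the port

    def egress(self, vid: int, bare: bytes):
        """Emit a frame for VLAN vid: untagged, tagged, or None if not carried."""
        if vid in self.untagged:
            return bare
        if vid in self.tagged:
            return add_tag(bare, vid)
        return None


def forward(in_port: Port, frame: bytes, out_port: Port):
    """Receive on in_port, re-emit on out_port; None if dropped at either end."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vid, bare = classified
    return out_port.egress(vid, bare)


# Constructed sample: the "10U 20T" uplink from the original question.
UPLINK = Port("g1", "trunk", pvid=10, tagged=[20])
HOST_V20 = Port("g5", "access", pvid=20)
SAMPLE = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800, b"payload")


def demo():
    """Return what the uplink does with untagged, tagged-20 and tagged-30 frames."""
    return {
        "untagged": UPLINK.ingress(SAMPLE),
        "tagged_20": UPLINK.ingress(add_tag(SAMPLE, 20)),
        "tagged_30": UPLINK.ingress(add_tag(SAMPLE, 30)),
        "to_access_20": forward(UPLINK, add_tag(SAMPLE, 20), HOST_V20),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", "dropped" if v is None else v)
```

Note that the model has no notion of a VLAN outside a single switch: the (port, VID) pairs here are local, which is exactly why tag 10 on three different router NICs attached to three different switches is three networks, not one.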