Trunking VLANs on interfaces
-
If you need vlan 10 to all the switches then trunk VLAN 10 between the switches, not on pfSense.
-
^ exactly!! You would not put the same vlan tag on multiple interfaces on a router.. If its different layer 2 networks, then use different tag IDs.
-
Derelict: Yeah that was my initial plan but, since pfSense can to trunking I want to do it that way.
johnpoz: What? Why? On switches, on their interfaces, you trunk VLAN10 & VLAN 20 on port 1, trunk VLAN20 & VLAN30 on port 2, trunk VLAN30 & VLAN10 on port 3, etc. As needed. Why do you say you don't do that on a router? Without a bonafide reason why, like it's against 802 dot something just saying you don't do that has no merit, sorry…
-
Derelict: Yeah that was my initial plan but, since pfSense can to trunking I want to do it that way.
OK then good luck.
-
Because when you call a vlan say 10… That means its the same layer 2 across your switching environment. Yeah I trunk that vlan to any port where its an uplink to a switch that expands my layer 2 onto that switch.
Your router interfaces are not the same layer 2.. No mater if you want to call it vlan 10 or 20 or whatever its still a different layer 2. Makes zero sense to tag what is different layer 2 with the same tag that all connect to your layer 3 routing device.
You can put multiple vlans on a physical interface in pfsense.. You just do not put the same ID on different interfaces - its a BORKED config...
-
About ready to try this. Got the three main switches that connect to the routers three interfaces configured and ready to go. With the option of connecting the VLAN10 switch to the the VLAN20 & VLAN30 switches if it doesn't work.
I've been in IT for approaching 40 years, back when Ethernet was a big thigh coaxial cable that you tapped, physically, to branch off of. Got a lot of networking experience. I now work at a very large sprawling University with satellite buildings all around town networked in.
As such I sought the expertise of our Network Architect regarding putting multiple VLANs on router interfaces. What he said was that it's not widely done but there's no reason/restriction not to do it. Like if real estate is tight, i.e. interface ports. He said you typically put "a" VLAN on "a" interface even when those VLANs/interfaces connect to the same switch. For performance. No other reason.
Since my VLAN10 network is used so minimally it's not going to impact the performance on the other VLANs it's piggybacked on. If this works…
So I don't know where the "You would not put the same vlan tag on multiple interfaces on a router" comes from...
-
"You would not put the same vlan tag on multiple interfaces on a router"
Because its a different freaking layer 2… What part do you not get here??
If you use the same ID on different interfaces that are tied to different networks how do you know which one is which? Lets just name all the dogs "dog" when you say dog dig this cool trick today... Which one did you mean?
The vlan ID is nothing more than a label to call out a different layer 2.
I have eth0 and eth1, and I put vlan 10 on both of them.. it makes zero sense to do that... They are not the same layer 2... So what is the point of using 10 on both them.. Why not use something that makes a bit more sense for the ID> Like the 3rd octet in the address space used... This is very common practice..
"GUI on its default/native VLAN which happens to be VLAN10. That's Cisco's restriction not mine."
Huh?? There is no such restriction from cisco.. What switches are these.. Post up link from cisco or the manual from your switch were it says that..
-
I now work at a very large sprawling University with satellite buildings all around town networked in.
Sounds like you should be talking about VLANS over LACP to a stack of switches then, not tagging VLAN 10 on multiple interfaces to multiple isolated switches expecting the same "VLAN10" to be reachable on all of them.
I tapped thicknet too. This is all light-years better than that.
-
johnpoz: Settle down. I did not see your May 2 post. When I posted this morning I did not see this thread had a second page, the last post I saw was Derelict's good luck.
Look at any Cisco SG200 or SG300 manual. Here is Cisco's port definition: https://supportforums.cisco.com/t5/small-business-switches/general-vs-trunk-mode/td-p/2281870
General mode allows multiple untagged vlans and also multiple tagged vlans to exist on the same switch interface.
Trunk mode allows ONE untagged vlan and multiple Tagged vlans to exist on the same switch interface.
Access mode allows only one untagged vlan to exist on a switch interface.So using Trunk mode the ports that the router interfaces will connect to on the switches have VLAN10 on them untagged along with either VLAN20 tagged or VLAN30 tagged. I've been doing this with one untagged and even 2 or 3 tagged VLANs for years.
Basically every Trunk mode interface I use has VLAN10 untagged and the rest on it tagged so as to be able to manage the switches down-line. The switches are configured, for uniformity, that they can only be managed from the default VLAN which is VLAN10.
In Cisco's world using General mode you can put as many VLANs as you want on the interface along with a mixture of them being tagged and untagged. Although I don't know why you would want to do that but if I'm understanding you correctly you think that cannot be done at all.
Not wanting a borked configuration, I sketched out what I'm doing, actually what I have been doing for years with VLANs between switches minus the router and showed it to our Network Architect. He said there is nothing wrong with what I am doing now with the router. Along with the caveat it isn't normally done, separate ports would be used. But when ports are at a premium it's perfectly acceptable to do.
He also said it may not be best practices but did not say it was borked. I don't put much weight in best practices. Someone does something and writes a paper and calls it best practices. It may be for some, but not necessarily for all.
Derelict: I do have some bonded interfaces were I am using LACP but VLAN10 once again is low traffic. It can go days or weeks not even used if what is on it is not used or even powered up. And here again if I had the real estate to bind then the argument could be made to give the VLAN it's own interface…
If this doesn't work with pfSense then I won't have a choice, but until that is known this is Plan A. You can bet I'll let ya'll know... :-) Failure is how one learns...
-
You can lead a horse to water.
-
… VLAN10 ... low traffic ... days or weeks not even used ... or even powered up.
Didn't you say that your VLAN10 always is the management interface of your switches? Do you power down switches when there's no traffic?
Problem with the interfaces and VLANs in FreeBSD is the naming convention.
You have, say, eth0, eth1 and eth2. When you create a VLAN10 on each of them they are NOT all the same VLAN10. They will be eth0_vlan10, eth1_vlan10 and eth2_vlan10. You could as well name them vlan_10, vlan_0A and vlan_X (John, Paul and George would make Ringo jealous).
Now that you have created separate interfaces you have to bridge them somewhere, right?
A software router is the worst place for that.
Now imagine doing that with 10G/40G/100G switches - bridging those in software isn't even doable yet (will be with TNSR and SCLR, though) but doing it on the switch is a piece of cake.Got the picture and why some of the hero users here really dislike the idea?
-
Chris I understand what you're saying. However, on the other hand I have a Network Architect who I've know and worked with for over 15 years saying it's ok to do and it will work.
Also you are correct, I could name it anything, name means nothing, it's the number that is associated with the name that is important.
Take a look at the output from ifconfig below. First are the 3 physical interfaces, em2, 3, & 4. Below that are the virtual interfaces for each VLAN on each interface. Note there is a em2.10, and em3.10 and em4.10. Yes they are all different in name.
Look at the attributes for each of those .10 virtual interfaces, take note of the "vlan:" parameter, the VLAN tag, each is "10".
The way it was explained to me the ARP process will find the destination due to the VLAN being on the interface.
Unless you're saying that vlan number 10 on em2 is different then vlan number 10 on em3 etc. If that is the case then what is the sense of having vlans at all in pfSense if they don't traverse physical interfaces?
em2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=5209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso>ether 00:e0:67:05:ab:08
hwaddr 00:e0:67:05:ab:08
inet6 fe80::2e0:67ff:fe05:ab08%em2 prefixlen 64 scopeid 0x3
inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em3: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=5209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso>ether 00:e0:67:05:ab:09
hwaddr 00:e0:67:05:ab:09
inet6 fe80::2e0:67ff:fe05:ab09%em3 prefixlen 64 scopeid 0x4
inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em4: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=5209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso>ether 00:e0:67:05:ab:0a
hwaddr 00:e0:67:05:ab:0a
inet6 fe80::2e0:67ff:fe05:ab0a%em4 prefixlen 64 scopeid 0x5
inet 192.168.30.1 netmask 0xffffff00 broadcast 192.168.30.255
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: activeem2.10: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:08
inet6 fe80::2e0:67ff:fe05:ab08%em2.10 prefixlen 64 scopeid 0xb
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 10 vlanpcp: 0 parent interface: em2
groups: vlan
em2.20: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:08
inet6 fe80::2e0:67ff:fe05:ab08%em2.20 prefixlen 64 scopeid 0xc
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 20 vlanpcp: 0 parent interface: em2
groups: vlan
em3.10: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:09
inet6 fe80::2e0:67ff:fe05:ab09%em3.10 prefixlen 64 scopeid 0xd
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 10 vlanpcp: 0 parent interface: em3
groups: vlan
em3.20: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:09
inet6 fe80::2e0:67ff:fe05:ab09%em3.20 prefixlen 64 scopeid 0xe
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 20 vlanpcp: 0 parent interface: em3
groups: vlan
em4.10: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:0a
inet6 fe80::2e0:67ff:fe05:ab0a%em4.10 prefixlen 64 scopeid 0xf
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 10 vlanpcp: 0 parent interface: em4
groups: vlan
em4.30: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:0a
inet6 fe80::2e0:67ff:fe05:ab0a%em4.30 prefixlen 64 scopeid 0x10
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 30 vlanpcp: 0 parent interface: em4
groups: vlan</full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast> -
Unless you're saying that vlan number 10 on em2 is different then vlan number 10 on em3 etc. If that is the case then what is the sense of having vlans at all in pfSense if they don't traverse physical interfaces?
You have absolutely no clue what you are talking about.
Those will be different broadcast domains.
Look up that term. Learn something.
This has nothing to do with pfSense. All VLAN tagged interfaces on router ports behave the same way. You might look up the ISO model.
pfSense is NOT a switch. Those interfaces are NOT switch ports. No router interfaces are. That has been the point everyone has been trying to get you to understand this whole time.
-
^ what Derelict said.
Unless you're saying that vlan number 10 on em2 is different then vlan number 10 on em3 etc. If that is the case then what is the sense of having vlans at all in pfSense if they don't traverse physical interfaces?
That's what we're trying to tell you. They ARE different interfaces. John, Paul and George.
I don't care what an old man tells you to be fine in his world. I know that here it's not.And for the use of VLANs in pfSense - you didn't really ask what they are there for except for bridging, did you?
They are there for a good reason and I'm looking forward to your explanation after thinking about it. -
I have no idea to what old man you are refering. You are assuming without facts in evidence.
But,
To quote LT Pete "Maverick" Mitchell: Crash and Burn.
Ya'll can say I told ya so but I ain't giv'n up yet.
Too many times I was told it can't be done only to do it.
But I'm not holding my breath on this one.
I think I see an error in my ways so after I correct that there will be another rodeo…
-
Nobody is saying it can't be done.
People are saying it's a lousy, stupid, inefficient way to design a network.
Like I said way back there. Take ONE interface. Tag it with VLAN 10. Trunk it to a switch. Tag/Trunk VLAN 10 amongst your switches.
And you're done.
-
I have SG300… And yes you can only have 1 untagged vlan on an interface... That is not a cisco thing, that is networking thing ;) WTF does that have to do with management vlan having to be 10?? I have my managment vlan to be 9 on my 2 sg300's... The default managment vlan is 1 out of the box. And you can change it to any vlan you want.
What does that have to do with anything to be honest... you can access that via tagged or untagged.. As long as your on that vlan.. So again WTF does that have to do with anything? Also if your switch is in layer 3 mode, in the case of the sg300's you can manage it from any SVI you setup on any vlan..
Multiple untagged vlans on a interface would be moronic... It amounts to running multiple layer 3 on the same layer 2... Which sure you "can" do it - but nobody with any clue would ever do it. If that is what you want to do save yourself some money and just use dumb switches ;)
If you have your managment vlan set to 10.. And you want to be able to get to 10 from pfsense - then pfsense just has to have a connection to that network. Be it via untagged or tagged into your switching environment. It sure doesn't need multiple connections into it..
-
I have no idea to what old man you are refering. You are assuming without facts in evidence.
Man, you are nitpicking without reason. Make that "what an old colleague tells you" and get on. ::)
This is a networking class where phrasing is not rated.Does "that" guy/gal have any experience with the FreeBSD network stack or is that "switch knowledge" which leads to saying "it's ok to do and it will work" ?
-
Took 3 days. And long nights. But I done did it.
OPT1 Subnet 10 untagged to switch02
OPT2 Subnet 10 tagged Subnet 20 untagged to switch03
OPT3 Subnet 10 tagged Subnet 30 untagged to switch04It's a lousy, stupid, inefficient way in your opinion.
When ports are at a premium and you can do it in 1 port per switch instead of 2, I would say that IS efficient. There's no way I get even close to using up the available bandwidth so trunking is not an issue. And on the high traffic video links I do have I bond just to be on the safe side.
And below is a screen capture showing 3 untagged vlans on one interface (GE2) for those that say it can't be done. What good it does, I have no idea.
I came to this forum to see if this could be done and get help doing it. I just want to say thanks for all the help guys making this happen. Not.
Instead of getting help all I got was flack.
-
in your opinion.
One of the reasons I chose this field is there is not a lot of room for opinion - at least when it comes to design. There is pretty much right and wrong. I'll give you one guess as to which way I think this thread is going - in my opinion.
When ports are at a premium and you can do it in 1 port per switch instead of 2, I would say that IS efficient.
Switch ports are cheap. Router ports are expensive. You appear to be trying to put layer 3 below layer 2 which is nonsensical.
What good it does, I have no idea.
That much is obvious.
Good luck.
