Trunking VLANs on interfaces
-
Chris I understand what you're saying. However, on the other hand I have a Network Architect who I've know and worked with for over 15 years saying it's ok to do and it will work.
Also you are correct, I could name it anything, name means nothing, it's the number that is associated with the name that is important.
Take a look at the output from ifconfig below. First are the 3 physical interfaces, em2, 3, & 4. Below that are the virtual interfaces for each VLAN on each interface. Note there is a em2.10, and em3.10 and em4.10. Yes they are all different in name.
Look at the attributes for each of those .10 virtual interfaces, take note of the "vlan:" parameter, the VLAN tag, each is "10".
The way it was explained to me the ARP process will find the destination due to the VLAN being on the interface.
Unless you're saying that vlan number 10 on em2 is different then vlan number 10 on em3 etc. If that is the case then what is the sense of having vlans at all in pfSense if they don't traverse physical interfaces?
em2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=5209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso>ether 00:e0:67:05:ab:08
hwaddr 00:e0:67:05:ab:08
inet6 fe80::2e0:67ff:fe05:ab08%em2 prefixlen 64 scopeid 0x3
inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em3: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=5209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso>ether 00:e0:67:05:ab:09
hwaddr 00:e0:67:05:ab:09
inet6 fe80::2e0:67ff:fe05:ab09%em3 prefixlen 64 scopeid 0x4
inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em4: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=5209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso>ether 00:e0:67:05:ab:0a
hwaddr 00:e0:67:05:ab:0a
inet6 fe80::2e0:67ff:fe05:ab0a%em4 prefixlen 64 scopeid 0x5
inet 192.168.30.1 netmask 0xffffff00 broadcast 192.168.30.255
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: activeem2.10: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:08
inet6 fe80::2e0:67ff:fe05:ab08%em2.10 prefixlen 64 scopeid 0xb
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 10 vlanpcp: 0 parent interface: em2
groups: vlan
em2.20: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:08
inet6 fe80::2e0:67ff:fe05:ab08%em2.20 prefixlen 64 scopeid 0xc
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 20 vlanpcp: 0 parent interface: em2
groups: vlan
em3.10: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:09
inet6 fe80::2e0:67ff:fe05:ab09%em3.10 prefixlen 64 scopeid 0xd
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 10 vlanpcp: 0 parent interface: em3
groups: vlan
em3.20: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:09
inet6 fe80::2e0:67ff:fe05:ab09%em3.20 prefixlen 64 scopeid 0xe
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 20 vlanpcp: 0 parent interface: em3
groups: vlan
em4.10: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:0a
inet6 fe80::2e0:67ff:fe05:ab0a%em4.10 prefixlen 64 scopeid 0xf
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 10 vlanpcp: 0 parent interface: em4
groups: vlan
em4.30: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:0a
inet6 fe80::2e0:67ff:fe05:ab0a%em4.30 prefixlen 64 scopeid 0x10
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 30 vlanpcp: 0 parent interface: em4
groups: vlan</full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast> -
Unless you're saying that vlan number 10 on em2 is different then vlan number 10 on em3 etc. If that is the case then what is the sense of having vlans at all in pfSense if they don't traverse physical interfaces?
You have absolutely no clue what you are talking about.
Those will be different broadcast domains.
Look up that term. Learn something.
This has nothing to do with pfSense. All VLAN tagged interfaces on router ports behave the same way. You might look up the ISO model.
pfSense is NOT a switch. Those interfaces are NOT switch ports. No router interfaces are. That has been the point everyone has been trying to get you to understand this whole time.
-
^ what Derelict said.
Unless you're saying that vlan number 10 on em2 is different then vlan number 10 on em3 etc. If that is the case then what is the sense of having vlans at all in pfSense if they don't traverse physical interfaces?
That's what we're trying to tell you. They ARE different interfaces. John, Paul and George.
I don't care what an old man tells you to be fine in his world. I know that here it's not.And for the use of VLANs in pfSense - you didn't really ask what they are there for except for bridging, did you?
They are there for a good reason and I'm looking forward to your explanation after thinking about it. -
I have no idea to what old man you are refering. You are assuming without facts in evidence.
But,
To quote LT Pete "Maverick" Mitchell: Crash and Burn.
Ya'll can say I told ya so but I ain't giv'n up yet.
Too many times I was told it can't be done only to do it.
But I'm not holding my breath on this one.
I think I see an error in my ways so after I correct that there will be another rodeo…
-
Nobody is saying it can't be done.
People are saying it's a lousy, stupid, inefficient way to design a network.
Like I said way back there. Take ONE interface. Tag it with VLAN 10. Trunk it to a switch. Tag/Trunk VLAN 10 amongst your switches.
And you're done.
-
I have SG300… And yes you can only have 1 untagged vlan on an interface... That is not a cisco thing, that is networking thing ;) WTF does that have to do with management vlan having to be 10?? I have my managment vlan to be 9 on my 2 sg300's... The default managment vlan is 1 out of the box. And you can change it to any vlan you want.
What does that have to do with anything to be honest... you can access that via tagged or untagged.. As long as your on that vlan.. So again WTF does that have to do with anything? Also if your switch is in layer 3 mode, in the case of the sg300's you can manage it from any SVI you setup on any vlan..
Multiple untagged vlans on a interface would be moronic... It amounts to running multiple layer 3 on the same layer 2... Which sure you "can" do it - but nobody with any clue would ever do it. If that is what you want to do save yourself some money and just use dumb switches ;)
If you have your managment vlan set to 10.. And you want to be able to get to 10 from pfsense - then pfsense just has to have a connection to that network. Be it via untagged or tagged into your switching environment. It sure doesn't need multiple connections into it..
-
I have no idea to what old man you are refering. You are assuming without facts in evidence.
Man, you are nitpicking without reason. Make that "what an old colleague tells you" and get on. ::)
This is a networking class where phrasing is not rated.Does "that" guy/gal have any experience with the FreeBSD network stack or is that "switch knowledge" which leads to saying "it's ok to do and it will work" ?
-
Took 3 days. And long nights. But I done did it.
OPT1 Subnet 10 untagged to switch02
OPT2 Subnet 10 tagged Subnet 20 untagged to switch03
OPT3 Subnet 10 tagged Subnet 30 untagged to switch04It's a lousy, stupid, inefficient way in your opinion.
When ports are at a premium and you can do it in 1 port per switch instead of 2, I would say that IS efficient. There's no way I get even close to using up the available bandwidth so trunking is not an issue. And on the high traffic video links I do have I bond just to be on the safe side.
And below is a screen capture showing 3 untagged vlans on one interface (GE2) for those that say it can't be done. What good it does, I have no idea.
I came to this forum to see if this could be done and get help doing it. I just want to say thanks for all the help guys making this happen. Not.
Instead of getting help all I got was flack.
-
in your opinion.
One of the reasons I chose this field is there is not a lot of room for opinion - at least when it comes to design. There is pretty much right and wrong. I'll give you one guess as to which way I think this thread is going - in my opinion.
When ports are at a premium and you can do it in 1 port per switch instead of 2, I would say that IS efficient.
Switch ports are cheap. Router ports are expensive. You appear to be trying to put layer 3 below layer 2 which is nonsensical.
What good it does, I have no idea.
That much is obvious.
Good luck.
-
And below is a screen capture showing 3 untagged vlans on one interface (GE2) for those that say it can't be done.
Who said it can't be done? In the very most cases it just doesn't make sense to do.
Having said that, I actually have a scenario where it is needed in this way and I'm not kidding. It's an IP video distribution (Just Add Power, FWIW) where I even add and remove VLANs from ports on the fly with a Crestron control system via Telnet. This changes the channel shown nearly instantaneously.
-
And below is a screen capture showing 3 untagged vlans on one interface (GE2) for those that say it can't be done.
Who said it can't be done? In the very most cases it just doesn't make sense to do.
You did.
I have SG300… And yes you can only have 1 untagged vlan on an interface...
-
I am not johnpoz, don't mix that up either.
-
that was not him that was me..
You can put as many untagged vlans on a interface as you want.. The point is NO SANE person would do it.. Might as well just use a freaking dumb switch if your going to do such nonsense. Its the same as running multiple layer 3 on the same layer 2 which is just completely borked. The rest of that was stating its not a cisco thing but a networking thing.. So you didn't even grasp what the point of that was…
What exactly do you think you accomplished with this nonsense setup.. What you saved a switch port and tied up multiple router interfaces. And now bridging these interfaces on your firewall... Just utter pointless setup - so yeah WRONG!!!
You can also beer bong up your ass (butt chug).... Doesn't make it the "right" way to bong/drink a beer ;) heheheheh
Google Butt chug ;)Glad your happy with your config - its utter garbage.. Anyone working in networking would look at say WTF was this idiot thinking ;) But sure have fun with it.
-
You can also beer bong up your ass…. Doesn't make it the "right" way to bong a beer ;) heheheheh
Glad your happy with your config - its utter garbage.. Anyone working in networking would look at say WTF was this idiot thinking ;) But sure have fun with it.
Didn't sleep well last night?
…The point is NO SANE person would do it...
... Just utter pointless setup - so yeah WRONG!!!Sorry, no.
That's just your interpretation of something that doesn't make sense to you.
As I just wrote, there are scenarios where something like this is actually used very successfully.In BlankMan's scenario it can work with severe limitations but is way better solved otherwise.
No need to rage about it, it's BlankMan's install and BlankMan's routing speed which goes to hell. -
that was not him that was me..
You can put as many untagged vlans on a interface as you want.. The point is NO SANE person would do it.. Might as well just use a freaking dumb switch if your going to do such nonsense. Its the same as running multiple layer 3 on the same layer 2 which is just completely borked. The rest of that was stating its not a cisco thing but a networking thing.. So you didn't even grasp what the point of that was…
What exactly do you think you accomplished with this nonsense setup.. What you saved a switch port and tied up multiple router interfaces. And now bridging these interfaces on your firewall... Just utter pointless setup - so yeah WRONG!!!
You can also beer bong up your ass (butt chug).... Doesn't make it the "right" way to bong/drink a beer ;) heheheheh
Google Butt chug ;)Glad your happy with your config - its utter garbage.. Anyone working in networking would look at say WTF was this idiot thinking ;) But sure have fun with it.
Yeah sorry for the mix up. I was up till 4am getting this done as such I'm extremely tired.
johnpoz, you disagree with what I did. Fine. Your posts like these are of no value. If you cannot be helpful, courteous, encouraging, i.e. nice, then I would prefer you not post on my threads.
Just move on please…
-
I must say, our Network Architect here has been very supportive and provided encouragement for what I was trying to do. He rises to guru level.
Quite the opposite of the negativity and flack I received here. Not one of you provided any suggestions config wise on how to set this up in pfSense. So called all knowledgeable Hero Members here could not put aside their personal preferences, their opinions, and address the question at hand, how to do this in pfSense on the router.
Trunking multiple vlans on a single interface from switch to switch is done ad nauseum all over and seems to be acceptable to Hero Members. But my God, trunking multiple vlans on a single interface from a router to switch is verboten to Hero Members, we dare not talk about that…
My NA explained to me that not doing layer 2 on routers is old school because routers are designed and are more efficient at layer 3. But doing layer 2 on routers is perfectly fine. Yes routers are not as efficient and if you need to extract every minute bit of performance you would not do layer 2 on routers.
But I'm not there. My 6 Intel 82583V interface i3 2.4GHz 16GB DDR4-2133 250G mSata router will never be taxed by the additional layer 2 work it has to do.
He also mentioned that if cost was no object you would never do layer 2 on routers. But being a public University and answerable to the tax payers compromises have to be made. When interfaces are needed on routers and money in not available you may have to do layer 2 vlans on routers. He personally wouldn't being a perfectionist but in our environment may have to.
Put aside your personal preferences, your opinions, think outside your old school ways, think outside of the box and help people do what they ask.
Not what you would do. What they ask.
He also did mention that the Juniper routers that we currently use and make up our backbone are also built on FreeBSD. Just like pfSense. That was encouraging information and furthered my belief that I should be able to do this.
And guess what? I was right. Can I be a Hero Member now too? I'll put on a better front here, especially to new members, by being more helpful and courteous.
-
I must say that I usually don't feed the trolls but… If you know what and how to do it, why the hell are you asking for help?
-
But my God, trunking multiple vlans on a single interface from a router to switch is verboten to Hero Members, we dare not talk about that…
Nope. We all do exactly that. All over the place. Everywhere. Every day. No days off.
If that is what you are trying to do, your descriptions do not match the project requirements.
-
Yes tagging your vlans to isolate them when they have to run over the same wire is exactly the correct way to do it… The whole point of 802.1q or any of the other older protocols VTP, ISL, DTP... MVRP, GRVP etc. etc.. etc..
There are whole standards and protocols on how to keep your layer 2 isolated from other layer 2 when they run over the same wire..
Thought you said you been doing this for 40 years?
-
See. We all use VLAN tags to our Layer 2. That is what they are for.
What you do NOT see here is VLAN 10 on three different interfaces because that is just, well, horrible design, and, in that case, everything on VLAN10 will not be in the same broadcast domain so the stated goals I have (possibly incorrectly) deciphered will not work.
Tag VLAN 10 to your switching infrastructure ONCE. Use the switching infrastructure to create/propagate that broadcast domain to the switches that require it.
