pfSense to cisco 10gb



  • Hi,
    I just got into the office an Intel X550-T1 that I will install in my pfSense this evening instead of/or with an I350-T4.
    I was thinking of moving everything that is actually connected behind my SG350X switch:

    pfSense+vlan ---- 10GB ----- switch(layer2) ------- 1GB/vlans

    What would be the best solution here?

    Should I / can I set the MTU to 9000 between pfSense and the switch (layer 2) and 1500 from the switch to my device/server/PC?

    Would it be better to set the switch as layer 3 and manage the VLANs there? But that would make a double NAT, I suppose.
    pfSense ----10GB(vlan1 untagged only) --- switch (layer3)+vlan ---- 1GB/vlans

    Also, it would be interesting if there is a way to test this 10GB from pfSense to the switch?

    Any suggestions?



  • @kiokoman said in pfSense to cisco 10gb:

    Should I / can I set the MTU to 9000 between pfSense and the switch (layer 2) and 1500 from the switch to my device/server/PC?

    It won't do much good to have the 9000 MTU at one end only. Set everything on the network to the same MTU. Also, if you go with 9000, you'll have to connect WiFi through a router, rather than directly on the LAN, as it can't handle 9000 MTU.
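    As an added example (this is not code from the thread or from any poster): a POSIX shell script that tests the MTU part of the "is there a way to test this link" question above. It sends pings with the Don't Fragment bit set and binary-searches for the largest IPv4 packet that crosses unfragmented, which is exactly the check for the one-end-only mismatch described in the reply: pings at 1500 work while 9000-byte frames are silently dropped somewhere in between. It assumes the FreeBSD `ping` shipped with pfSense (`-D` sets DF) or Linux iputils `ping` (`-M do`); the target host is a placeholder you supply, and the `probe` function is kept separate so it can be swapped out when testing the search logic offline.

```shell
#!/bin/sh
# Added example, not from the thread. Find the largest IPv4 packet that
# reaches TARGET without fragmentation, using DF-marked pings.
# Assumes FreeBSD ping (pfSense) or Linux iputils ping.

# ICMP payload that produces a packet of a given IP MTU:
# 20-byte IPv4 header + 8-byte ICMP header are added by the stack.
payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# probe MTU HOST: exit 0 when one DF-marked packet of that MTU is answered.
probe() {
    mtu=$1
    host=$2
    size=$(payload_for_mtu "$mtu")
    case "$(uname -s)" in
        FreeBSD) ping -D -c 1 -W 1000 -s "$size" "$host" >/dev/null 2>&1 ;;
        Linux)   ping -M do -c 1 -W 1 -s "$size" "$host" >/dev/null 2>&1 ;;
        *)       echo "unsupported ping flavour: $(uname -s)" >&2; return 2 ;;
    esac
}

# pmtu_search HOST LO HI: print the largest MTU in [LO, HI] that probe()
# accepts. Invariant: LO is known good, HI is unknown. Prints 0 and fails
# when even LO does not get through.
pmtu_search() {
    host=$1
    lo=$2
    hi=$3
    probe "$lo" "$host" || { echo 0; return 1; }
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    probe "$hi" "$host" && lo=$hi
    echo "$lo"
}

# Usage: ./pmtu.sh TARGET [LO] [HI]   (defaults 1280..9000)
if [ "$#" -ge 1 ]; then
    echo "largest unfragmented MTU to $1: $(pmtu_search "$1" "${2:-1280}" "${3:-9000}")"
fi
```

    Run it from the pfSense shell against a host on the far side of the switch. A result of 1500 after you set 9000 on both pfSense and the switch port means something on the path (a switch port, a VLAN interface or the far host) still has the smaller MTU, and any larger frame is being dropped rather than fragmented. Raw throughput is a separate measurement that needs a traffic generator such as iperf3 between two hosts; this script only confirms the frame size the path really carries.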


  • Galactic Empire

    @JKnott said in pfSense to cisco 10gb:

    @kiokoman said in pfSense to cisco 10gb:

    Should I / can I set the MTU to 9000 between pfSense and the switch (layer 2) and 1500 from the switch to my device/server/PC?

    It won't do much good to have the 9000 MTU at one end only. Set everything on the network to the same MTU. Also, if you go with 9000, you'll have to connect WiFi through a router, rather than directly on the LAN, as it can't handle 9000 MTU.

    +1

    Re the "Would it be better to set the switch as layer 3 and manage the VLANs there? But that would make a double NAT, I suppose.
    pfSense ----10GB(vlan1 untagged only) --- switch (layer3)+vlan ---- 1GB/vlans"

    Just because you're thinking of creating SVI interfaces on the switch doesn't mean it will be doing NAT.

    You'd just need to put static routes on pfSense pointing to the handoff interface.

    How many 10GB interfaces does the switch have?



    The switch has 2 x RJ45 + 2 x SFP+ 10GB ports + 24 x 1000 ports.
    (image: sg350x-24-k9.jpg)

    But for the moment only pfSense has a network card able to do 10GB.


  • Netgate Administrator

    Is it only 10G between the switch and pfSense then?

    In that case you are probably adding complexity for little or no gain if the routed traffic is on the 1G switch ports.

    If you use the switch in Layer3 mode the traffic won't ever go across the 10G link.

    Interesting as an experiment only perhaps.

    Steve



    Yes, I'm experimenting. You know that I love it 😁
    But I think I will leave the switch as layer 2 for the moment at least. I love the DHCP server of pfSense and all the static IPs I've set. Plus it would be a pain to move the IPv6 tunnel from pfSense to the switch.
    I must wait for the weekend to adjust stuff better.



  • @kiokoman said in pfSense to cisco 10gb:

    Yes, I'm experimenting. You know that I love it

    I just tried experimenting with WiFi MTU. The most I could get is 2304, which is the max specified. Apparently there is some support for jumbo frames at 7935, but my ThinkPad won't do that.


  • Galactic Empire

    If you have loads of VLANs with firewall rules I'd suggest creating a trunk between your firewall and the switch, and let the router deal with the firewall task.

    ACLs are a pain in the arse to deal with on Cisco switches, if the 350x can even do ACLs.

    The only benefit you'll see would be if you were to connect something like a NAS to the second 10GB port IMO.



  • @JKnott said in pfSense to cisco 10gb:

    @kiokoman said in pfSense to cisco 10gb:

    Yes, I'm experimenting. You know that I love it

    I just tried experimenting with WiFi MTU. The most I could get is 2304, which is the max specified. Apparently there is some support for jumbo frames at 7935, but my ThinkPad won't do that.

    I did some more research on this. This is from "802.11n A Survival Guide" by Matthew Gast, page 41.

    "Frame Changes
    The 802.11 data frame is only slightly changed by 802.11n. Figure 5-1 shows the format of an 802.11 Data frame as modified by 802.11n. The major changes from the traditional 802.11n Data frame are the increase in size, the addition of the optional HT Control subfield, and the fact that the QoS Control field is utilized extensively in block acknowledgment. The payload of the MAC is increased about fourfold, which can be used to aggregate higher-layer frames together for efficiency."

    So this, if implemented, would provide better efficiency and could use jumbo frames. According to the book, there are 2 types of aggregation to support large frames. There is A-MSDU, which supports about 8 KB, and A-MPDU, about 64 KB. I expect the 7935 bytes I mentioned above would be A-MSDU.

    Matthew Gast is one of the IEEE 802.11 engineers.



    I've installed the card yesterday. All seems to work without problems. MTU is still set to 1500. To be honest I saw a not-that-high but noticeable increase in performance on my network: browsing the Cisco web interface and browsing the pfSense interface are more responsive. The routing is done from pfSense. I will experiment with MTU tomorrow since I work even on Saturday.



    Well, I can't set the MTU to 9000. The Raspberry Pi does not support an MTU greater than 1500, and I have one with Kodi that I use with my NAS and one configured as an NTP server.
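    An added example (not code from the thread or from any poster), following the conclusion the thread reaches: every member of an L2 segment has to agree on the MTU, so the lowest value any member supports (here the Raspberry Pis' 1500) is the effective MTU of the whole segment, and any host left at 9000 will have its large frames dropped by the others. The POSIX shell script below audits an inventory of `host interface mtu` lines and reports that effective value, the members that disagree with it, and any member below the 1280 minimum IPv6 needs (relevant because the segment also carries an IPv6 tunnel). The inventory is constructed for the example and the host names are hypothetical; in practice the values would be gathered from each host with `ip -o link show dev eth0` (Linux) or `ifconfig ix0` (FreeBSD/pfSense).

```shell
#!/bin/sh
# Added example, not from the thread. Audit the MTU of every member of one
# L2 segment and report what the segment can actually carry.
# Inventory format: one "host interface mtu" per line. The inventory below
# is constructed for the example; host names are hypothetical.
SAMPLE_INVENTORY='pfsense ix0 9000
sg350x te1/0/1 9000
nas eth0 9000
rpi-kodi eth0 1500
rpi-ntp eth0 1500'

# segment_mtu: the smallest MTU in the inventory (stdin). Any frame larger
# than this is dropped by at least one member, so it is the only safe value
# for the whole segment.
segment_mtu() {
    awk 'NR == 1 || $3 < min { min = $3 } END { print min }'
}

# mtu_outliers WANT: members (stdin) whose MTU differs from WANT.
mtu_outliers() {
    awk -v want="$1" '$3 != want { print $1, $2, $3 }'
}

# ipv6_too_small: members (stdin) below 1280, the minimum link MTU that
# IPv6 requires; such a host breaks IPv6 on the segment regardless of jumbo frames.
ipv6_too_small() {
    awk '$3 < 1280 { print $1, $2, $3 }'
}

# mtu_report: human-readable verdict for an inventory read from stdin.
mtu_report() {
    inv=$(cat)
    seg=$(printf '%s\n' "$inv" | segment_mtu)
    echo "effective segment MTU: $seg"
    over=$(printf '%s\n' "$inv" | mtu_outliers "$seg")
    if [ -n "$over" ]; then
        echo "members configured above the segment MTU (their large frames will be dropped):"
        printf '%s\n' "$over"
    else
        echo "all members agree"
    fi
    small=$(printf '%s\n' "$inv" | ipv6_too_small)
    if [ -n "$small" ]; then
        echo "members below the IPv6 minimum of 1280:"
        printf '%s\n' "$small"
    fi
}

printf '%s\n' "$SAMPLE_INVENTORY" | mtu_report
```

    With the constructed inventory the report names 1500 as the effective MTU and lists pfsense, sg350x and nas as the members that would need to come back down, which is the decision reached in this post. The symptom of leaving them at 9000 is the classic one: pings and small requests succeed while bulk transfers to the Pis stall, because only frames above 1500 bytes are lost.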

