VLAN question for noob moving from Cisco ASA
-
@xyzzyz said in VLAN question for noob moving from Cisco ASA:
Or am I missing something here?
Yeah why and the hell are you bridging interfaces??
-
@johnpoz said in VLAN question for noob moving from Cisco ASA:
@xyzzyz said in VLAN question for noob moving from Cisco ASA:
Or am I missing something here?
Yeah why and the hell are you bridging interfaces??
To be honest, I wasn't really looking to bridge the interfaces but it seems like I might need to to accomplish what I'm trying to accomplish.
Or I guess I could go buy an extra switch or two but I'd rather not waste the empty ports on the PF box and have more power draw in the already toasty equipment closet.
-
They are not wasted, use them as uplinks for you vlans...
Looks like you have 7 vlans there.. I don't get the bridging of those interfaces...
-
@xyzzyz
Hi, you're mixing something up here.The bridge runs on top of A SINGLE VLAN. That's it. That has nothing to do with how many VLANs you can assign to a network interface. It's, from the bottom up: NIC -> VLAN -> Bridge.
What is still not clear here is the ASA configuration.
Let's go with one VLAN:
The 802.1q VLAN is on multiple interfaces. Are those interfaces connected to the same layer 2 network that is then managed through STP to not produce loops?
Are the ports tagged on the outside or untagged?
Does the ASA have an IP-Address per member in the same VLAN?
Does the ASA bridge the same VLAN together and have the IP on the bridge?
Once we know this, we can talk about LAGG and similar things.
Cu
-
@johnpoz Sorry, that was just a fictitious example to show how I cannot mix-and-match VLANs on different interfaces like I currently do my Cisco ASA. I was trying to avoid boring everyone with the gory details of the full setup. But just in case, here it is:
VLANs:
VLAN 2 - WAN
VLAN 10 - Work
VLAN 11 - Personal
VLAN 12 - Printers
VLAN 15 - Guest Wi-Fi (SSID #1)
VLAN 16 - Guest Wi-Fi (SSID #2)
VLAN 99 - Management (ie, for IPMI ports on servers, management interfaces on WAPs, etc)VLAN 10 can talk to 2, 11 and 12. My main workstation on VLAN 10 can also talk to 99.
VLAN 11 can talk to 2 and 12.
VLAN 12 can't talk to anything.
VLAN 15 can talk to 2.
VLAN 16 can talk to 2.
VLAN 99 can't talk to anything.Interfaces:
Int 1 (VLANs: 2) - This is the WAN connection.
Int 2 (VLANs: 10-12, 15, 16, 99) - Trunk to a 24-port switch which connects to another one. The vast majority of my network traffic stays on these 2 switches. Of the subset that goes through the ASA, this interface is the busiest.
Int 3 (VLANs: 99) - If I have problems with the switches, I an temporarily connect a laptop here.
Int 4 (VLANs: 15-16, 99) - WAP #1. I direct connected both WAPs to the ASA because (a) it has PoE, (b) I had open ports and didn't want to tie up the trunk. Wireless devices get assigned to IPs on VLANs 15 and 16. The management interface is on VLAN 99.
Int 5 (VLANs: 15-16, 99) - WAP #2. Same as above.I'm open to any suggestions!
-
So your not bridging interfaces... Good! ;)
Why would you put vlan on multiple physical interfaces? If you did that - that would be done on a lagg, not a bridge.
edit:
Wait you do have same vlans on multiple physical interfaces from what you show... WTF??? You don't have those all bridged do you? What box are you running pfsense on, does it have switch ports? Are those switch ports, or interfaces? -
@johnpoz said in VLAN question for noob moving from Cisco ASA:
So your not bridging interfaces... Good! ;)
Why would you put vlan on multiple physical interfaces? If you did that - that would be done on a lagg, not a bridge.
edit:
Wait you do have same vlans on multiple physical interfaces from what you show... WTF??? You don't have those all bridged do you? What box are you running pfsense on, does it have switch ports? Are those switch ports, or interfaces?The example I provided is the current setup on my Cisco ASA. While I didn't explicitly setup bridges, I suspect there's some sort of bridge happening automatically at the VLAN level. For example, if I connect a laptop to ASA Interface 3 using VLAN 99, it can talk to VLAN 99 devices connected to switches connected to ASA Interface 2 as if my laptop was connected to the same switch.
As for why the same VLAN would show up in different ports, the VLAN 99 for management is a good example why I would want that. I have dedicated IPMI ports for my servers connected to the switches downstream of ASA Interface 2. I also have management interfaces on the two WAPs, which each directly connect to ASA Interfaces 4 and 5. It's really nice having all of my management things on a single VLAN so I can lock it down.
Another good example would be the two WAPs. They both support the same two SSIDs (one is for 2.4 GHz, the other is for 5 GHz). The SSIDs use VLANs 15 and 16. So, I have both VLAN 15 and 16 on the two WAP ports.
I hope this makes sense. Thank for your help!
-
Hi,
sorry for my late reply. One has to sleep every now and then ;-P
As I thought those interfaces are bridged. That's usually something you should leave to the switches. As the ASA is both that's something that is ok in the current setup but should be avoided later on.
So what you should do is configure the VLANs on the other switches and interconnect them and then just connect your future firewall to those switches or to one switch with the VLANs all on one interface or distributed over multiple interfaces.
If you need link aggregation, try to keep it away from the firewall itself and use it on the switches. It's basically a math game that you have to play.
I got gigabit interwebtubez coming in on the firewall, so I don't need 2gbit/s out or even more. There's just no reason for it, as the slowest part here is the interwebz and it will never get faster than that.
If you want to have routing between the VLANs, then you can do that via the firewall and use multiple interfaces for it, Like one VLAN per interface. If you DO NOT NEED traffic shaping later on, e.g. for VoIP, then it's fine to use LAGGs.
Cisco switches are able to distribute the 802.1q VLANs via their own protocol. Same goes with trunks, where I'd use LACP.
I'd also setup some [R|V]STP on the switches/vlans so that loops are prevented. In bigger environments, e.g. going over multiple buildings, I usually create rings that are stopped at some point via [R|V]STP. But I do not know the whole setup you got there, so it's a bit hard to actually help you. It would also help to know how much traffic you actually got going on on each VLAN so that you could either distribute it via multiple GBit/s NICs or just get one or more 10GBit/s NICs to help you out.
I always prefer one 10GBit/s connection over a trunk of GBit/s connections, but again it's a math game you have to play.
In times where you get systems like this one [1] for a fair price, there's always a solution on the hardware side...
Cu
[1] - https://www.supermicro.com/products/system/1U/5018/SYS-5018A-FTN4.cfm
-
@Grimeton, thank you VERY much for taking the time to provide very detailed and helpful information.
If it wasn't for the two cases where I connect the WAPs to the ASA, my setup would basically the classic "router on a stick". My trunk feeds switch #1, which feeds switch #2. Pretty simple.
The current ASA has 100 mbit ports so putting the WAPs on one of the switches would be painful. Specifically, that trunk between the ASA and the 1st switch would be carrying the WAP-to-WAN traffic plus the local traffic routing between VLANs.
However, the pfSense box I'm building will have at least 2 SFP+ ports. As a result, I'll have plenty of bandwidth to put everything on the switches. So I think I'll take your advice and steer clear of bridges on pfSense.
With regards to [R|V]STP and its variants, I have a basic understanding of what they do. But if I have a relatively simple router -> switch -> switch setup, do you think I need to implement STP (beyond whatever might be automatically enabled)?
Thanks again!
-
I think the ASA does do some sort of bridging called BVI interface.
https://www.petenetlive.com/KB/Article/0001422
I used to have a ASA 5506 and used the "same-security-traffic permit inter-interface" command. Googling it I found the Kb article above.
So If you are using BVI interfaces with VLANs you'll be able to talk across the physical interfaces...
i just re-read 100Mbit + PoE , so you must have a 5505. However BVI is available on the 5505, too.
-
@xyzzyz You will only need some kind of STP if you create a ring.
It can be used to recognize topology change so that the switches can bridge packets over a different interface once one "route" (it's not an L3 route), goes down.
So you primarily need it to avoid loops.
If you have a simple setup, there's not really a need for it, especially as STP is rather slow and without RSTP you won't have a lot of fun.
Cu
-
@gcu_greyarea, @Grimeton - Thanks for both of your responses!
One (hopefully last) question...
On the ASA, the WAN port used VLAN 2. I think this was required on the ASA because the IPv4 info is set up at the VLAN level. Also keeping in mind the ASA's bridging model, I think this was needed to keep WAN traffic off the other ports. There definitely was not any ISP requirement that I use a specific VLAN.
My question: On my pfSense replacement for the ASA, is there any advantage to setting up a VLAN for the WAN port?
-
@xyzzyz No. Only if your ISP is using tagged vlans for different services like VoiP or IPTV, etc.
-
@xyzzyz said in VLAN question for noob moving from Cisco ASA:
My question: On my pfSense replacement for the ASA, is there any advantage to setting up a VLAN for the WAN port?
No.