No DHCP on pfSense VLAN with Cisco Smart Switch
-
@cannondale ok this would explain why not working..
Port : gi22
Port Mode:
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
20   VL20                             Untagged    S

Port : gi24
Port Mode:
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
10   VL10                             Untagged    S
Notice the
Ingress UnTagged VLAN ( NATIVE ): 1
This is the PVID.. So your untagged traffic coming into the switch from your device would be on vlan 1, so no it would never go out port 1 tagged for the vlan 10 or 20 on these ports.
And your ports would be egress untagged on 10 and 20 of these ports.. But the answer from pfsense on its lan for dhcp would be on vlan 1...
You should have been seeing the dhcp from these devices - just on the wrong dhcp server.
Port : gi1
Port Mode:
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
1    1                                Untagged    V
10   VL10                             Tagged      S
20   VL20                             Tagged      S
edit: notice one of my ports that I have a device on vlan 6, which is one that is tagged to pfsense, see the native vlan or pvid for that port is set to 6
sg300-28#show interfaces switchport gi18
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi18
Port Mode: Access
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 6
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
6    W_Guest                          Untagged    S
Also curious why all your ports mode is just blank
Port Mode:
It should be showing trunk or access.. see mine above for gi18, and then on the one that goes to my pfsense
sg300-28#show interfaces switchport gi5
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi5
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 2
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
2    Wlan                             Untagged    S
4    W_PSK                            Tagged      S
6    W_Guest                          Tagged      S
So your port 1 looks ok, other than the missing port mode that is odd. But your ports 22 and 24 should have the native vlan (pvid) set to vlan 10 and 20 etc..
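
The PVID check described in the post above, as an added example that is not part of the original thread: it parses SG300-style `show interfaces switchport` blocks and reports ports whose untagged ingress VLAN is not a VLAN they egress untagged. The sample is constructed from values quoted in the thread (one field per line, table header rows left out); the function names are hypothetical, and VLAN names are assumed to contain no spaces.

```python
import re

# Constructed sample: values taken from the outputs quoted in the thread,
# laid out one field per line (assumed layout); table header rows omitted.
SAMPLE = """\
Port : gi1
Port Mode:
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
1 1 Untagged V
10 VL10 Tagged S
20 VL20 Tagged S
Port : gi18
Port Mode: Access
Ingress UnTagged VLAN ( NATIVE ): 6
Port is member in:
6 W_Guest Untagged S
Port : gi24
Port Mode:
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
10 VL10 Untagged S
"""

PORT_RE = re.compile(r"^Port\s*:\s*(\S+)")
PVID_RE = re.compile(r"^Ingress UnTagged VLAN \( NATIVE \):\s*(\d+)")
MEMBER_RE = re.compile(r"^(\d+)\s+\S+\s+(Tagged|Untagged)\s+\S+")

def parse_ports(text):
    """Map port name -> {"pvid": int or None, "untagged": set, "tagged": set}."""
    ports, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := PORT_RE.match(line):
            cur = ports[m.group(1)] = {"pvid": None, "untagged": set(), "tagged": set()}
        elif cur and (m := PVID_RE.match(line)):
            cur["pvid"] = int(m.group(1))
        elif cur and (m := MEMBER_RE.match(line)):
            cur[m.group(2).lower()].add(int(m.group(1)))
    return ports

def pvid_mismatches(ports):
    """Ports whose PVID is not among the VLANs they egress untagged."""
    return {name: (p["pvid"], sorted(p["untagged"])) for name, p in ports.items()
            if p["untagged"] and p["pvid"] not in p["untagged"]}

if __name__ == "__main__":
    for port, (pvid, out) in pvid_mismatches(parse_ports(SAMPLE)).items():
        print(f"{port}: untagged frames enter VLAN {pvid} but leave untagged on {out}")
```

On the sample only gi24 is reported: frames from the device land in VLAN 1 while the port sends VLAN 10 untagged, so the two directions sit in different broadcast domains.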
-
@johnpoz said in No DHCP on pfSense VLAN with Cisco Smart Switch:
Notice the
Ingress UnTagged VLAN ( NATIVE ): 1
This is the PVID
I do not see where PVID is exposed in the GUI for Access Mode on the membership screen in order to modify.
@johnpoz said in No DHCP on pfSense VLAN with Cisco Smart Switch:
Also curious why all your ports mode is just blank
As marvosa previously mentions, it may be a Cisco firmware thing. The GUI shows "Access" for all ports except port 1, which is "Trunk".
Can the PVID be changed in the CLI?
-
@cannondale said in No DHCP on pfSense VLAN with Cisco Smart Switch:
Can the PVID be changed in the CLI?
I don't think so, not for an access port.. On my sg300 if I change the access port vlan it auto changes the pvid..
example here is port 28
sg300-28#sho interfaces switchport gi28
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi28
Port Mode: Access
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 10
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
10   disabled                         Untagged    S
If I then put in say vlan 6.. via the with the little arrows to remove it from 10 and add 6 while picking untagged..
sg300-28#sho interfaces switchport gi28
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi28
Port Mode: Access
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 6
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
6    W_Guest                          Untagged    S
You could try putting it in vlan 10 or 20 from the cli and see if that works..
example - here is me moving it back to 10
sg300-28#sho interfaces switchport gi28
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi28
Port Mode: Access
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 6
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
6    W_Guest                          Untagged    S
Forbidden VLANS:
Vlan Name
---- --------------------------------
Classification rules:
sg300-28#conf t
sg300-28(config)#int gi28
sg300-28(config-if)#switchport access vlan 10
sg300-28(config-if)#exit
sg300-28(config)#exit
sg300-28#sho interfaces switchport gi28
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi28
Port Mode: Access
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 10
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
10   disabled                         Untagged    S
Forbidden VLANS:
Vlan Name
---- --------------------------------
Classification rules:
sg300-28#
I don't really like that your gui doesn't show mode, nor the P that it has in its legends that should mark what the pvid is, etc. Maybe you want to roll back in the firmware.. Maybe there is something wrong with this firmware.. But it for sure is not going to work if untagged traffic coming from your device is going on to vlan 1 vs 10..
maybe you could just put 22 or 24 into trunk mode or general mode.. And be able to set the pvid, and just set vlan 10 or 20 to be untagged..
You might want to ask on the cisco forums.. I doubt you have support from cisco ;)
-
johnpoz, this is the output of sho interfaces switchport gi24 (VLAN10 port):
You are the expert here but it doesn't seem reasonable to not expose the PVID in the GUI for Access Mode ports if it is required for VLAN configuration.
-
@cannondale it doesn't need to be exposed really since an access port can only ever be in 1 vlan, and the pvid should be switched to the vlan you put the access port in.
But seems yours is not doing that..
Try toggling the vlan via cli and see if it switches the native (pvid). If it doesn't then it's borked for sure. Not just gui, and I would try rolling back to previous firmware.
A work around would be to put it in general mode where the pvid should be able to be changed.. or set to trunk with just using untagged for egress of vlan and native you can set..
Mine exposes in that it shows what the pvid is in the gui..
-
I would say that those differences what the switches are showing are caused by the different way that the firmwares show stuff.
My CBS250 switch shows config more or less the same way as Cannondale's and my network is working fine VLANs and all.
Also these so called business/small business switches don't have the full IOS and different generations seem to behave differently from each other...
-
Thanks for all your help johnpoz! You get the gold star for hanging in there on this issue!
I think I'll try to roll back the firmware as a first step.
When I acquired the switch, it had fw v2.4.0.94, which I upgraded to the latest (v2.5.9.16).
It's possible that it was not upgraded for a reason!
-
@mvikman said in No DHCP on pfSense VLAN with Cisco Smart Switch:
business switches don't have the full IOS
Very true - but its close enough that if you are cisco guy in the enterprise, its damn close ;)
The basics are all pretty much the same.. When I first got mine I didn't even use the gui, but figured what the hell it has it - lets give it a look see.
I do recall having impossible time trying to get the gui to load a ssl for https, had to do that from the cli.
-
@cannondale said in No DHCP on pfSense VLAN with Cisco Smart Switch:
I think I'll try to roll back the firmware as a first step.
Did you try just changing the vlan from the cli, maybe its just a bug in the gui, and if you change the vlan at the client it correctly sets the pvid.
Also prob look in the cisco forums - I will do a quick little gui now that we know its not changing the native vlan for access ports.
-
interface GigabitEthernet1
switchport mode trunk
switchport trunk allowed vlan 1,10,20
I'd remove vlan 1 from the allowed line on your trunk (Gi1).
Too many odd things that aren't adding up. Rolling back the firmware may work, but if it doesn't, I'd still recommend rebuilding the config from scratch from the cli. You'll likely save yourself countless hours of more troubleshooting.
-
Thanks for the suggestions guys! You both have given me some additional options to try.
-
@marvosa said in No DHCP on pfSense VLAN with Cisco Smart Switch:
I'd remove vlan 1 from the allowed line on your trunk (Gi1).
He is using that, as the native vlan.. Its just untagged so he wouldn't remove it.
-
Just an update. Successfully rolled the firmware back to v2.4.0.94.
This scrambled many of the previously configured settings in the switch so had to reconfirm everything to get back to where I was before the roll back. Unfortunately, the roll back did not change the PVID issue.
Changed port 24 (VLAN10) and port 22 (VLAN20) from Access to Trunk. Note that those are the only two options!
Ran show tech-support again (output of port 22 and 24 below). Both still show
Ingress UnTagged VLAN ( NATIVE ): 1

Classification rules:
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi22
Port Mode:
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
20   VL20                             Untagged    S
Forbidden VLANS:
Vlan Name
---- --------------------------------
Classification rules:
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi24
Port Mode:
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
10   VL10                             Untagged    S
Forbidden VLANS:
Vlan Name
---- --------------------------------
The output above is still not showing port mode so here is the output of "sho interfaces switchport" for gi24 and gi22:
Roth-SG250-50P-1#sho interfaces switchport gi24
Gathering information...
Name: gi24
Switchport: enable
Administrative Mode: trunk
Operational Mode: up
Access Mode VLAN: 10
Trunking Native Mode VLAN: 10
Trunking VLANs: 10
                2-9,11-19,21-4094 (Inactive)
General PVID: 1
General VLANs: none
General Egress Tagged VLANs: none
General Forbidden VLANs: none
General Ingress Filtering: enabled
General Acceptable Frame Type: all
General GVRP status: disabled
Customer Mode VLAN: none
Classification rules:
Roth-SG250-50P-1#sho interfaces switchport gi22
Gathering information...
Name: gi22
Switchport: enable
Administrative Mode: trunk
Operational Mode: down
Access Mode VLAN: 20
Trunking Native Mode VLAN: 20
Trunking VLANs: 20
                2-9,11-19,21-4094 (Inactive)
General PVID: 1
General VLANs: none
General Egress Tagged VLANs: none
General Forbidden VLANs: none
General Ingress Filtering: enabled
General Acceptable Frame Type: all
General GVRP status: disabled
Customer Mode VLAN: none
Next step is to rebuild the config from scratch from the cli as marvosa suggested.
Thanks again!
-
@johnpoz I don't have access to a Cisco SG-series switch.
-
@derelict NP - thanks for chiming in.. It was a shot, you and Steve normally have all kinds of stuff ;)
-
Thanks for trying to shake the trees johnpoz!
Started vlan config from scratch. Cleared all vlan config using GUI and only worked in the cli.
Clearing the vlan config using the GUI appears to leave remnant config information when doing the config via cli. Is there a way in cli to clear all vlan config for a particular vlan?
This is what I have so far:
Roth-SG250-50P-1(config)#do sho vlan
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN
Vlan Name Tagged Ports UnTagged Ports Created by
---- ----------------- ------------------ ------------------ ----------------
1 1 gi2-23,gi25-50, DV
Po1-4
10 AP-vl10 gi24 S
Roth-SG250-50P-1#do sho run int gi1
interface GigabitEthernet1
switchport mode trunk
switchport access vlan 10
switchport trunk allowed vlan 10
!
Roth-SG250-50P-1#do sho run int gi24
interface GigabitEthernet24
switchport access vlan 10
!
Roth-SG250-50P-1#sho interfaces switchport gi1
Name: gi1
Switchport: enable
Administrative Mode: trunk
Operational Mode: up
Access Mode VLAN: 10
Trunking Native Mode VLAN: 1 (Inactive)
Trunking VLANs: 10
General PVID: 1
General VLANs: none
General Egress Tagged VLANs: none
General Forbidden VLANs: none
General Ingress Filtering: enabled
General Acceptable Frame Type: all
General GVRP status: disabled
Customer Mode VLAN: none
Roth-SG250-50P-1#sho interfaces switchport gi24
Name: gi24
Switchport: enable
Administrative Mode: access
Operational Mode: up
Access Mode VLAN: 10
Trunking Native Mode VLAN: 1
Trunking VLANs: 1,10
                2-9,11-4094 (Inactive)
General PVID: 1
General VLANs: none
General Egress Tagged VLANs: none
General Forbidden VLANs: none
General Ingress Filtering: enabled
General Acceptable Frame Type: all
General GVRP status: disabled
Customer Mode VLAN: none
The one thing that looks odd to me is:
do sho run int gi1 shows: Trunking Native Mode VLAN: 1 (Inactive)
Does this output look correct?
-
@cannondale said in No DHCP on pfSense VLAN with Cisco Smart Switch:
Does this output look correct?
no not really..
What does your sho tech show for port gi24?
Name: gi24
Switchport: enable
Administrative Mode: access
Operational Mode: up
Access Mode VLAN: 10
Trunking Native Mode VLAN: 1
Trunking VLANs: 1,10
                2-9,11-4094 (Inactive)
General PVID: 1
For an access port - the native vlan should be the same as the vlan.
It is never going to work if inbound traffic into the port that is not tagged does not get put into vlan 10.
-
@johnpoz said in No DHCP on pfSense VLAN with Cisco Smart Switch:
What does your sho tech show for port gi24?
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi24
Port Mode:
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan Name                             Egress rule Added by
---- -------------------------------- ----------- ----------------
10   AP-vl10                          Untagged    S
Not good!
-
@cannondale said in No DHCP on pfSense VLAN with Cisco Smart Switch:
Not good!
Nope - this switch seems worse than the shit tplink when they wouldn't let you remove vlan 1..
Well time to start moving up the firmware releases from the one you're on now - maybe they had one that wasn't broken..
-
@johnpoz said in No DHCP on pfSense VLAN with Cisco Smart Switch:
this switch seems worse than the shit tplink when they wouldn't let you remove vlan 1
LOL
I flashed the firmware back to the latest version before starting the cli-based config.
I’m thinking it's time to move on from this switch. Not worth the many hours invested for such a simple task!
I always thought highly of Cisco switches but this one has caused me to sour on the brand a bit!
Is there another brand / model smart poe switch that you would suggest I research?