Pfsense cannot see VLAN 30 traffic
-
I have been running pfsense for quite a while; many thanks for a great product.
I have a pfsense box deployed in a large L2 network with 3 VLANs. The pfsense box is an older Dell desktop with 2 NICs in it. One NIC goes upstream to our ISP router, the other goes to a trunked port on a Cisco 2948g switch, which farms it out to the rest of the VLANs:
- VLAN 10: staff VLAN. Can do just about anything, including go upstream (to our ISP/internet). pfsense is 10.10.0.1/16.
- VLAN 20: public VLAN. Can only go out to the internet. pfsense is 10.20.0.1/16.
- VLAN 30: infrastructure VLAN. For networking gear; effectively isolated from all other networks. pfsense is 10.30.0.1/16.
As implied above, pfsense should be able to see all 3 VLANs – i.e., I have the 3 VLANs defined in pfsense and assigned to the interface that connects down to the Cisco switch. Here's the output from ifconfig on the pfsense box:
```
[2.0.3-RELEASE][admin@pfsense.coe]/root(12): ifconfig
rl0: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
        options=8<vlan_mtu>
        ether 00:c0:a8:8f:4a:dd
        inet6 fe80::2c0:a8ff:fe8f:4add%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.1.155 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=43<performnud,accept_rtadv>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em0: flags=8943<up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
        options=209b<rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>
        ether 00:1b:21:c7:13:9e
        inet6 fe80::21b:21ff:fec7:139e%em0 prefixlen 64 scopeid 0x2
        nd6 options=43<performnud,accept_rtadv>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<pointopoint,simplex,multicast> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
pflog0: flags=100<promisc> metric 0 mtu 33200
enc0: flags=0<> metric 0 mtu 1536
lo0: flags=8049<up,loopback,running,multicast> metric 0 mtu 16384
        options=3<rxcsum,txcsum>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        nd6 options=43<performnud,accept_rtadv>
em0_vlan10: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
        options=3<rxcsum,txcsum>
        ether 00:1b:21:c7:13:9e
        inet6 fe80::2c0:a8ff:fe8f:4add%em0_vlan10 prefixlen 64 scopeid 0x8
        inet 10.10.0.1 netmask 0xffff0000 broadcast 10.10.255.255
        nd6 options=43<performnud,accept_rtadv>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 10 parent interface: em0
em0_vlan20: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
        options=3<rxcsum,txcsum>
        ether 00:1b:21:c7:13:9e
        inet6 fe80::2c0:a8ff:fe8f:4add%em0_vlan20 prefixlen 64 scopeid 0x9
        inet 10.20.0.1 netmask 0xffff0000 broadcast 10.20.255.255
        nd6 options=43<performnud,accept_rtadv>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 20 parent interface: em0
em0_vlan30: flags=8943<up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
        options=3<rxcsum,txcsum>
        ether 00:1b:21:c7:13:9e
        inet6 fe80::2c0:a8ff:fe8f:4add%em0_vlan30 prefixlen 64 scopeid 0xa
        inet 10.30.0.1 netmask 0xffff0000 broadcast 10.30.255.255
        nd6 options=43<performnud,accept_rtadv>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 30 parent interface: em0
[2.0.3-RELEASE][admin@pfsense.coe]/root(13):
```
From a machine on the 10 VLAN, I can ssh/https to pfsense (i.e., it works fine).
From the 20 VLAN, I have firewall rules to block ssh/https access to pfsense, but allow all other traffic to/from pfsense (e.g., DHCP).
From the 30 VLAN, I should be able to ssh/https to pfsense, but I can never seem to get through. And if I ssh to pfsense from the 10 VLAN, I should be able to ssh out to the 30 VLAN, but I can't – pfsense does not seem to see any VLAN 30 traffic at all. For example, when I ssh into pfsense in two terminals (from the 10 VLAN), if I type "ssh 10.30.0.8" in one terminal while running "tcpdump -vvv -i em0_vlan30" in the other, here's what I see from the tcpdump:
```
[2.0.3-RELEASE][admin@pfsense.coe]/root(9): tcpdump -vv -i em0_vlan30
tcpdump: listening on em0_vlan30, link-type EN10MB (Ethernet), capture size 96 bytes
15:47:42.593394 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.30.0.8 tell infrastructure-proxy.example.com, length 28
15:47:45.593049 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.30.0.8 tell infrastructure-proxy.example.com, length 28
...etc.
```
Nothing ever replies from the 30 VLAN/10.30.x.x subnet.
If I "ping 10.30.255.255" on pfsense, I get no replies. If I "ping 10.30.255.255" from the 30 VLAN, I get replies back from everything except the pfsense box.
In general, it seems like there is some kind of disconnect between the pfsense 30 VLAN and the actual 30 VLAN: no traffic seems to be flowing between the two.
I'm fairly confident that I have the Cisco 2948g setup right to trunk the port that the pfsense plugs into. Indeed, pfsense works fine on VLAN 10 and 20 on that switchport. It's just VLAN 30 that doesn't seem to work right.
I honestly don't know if this is a pfsense firewall problem or not, but I figured I'd initially ask here. I'll attach my pfsense config for completeness (my domain name changed to example.com for anonymity reasons).
config-pfsense.coe-20130818155052.xml.txt
-
Bump.
-
Could you post your Cisco configuration as well?
-
Yes, here's the config for my Cisco 2948g switch. The pfsense is on port 2/6:
```
coe-2948g-eh> (enable) show running-config all
begin
!
# ***** ALL (DEFAULT and NON-DEFAULT) CONFIGURATION *****
!
!
#time: Sun Aug 18 2013, 20:51:14 EDT
!
#version 8.4(2)GLX
!
!
#system web interface version(s)
set password scrubbed
set enablepass scrubbed
set prompt Console>
set length 24 default
set logout 20
set config mode binary
set banner motd ^C scrubbed ^C
!
#test
set test diaglevel complete
!
#dot1x
set dot1x system-auth-control enable
set dot1x quiet-period 60
set dot1x tx-period 30
set dot1x shutdown-timeout 300
set dot1x supp-timeout 30
set dot1x server-timeout 30
set dot1x max-req 2
set dot1x re-authperiod 3600
set feature dot1x-radius-keepalive disable
!
#errordetection
set errordetection inband disable
set errordetection memory disable
!
#system
set system baud 9600
set system modem disable
set system name coe-2948g-eh
set system location scrubbed
set system contact scrubbed
set system countrycode US
set traffic monitor 100
set feature log-command enable
set feature loop-detect enable
!
#power
set power budget 1
!
#Inlinepower
set inlinepower defaultallocation 15400
!
#frame distribution method
set port channel all distribution mac both
!
#mac address reduction
set spantree macreduction enable
!
#default portcost mode
set spantree defaultcostmode short
!
#snmp
set snmp community read-only public
set snmp community read-write private
set snmp community read-write-all secret
set snmp rmon disable
set snmp rmonmemory 85
set snmp disable
set snmp trap disable module
set snmp trap disable chassis
set snmp trap disable bridge
set snmp trap disable vtp
set snmp trap disable vlancreate
set snmp trap disable vlandelete
set snmp trap disable auth
set snmp trap disable entityfru
set snmp trap disable ippermit
set snmp chassis-alias
set snmp buffer 40
set snmp trap disable vmps
set snmp trap disable entity
set snmp trap disable config
set snmp trap disable stpx
set snmp trap disable syslog
set snmp trap disable system
set snmp trap disable envfan
set snmp trap disable envpower
set snmp trap disable envtemp
set snmp trap disable envstate
set snmp trap disable macnotification
!
#tacacs+
set tacacs attempts 3
set tacacs directedrequest disable
set tacacs timeout 5
!
#radius
set radius deadtime 0
set radius timeout 5
set radius retransmit 2
set radius attribute framed-ip-address include-in-access-req disable
!
#kerberos
!
#authentication
set authentication login tacacs disable console
set authentication login tacacs disable telnet
set authentication login tacacs disable http
set authentication enable tacacs disable console
set authentication enable tacacs disable telnet
set authentication enable tacacs disable http
set authentication login radius disable console
set authentication login radius disable telnet
set authentication login radius disable http
set authentication enable radius disable console
set authentication enable radius disable telnet
set authentication enable radius disable http
set authentication login local enable console
set authentication login local enable telnet
set authentication login local enable http
set authentication enable local enable console
set authentication enable local enable telnet
set authentication enable local enable http
set authentication login kerberos disable console
set authentication login kerberos disable telnet
set authentication login kerberos disable http
set authentication enable kerberos disable console
set authentication enable kerberos disable telnet
set authentication enable kerberos disable http
set authentication login attempt 3 console
set authentication login attempt 3 telnet
set authentication login lockout 0 console
set authentication login lockout 0 telnet
set authentication enable attempt 3 console
set authentication enable attempt 3 telnet
set authentication enable lockout 0 console
set authentication enable lockout 0 telnet
!
#Local User
set localuser authentication disable
!
#stp mode
set spantree mode rapid-pvst
!
#vtp
set vtp domain coe-vtp-domain
set vtp mode transparent unknown
set vtp mode off vlan
set vtp version 1
set vtp pruneeligible 2-1000
clear vtp pruneeligible 1001-1005
set vlan 10 name staff type ethernet mtu 1500 said 10010 state active
set vlan 20 name public type ethernet mtu 1500 said 10020 state active
set vlan 30 name coe-infrastructure type ethernet mtu 1500 said 100030 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active stp ibm
set vlan 1
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active mode srb aremaxhop 7 stemaxhop 7 backupcrf off
!
#dot1q-all-tagged
set dot1q-all-tagged disable
!
#ip
set feature mdg enable
set feature psync-recovery no-powerdown
set interface sc0 30 10.30.0.8/255.255.0.0 10.30.255.255
set interface sc0 up
set interface trap sc0 disable
set interface sl0 0.0.0.0 0.0.0.0
set interface sl0 down
set interface trap sl0 disable
set interface me1 0.0.0.0 0.0.0.0 0.0.0.0
set interface me1 down
set interface trap me1 disable
set arp agingtime 1200
set ip redirect enable
set ip unreachable enable
set ip fragmentation enable
set ip alias default 0.0.0.0
!
#command alias
!
#vmps
set vmps server retry 3
set vmps server reconfirminterval 60
set vmps downloadmethod tftp
set vmps downloadserver 0.0.0.0 vmps-config-database.1
set vmps state disable
!
#rcp
set rcp username
!
#dns
set ip dns server 10.30.0.1 primary
set ip dns disable
!
#spantree
#spantree global defaults
set spantree global-default portfast disable
set spantree global-default loop-guard disable
#portfast
set spantree global-default bpdu-guard disable
set spantree global-default bpdu-filter disable
#bpdu-skewing
set spantree bpdu-skewing disable
#MST (IEEE 802.1s)
set spantree fwddelay 15 mst
set spantree hello 2 mst
set spantree maxage 20 mst
set spantree mst maxhops 20
set spantree priority 32768 mst
set spantree priority 32768 mst 1
set spantree priority 32768 mst 2
set spantree priority 32768 mst 3
set spantree priority 32768 mst 4
set spantree priority 32768 mst 5
set spantree priority 32768 mst 6
set spantree priority 32768 mst 7
set spantree priority 32768 mst 8
set spantree priority 32768 mst 9
set spantree priority 32768 mst 10
set spantree priority 32768 mst 11
set spantree priority 32768 mst 12
set spantree priority 32768 mst 13
set spantree priority 32768 mst 14
set spantree priority 32768 mst 15
#MST Configuration
set spantree mst config rollback force
set spantree mst config name revision 0
set spantree mst 0 vlan 1-4094
set spantree mst config commit
#uplinkfast groups
set spantree uplinkfast disable
#backbonefast
set spantree backbonefast disable
#vlan <vlanid>
#vlan(defaults)
set spantree enable 1,10,20,30
set spantree fwddelay 15 1,10,20,30
set spantree hello 2 1,10,20,30
set spantree maxage 20 1,10,20,30
set spantree priority 32768 1,10,20,30
!
#cgmp
set cgmp disable
set cgmp leave disable
set cgmp fastleave disable
!
#syslog
set logging console enable
set logging telnet enable
set logging server disable
set logging level cdp 4 default
set logging level mcast 2 default
set logging level dtp 5 default
set logging level dvlan 2 default
set logging level earl 2 default
set logging level ip 3 default
set logging level pruning 2 default
set logging level snmp 2 default
set logging level spantree 2 default
set logging level sys 5 default
set logging level tac 2 default
set logging level tcp 2 default
set logging level telnet 2 default
set logging level tftp 2 default
set logging level vtp 2 default
set logging level vmps 2 default
set logging level kernel 2 default
set logging level filesys 2 default
set logging level mgmt 5 default
set logging level mls 5 default
set logging level protfilt 2 default
set logging level security 2 default
set logging level radius 2 default
set logging level udld 4 default
set logging level gvrp 2 default
set logging level qos 3 default
set logging level ethc 5 default
set logging level inlinepower 2 default
set logging server facility LOCAL7
set logging server severity 4
set logging timestamp enable
set logging buffer 500
set logging history 1
set logging history severity 4
!
#ntp
set ntp broadcastclient disable
set ntp broadcastdelay 3000
set ntp client disable
set ntp authentication disable
set ntp server 10.30.0.1
set timezone EDT 0 0
set summertime enable EDT
set summertime recurring
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000-k9.8-4-2-GLX.bin
!
#permit list
set ip permit disable telnet
set ip permit disable ssh
set ip permit disable snmp
!
#permanent arp entries
!
#protocolfilter
set protocolfilter disable
!
#standby ports
set standbyports disable
!
#vlan mapping
!
#gmrp
set gmrp disable
!
#garp
set garp timer all 200 600 10000
!
#cdp
set cdp interval 60
set cdp holdtime 180
set cdp enable
set cdp version v2
set cdp format device-id other
!
#qos
set qos disable
set qos defaultcos 0
set qos map 2q1t 1 1 cos 0-1
set qos map 2q1t 1 1 cos 2-3
set qos map 2q1t 1 1 cos 4-5
set qos map 2q1t 1 1 cos 6-7
!
#udld
set udld disable
set udld interval 15
!
#LACP channel
set lacp-channel system-priority 32768
!
#channelprotocol
set channelprotocol pagp 2
!
#port channel
set port channel 2/18 67
set port channel 2/1-4 159
set port channel 2/5-8 160
set port channel 2/9-12 161
set port channel 2/13-16 162
set port channel 2/17,2/19-20 163
set port channel 2/21-24 164
set port channel 2/25-28 165
set port channel 2/29-32 166
set port channel 2/33-36 167
set port channel 2/37-40 168
set port channel 2/41-44 169
set port channel 2/45-48 170
set port channel 2/49-52 171
!
#accounting
set accounting exec disable
set accounting connect disable
set accounting system disable
set accounting commands disable
set accounting suppress null-username disable
set accounting update new-info
!
#errdisable timeout
set errdisable-timeout disable other
set errdisable-timeout disable udld
set errdisable-timeout disable bpdu-guard
set errdisable-timeout disable channel-misconfig
set errdisable-timeout disable nostatic-power
set errdisable-timeout interval 300
!
#http configuration
set ip http server disable
set ip http port 80
!
#crypto key
set crypto key rsa 2048
!
#multicast filter
set igmp filter disable
!
#module 1 : 0-port Switching Supervisor
set module name 1
!
#module 2 : 52-port 10/100/1000 Ethernet
set module name 2
set module enable 2
set vlan 1 2/49-52
set vlan 10 2/1,2/5,2/7,2/9,2/11,2/13,2/15,2/17-48
set vlan 20 2/2
set vlan 30 2/3-4,2/6,2/8,2/10,2/12,2/14,2/16
set port auxiliaryvlan 2/1-52 none
set port enable 2/1-17,2/29-52
set port disable 2/18-28
set port level 2/1-52 normal
set port speed 2/1-15,2/17-48 auto
set port speed 2/16 100
set port clock 2/1-48 auto
set port duplex 2/16 half
set port trap 2/1-52 disable
set port name 2/1 VLAN 10
set port name 2/2 VLAN 20
set port name 2/3 VLAN 30
set port name 2/4 Cisco 2950
set port name 2/5 server
set port name 2/6 pfsense firewall
set port name 2/7 Printer
set port name 2/8 Wifi shot
set port name 2/9 printer
set port name 2/10 Aironet
set port name 2/11 copier
set port name 2/12 Aironet
set port name 2/13 server
set port name 2/14 Aironet
set port name 2/15 server
set port name 2/16 Aironet
set port name 2/17 Server
set port name 2/29 Available
set port name 2/30 Available
set port name 2/31 Available
set port name 2/32 Desktop
set port name 2/33 Available
set port name 2/18-28,2/34-52
set port security 2/1-52 disable age 0 maximum 1 shutdown 0 unicast-flood enable violation shutdown
set port dot1x 2/1-52 port-control force-authorized
set port dot1x 2/1-52 multiple-host disable
set port dot1x 2/1-52 shutdown-timeout disable
set port dot1x 2/1-52 re-authentication disable
set port dot1x 2/1-52 guest-vlan none
set port membership 2/1-52 static
set port protocol 2/1-52 ip on
set port protocol 2/1-52 ipx auto
set port protocol 2/1-52 group auto
set port negotiation 2/49-52 enable
set port flowcontrol 2/1-52 send desired
set port flowcontrol 2/1-52 receive off
set port vtp enable 2/1-52
set cdp enable 2/1-52
set udld disable 2/1-48
set udld aggressive-mode disable 2/1-52
set trunk 2/1 off dot1q 1-1005,1025-4094
set trunk 2/2 off dot1q 1-1005,1025-4094
set trunk 2/3 off dot1q 1-1005,1025-4094
set trunk 2/4 on dot1q 1-1005,1025-4094
set trunk 2/5 off dot1q 1-1005,1025-4094
set trunk 2/6 on dot1q 1-1005,1025-4094
set trunk 2/7 off dot1q 1-1005,1025-4094
set trunk 2/8 on dot1q 1-1005,1025-4094
set trunk 2/9 off dot1q 1-1005,1025-4094
set trunk 2/10 on dot1q 1-1005,1025-4094
set trunk 2/11 off dot1q 1-1005,1025-4094
set trunk 2/12 on dot1q 1-1005,1025-4094
set trunk 2/13 off dot1q 1-1005,1025-4094
set trunk 2/14 on dot1q 1-1005,1025-4094
set trunk 2/15 off dot1q 1-1005,1025-4094
set trunk 2/16 on dot1q 1-1005,1025-4094
set trunk 2/17 off dot1q 1-1005,1025-4094
set trunk 2/18 off dot1q 1-1005,1025-4094
set trunk 2/19 off dot1q 1-1005,1025-4094
set trunk 2/20 off dot1q 1-1005,1025-4094
set trunk 2/21 off dot1q 1-1005,1025-4094
set trunk 2/22 off dot1q 1-1005,1025-4094
set trunk 2/23 off dot1q 1-1005,1025-4094
set trunk 2/24 off dot1q 1-1005,1025-4094
set trunk 2/25 off dot1q 1-1005,1025-4094
set trunk 2/26 off dot1q 1-1005,1025-4094
set trunk 2/27 off dot1q 1-1005,1025-4094
set trunk 2/28 off dot1q 1-1005,1025-4094
set trunk 2/29 off dot1q 1-1005,1025-4094
set trunk 2/30 off dot1q 1-1005,1025-4094
set trunk 2/31 off dot1q 1-1005,1025-4094
set trunk 2/32 off dot1q 1-1005,1025-4094
set trunk 2/33 off dot1q 1-1005,1025-4094
set trunk 2/34 off dot1q 1-1005,1025-4094
set trunk 2/35 off dot1q 1-1005,1025-4094
set trunk 2/36 off dot1q 1-1005,1025-4094
set trunk 2/37 off dot1q 1-1005,1025-4094
set trunk 2/38 off dot1q 1-1005,1025-4094
set trunk 2/39 off dot1q 1-1005,1025-4094
set trunk 2/40 off dot1q 1-1005,1025-4094
set trunk 2/41 off dot1q 1-1005,1025-4094
set trunk 2/42 off dot1q 1-1005,1025-4094
set trunk 2/43 off dot1q 1-1005,1025-4094
set trunk 2/44 off dot1q 1-1005,1025-4094
set trunk 2/45 off dot1q 1-1005,1025-4094
set trunk 2/46 off dot1q 1-1005,1025-4094
set trunk 2/47 off dot1q 1-1005,1025-4094
set trunk 2/48 off dot1q 1-1005,1025-4094
set trunk 2/49 auto dot1q 1-1005,1025-4094
set trunk 2/50 auto dot1q 1-1005,1025-4094
set trunk 2/51 auto dot1q 1-1005,1025-4094
set trunk 2/52 auto dot1q 1-1005,1025-4094
set spantree portfast 2/1-52 default
set spantree bpdu-filter 2/1-52 default
set spantree bpdu-guard 2/1-52 default
set spantree link-type 2/1-52 auto
set spantree portpri 2/1-52 32 mst
set spantree portinstancepri 2/1 0 mst
set spantree portinstancepri 2/2 0 mst
set spantree portinstancepri 2/3 0 mst
set spantree portinstancepri 2/4 0 mst
set spantree portinstancepri 2/5 0 mst
set spantree portinstancepri 2/6 0 mst
set spantree portinstancepri 2/7 0 mst
set spantree portinstancepri 2/8 0 mst
set spantree portinstancepri 2/9 0 mst
set spantree portinstancepri 2/10 0 mst
set spantree portinstancepri 2/11 0 mst
set spantree portinstancepri 2/12 0 mst
set spantree portinstancepri 2/13 0 mst
set spantree portinstancepri 2/14 0 mst
set spantree portinstancepri 2/15 0 mst
set spantree portinstancepri 2/16 0 mst
set spantree portinstancepri 2/17 0 mst
set spantree portinstancepri 2/18 0 mst
set spantree portinstancepri 2/19 0 mst
set spantree portinstancepri 2/20 0 mst
set spantree portinstancepri 2/21 0 mst
set spantree portinstancepri 2/22 0 mst
set spantree portinstancepri 2/23 0 mst
set spantree portinstancepri 2/24 0 mst
set spantree portinstancepri 2/25 0 mst
set spantree portinstancepri 2/26 0 mst
set spantree portinstancepri 2/27 0 mst
set spantree portinstancepri 2/28 0 mst
set spantree portinstancepri 2/29 0 mst
set spantree portinstancepri 2/30 0 mst
set spantree portinstancepri 2/31 0 mst
set spantree portinstancepri 2/32 0 mst
set spantree portinstancepri 2/33 0 mst
set spantree portinstancepri 2/34 0 mst
set spantree portinstancepri 2/35 0 mst
set spantree portinstancepri 2/36 0 mst
set spantree portinstancepri 2/37 0 mst
set spantree portinstancepri 2/38 0 mst
set spantree portinstancepri 2/39 0 mst
set spantree portinstancepri 2/40 0 mst
set spantree portinstancepri 2/41 0 mst
set spantree portinstancepri 2/42 0 mst
set spantree portinstancepri 2/43 0 mst
set spantree portinstancepri 2/44 0 mst
set spantree portinstancepri 2/45 0 mst
set spantree portinstancepri 2/46 0 mst
set spantree portinstancepri 2/47 0 mst
set spantree portinstancepri 2/48 0 mst
set spantree portinstancepri 2/49 0 mst
set spantree portinstancepri 2/50 0 mst
set spantree portinstancepri 2/51 0 mst
set spantree portinstancepri 2/52 0 mst
set spantree portcost 2/1-52 20000 mst
set spantree portinstancecost 2/1 cost 19999 mst
set spantree portinstancecost 2/2 cost 19999 mst
set spantree portinstancecost 2/3 cost 19999 mst
set spantree portinstancecost 2/4 cost 19999 mst
set spantree portinstancecost 2/5 cost 19999 mst
set spantree portinstancecost 2/6 cost 19999 mst
set spantree portinstancecost 2/7 cost 19999 mst
set spantree portinstancecost 2/8 cost 19999 mst
set spantree portinstancecost 2/9 cost 19999 mst
set spantree portinstancecost 2/10 cost 19999 mst
set spantree portinstancecost 2/11 cost 19999 mst
set spantree portinstancecost 2/12 cost 19999 mst
set spantree portinstancecost 2/13 cost 19999 mst
set spantree portinstancecost 2/14 cost 19999 mst
set spantree portinstancecost 2/15 cost 19999 mst
set spantree portinstancecost 2/16 cost 19999 mst
set spantree portinstancecost 2/17 cost 19999 mst
set spantree portinstancecost 2/18 cost 19999 mst
set spantree portinstancecost 2/19 cost 19999 mst
set spantree portinstancecost 2/20 cost 19999 mst
set spantree portinstancecost 2/21 cost 19999 mst
set spantree portinstancecost 2/22 cost 19999 mst
set spantree portinstancecost 2/23 cost 19999 mst
set spantree portinstancecost 2/24 cost 19999 mst
set spantree portinstancecost 2/25 cost 19999 mst
set spantree portinstancecost 2/26 cost 19999 mst
set spantree portinstancecost 2/27 cost 19999 mst
set spantree portinstancecost 2/28 cost 19999 mst
set spantree portinstancecost 2/29 cost 19999 mst
set spantree portinstancecost 2/30 cost 19999 mst
set spantree portinstancecost 2/31 cost 19999 mst
set spantree portinstancecost 2/32 cost 19999 mst
set spantree portinstancecost 2/33 cost 19999 mst
set spantree portinstancecost 2/34 cost 19999 mst
set spantree portinstancecost 2/35 cost 19999 mst
set spantree portinstancecost 2/36 cost 19999 mst
set spantree portinstancecost 2/37 cost 19999 mst
set spantree portinstancecost 2/38 cost 19999 mst
set spantree portinstancecost 2/39 cost 19999 mst
set spantree portinstancecost 2/40 cost 19999 mst
set spantree portinstancecost 2/41 cost 19999 mst
set spantree portinstancecost 2/42 cost 19999 mst
set spantree portinstancecost 2/43 cost 19999 mst
set spantree portinstancecost 2/44 cost 19999 mst
set spantree portinstancecost 2/45 cost 19999 mst
set spantree portinstancecost 2/46 cost 19999 mst
set spantree portinstancecost 2/47 cost 19999 mst
set spantree portinstancecost 2/48 cost 19999 mst
set spantree portinstancecost 2/49 cost -1 mst
set spantree portinstancecost 2/50 cost -1 mst
set spantree portinstancecost 2/51 cost -1 mst
set spantree portinstancecost 2/52 cost -1 mst
set spantree portcost 2/4-5,2/8,2/10,2/12,2/14-16 19
set spantree portcost 2/1-2,2/7,2/9,2/17-31,2/33-37,2/39,2/41-45,2/47 100
set spantree portcost 2/3,2/6,2/11,2/13,2/32,2/38,2/40,2/46,2/48-52 4
set spantree portpri 2/1-52 32
set spantree portvlanpri 2/1 0
set spantree portvlanpri 2/2 0
set spantree portvlanpri 2/3 0
set spantree portvlanpri 2/4 0
set spantree portvlanpri 2/5 0
set spantree portvlanpri 2/6 0
set spantree portvlanpri 2/7 0
set spantree portvlanpri 2/8 0
set spantree portvlanpri 2/9 0
set spantree portvlanpri 2/10 0
set spantree portvlanpri 2/11 0
set spantree portvlanpri 2/12 0
set spantree portvlanpri 2/13 0
set spantree portvlanpri 2/14 0
set spantree portvlanpri 2/15 0
set spantree portvlanpri 2/16 0
set spantree portvlanpri 2/17 0
set spantree portvlanpri 2/18 0
set spantree portvlanpri 2/19 0
set spantree portvlanpri 2/20 0
set spantree portvlanpri 2/21 0
set spantree portvlanpri 2/22 0
set spantree portvlanpri 2/23 0
set spantree portvlanpri 2/24 0
set spantree portvlanpri 2/25 0
set spantree portvlanpri 2/26 0
set spantree portvlanpri 2/27 0
set spantree portvlanpri 2/28 0
set spantree portvlanpri 2/29 0
set spantree portvlanpri 2/30 0
set spantree portvlanpri 2/31 0
set spantree portvlanpri 2/32 0
set spantree portvlanpri 2/33 0
set spantree portvlanpri 2/34 0
set spantree portvlanpri 2/35 0
set spantree portvlanpri 2/36 0
set spantree portvlanpri 2/37 0
set spantree portvlanpri 2/38 0
set spantree portvlanpri 2/39 0
set spantree portvlanpri 2/40 0
set spantree portvlanpri 2/41 0
set spantree portvlanpri 2/42 0
set spantree portvlanpri 2/43 0
set spantree portvlanpri 2/44 0
set spantree portvlanpri 2/45 0
set spantree portvlanpri 2/46 0
set spantree portvlanpri 2/47 0
set spantree portvlanpri 2/48 0
set spantree portvlanpri 2/49 0
set spantree portvlanpri 2/50 0
set spantree portvlanpri 2/51 0
set spantree portvlanpri 2/52 0
set spantree portvlancost 2/1 cost 99
set spantree portvlancost 2/2 cost 99
set spantree portvlancost 2/3 cost 3
set spantree portvlancost 2/4 cost 18
set spantree portvlancost 2/5 cost 18
set spantree portvlancost 2/6 cost 3
set spantree portvlancost 2/7 cost 99
set spantree portvlancost 2/8 cost 18
set spantree portvlancost 2/9 cost 99
set spantree portvlancost 2/10 cost 18
set spantree portvlancost 2/11 cost 3
set spantree portvlancost 2/12 cost 18
set spantree portvlancost 2/13 cost 3
set spantree portvlancost 2/14 cost 18
set spantree portvlancost 2/15 cost 18
set spantree portvlancost 2/16 cost 18
set spantree portvlancost 2/17 cost 99
set spantree portvlancost 2/18 cost 99
set spantree portvlancost 2/19 cost 99
set spantree portvlancost 2/20 cost 99
set spantree portvlancost 2/21 cost 99
set spantree portvlancost 2/22 cost 99
set spantree portvlancost 2/23 cost 99
set spantree portvlancost 2/24 cost 99
set spantree portvlancost 2/25 cost 99
set spantree portvlancost 2/26 cost 99
set spantree portvlancost 2/27 cost 99
set spantree portvlancost 2/28 cost 99
set spantree portvlancost 2/29 cost 99
set spantree portvlancost 2/30 cost 99
set spantree portvlancost 2/31 cost 99
set spantree portvlancost 2/32 cost 3
set spantree portvlancost 2/33 cost 99
set spantree portvlancost 2/34 cost 99
set spantree portvlancost 2/35 cost 99
set spantree portvlancost 2/36 cost 99
set spantree portvlancost 2/37 cost 99
set spantree portvlancost 2/38 cost 3
set spantree portvlancost 2/39 cost 99
set spantree portvlancost 2/40 cost 3
set spantree portvlancost 2/41 cost 99
set spantree portvlancost 2/42 cost 99
set spantree portvlancost 2/43 cost 99
set spantree portvlancost 2/44 cost 99
set spantree portvlancost 2/45 cost 99
set spantree portvlancost 2/46 cost 3
set spantree portvlancost 2/47 cost 99
set spantree portvlancost 2/48 cost 3
set spantree portvlancost 2/49 cost 3
set spantree portvlancost 2/50 cost 3
set spantree portvlancost 2/51 cost 3
set spantree portvlancost 2/52 cost 3
set spantree guard default 2/1-52
set port gvrp 2/1-52 disable
set gvrp registration normal 2/1-52
set gvrp applicant normal 2/1-52
set port gmrp 2/1-52 enable
set gmrp registration normal 2/1-52
set gmrp fwdall disable 2/1-52
set port debounce 2/1 disable
set port debounce 2/2 disable
set port debounce 2/3 disable
set port debounce 2/4 disable
set port debounce 2/5 disable
set port debounce 2/6 disable
set port debounce 2/7 disable
set port debounce 2/8 disable
set port debounce 2/9 disable
set port debounce 2/10 disable
set port debounce 2/11 disable
set port debounce 2/12 disable
set port debounce 2/13 disable
set port debounce 2/14 disable
set port debounce 2/15 disable
set port debounce 2/16 disable
set port debounce 2/17 disable
set port debounce 2/18 disable
set port debounce 2/19 disable
set port debounce 2/20 disable
set port debounce 2/21 disable
set port debounce 2/22 disable
set port debounce 2/23 disable
set port debounce 2/24 disable
set port debounce 2/25 disable
set port debounce 2/26 disable
set port debounce 2/27 disable
set port debounce 2/28 disable
set port debounce 2/29 disable
set port debounce 2/30 disable
set port debounce 2/31 disable
set port debounce 2/32 disable
set port debounce 2/33 disable
set port debounce 2/34 disable
set port debounce 2/35 disable
set port debounce 2/36 disable
set port debounce 2/37 disable
set port debounce 2/38 disable
set port debounce 2/39 disable
set port debounce 2/40 disable
set port debounce 2/41 disable
set port debounce 2/42 disable
set port debounce 2/43 disable
set port debounce 2/44 disable
set port debounce 2/45 disable
set port debounce 2/46 disable
set port debounce 2/47 disable
set port debounce 2/48 disable
set port debounce 2/49 disable
set port debounce 2/49 delay 0
set port debounce 2/50 disable
set port debounce 2/50 delay 0
set port debounce 2/51 disable
set port debounce 2/51 delay 0
set port debounce 2/52 disable
set port debounce 2/52 delay 0
set port unicast-flood 2/1-52 enable
set port errdisable-timeout 2/1-52 enable
set cam notification added disable 2/1-52
set cam notification removed disable 2/1-52
set port channel 2/1-52 mode auto silent
!
#switch port analyzer
!
#cam
set cam agingtime 1,10,20,30 300
set cam notification disable
set cam notification interval 1
set cam notification historysize 1
!
#gvrp
set gvrp dynamic-vlan-creation disable
set gvrp disable
!
#authorization
set authorization exec disable console
set authorization exec disable telnet
set authorization enable disable console
set authorization enable disable telnet
set authorization commands disable console
set authorization commands disable telnet
end
coe-2948g-eh> (enable)
```
Any insight you can provide would be great; thanks.
-
I won't pretend to know much about configuring a 2948, as I've never touched one - but I'm a little confused on why you're configuring your VLANs as such:
```
set vlan 10 2/1,2/5,2/7,2/9,2/11,2/13,2/15,2/17-48
set vlan 20 2/2
set vlan 30 2/3-4,2/6,2/8,2/10,2/12,2/14,2/16
```
Does this not set those as access ports? If I understand CatOS correctly, this would be setting the PVID of 2/6 to VLAN 30, when I assume you want that traffic tagged. Check your em0 interface (no VLAN, untagged traffic) to see if your intended traffic is heading in untagged.
Again, I have never messed with CatOS and this is just speculation. If it works differently than I think, feel free to correct me.
PS: I do see that you're setting it as a trunk port at…
```
set trunk 2/6 on dot1q 1-1005,1025-4094
```
…but it seems to me you're inadvertently setting the PVID by using
```
set vlan 30 2/6
```
PPS: I'm pretty sure that your fix here would be just `set vlan 1 2/6`.
-
As I understand it, that setting only affects untagged/native traffic. I.e., if any untagged traffic is seen on the port, the switch will tag it with VLAN 30.
I unfortunately can't try removing this setting until I'm on-site (since I can't reach the Cisco gear from the pfsense, I can't do anything remotely). I'll try removing this setting in about 2 weeks when I'm on-site. Thanks for the suggestion.
-
@timthetortoise: you were totally right. This Cisco switch is different than my other switches; it was tagging all traffic on that port. Removing it from VLAN 30 (i.e., putting it in VLAN 1) solved the issue.
Thanks for the suggestion!
-
Glad to hear it, I know that CatOS has some things that don't really make sense compared to IOS.
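
The fault diagnosed in this thread, as an added example that is not part of the original posts: a Python check that reads CatOS `set vlan` / `set trunk` lines and reports any VLAN a firewall expects tagged that is instead the trunk port's native VLAN, which an 802.1Q trunk sends untagged unless `dot1q-all-tagged` is enabled. The config excerpt is copied from the switch config posted above; the function names and the `expected` mapping are assumptions made for this example.

```python
import re

# Excerpt of the CatOS config posted in the thread (only the lines this check reads).
SAMPLE_CONFIG = """\
set dot1q-all-tagged disable
set vlan 1 2/49-52
set vlan 10 2/1,2/5,2/7,2/9,2/11,2/13,2/15,2/17-48
set vlan 20 2/2
set vlan 30 2/3-4,2/6,2/8,2/10,2/12,2/14,2/16
set trunk 2/1 off dot1q 1-1005,1025-4094
set trunk 2/4 on dot1q 1-1005,1025-4094
set trunk 2/6 on dot1q 1-1005,1025-4094
"""

# Trunk modes that force trunking; auto/desirable depend on negotiation
# with the peer and are treated as "not a forced trunk" here.
FORCED_TRUNK_MODES = {"on", "nonegotiate"}

NOT_TRUNK = "port is not a forced trunk"
NOT_ALLOWED = "VLAN not in the trunk's allowed list"
NATIVE_UNTAGGED = "native VLAN, sent untagged"


def expand_ports(spec):
    """Expand a CatOS port list such as '2/3-4,2/6' into ['2/3', '2/4', '2/6']."""
    ports = []
    for item in spec.split(","):
        module, _, rng = item.partition("/")
        first, _, last = rng.partition("-")
        for n in range(int(first), int(last or first) + 1):
            ports.append(f"{module}/{n}")
    return ports


def vlan_in_list(vlan, spec):
    """True if vlan falls inside a list such as '1-1005,1025-4094'."""
    for item in spec.split(","):
        first, _, last = item.partition("-")
        if int(first) <= vlan <= int(last or first):
            return True
    return False


def parse_catos(config):
    """Collect per-port native VLAN, trunk settings and the all-tagged flag."""
    state = {"native": {}, "trunks": {}, "all_tagged": False}
    for raw in config.splitlines():
        line = raw.strip()
        # 'set vlan <id> <ports>' assigns the port VLAN; on a trunk that is
        # the native VLAN. Later lines override earlier ones for a port.
        m = re.fullmatch(r"set vlan (\d+) (\d+/[\d,/-]+)", line)
        if m:
            for port in expand_ports(m.group(2)):
                state["native"][port] = int(m.group(1))
            continue
        m = re.fullmatch(r"set trunk (\d+/\d+) (\S+) dot1q ([\d,-]+)", line)
        if m:
            state["trunks"][m.group(1)] = (m.group(2), m.group(3))
            continue
        m = re.fullmatch(r"set dot1q-all-tagged (enable|disable)", line)
        if m:
            state["all_tagged"] = m.group(1) == "enable"
    return state


def find_tagging_problems(config, expected):
    """expected maps a switch port to the VLAN IDs its peer expects tagged."""
    state = parse_catos(config)
    problems = []
    for port in sorted(expected):
        mode, allowed = state["trunks"].get(port, ("off", ""))
        native = state["native"].get(port, 1)  # ports default to VLAN 1
        for vlan in sorted(expected[port]):
            if mode not in FORCED_TRUNK_MODES:
                problems.append((port, vlan, NOT_TRUNK))
            elif not vlan_in_list(vlan, allowed):
                problems.append((port, vlan, NOT_ALLOWED))
            elif vlan == native and not state["all_tagged"]:
                problems.append((port, vlan, NATIVE_UNTAGGED))
    return problems


if __name__ == "__main__":
    # pfsense on port 2/6 has tagged sub-interfaces for VLANs 10, 20 and 30.
    pfsense = {"2/6": {10, 20, 30}}
    print("as posted:", find_tagging_problems(SAMPLE_CONFIG, pfsense))
    # The fix from the thread: move the port's native VLAN back to 1.
    fixed = SAMPLE_CONFIG + "set vlan 1 2/6\n"
    print("after fix:", find_tagging_problems(fixed, pfsense))
```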