Pfsense cannot see VLAN 30 traffic



  • I have been running pfsense for quite a while; many thanks for a great product.

    I have a pfsense box deployed in a large L2 network with 3 VLANs.  The pfsense box is an older Dell desktop with 2 NICs in it.  One NIC goes upstream to our ISP router, the other goes to a trunked port on a Cisco 2948g switch, which farms it out to the rest of the VLANs:

    • VLAN 10: staff VLAN.  Can do just about anything, including go upstream (to our ISP/internet).  pfsense is 10.10.0.1/16.
    • VLAN 20: public VLAN.  Can only go out to the internet.  pfsense is 10.20.0.1/16.
    • VLAN 30: infrastructure VLAN.  For networking gear; effectively isolated from all other networks.  pfsense is 10.30.0.1/16.

    As implied above, pfsense should be able to see all 3 VLANs – i.e., I have the 3 VLANs defined in pfsense and assigned to the interface that connects down to the Cisco switch.  Here's the output from ifconfig on the pfsense box:

    [2.0.3-RELEASE][admin@pfsense.coe]/root(12): ifconfig
    rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=8<VLAN_MTU>
    	ether 00:c0:a8:8f:4a:dd
    	inet6 fe80::2c0:a8ff:fe8f:4add%rl0 prefixlen 64 scopeid 0x1
    	inet 192.168.1.155 netmask 0xffffff00 broadcast 192.168.1.255
    	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
    	media: Ethernet autoselect (100baseTX <full-duplex>)
    	status: active
    em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    	ether 00:1b:21:c7:13:9e
    	inet6 fe80::21b:21ff:fec7:139e%em0 prefixlen 64 scopeid 0x2
    	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pfsync0: flags=0<> metric 0 mtu 1460
    	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    pflog0: flags=100<PROMISC> metric 0 mtu 33200
    enc0: flags=0<> metric 0 mtu 1536
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    	options=3<RXCSUM,TXCSUM>
    	inet 127.0.0.1 netmask 0xff000000
    	inet6 ::1 prefixlen 128
    	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
    em0_vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=3<RXCSUM,TXCSUM>
    	ether 00:1b:21:c7:13:9e
    	inet6 fe80::2c0:a8ff:fe8f:4add%em0_vlan10 prefixlen 64 scopeid 0x8
    	inet 10.10.0.1 netmask 0xffff0000 broadcast 10.10.255.255
    	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    	vlan: 10 parent interface: em0
    em0_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=3<RXCSUM,TXCSUM>
    	ether 00:1b:21:c7:13:9e
    	inet6 fe80::2c0:a8ff:fe8f:4add%em0_vlan20 prefixlen 64 scopeid 0x9
    	inet 10.20.0.1 netmask 0xffff0000 broadcast 10.20.255.255
    	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    	vlan: 20 parent interface: em0
    em0_vlan30: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=3<RXCSUM,TXCSUM>
    	ether 00:1b:21:c7:13:9e
    	inet6 fe80::2c0:a8ff:fe8f:4add%em0_vlan30 prefixlen 64 scopeid 0xa
    	inet 10.30.0.1 netmask 0xffff0000 broadcast 10.30.255.255
    	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    	vlan: 30 parent interface: em0
    [2.0.3-RELEASE][admin@pfsense.coe]/root(13):
    

    From a machine on the 10 VLAN, I can ssh/https to pfsense (i.e., it works fine).

    From the 20 VLAN, I have firewall rules to block ssh/https access to pfsense, but allow all other traffic to/from pfsense (e.g., DHCP).

    From the 30 VLAN, I should be able to ssh/https to pfsense, but I can never seem to get through.  And if I ssh to pfsense from the 10 VLAN, I should be able to ssh out to the 30 VLAN, but I can't – pfsense does not seem to see any VLAN 30 traffic at all.  For example, when I ssh into pfsense in two terminals (from the 10 VLAN), if I type "ssh 10.30.0.8" in one terminal while running "tcpdump -vvv -i em0_vlan30" in the other, here's what I see from the tcpdump:

    [2.0.3-RELEASE][admin@pfsense.coe]/root(9): tcpdump -vv -i em0_vlan30
    tcpdump: listening on em0_vlan30, link-type EN10MB (Ethernet), capture size 96 bytes
    15:47:42.593394 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.30.0.8 tell infrastructure-proxy.example.com, length 28
    15:47:45.593049 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.30.0.8 tell infrastructure-proxy.example.com, length 28
    ...etc.
    

    Nothing ever replies from the 30 VLAN/10.30.x.x subnet.

    If I "ping 10.30.255.255" on pfsense, I get no replies.  If I "ping 10.30.255.255" from the 30 VLAN, I get replies back from everything except the pfsense box.

    In general, it seems like there is some kind of disconnect between the pfsense 30 VLAN and the actual 30 VLAN: no traffic seems to be flowing between the two.

    I'm fairly confident that I have the Cisco 2948g setup right to trunk the port that the pfsense plugs into.  Indeed, pfsense works fine on VLAN 10 and 20 on that switchport.  It's just VLAN 30 that doesn't seem to work right.

    I honestly don't know if this is a pfsense firewall problem or not, but I figured I'd initially ask here.  I'll attach my pfsense config for completeness (my domain name changed to example.com for anonymity reasons).
    config-pfsense.coe-20130818155052.xml.txt
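Editor's note (added example, not part of the thread and not pfSense or Cisco tooling): the capture above on em0_vlan30 shows only pfSense's own ARP requests, which is what a FreeBSD vlan(4) sub-interface looks like when no frame carrying its tag ever arrives. The CatOS config posted further down the thread contains three lines worth reading together: `set vlan 30 2/3-4,2/6,...` (port 2/6, the pfSense uplink, has VLAN 30 as its port/native VLAN), `set trunk 2/6 on dot1q ...` (2/6 is an unconditional dot1q trunk) and `set dot1q-all-tagged disable` (native-VLAN frames leave a trunk untagged). Under those CatOS semantics VLAN 10 and 20 would arrive at em0 tagged and VLAN 30 untagged, so em0_vlan30 would never see it; the thread itself does not state this conclusion, so treat it as the first thing to verify rather than as the answer. The script below parses a constructed excerpt of that config and reports, per port, which of the VIDs the host expects tagged will actually be delivered tagged versus untagged. Ports named, VIDs and the excerpt lines all come from the posted config; the parsing and reporting are the editor's, and `auto`/`desirable` trunks are treated as access ports because a plain host does not speak DTP.

```python
"""Added example: audit which VLANs a CatOS dot1q trunk delivers tagged vs. untagged.

CatOS facts relied on: `set vlan <vid> <ports>` sets a port's native VLAN, a port
trunks unconditionally only in mode `on` or `nonegotiate`, and with
`set dot1q-all-tagged disable` native-VLAN frames leave the trunk untagged.
A FreeBSD vlan(4) sub-interface receives only frames carrying its own tag.
"""
import re
from typing import Dict, List

# Constructed excerpt of the `show running-config all` posted in the thread
# (2/6 is the pfSense uplink; 2/5 is an access port kept for contrast).
CATOS_CONFIG = """\
set dot1q-all-tagged disable
set vlan 10 name staff type ethernet mtu 1500 said 10010 state active
set vlan 1    2/49-52
set vlan 10   2/1,2/5,2/7,2/9,2/11,2/13,2/15,2/17-48
set vlan 20   2/2
set vlan 30   2/3-4,2/6,2/8,2/10,2/12,2/14,2/16
set port name       2/6  pfsense firewall
set trunk 2/5  off dot1q 1-1005,1025-4094
set trunk 2/6  on dot1q 1-1005,1025-4094
"""

# `set vlan <vid> <portlist>` (membership), not `set vlan <vid> name ...` (definition).
VLAN_PORTS_RE = re.compile(r"^set vlan (\d+)\s+(\d+/[\d,/\-]+)$")
TRUNK_RE = re.compile(r"^set trunk (\d+/\d+)\s+(on|off|auto|desirable|nonegotiate)\s+dot1q\b")
ALL_TAGGED_RE = re.compile(r"^set dot1q-all-tagged (enable|disable)$")


def expand_ports(spec: str) -> List[str]:
    """Expand a CatOS port list such as '2/3-4,2/6' into ['2/3', '2/4', '2/6']."""
    ports: List[str] = []
    for item in spec.split(","):
        mod, rng = item.split("/")
        lo, _, hi = rng.partition("-")
        ports.extend(f"{mod}/{n}" for n in range(int(lo), int(hi or lo) + 1))
    return ports


class SwitchPorts:
    def __init__(self) -> None:
        self.native_vlan: Dict[str, int] = {}  # port -> VLAN assigned with `set vlan`
        self.trunk_mode: Dict[str, str] = {}   # port -> on/off/auto/desirable/nonegotiate
        self.all_tagged = False                # True if `set dot1q-all-tagged enable`


def parse_catos(text: str) -> SwitchPorts:
    """Collect port VLAN membership, trunk mode and the dot1q-all-tagged flag."""
    sp = SwitchPorts()
    for raw in text.splitlines():
        line = raw.strip()
        m = VLAN_PORTS_RE.match(line)
        if m:
            for port in expand_ports(m.group(2)):
                sp.native_vlan[port] = int(m.group(1))
            continue
        m = TRUNK_RE.match(line)
        if m:
            sp.trunk_mode[m.group(1)] = m.group(2)
            continue
        m = ALL_TAGGED_RE.match(line)
        if m:
            sp.all_tagged = m.group(1) == "enable"
    return sp


def audit_trunk(sp: SwitchPorts, port: str, host_tagged_vids: List[int]) -> Dict[str, object]:
    """Report which of the host's expected VIDs this port delivers tagged vs. untagged."""
    mode = sp.trunk_mode.get(port, "off")
    native = sp.native_vlan.get(port, 1)  # CatOS ports default to VLAN 1
    # auto/desirable only trunk if the peer negotiates DTP; a host does not.
    trunking = mode in ("on", "nonegotiate")
    if not trunking:
        tagged, untagged = [], [v for v in host_tagged_vids if v == native]
    elif sp.all_tagged:
        tagged, untagged = list(host_tagged_vids), []
    else:
        tagged = [v for v in host_tagged_vids if v != native]
        untagged = [v for v in host_tagged_vids if v == native]
    return {"port": port, "mode": mode, "native": native,
            "tagged": tagged, "untagged": untagged}


if __name__ == "__main__":
    switch = parse_catos(CATOS_CONFIG)
    for p in ("2/6", "2/5"):
        r = audit_trunk(switch, p, [10, 20, 30])
        print(f"port {r['port']} mode={r['mode']} native={r['native']} "
              f"tagged={r['tagged']} untagged(invisible to vlan(4))={r['untagged']}")
```

To confirm from the pfSense side, capture on the parent rather than the sub-interface: `tcpdump -e -n -i em0 arp` prints each frame's 802.1Q tag (or its absence), so ARP replies from 10.30.0.8 showing up on em0 without a `vlan 30` tag would match the untagged-native explanation. Either `set dot1q-all-tagged enable` on the switch or moving 2/6's native VLAN to an otherwise unused VID fixes the mismatch; the latter is also the usual hardening choice, because with the current layout any untagged frame sent from the trunked host lands in the infrastructure VLAN.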



  • Bump.



  • Could you post your Cisco configuration as well?



  • Yes, here's the config for my Cisco 2948g switch.  The pfsense is on port 2/6:

    coe-2948g-eh> (enable) show running-config all
    
    begin
    !
    # ***** ALL (DEFAULT and NON-DEFAULT) CONFIGURATION *****
    !
    !
    #time: Sun Aug 18 2013, 20:51:14 EDT
    !
    #version 8.4(2)GLX
    !
    !
    #system web interface version(s)
    set password scrubbed
    set enablepass scrubbed
    set prompt Console>
    set length 24 default
    set logout 20
    set config mode binary
    set banner motd ^C
    scrubbed
    ^C
    !
    #test
    set test diaglevel complete
    !
    #dot1x
    set dot1x system-auth-control enable
    set dot1x quiet-period 60
    set dot1x tx-period 30
    set dot1x shutdown-timeout 300
    set dot1x supp-timeout 30
    set dot1x server-timeout 30
    set dot1x max-req 2
    set dot1x re-authperiod 3600
    set feature dot1x-radius-keepalive disable
    !
    #errordetection
    set errordetection inband disable
    set errordetection memory disable
    !
    #system
    set system baud  9600
    set system modem disable
    set system name  coe-2948g-eh
    set system location scrubbed
    set system contact  scrubbed
    set system countrycode US
    set traffic monitor 100
    set feature log-command enable
    set feature loop-detect enable
    !
    #power
    set power budget 1
    !
    #Inlinepower
    set inlinepower defaultallocation 15400
    !
    #frame distribution method
    set port channel all distribution mac both
    !
    #mac address reduction
    set spantree macreduction enable
    !
    #default portcost mode
    set spantree defaultcostmode short
    !
    #snmp
    set snmp community read-only      public
    set snmp community read-write     private
    set snmp community read-write-all secret
    set snmp rmon disable
    set snmp rmonmemory 85
    set snmp disable 
    set snmp trap disable module
    set snmp trap disable chassis
    set snmp trap disable bridge
    set snmp trap disable vtp
    set snmp trap disable vlancreate
    set snmp trap disable vlandelete
    set snmp trap disable auth
    set snmp trap disable entityfru
    set snmp trap disable ippermit
    set snmp chassis-alias 
    set snmp buffer 40
    set snmp trap disable vmps
    set snmp trap disable entity
    set snmp trap disable config
    set snmp trap disable stpx
    set snmp trap disable syslog
    set snmp trap disable system
    set snmp trap disable envfan
    set snmp trap disable envpower
    set snmp trap disable envtemp
    set snmp trap disable envstate
    set snmp trap disable macnotification
    !
    #tacacs+
    set tacacs attempts 3
    set tacacs directedrequest disable
    set tacacs timeout 5
    !
    #radius
    set radius deadtime 0
    set radius timeout 5
    set radius retransmit 2
    set radius attribute framed-ip-address include-in-access-req disable
    !       
    #kerberos
    !
    #authentication
    set authentication login tacacs disable console 
    set authentication login tacacs disable telnet 
    set authentication login tacacs disable http 
    set authentication enable tacacs disable console 
    set authentication enable tacacs disable telnet 
    set authentication enable tacacs disable http 
    set authentication login radius disable console 
    set authentication login radius disable telnet 
    set authentication login radius disable http 
    set authentication enable radius disable console 
    set authentication enable radius disable telnet 
    set authentication enable radius disable http 
    set authentication login local enable console 
    set authentication login local enable telnet 
    set authentication login local enable http 
    set authentication enable local enable console 
    set authentication enable local enable telnet 
    set authentication enable local enable http 
    set authentication login kerberos disable console 
    set authentication login kerberos disable telnet 
    set authentication login kerberos disable http 
    set authentication enable kerberos disable console 
    set authentication enable kerberos disable telnet 
    set authentication enable kerberos disable http 
    set authentication login attempt 3 console
    set authentication login attempt 3 telnet
    set authentication login lockout 0 console
    set authentication login lockout 0 telnet
    set authentication enable attempt 3 console
    set authentication enable attempt 3 telnet
    set authentication enable lockout 0 console
    set authentication enable lockout 0 telnet
    !
    #Local User
    set localuser authentication disable
    !
    #stp mode
    set spantree mode rapid-pvst
    !
    #vtp
    set vtp domain coe-vtp-domain
    set vtp mode transparent unknown
    set vtp mode off vlan
    set vtp version 1
    set vtp pruneeligible 2-1000
    clear vtp pruneeligible 1001-1005
    set vlan 10 name staff type ethernet mtu 1500 said 10010 state active 
    set vlan 20 name public type ethernet mtu 1500 said 10020 state active 
    set vlan 30 name coe-infrastructure type ethernet mtu 1500 said 100030 state active 
    set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active 
    set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active stp ieee 
    set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active stp ibm 
    set vlan 1
    set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active mode srb aremaxhop 7 stemaxhop 7 backupcrf off 
    !
    #dot1q-all-tagged
    set dot1q-all-tagged disable 
    !
    #ip
    set feature mdg enable
    set feature psync-recovery no-powerdown
    set interface sc0 30 10.30.0.8/255.255.0.0 10.30.255.255
    
    set interface sc0 up
    set interface trap sc0 disable
    set interface sl0 0.0.0.0 0.0.0.0
    set interface sl0 down
    set interface trap sl0 disable
    set interface me1 0.0.0.0 0.0.0.0 0.0.0.0
    
    set interface me1 down
    set interface trap me1 disable
    set arp agingtime 1200
    set ip redirect   enable
    set ip unreachable   enable
    set ip fragmentation enable
    set ip alias default         0.0.0.0
    !
    #command alias
    !
    #vmps
    set vmps server retry 3
    set vmps server reconfirminterval 60
    set vmps downloadmethod tftp
    set vmps downloadserver 0.0.0.0 vmps-config-database.1 
    set vmps state disable
    
    !
    #rcp    
    set rcp username 
    !
    #dns
    set ip dns server 10.30.0.1 primary
    set ip dns disable
    !
    #spantree
    #spantree global defaults
    set spantree global-default portfast disable
    set spantree global-default loop-guard disable
    #portfast
    set spantree global-default bpdu-guard disable
    set spantree global-default bpdu-filter disable
    #bpdu-skewing
    set spantree bpdu-skewing disable
    
    #MST (IEEE 802.1s)
    set spantree fwddelay 15 mst
    set spantree hello 2  mst
    set spantree maxage 20 mst
    set spantree mst maxhops 20
    set spantree priority 32768 mst
    set spantree priority 32768 mst 1
    set spantree priority 32768 mst 2
    set spantree priority 32768 mst 3
    set spantree priority 32768 mst 4
    set spantree priority 32768 mst 5
    set spantree priority 32768 mst 6
    set spantree priority 32768 mst 7
    set spantree priority 32768 mst 8
    set spantree priority 32768 mst 9
    set spantree priority 32768 mst 10
    set spantree priority 32768 mst 11
    set spantree priority 32768 mst 12
    set spantree priority 32768 mst 13
    set spantree priority 32768 mst 14
    set spantree priority 32768 mst 15
    
    #MST Configuration
    set spantree mst config rollback force
    set spantree mst config name  revision 0
    set spantree mst 0 vlan 1-4094
    set spantree mst config commit 
    
    #uplinkfast groups
    set spantree uplinkfast disable
    #backbonefast
    set spantree backbonefast disable
    #vlan                         <vlanid>
    #vlan(defaults)
    set spantree enable  1,10,20,30
    set spantree fwddelay 15     1,10,20,30
    set spantree hello    2      1,10,20,30
    set spantree maxage   20     1,10,20,30
    set spantree priority 32768  1,10,20,30
    !
    #cgmp
    set cgmp disable
    set cgmp leave disable
    set cgmp fastleave disable
    !
    #syslog
    set logging console enable
    set logging telnet enable
    set logging server disable
    set logging level cdp 4 default
    set logging level mcast 2 default
    set logging level dtp 5 default
    set logging level dvlan 2 default
    set logging level earl 2 default
    set logging level ip 3 default
    set logging level pruning 2 default
    set logging level snmp 2 default
    set logging level spantree 2 default
    set logging level sys 5 default
    set logging level tac 2 default
    set logging level tcp 2 default
    set logging level telnet 2 default
    set logging level tftp 2 default
    set logging level vtp 2 default
    set logging level vmps 2 default
    set logging level kernel 2 default
    set logging level filesys 2 default
    set logging level mgmt 5 default
    set logging level mls 5 default
    set logging level protfilt 2 default
    set logging level security 2 default
    set logging level radius 2 default
    set logging level udld 4 default
    set logging level gvrp 2 default
    set logging level qos 3 default
    set logging level ethc 5 default
    set logging level inlinepower 2 default
    set logging server facility LOCAL7
    set logging server severity 4
    set logging timestamp enable
    set logging buffer 500
    set logging history 1
    set logging history severity 4
    !
    #ntp
    set ntp broadcastclient disable
    set ntp broadcastdelay 3000
    set ntp client disable
    set ntp authentication disable
    set ntp server 10.30.0.1
    set timezone EDT 0 0
    set summertime enable EDT
    set summertime recurring
    !
    #set boot command
    set boot config-register 0x2
    set boot system flash bootflash:cat4000-k9.8-4-2-GLX.bin
    !
    #permit list
    set ip permit disable telnet
    set ip permit disable ssh
    set ip permit disable snmp
    !
    #permanent arp entries
    !
    #protocolfilter
    set protocolfilter disable
    !
    #standby ports
    set standbyports disable
    !
    #vlan mapping
    !
    #gmrp
    set gmrp disable
    !
    #garp
    set garp timer all 200 600 10000
    !
    #cdp
    set cdp interval 60
    set cdp holdtime 180
    set cdp enable
    set cdp version v2
    set cdp format device-id other
    !
    #qos
    set qos disable
    set qos defaultcos 0
    set qos map 2q1t 1 1 cos 0-1
    set qos map 2q1t 1 1 cos 2-3
    set qos map 2q1t 1 1 cos 4-5
    set qos map 2q1t 1 1 cos 6-7
    !
    #udld
    set udld disable
    set udld interval 15
    !
    #LACP channel
    set lacp-channel system-priority 32768
    !
    #channelprotocol
    set channelprotocol pagp 2
    !
    #port channel
    set port channel 2/18 67
    set port channel 2/1-4 159
    set port channel 2/5-8 160
    set port channel 2/9-12 161
    set port channel 2/13-16 162
    set port channel 2/17,2/19-20 163
    set port channel 2/21-24 164
    set port channel 2/25-28 165
    set port channel 2/29-32 166
    set port channel 2/33-36 167
    set port channel 2/37-40 168
    set port channel 2/41-44 169
    set port channel 2/45-48 170
    set port channel 2/49-52 171
    !
    #accounting
    set accounting exec disable
    set accounting connect disable
    set accounting system disable
    set accounting commands disable
    set accounting suppress null-username disable
    set accounting update new-info 
    !       
    #errdisable timeout
    set errdisable-timeout disable other
    set errdisable-timeout disable udld
    set errdisable-timeout disable bpdu-guard
    set errdisable-timeout disable channel-misconfig
    set errdisable-timeout disable nostatic-power
    set errdisable-timeout interval 300
    !
    #http configuration
    set ip http server disable
    set ip http port 80
    !
    #crypto key
    set crypto key rsa 2048
    !
    #multicast filter
    set igmp filter disable
    !
    #module 1 : 0-port Switching Supervisor
    set module name    1    
    !
    #module 2 : 52-port 10/100/1000 Ethernet
    set module name    2    
    set module enable  2
    set vlan 1    2/49-52
    set vlan 10   2/1,2/5,2/7,2/9,2/11,2/13,2/15,2/17-48
    set vlan 20   2/2
    set vlan 30   2/3-4,2/6,2/8,2/10,2/12,2/14,2/16
    set port auxiliaryvlan 2/1-52 none
    set port enable     2/1-17,2/29-52
    set port disable    2/18-28
    
    set port level      2/1-52  normal
    set port speed      2/1-15,2/17-48  auto
    set port speed      2/16  100
    set port clock 2/1-48 auto
    set port duplex     2/16  half
    set port trap       2/1-52  disable
    set port name       2/1  VLAN 10
    set port name       2/2  VLAN 20
    set port name       2/3  VLAN 30
    set port name       2/4  Cisco 2950
    set port name       2/5  server
    set port name       2/6  pfsense firewall
    set port name       2/7  Printer
    set port name       2/8  Wifi shot
    set port name       2/9  printer
    set port name       2/10 Aironet
    set port name       2/11 copier
    set port name       2/12 Aironet
    set port name       2/13 server
    set port name       2/14 Aironet
    set port name       2/15 server
    set port name       2/16 Aironet
    set port name       2/17 Server
    set port name       2/29 Available
    set port name       2/30 Available
    set port name       2/31 Available
    set port name       2/32 Desktop
    set port name       2/33 Available
    set port name       2/18-28,2/34-52
    set port security 2/1-52 disable age 0 maximum 1 shutdown 0 unicast-flood enable violation shutdown
    set port dot1x 2/1-52 port-control force-authorized
    set port dot1x 2/1-52 multiple-host disable
    set port dot1x 2/1-52 shutdown-timeout disable
    set port dot1x 2/1-52 re-authentication disable
    set port dot1x 2/1-52 guest-vlan none
    set port membership 2/1-52  static
    set port protocol 2/1-52 ip on
    set port protocol 2/1-52 ipx auto
    set port protocol 2/1-52 group auto
    set port negotiation 2/49-52 enable
    set port flowcontrol    2/1-52 send desired
    set port flowcontrol    2/1-52 receive off
    set port vtp enable   2/1-52
    set cdp enable   2/1-52
    set udld disable 2/1-48 
    set udld aggressive-mode disable 2/1-52 
    set trunk 2/1  off dot1q 1-1005,1025-4094
    set trunk 2/2  off dot1q 1-1005,1025-4094
    set trunk 2/3  off dot1q 1-1005,1025-4094
    set trunk 2/4  on dot1q 1-1005,1025-4094
    set trunk 2/5  off dot1q 1-1005,1025-4094
    set trunk 2/6  on dot1q 1-1005,1025-4094
    set trunk 2/7  off dot1q 1-1005,1025-4094
    set trunk 2/8  on dot1q 1-1005,1025-4094
    set trunk 2/9  off dot1q 1-1005,1025-4094
    set trunk 2/10 on dot1q 1-1005,1025-4094
    set trunk 2/11 off dot1q 1-1005,1025-4094
    set trunk 2/12 on dot1q 1-1005,1025-4094
    set trunk 2/13 off dot1q 1-1005,1025-4094
    set trunk 2/14 on dot1q 1-1005,1025-4094
    set trunk 2/15 off dot1q 1-1005,1025-4094
    set trunk 2/16 on dot1q 1-1005,1025-4094
    set trunk 2/17 off dot1q 1-1005,1025-4094
    set trunk 2/18 off dot1q 1-1005,1025-4094
    set trunk 2/19 off dot1q 1-1005,1025-4094
    set trunk 2/20 off dot1q 1-1005,1025-4094
    set trunk 2/21 off dot1q 1-1005,1025-4094
    set trunk 2/22 off dot1q 1-1005,1025-4094
    set trunk 2/23 off dot1q 1-1005,1025-4094
    set trunk 2/24 off dot1q 1-1005,1025-4094
    set trunk 2/25 off dot1q 1-1005,1025-4094
    set trunk 2/26 off dot1q 1-1005,1025-4094
    set trunk 2/27 off dot1q 1-1005,1025-4094
    set trunk 2/28 off dot1q 1-1005,1025-4094
    set trunk 2/29 off dot1q 1-1005,1025-4094
    set trunk 2/30 off dot1q 1-1005,1025-4094
    set trunk 2/31 off dot1q 1-1005,1025-4094
    set trunk 2/32 off dot1q 1-1005,1025-4094
    set trunk 2/33 off dot1q 1-1005,1025-4094
    set trunk 2/34 off dot1q 1-1005,1025-4094
    set trunk 2/35 off dot1q 1-1005,1025-4094
    set trunk 2/36 off dot1q 1-1005,1025-4094
    set trunk 2/37 off dot1q 1-1005,1025-4094
    set trunk 2/38 off dot1q 1-1005,1025-4094
    set trunk 2/39 off dot1q 1-1005,1025-4094
    set trunk 2/40 off dot1q 1-1005,1025-4094
    set trunk 2/41 off dot1q 1-1005,1025-4094
    set trunk 2/42 off dot1q 1-1005,1025-4094
    set trunk 2/43 off dot1q 1-1005,1025-4094
    set trunk 2/44 off dot1q 1-1005,1025-4094
    set trunk 2/45 off dot1q 1-1005,1025-4094
    set trunk 2/46 off dot1q 1-1005,1025-4094
    set trunk 2/47 off dot1q 1-1005,1025-4094
    set trunk 2/48 off dot1q 1-1005,1025-4094
    set trunk 2/49 auto dot1q 1-1005,1025-4094
    set trunk 2/50 auto dot1q 1-1005,1025-4094
    set trunk 2/51 auto dot1q 1-1005,1025-4094
    set trunk 2/52 auto dot1q 1-1005,1025-4094
    set spantree portfast    2/1-52 default
    set spantree bpdu-filter 2/1-52 default
    set spantree bpdu-guard 2/1-52 default
    set spantree link-type 2/1-52 auto
    set spantree portpri     2/1-52  32 mst
    set spantree portinstancepri 2/1  0 mst 
    set spantree portinstancepri 2/2  0 mst 
    set spantree portinstancepri 2/3  0 mst 
    set spantree portinstancepri 2/4  0 mst 
    set spantree portinstancepri 2/5  0 mst 
    set spantree portinstancepri 2/6  0 mst 
    set spantree portinstancepri 2/7  0 mst 
    set spantree portinstancepri 2/8  0 mst 
    set spantree portinstancepri 2/9  0 mst 
    set spantree portinstancepri 2/10 0 mst 
    set spantree portinstancepri 2/11 0 mst 
    set spantree portinstancepri 2/12 0 mst 
    set spantree portinstancepri 2/13 0 mst 
    set spantree portinstancepri 2/14 0 mst 
    set spantree portinstancepri 2/15 0 mst 
    set spantree portinstancepri 2/16 0 mst 
    set spantree portinstancepri 2/17 0 mst 
    set spantree portinstancepri 2/18 0 mst 
    set spantree portinstancepri 2/19 0 mst 
    set spantree portinstancepri 2/20 0 mst 
    set spantree portinstancepri 2/21 0 mst 
    set spantree portinstancepri 2/22 0 mst 
    set spantree portinstancepri 2/23 0 mst 
    set spantree portinstancepri 2/24 0 mst 
    set spantree portinstancepri 2/25 0 mst 
    set spantree portinstancepri 2/26 0 mst 
    set spantree portinstancepri 2/27 0 mst 
    set spantree portinstancepri 2/28 0 mst 
    set spantree portinstancepri 2/29 0 mst 
    set spantree portinstancepri 2/30 0 mst 
    set spantree portinstancepri 2/31 0 mst 
    set spantree portinstancepri 2/32 0 mst 
    set spantree portinstancepri 2/33 0 mst 
    set spantree portinstancepri 2/34 0 mst 
    set spantree portinstancepri 2/35 0 mst 
    set spantree portinstancepri 2/36 0 mst 
    set spantree portinstancepri 2/37 0 mst 
    set spantree portinstancepri 2/38 0 mst 
    set spantree portinstancepri 2/39 0 mst 
    set spantree portinstancepri 2/40 0 mst 
    set spantree portinstancepri 2/41 0 mst 
    set spantree portinstancepri 2/42 0 mst 
    set spantree portinstancepri 2/43 0 mst 
    set spantree portinstancepri 2/44 0 mst 
    set spantree portinstancepri 2/45 0 mst 
    set spantree portinstancepri 2/46 0 mst 
    set spantree portinstancepri 2/47 0 mst 
    set spantree portinstancepri 2/48 0 mst 
    set spantree portinstancepri 2/49 0 mst 
    set spantree portinstancepri 2/50 0 mst 
    set spantree portinstancepri 2/51 0 mst 
    set spantree portinstancepri 2/52 0 mst 
    set spantree portcost    2/1-52  20000 mst
    set spantree portinstancecost 2/1  cost 19999 mst 
    set spantree portinstancecost 2/2  cost 19999 mst 
    set spantree portinstancecost 2/3  cost 19999 mst 
    set spantree portinstancecost 2/4  cost 19999 mst 
    set spantree portinstancecost 2/5  cost 19999 mst 
    set spantree portinstancecost 2/6  cost 19999 mst 
    set spantree portinstancecost 2/7  cost 19999 mst 
    set spantree portinstancecost 2/8  cost 19999 mst 
    set spantree portinstancecost 2/9  cost 19999 mst 
    set spantree portinstancecost 2/10 cost 19999 mst 
    set spantree portinstancecost 2/11 cost 19999 mst 
    set spantree portinstancecost 2/12 cost 19999 mst 
    set spantree portinstancecost 2/13 cost 19999 mst 
    set spantree portinstancecost 2/14 cost 19999 mst 
    set spantree portinstancecost 2/15 cost 19999 mst 
    set spantree portinstancecost 2/16 cost 19999 mst 
    set spantree portinstancecost 2/17 cost 19999 mst 
    set spantree portinstancecost 2/18 cost 19999 mst 
    set spantree portinstancecost 2/19 cost 19999 mst 
    set spantree portinstancecost 2/20 cost 19999 mst 
    set spantree portinstancecost 2/21 cost 19999 mst 
    set spantree portinstancecost 2/22 cost 19999 mst 
    set spantree portinstancecost 2/23 cost 19999 mst 
    set spantree portinstancecost 2/24 cost 19999 mst 
    set spantree portinstancecost 2/25 cost 19999 mst 
    set spantree portinstancecost 2/26 cost 19999 mst 
    set spantree portinstancecost 2/27 cost 19999 mst 
    set spantree portinstancecost 2/28 cost 19999 mst 
    set spantree portinstancecost 2/29 cost 19999 mst 
    set spantree portinstancecost 2/30 cost 19999 mst 
    set spantree portinstancecost 2/31 cost 19999 mst 
    set spantree portinstancecost 2/32 cost 19999 mst 
    set spantree portinstancecost 2/33 cost 19999 mst 
    set spantree portinstancecost 2/34 cost 19999 mst 
    set spantree portinstancecost 2/35 cost 19999 mst 
    set spantree portinstancecost 2/36 cost 19999 mst 
    set spantree portinstancecost 2/37 cost 19999 mst 
    set spantree portinstancecost 2/38 cost 19999 mst 
    set spantree portinstancecost 2/39 cost 19999 mst 
    set spantree portinstancecost 2/40 cost 19999 mst 
    set spantree portinstancecost 2/41 cost 19999 mst 
    set spantree portinstancecost 2/42 cost 19999 mst 
    set spantree portinstancecost 2/43 cost 19999 mst 
    set spantree portinstancecost 2/44 cost 19999 mst 
    set spantree portinstancecost 2/45 cost 19999 mst 
    set spantree portinstancecost 2/46 cost 19999 mst 
    set spantree portinstancecost 2/47 cost 19999 mst 
    set spantree portinstancecost 2/48 cost 19999 mst 
    set spantree portinstancecost 2/49 cost -1 mst 
    set spantree portinstancecost 2/50 cost -1 mst 
    set spantree portinstancecost 2/51 cost -1 mst 
    set spantree portinstancecost 2/52 cost -1 mst 
    set spantree portcost    2/4-5,2/8,2/10,2/12,2/14-16  19
    set spantree portcost    2/1-2,2/7,2/9,2/17-31,2/33-37,2/39,2/41-45,2/47  100
    set spantree portcost    2/3,2/6,2/11,2/13,2/32,2/38,2/40,2/46,2/48-52  4
    set spantree portpri     2/1-52  32
    set spantree portvlanpri 2/1  0
    set spantree portvlanpri 2/2  0
    set spantree portvlanpri 2/3  0
    set spantree portvlanpri 2/4  0
    set spantree portvlanpri 2/5  0
    set spantree portvlanpri 2/6  0
    set spantree portvlanpri 2/7  0
    set spantree portvlanpri 2/8  0
    set spantree portvlanpri 2/9  0
    set spantree portvlanpri 2/10 0
    set spantree portvlanpri 2/11 0
    set spantree portvlanpri 2/12 0
    set spantree portvlanpri 2/13 0
    set spantree portvlanpri 2/14 0
    set spantree portvlanpri 2/15 0
    set spantree portvlanpri 2/16 0
    set spantree portvlanpri 2/17 0
    set spantree portvlanpri 2/18 0
    set spantree portvlanpri 2/19 0
    set spantree portvlanpri 2/20 0
    set spantree portvlanpri 2/21 0
    set spantree portvlanpri 2/22 0
    set spantree portvlanpri 2/23 0
    set spantree portvlanpri 2/24 0
    set spantree portvlanpri 2/25 0
    set spantree portvlanpri 2/26 0
    set spantree portvlanpri 2/27 0
    set spantree portvlanpri 2/28 0
    set spantree portvlanpri 2/29 0
    set spantree portvlanpri 2/30 0
    set spantree portvlanpri 2/31 0
    set spantree portvlanpri 2/32 0
    set spantree portvlanpri 2/33 0
    set spantree portvlanpri 2/34 0
    set spantree portvlanpri 2/35 0
    set spantree portvlanpri 2/36 0
    set spantree portvlanpri 2/37 0
    set spantree portvlanpri 2/38 0
    set spantree portvlanpri 2/39 0
    set spantree portvlanpri 2/40 0
    set spantree portvlanpri 2/41 0
    set spantree portvlanpri 2/42 0
    set spantree portvlanpri 2/43 0
    set spantree portvlanpri 2/44 0
    set spantree portvlanpri 2/45 0
    set spantree portvlanpri 2/46 0
    set spantree portvlanpri 2/47 0
    set spantree portvlanpri 2/48 0
    set spantree portvlanpri 2/49 0
    set spantree portvlanpri 2/50 0
    set spantree portvlanpri 2/51 0
    set spantree portvlanpri 2/52 0
    set spantree portvlancost 2/1  cost 99
    set spantree portvlancost 2/2  cost 99
    set spantree portvlancost 2/3  cost 3
    set spantree portvlancost 2/4  cost 18
    set spantree portvlancost 2/5  cost 18
    set spantree portvlancost 2/6  cost 3
    set spantree portvlancost 2/7  cost 99
    set spantree portvlancost 2/8  cost 18
    set spantree portvlancost 2/9  cost 99
    set spantree portvlancost 2/10 cost 18
    set spantree portvlancost 2/11 cost 3
    set spantree portvlancost 2/12 cost 18
    set spantree portvlancost 2/13 cost 3
    set spantree portvlancost 2/14 cost 18
    set spantree portvlancost 2/15 cost 18
    set spantree portvlancost 2/16 cost 18
    set spantree portvlancost 2/17 cost 99
    set spantree portvlancost 2/18 cost 99
    set spantree portvlancost 2/19 cost 99
    set spantree portvlancost 2/20 cost 99
    set spantree portvlancost 2/21 cost 99
    set spantree portvlancost 2/22 cost 99
    set spantree portvlancost 2/23 cost 99
    set spantree portvlancost 2/24 cost 99
    set spantree portvlancost 2/25 cost 99
    set spantree portvlancost 2/26 cost 99
    set spantree portvlancost 2/27 cost 99
    set spantree portvlancost 2/28 cost 99
    set spantree portvlancost 2/29 cost 99
    set spantree portvlancost 2/30 cost 99
    set spantree portvlancost 2/31 cost 99
    set spantree portvlancost 2/32 cost 3
    set spantree portvlancost 2/33 cost 99
    set spantree portvlancost 2/34 cost 99
    set spantree portvlancost 2/35 cost 99
    set spantree portvlancost 2/36 cost 99
    set spantree portvlancost 2/37 cost 99
    set spantree portvlancost 2/38 cost 3
    set spantree portvlancost 2/39 cost 99
    set spantree portvlancost 2/40 cost 3
    set spantree portvlancost 2/41 cost 99
    set spantree portvlancost 2/42 cost 99
    set spantree portvlancost 2/43 cost 99
    set spantree portvlancost 2/44 cost 99
    set spantree portvlancost 2/45 cost 99
    set spantree portvlancost 2/46 cost 3
    set spantree portvlancost 2/47 cost 99
    set spantree portvlancost 2/48 cost 3
    set spantree portvlancost 2/49 cost 3
    set spantree portvlancost 2/50 cost 3
    set spantree portvlancost 2/51 cost 3
    set spantree portvlancost 2/52 cost 3
    set spantree guard default 2/1-52
    set port gvrp     2/1-52  disable
    set gvrp registration normal   2/1-52
    set gvrp applicant normal   2/1-52
    set port gmrp   2/1-52  enable
    set gmrp registration normal   2/1-52
    set gmrp fwdall disable    2/1-52
    set port debounce 2/1 disable
    set port debounce 2/2 disable
    set port debounce 2/3 disable
    set port debounce 2/4 disable
    set port debounce 2/5 disable
    set port debounce 2/6 disable
    set port debounce 2/7 disable
    set port debounce 2/8 disable
    set port debounce 2/9 disable
    set port debounce 2/10 disable
    set port debounce 2/11 disable
    set port debounce 2/12 disable
    set port debounce 2/13 disable
    set port debounce 2/14 disable
    set port debounce 2/15 disable
    set port debounce 2/16 disable
    set port debounce 2/17 disable
    set port debounce 2/18 disable
    set port debounce 2/19 disable
    set port debounce 2/20 disable
    set port debounce 2/21 disable
    set port debounce 2/22 disable
    set port debounce 2/23 disable
    set port debounce 2/24 disable
    set port debounce 2/25 disable
    set port debounce 2/26 disable
    set port debounce 2/27 disable
    set port debounce 2/28 disable
    set port debounce 2/29 disable
    set port debounce 2/30 disable
    set port debounce 2/31 disable
    set port debounce 2/32 disable
    set port debounce 2/33 disable
    set port debounce 2/34 disable
    set port debounce 2/35 disable
    set port debounce 2/36 disable
    set port debounce 2/37 disable
    set port debounce 2/38 disable
    set port debounce 2/39 disable
    set port debounce 2/40 disable
    set port debounce 2/41 disable
    set port debounce 2/42 disable
    set port debounce 2/43 disable
    set port debounce 2/44 disable
    set port debounce 2/45 disable
    set port debounce 2/46 disable
    set port debounce 2/47 disable
    set port debounce 2/48 disable
    set port debounce 2/49 disable
    set port debounce 2/49 delay 0
    set port debounce 2/50 disable
    set port debounce 2/50 delay 0
    set port debounce 2/51 disable
    set port debounce 2/51 delay 0
    set port debounce 2/52 disable
    set port debounce 2/52 delay 0
    set port unicast-flood 2/1-52 enable
    set port errdisable-timeout 2/1-52 enable
    set cam notification added disable 2/1-52
    set cam notification removed disable 2/1-52
    set port channel 2/1-52 mode auto silent
    !
    #switch port analyzer
    !
    #cam
    set cam agingtime 1,10,20,30 300
    set cam notification disable
    set cam notification interval 1
    set cam notification historysize 1
    !
    #gvrp
    set gvrp dynamic-vlan-creation disable
    set gvrp disable
    !
    #authorization
    set authorization exec disable console
    set authorization exec disable telnet
    set authorization enable disable console
    set authorization enable disable telnet
    set authorization commands disable console
    set authorization commands disable telnet
    end     
    
    coe-2948g-eh> (enable)
    

    Any insight you can provide would be great; thanks.



  • I won't pretend to know much about configuring a 2948, as I've never touched one - but I'm a little confused on why you're configuring your VLANs as such:

    set vlan 10   2/1,2/5,2/7,2/9,2/11,2/13,2/15,2/17-48
    set vlan 20   2/2
    set vlan 30   2/3-4,2/6,2/8,2/10,2/12,2/14,2/16
    

    Does this not set those as access ports? If I understand CatOS correctly, this would be setting the PVID of 2/6 to VLAN 30, when I assume you want that traffic tagged. Check your em0 interface (no VLAN, untagged traffic) to see if your intended traffic is heading in untagged.

    Again, I have never messed with CatOS and this is just speculation. If it works differently than I think, feel free to correct me.

    PS: I do see that you're setting it as a trunk port at…

    set trunk 2/6  on dot1q 1-1005,1025-4094
    

    …but it seems to me you're inadvertently setting the PVID by using

    set vlan 30 2/6

    
    PPS: I'm pretty sure that your fix here would be just set vlan 1 2/6.
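The native-VLAN mismatch this reply describes, checked mechanically: an added Python example (not from the thread, pfSense or Cisco) that parses the `set vlan` / `set trunk` lines quoted above and flags any trunk port whose untagged (native) VLAN is one the firewall expects to receive tagged. The CatOS excerpt is constructed from the quoted lines; the "fixed" variant appends the `set vlan 1 2/6` suggested here.

```python
"""Lint for the CatOS native-VLAN mismatch discussed in this thread."""
import re


def expand_ports(spec):
    """Expand a CatOS port list such as '2/3-4,2/6' into ['2/3', '2/4', '2/6']."""
    ports = []
    for item in spec.split(","):
        mod, rng = item.split("/")
        lo, _, hi = rng.partition("-")
        for p in range(int(lo), int(hi or lo) + 1):
            ports.append(f"{mod}/{p}")
    return ports


def parse_catos(config):
    """Return ({port: native_vlan}, {trunk_port: allowed_vlan_spec}).
    Later 'set vlan' lines override earlier ones, as on the switch."""
    native, trunks = {}, {}
    for line in config.splitlines():
        m = re.match(r"\s*set vlan (\d+)\s+(\S+)", line)
        if m:
            for port in expand_ports(m.group(2)):
                native[port] = int(m.group(1))
            continue
        m = re.match(r"\s*set trunk (\S+)\s+on dot1q\s+(\S+)", line)
        if m:
            trunks[m.group(1)] = m.group(2)
    return native, trunks


def native_vlan_conflicts(config, tagged_vlans):
    """Trunk ports whose native VLAN is one the firewall expects tagged.
    Frames in the native VLAN leave the trunk untagged, so on the pfSense side
    they land on the parent NIC (em0) instead of the em0_vlanN sub-interface."""
    native, trunks = parse_catos(config)
    return {port: native[port] for port in trunks
            if native.get(port, 1) in tagged_vlans}  # CatOS default VLAN is 1


# Constructed excerpt mirroring the lines quoted in the thread.
SAMPLE = """
set vlan 10   2/1,2/5,2/7,2/9,2/11,2/13,2/15,2/17-48
set vlan 20   2/2
set vlan 30   2/3-4,2/6,2/8,2/10,2/12,2/14,2/16
set trunk 2/6  on dot1q 1-1005,1025-4094
"""
FIXED = SAMPLE + "set vlan 1 2/6\n"  # the fix proposed in this reply

if __name__ == "__main__":
    print(native_vlan_conflicts(SAMPLE, {10, 20, 30}))  # {'2/6': 30}
    print(native_vlan_conflicts(FIXED, {10, 20, 30}))   # {}
```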


  • As I understand it, that setting only affects untagged/native traffic.  I.e., if any untagged traffic is seen on the port, the switch will tag it with VLAN 30.

    I unfortunately can't try removing this setting until I'm on-site (since I can't reach the Cisco gear from the pfsense, I can't do anything remotely).  I'll try removing this setting in about 2 weeks when I'm on-site.  Thanks for the suggestion.



  • @timthetortoise: you were totally right.  This Cisco switch is different than my other switches; it was tagging all traffic on that port.  Removing it from VLAN 30 (i.e., putting it in VLAN 1) solved the issue.

    Thanks for the suggestion!



  • Glad to hear it, I know that CatOS has some things that don't really make sense compared to IOS.

