Netgate Discussion Forum

    VLANS and Cisco Trunk - Not working together :( PLEASE help

    salvationd

      With my WAN and LAN setup, everything works fine. Ports on the Cisco switch are left alone (so access).  Everything is kosher.

      Then comes the wrench.

      I've done LBT with 'Route based on Physical NIC load' for my VMs in other VLANs, created a few VLANs (10 and 99) on my Cisco switch and left 1 (for now) as the native VLAN.  Then to facilitate this I've made the link to the pfSense LAN NIC a trunk on the Cisco switch.  Shit breaks (can't ping, can't pull DHCP, nothing works, like it doesn't know how to route).  Help.  Pictures attached.

      Yes - The interfaces are enabled.
      Interfaces:

      VLANs (on pfSense):

      VLANs (on Cisco):

      *Note: Both VLAN 10, and 99 look like this.

      Firewall Rules:

      *Note: All rules look like this, a Pass any any until I can fix whatever is wrong.

      Cisco Port Settings/Trunk:

      Which ties into this –
      My NIC Topology:

      On my topology my pfSense_LAN_trunk is EMPTY because with the pfSense LAN NIC in it, nothing works.  I have to move it either in the Management Port Group or the VLAN 1 Port Group to get functionality back.

      Edit: vlan dot1q tag native IS enabled in global config on the Cisco switch.

      jgraham5481

        Why are you using spanning-tree portfast trunk? Why would you make a 0-4094 trunk? I've never had issues with Cisco and VLAN trunking and pfSense, but I always prune the VLANs on my trunk and never use spanning-tree on a trunk. You also have LAN set for native VLAN 1 on vmx0 and the other two virtual adapters to snag the tagged packets from vmx0. For the "LAN" to work, on the Cisco side, you need:
        switchport mode trunk
        switchport trunk native vlan 1
        switchport trunk allowed vlan 10,99

        The LAN is set to handle any untagged packets, as it is not set as a vlan interface.

        officialh1

          To clarify, based on a question from one of the posters here, I am guessing you want one connected virtual trunk (or LAN/untagged, VLAN99/tagged, VLAN10/tagged) to your pfSense VM so all traffic in and out is expected to be tagged/untagged as normal with no adjustments by VMware, is this correct?  Typically to do all VLANs and pass tagging to the VM, you would use VLAN 4095 on the host level; I have never tested using the VLAN trunking selection option in the dvSwitch setting.  I have done this once a long time ago and had no issues (but tested with just all tagging with Avaya and Cisco gear).  However, research shows that you would be better off letting the VMware host accept the tag and process it for you, sending the VM the untagged packet.  Is this just an exercise?

          I believe by default Cisco sends VLAN 1 as untagged (native) when you create a trunk, so specifying is redundant, otherwise if it was a different value, the show config would have noted the different setting.  But these are my recollections if it's IOS.

          When you have this set up on the trunk port, do any of the VLANs ping at all?  I guess I am asking for connectivity status for each VLAN from the pfSense perspective.  Do you have CDP enabled and confirmed the port/switch connectivity?  I know, dumb question, but have to get the simple ones out of the way first.

          I ask all this, because I found this note:

          "Caution: Native VLAN ID on ESXi/ESX VST Mode is not supported. Do not assign a VLAN to a port group that is same as the native VLAN ID of the physical switch. Native VLAN packets are not tagged with the VLAN ID on the outgoing traffic toward the ESXi/ESX host. Therefore, if the ESXi/ESX host is set to VST mode, it drops the packets that are lacking a VLAN tag."

          Try not using the native VLAN on the Cisco: create VLAN 2 on the switch (if it doesn't exist) and then set the native VLAN to 2 instead of the default of 1.
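A small check one could run over a switch's running config to catch the three things the two replies above call out: portfast on a trunk, an unpruned allowed-VLAN list, and a native VLAN that is also used as an ESXi port-group VLAN (the VST caution quoted above). This is an added example, not code from the thread or from Netgate; the config text, interface names and the ESXi port-group VLAN set are constructed.

```python
import re

# Constructed "show running-config" excerpt; interface names are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink to ESXi pfSense_LAN_trunk
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4094
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 2
 switchport trunk allowed vlan 10,99
!
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} per block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.strip() == "!":
            current = None
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
    return blocks

def expand_vlan_list(spec):
    """'10,99', '1-4094' or 'all' -> set of VLAN IDs."""
    if spec == "all":
        return set(range(1, 4095))
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def check_trunk(lines, esxi_port_group_vlans):
    """Findings for one trunk port, following the advice in the replies."""
    findings = []
    if "switchport mode trunk" not in lines:
        return findings            # access port: nothing trunk-related to check
    native, allowed = 1, None      # IOS defaults: native VLAN 1, all VLANs allowed
    for l in lines:
        if m := re.match(r"switchport trunk native vlan (\d+)", l):
            native = int(m.group(1))
        if m := re.match(r"switchport trunk allowed vlan (\S+)", l):
            allowed = expand_vlan_list(m.group(1))
        if l.startswith("spanning-tree portfast"):
            findings.append("portfast on a trunk")
    if allowed is None or len(allowed) >= 4094:
        findings.append("allowed VLAN list is not pruned")
    if native in esxi_port_group_vlans:
        findings.append(f"native VLAN {native} is also an ESXi port-group VLAN (VST caveat)")
    return findings
```

Feed it the output of `show running-config` and the set of VLAN IDs assigned to the ESXi port groups; a clean trunk returns an empty list.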

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.