VLAN

Started by grant4790, March 22, 2024, 11:30:02 PM

1,10 on switch to firewall and AP to switch. Then access 10 on the end device I am using for testing.

What do you mean, "1,10"? Show the complete port config, please. Just the relevant one, of course.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Interface GigabitEthernet1/0/5 (AP)
Switchport allowed vlan 1,10
Switchport mode Trunk
!
Interface GigabitEthernet1/0/38 (end device)
Switchport access vlan 10
Switchport mode access
!
Interface TenGigabitEthernet1/1/3 (firewall)
Switchport allowed vlan 1,10
Switchport mode trunk
!

Is VLAN 1 tagged or untagged on the other devices? Also puzzled that it's not "switchport trunk allowed vlan ..."

You might want to try to remove that completely. It's not really necessary if you can trust the connected devices.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

interface TenGigabitEthernet1/1/3 & 1/0/5
switchport trunk allowed vlan 1,10
switchport mode trunk

Sorry, I was away from my PC when I wrote the last response. This is the direct copy from my switch, and 1 is untagged.

So "switchport trunk native vlan" is not set at all and so has the default value of 1, I guess?

Well, since this is Cisco ... did you create the VLAN in the VLAN database? You can reference non-existing VLANs in the config and the switch will happily accept that but they won't work.

"show vlan brief"
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28, Gi1/0/29, Gi1/0/30
                                                Gi1/0/31, Gi1/0/32, Gi1/0/33
                                                Gi1/0/34, Gi1/0/35, Gi1/0/36
                                                Gi1/0/37, Gi1/0/39, Gi1/0/40
                                                Gi1/0/41, Gi1/0/42, Gi1/0/43
                                                Gi1/0/44, Gi1/0/45, Gi1/0/46
                                                Gi1/0/47, Gi1/0/48, Gi1/1/1
                                                Gi1/1/2, Te1/1/4
10   IOT                              active    Gi1/0/38


1 is native and I did give it an IP for SSH purposes. I just removed the trunk 1 on 1/0/5 and 1/1/3; it still seems to function as normal without trunking 1 on those interfaces, but VLAN 10 still no dice.

I guess the AP is next ... I'm out of ideas.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Yeah, I am on the same page, but I have that port 38 and it is not communicating with the firewall either, and the AP would not affect that client.

Quote from: grant4790 on March 24, 2024, 08:48:52 PM
I thought it was AP as well but if I set one of my switch ports to access vlan 10 that end device does not get connection to vlan 10 either.

You should solve this issue first: if your switch doesn't communicate over L2 between two ports in the same VLAN, any uplink towards OPNsense (or the like) isn't going to work either.
Are you sure your AP is bridging the SSID-assigned VLAN to the switchport, or is it actually routing? (Capture switchport traffic; see Cisco docs.)

A few other observations:

* Your Trunk ports are missing encap config
switchport trunk encapsulation dot1q

* OPNsense is using 802.1Q VLAN tags; don't use untagged VLANs on Trunks

* If you _do_ need untagged VLANs on Trunks (hint: you don't), assign any native VLAN to that port except for VLAN 1. Don't use VLAN 1 in any VLAN design; just leave it as the DEFAULT, which it is by default... (no pun intended)

* So instead of VLAN 1 & VLAN 10, use something like VLAN 10 & VLAN 11 (or any other IDs below 4095). Of course both VLAN IDs need to be configured at OPNsense and assigned to your Trunk between switch and OPNsense

* If you're going to use multiple links between your switch and OPNsense, configure a LACP Trunk. Otherwise you have to deal with Spanning Tree and other looping fun, which introduces unneeded complexity. Test your topology first with a single interface before diving into multiple links (and LACP)
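Two of the checks raised in this thread (Patrick's "did you create the VLAN in the VLAN database?" and netnut's advice not to carry VLAN 1 untagged on trunks) can be automated over pasted switch output. This is an added example, not code from the thread or from any Cisco tool; the running-config stanzas and the "show vlan brief" rows are constructed samples, and the audit assumes IOS defaults (access mode, native VLAN 1) when a line is absent.

```python
import re

# Constructed sample input (not the OP's config): running-config stanzas and "show vlan brief" rows.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/5
 switchport trunk allowed vlan 1,10
 switchport mode trunk
!
interface GigabitEthernet1/0/40
 switchport access vlan 20
 switchport mode access
!
"""
VLAN_BRIEF = """\
1    default                          active    Gi1/0/1, Gi1/0/2
10   IOT                              active    Gi1/0/38
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10,20-22' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config, brief):
    """Flag VLANs referenced on ports but absent from the VLAN database, and
    trunks that carry VLAN 1 untagged (the IOS default native VLAN)."""
    db = {int(m.group(1)) for m in re.finditer(r"^(\d+)\s+\S+\s+active", brief, re.M)}
    findings = []
    for stanza in re.split(r"^!$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", stanza, re.M)
        if not name:
            continue
        name = name.group(1)
        mode = re.search(r"switchport mode (\w+)", stanza)
        if mode and mode.group(1) == "trunk":
            m = re.search(r"switchport trunk allowed vlan ([\d,-]+)", stanza)
            vlans = expand_vlans(m.group(1)) if m else set()  # no list = all VLANs
            n = re.search(r"switchport trunk native vlan (\d+)", stanza)
            native = int(n.group(1)) if n else 1  # unset native VLAN defaults to 1
            if not m or native in vlans:
                findings.append(f"{name}: VLAN {native} is carried untagged (native) on a trunk")
        else:  # access is the IOS default mode; unset access VLAN defaults to 1
            m = re.search(r"switchport access vlan (\d+)", stanza)
            vlans = {int(m.group(1)) if m else 1}
        for v in sorted(vlans - db):
            findings.append(f"{name}: references VLAN {v}, which is not in the VLAN database")
    return findings
```

Paste the real "show running-config" and "show vlan brief" output into the two strings to run it against your own switch; a VLAN that shows up in the second kind of finding is exactly the "accepted but won't work" case described above.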

Quote from: netnut on March 25, 2024, 01:05:36 AM
* Your Trunk ports are missing encap config
switchport trunk encapsulation dot1q

* OPNsense is using 802.1Q VLAN tags; don't use untagged VLANs on Trunks
OMG! I would definitely apply for the "resident Cisco wizard" role on this forum having run an ISP on Cisco gear for 25 years, but I'd never thought of a current switch with anything but dot1q as the default.

As for the untagged/native VLAN issue - that's for the OP to fix afterwards, IMHO. While OPNsense and the underlying FreeBSD don't always work as expected with an untagged VLAN on a trunk port, that definitely should not keep a new VLAN from working at all.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

March 25, 2024, 01:38:23 AM #26 Last Edit: March 25, 2024, 01:42:16 AM by Seimus
Quote from: netnut on March 25, 2024, 01:05:36 AM

* Your Trunk ports are missing encap config
switchport trunk encapsulation dot1q


This command will not work per interface on 3650 and other legacy switches. This command is for MLS switches.

3650 already by default supports 802.1Q and it's the only encapsulation it supports by default.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3e/vlan/configuration_guide/b_vlan_3e_3650_cg/b_vlan_3se_3650_cg_chapter_0100.html

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on March 25, 2024, 01:38:23 AM
Quote from: netnut on March 25, 2024, 01:05:36 AM

* Your Trunk ports are missing encap config
switchport trunk encapsulation dot1q


This command will not work on 3650 and other legacy switches. This command is for MLS switches.

3650 already by default supports 802.1Q and it's the only encapsulation it supports by default.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3e/vlan/configuration_guide/b_vlan_3e_3650_cg/b_vlan_3se_3650_cg_chapter_0100.html

Regards,
S.


I was about to say this, as it indeed does do 802.1q by default and the encapsulation dot1q is an invalid command on my switch. If I untrunk VLAN 1 I get locked out of OPNsense management SSH and web GUI. It still routes traffic though.

Alright, @grant4790 - please show the output of `ifconfig` on your OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

ifconfig
enc0: flags=0<> metric 0 mtu 1536
        groups: enc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33160
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        syncpeer: 0.0.0.0 maxupd: 128 defer: off
        syncok: 1
        groups: pfsync
hn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=80018<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
        ether 14:18:77:62:dc:fe
        inet xxx.xxx.xxx.xxx netmask 0xfffffc00 broadcast xxx.xxx.xxx.xxx
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
hn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (lan)
        options=80018<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
        ether 14:18:77:62:dc:ff
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Vlan10 (opt2)
        options=80000<LINKSTATE>
        ether 14:18:77:62:dc:ff
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        groups: vlan
        vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: hn1
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
wg1: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        description: wireguard (opt1)
        options=80000<LINKSTATE>
        inet 10.10.10.1 netmask 0xffffff00
        groups: wg wireguard
        nd6 options=9<PERFORMNUD,IFDISABLED>
root@OPNsense:~ #