VLAN

Started by grant4790, March 22, 2024, 11:30:02 PM

And hn1 is the proper interface connected to your trunk port on the Cisco side?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

interface TenGigabitEthernet1/1/3 & 1/0/5
switchport trunk allowed vlan 1,10
switchport mode trunk

I don't like this. You have the port towards your AP set as TRUNK. But does your AP know how to TAG?

In simple words >

access (switchport) port
a port that can be assigned to a single VLAN. The frames that arrive on an access port are assumed to be part of the access VLAN. This port type is configured on switch ports that are connected to devices with a normal network card, for example a host on a network.

trunk port
a port that is connected to another switch. This port type can carry traffic of multiple VLANs, thus allowing you to extend VLANs across your entire network. Frames are tagged by assigning a VLAN ID to each frame as they traverse between switches.

In simple terms, what this means is that when you set a port on a switch to access, the switch assumes the ingress traffic coming in is not TAGGed, so it will TAG it for you and remove the TAG again once the traffic, within the same device, comes back out to that specific port or any other access port within the VLAN.

If it's a trunk port, the switch assumes the ingress traffic is already TAGGed with a specific VLAN allowed on the TRUNK.

VLANs are basically about logical segmentation and who strips/assigns the TAG. If it's ACCESS, the switch/GW will do it; if it's TRUNK, it's on the HOST/GW.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
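To make the access-vs-trunk explanation above concrete, here is an added example (not code from the thread or from any of the posters) that models one switch port's 802.1Q tag handling in Python: an access port places untagged ingress into its access VLAN and strips the tag on egress; a trunk keeps the tag, drops VLANs it does not allow, and sends the native VLAN untagged. The port names mirror the thread's topology, but the MAC addresses and the rule that a tagged frame arriving on an access port is dropped are assumptions made for the example (real switches differ on that last point).

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

def mac(text):
    """'aa:bb:cc:dd:ee:ff' or Cisco-style 'aabb.ccdd.eeff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace(".", ""))

def build_frame(dst, src, payload=b"", vlan=None):
    """Ethernet II frame, with an 802.1Q tag (PCP/DEI = 0) inserted when vlan is given."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload

def strip_tag(frame):
    """Return (vlan_id or None, frame with the 802.1Q tag removed)."""
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

def add_tag(frame, vlan):
    """Insert an 802.1Q tag after the source MAC of an untagged frame."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF) + frame[12:]

class Port:
    """One switch port in 'access' or 'trunk' mode (hypothetical model, not IOS)."""
    def __init__(self, name, mode, access_vlan=1, allowed=(1,), native=1):
        if mode not in ("access", "trunk"):
            raise ValueError(mode)
        self.name, self.mode = name, mode
        self.access_vlan, self.allowed, self.native = access_vlan, set(allowed), native

    def ingress(self, frame):
        """Classify an arriving frame: (vlan, untagged frame), or None if dropped."""
        vid, bare = strip_tag(frame)
        if self.mode == "access":
            # Access: ingress is assumed untagged and is placed in the access VLAN.
            # Assumption for this model: a tagged frame is dropped (real switches vary).
            return None if vid is not None else (self.access_vlan, bare)
        # Trunk: a tagged frame keeps its VLAN; an untagged one lands in the native VLAN.
        vid = self.native if vid is None else vid
        return (vid, bare) if vid in self.allowed else None

    def egress(self, vlan, bare):
        """Frame as it leaves this port for `vlan`, or None if the port is not a member."""
        if self.mode == "access":
            return bare if vlan == self.access_vlan else None        # tag stripped
        if vlan not in self.allowed:
            return None
        return bare if vlan == self.native else add_tag(bare, vlan)  # native leaves untagged

def forward(in_port, frame, out_port):
    """Switch one frame from in_port to out_port; None means dropped or not delivered."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vlan, bare = classified
    return out_port.egress(vlan, bare)

# Ports named after the thread's topology; the MAC addresses are made up.
PC  = Port("Gi1/0/38", "access", access_vlan=10)             # Windows host
AP  = Port("Gi1/0/5",  "trunk", allowed=(1, 10), native=1)    # U7 Pro
OPN = Port("Te1/1/3",  "trunk", allowed=(1, 10), native=1)    # OPNsense uplink
PC_MAC, GW_MAC = mac("02:00:00:00:00:10"), mac("02:00:00:00:00:01")

def demo():
    """Tag seen on the OPNsense trunk (or delivery result) for several ingress cases."""
    pc_to_gw  = forward(PC,  build_frame(GW_MAC, PC_MAC), OPN)            # untagged in, tagged 10 out
    ap_tagged = forward(AP,  build_frame(GW_MAC, PC_MAC, vlan=10), OPN)   # tagged 10 stays 10
    ap_untag  = forward(AP,  build_frame(GW_MAC, PC_MAC), OPN)            # native 1 in, untagged out
    ap_vlan20 = forward(AP,  build_frame(GW_MAC, PC_MAC, vlan=20), OPN)   # not allowed: dropped
    gw_to_pc  = forward(OPN, build_frame(PC_MAC, GW_MAC, vlan=10), PC)    # tag stripped for access port
    return {
        "pc_to_gw": strip_tag(pc_to_gw)[0],
        "ap_tagged": strip_tag(ap_tagged)[0],
        "ap_untagged": strip_tag(ap_untag)[0],
        "ap_vlan20_dropped": ap_vlan20 is None,
        "gw_to_pc_untagged": strip_tag(gw_to_pc)[0] is None,
    }

if __name__ == "__main__":
    print(demo())
```

The `ap_untagged` case is the one to watch: anything the AP sends untagged rides the native VLAN (1 here) and also leaves the OPNsense-facing trunk untagged, so the far end has to treat its untagged parent interface as that VLAN. That untagged native path is also why the classic double-tagging VLAN-hopping trick works, which is one more reason to keep user traffic off the native VLAN.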

Yes, I have 2 10G ports; the other is shut down, so this is for sure it.

Yes, my AP can tag. It is a U7 Pro with multiple SSIDs: 3 for VLAN 1 (just the different GHz bands) and 1 for VLAN 10 IoT devices.


As advised, do not use VLAN1 for anything on CISCO switches. That VLAN is exclusively used by Cisco for their control plane on their switches. It may still work, but it's advised not to use VLAN1.

If your host connected to YOUR AP over VLAN10 has issues reaching the GW, I would suspect a misconfiguration on the switch or AP side.

Try setting the switch port side to access VLAN 10, and configure the AP without VLAN encapsulation, to see if it passes traffic through VLAN 10 on the switch towards the OPN.

Regards,
S.

Okay, I will work on taking VLAN 1 off. I have my phone, and switchport mode access on port 38, which is a Windows machine; they could ping each other from switch to AP.

Laptop     Switch                  AP
Vlan10     vlan10/P38       IOT network Port 5

As a few more people have jumped on this thread, I want to summarize what we know so far. I have a VM running OPNsense on a Dell R730; the native OS is Windows Server 19, with a 10G SFP+ connection to a Cisco 3650 SFP+ 10G connection that is set to trunk VLAN 1 and 10. 1 is set to native, and if I remove VLAN 1 from the trunk I lose the OPNsense GUI and SSH for some reason. I have a Windows end device connected to port 38 on that same switch, configured as an access port for VLAN 10. I have a U7 Pro AP on port 5 of that switch, configured as a trunk port for 1 and 10 as well; on the UniFi controller I have two networks, one for VLAN 1 and one for VLAN 10, with 3 SSIDs for VLAN 1 and 1 for VLAN 10. I have connected my phone to VLAN 10 and can ping said phone from the Windows machine, also on VLAN 10. I do have the VLAN set up in OPNsense, but I cannot get an IP from DHCP on either the wireless or wired devices.

Thank you all for the help so far; I hope this summary helps clarify.

Can you do,

while on the current config, the one with trunk on the ports >

show int Te[port towards OPN] trunk
show int Te[port towards PC] trunk
show int Te[port towards AP] trunk


And as well, while a device is connected to your AP, do on the switch

sh mac address-table interface Te[port towards AP]

Regards,
S.

Quote from: Seimus on March 25, 2024, 02:16:59 AM
Can you do,

While the current config the one with trunk on the ports >

show int Te[port towards OPN] trunk
show int Te[port towards PC] trunk
show int Te[port towards AP] trunk


And as well, while a device is connected to your AP, do on the switch

sh mac address-table interface Te[port towards AP]

Regards,
S.



show interfaces tenGigabitEthernet1/1/3 trunk

Port        Mode             Encapsulation  Status        Native vlan
Te1/1/3     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Te1/1/3     1,10

Port        Vlans allowed and active in management domain
Te1/1/3     1,10

Port        Vlans in spanning tree forwarding state and not pruned
Te1/1/3     1,10




show interfaces GigabitEthernet1/0/5 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/5     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/5     1,10

Port        Vlans allowed and active in management domain
Gi1/0/5     1,10

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/5     1,10


show interfaces GigabitEthernet1/0/38 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/38    off              802.1q         not-trunking  1

Port        Vlans allowed on trunk
Gi1/0/38    10

Port        Vlans allowed and active in management domain
Gi1/0/38    10

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/38    10



sh mac address-table interface gigabitEthernet1/0/5
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    4abd.fb3e.9eac    DYNAMIC     Gi1/0/5
   1    9c05.d643.c1b9    DYNAMIC     Gi1/0/5
   1    a64a.6488.9532    DYNAMIC     Gi1/0/5
   1    ae5a.8867.163d    DYNAMIC     Gi1/0/5
   1    bad2.b99c.0125    DYNAMIC     Gi1/0/5
  10    ba41.46ea.f647    DYNAMIC     Gi1/0/5
Total Mac Addresses for this criterion: 6
Thanks.

So it looks like the switch allows the proper VLANs on the TRUNKs.

Also, if >
10    ba41.46ea.f647    DYNAMIC     Gi1/0/5

is your phone, that means the switch sees this MAC being announced in VLAN10, thus the AP is encapsulating it correctly.

Is the DHCP server configured on OPN?
Can you show the configuration?

Regards,
S.

Here is a screenshot of the DHCP page for VLAN 10 on OPNsense.

Looks good to me as well.

One thing: so you can ping across the same broadcast domain, VLAN10 PC to VLAN10 AP phone. That is when you statically assign the IPs to your devices, correct?

Can you also ping the GW on VLAN 10 from a device on VLAN10?

Regards,
S.

No, that was over the automatically assigned fallback IPs; APIPA, I think, is the protocol.

No ping of the gateway from the laptop with static and APIPA IPs.

Well, from APIPA I would not even expect to be able to ping.
But if you assigned static IPs from the VLAN10 pool and still cannot ping, this smells fishy.

Can you set that PC to a static IP from the pool of VLAN 10 and perform a continuous ping?

Set all your rules on OPN, even the default deny, to be logged, and have a look at the live view. I know you mentioned the capture didn't show any traffic, but try to have a look this way to see if you see something.

And as well if you can do >

sh mac address-table interface Te[port towards OPN]


Regards,
S.

show mac address-table interface tenGigabitEthernet1/1/3
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    1418.7762.dcff    DYNAMIC     Te1/1/3



Here is the MAC address table for the interface facing OPNsense. I have the Windows machine IP set to 192.168.10.101 and am pinging 10.1 continuously.
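The checks Seimus walks through above (is the VLAN allowed, active and forwarding on every trunk, is the access port in the VLAN, and has the switch actually learned a MAC in that VLAN on each port) can be scripted. The following is an added example written for this page, not a tool from the thread or from OPNsense: it parses `show interfaces <if> trunk` and `show mac address-table interface <if>` output as Cisco IOS prints it and lists what would stop a VLAN from being carried end to end. The embedded sample output is copied (abridged) from the posts above; the `check_vlan_path` rules and its warning that the tested VLAN is a trunk's native VLAN (so it leaves untagged and the far end must expect it untagged) are the example's own assumptions. Run on the outputs posted here, it reports one finding for VLAN 10: the OPNsense-facing Te1/1/3 has learned a MAC only in VLAN 1, so nothing tagged 10 has arrived from that side.

```python
import re

# Switch output copied (abridged) from the posts above: the OPNsense-facing trunk,
# the access port for the Windows host, and the MAC tables for the AP and OPNsense ports.
TRUNK_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Te1/1/3     on               802.1q         trunking      1
Port        Vlans allowed on trunk
Te1/1/3     1,10
Port        Vlans allowed and active in management domain
Te1/1/3     1,10
Port        Vlans in spanning tree forwarding state and not pruned
Te1/1/3     1,10
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/38    off              802.1q         not-trunking  1
Port        Vlans allowed on trunk
Gi1/0/38    10
Port        Vlans allowed and active in management domain
Gi1/0/38    10
Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/38    10
"""
MAC_AP = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    4abd.fb3e.9eac    DYNAMIC     Gi1/0/5
  10    ba41.46ea.f647    DYNAMIC     Gi1/0/5
"""
MAC_OPN = """\
   1    1418.7762.dcff    DYNAMIC     Te1/1/3
"""

SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}
PORT_RE = re.compile(r"^[A-Za-z]{2}\d+/\d+")   # Te1/1/3, Gi1/0/38, ...

def expand_vlans(spec):
    """'1,10-12,20' -> {1,10,11,12,20}; 'none' or '' -> empty set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk(output):
    """Parse 'show interfaces <if> trunk' output into {port: {mode, status, native, allowed, ...}}."""
    ports, section = {}, None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":                      # column header names the section that follows
            title = line.split(None, 1)[1].strip()
            section = "status" if title.startswith("Mode") else SECTIONS.get(title)
            continue
        if section is None or not PORT_RE.match(fields[0]):
            continue
        entry = ports.setdefault(fields[0], {})
        if section == "status":
            entry.update(mode=fields[1], encap=fields[2], status=fields[3], native=int(fields[4]))
        else:
            entry[section] = expand_vlans(fields[1] if len(fields) > 1 else "")
    return ports

def parse_mac_table(output):
    """Parse 'show mac address-table' rows into (vlan, mac, type, port) tuples."""
    row = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)
    return [(int(m[1]), m[2].lower(), m[3], m[4]) for m in map(row.match, output.splitlines()) if m]

def check_vlan_path(trunks, mac_rows, vlan, uplink):
    """List what would stop `vlan` from being carried end to end toward `uplink`."""
    problems = []
    for port, info in trunks.items():
        if info.get("status") == "trunking":
            for key in ("allowed", "active", "forwarding"):
                if vlan not in info.get(key, set()):
                    problems.append(f"{port}: VLAN {vlan} missing from '{key}'")
            if info["native"] == vlan:
                problems.append(f"{port}: VLAN {vlan} is the native VLAN and leaves untagged")
        elif vlan not in info.get("allowed", set()):
            problems.append(f"{port}: access port is not in VLAN {vlan}")
    if not any(r[0] == vlan and r[3] == uplink for r in mac_rows):
        problems.append(f"{uplink}: no MAC learned in VLAN {vlan}, nothing tagged {vlan} arrived from that side")
    return problems

if __name__ == "__main__":
    for finding in check_vlan_path(parse_trunk(TRUNK_OUTPUT), parse_mac_table(MAC_OPN), 10, "Te1/1/3"):
        print(finding)
```

Paste the full `show interfaces trunk` output for every port in the path into `TRUNK_OUTPUT` and the uplink's MAC table into `MAC_OPN`; the MAC check is the one that separates "the switch is configured right" from "the other side is actually sending tagged frames", which is the distinction the thread is circling.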