Automatic vMotion of pfSense with 3750g?


Spiffy

New Member
Jan 12, 2019
I'm putting together my home lab, which includes (but isn't limited to) two r610s (Hosts A & B), each with 8 NICs, vSphere 6.7 and one 3750g. I've got both vCenter and pfSense VMs running, but have done only minimal configuration to each.

At the moment, there is a cable running from my Pace 5268AC modem to a NIC on Host A, and this is assigned to pfSense for WAN/DMZ access.
There is no direct link from the modem to Host B. Both hosts are patched into the 3750g.
I haven't yet configured VLANs anywhere, nor firewall rules on pfSense.
I'd like to be able to have pfSense vMotion from Host A to B if necessary (e.g. if Host A goes offline, not just for load balancing). In order for that to happen today, I'd have to manually move the modem link from Host A to an open NIC on Host B.

Is there a way to handle this automatically without having to run a second cable from the modem to Host B?
My modem is upstairs, the lab is in the basement. It's not a huge deal if I have to run another cable, but I'd like to know if there is an alternative before I decide to do that.

Could I create a 3-port VLAN to be shared by the modem and two hosts, and have this do just layer 2 switching, while permitting layer 3 on all of the other ports, and enable pfSense to automatically migrate between the two hosts while continuing to operate as desired? Or is there some other or better way to do this?

Thanks
 

fishtacos

New Member
Jun 8, 2017
If you're setting up VLANs, I don't see the need to dedicate an entire physical NIC to the WAN VLAN, but yes you could do that.

This is what I do, and others as well, according to similar posts here and on other forums.

My setup is as follows. I'm using an HP switch, so the VLAN terminology might be slightly different from Cisco:

Port 1 on switch - untagged VLAN 2 access port connected to modem.

All other ports untagged VLAN 1, trunking VLAN 2 (and other VLANs as needed).

ESXi hosts - vSwitch with a port group set to VLAN 2 that's dedicated to the pfSense WAN vNIC. No matter what host pfSense is vmotioned to, it will find an identically configured port group that is on VLAN 2 exclusively for WAN access.

Distributed vSwitches are great for this purpose, configure once for all hosts.


Another option is to trunk all VLANs in every port (or whatever port you connect your ESXi hosts to) and configure the ESXi port group to trunk the VLANs into pfSense. Then configure VLAN access within pfSense: Virtual LANs (VLANs) — pfSense VLAN Configuration

I was more familiar with esxi's networking setup than I was with pfSense's when I set my system up like this, so I opted for the first option. I'm sure some smarter people can give you better info.

With vMotion, I only get a single dropped packet in connectivity from pfSense - worst case scenario, with the HA feature, you'll be up and running in a few minutes even if the host running the pfSense VM dies.
 

Dreece

Active Member
Jan 22, 2019
Food for thought, but if a physical VLAN were not an easy option, one could just as easily deploy a VPN mesh. I did this a few years back using Tinc, but of course this would require the ability to customise and upload a bespoke firmware build to the public router. It works a treat and is less of a headache when a large distributed tiered network is in the equation. With internet traffic, software stacks give unlimited options, whence pfSense being as popular as it has been. Though I personally rely on a custom Linux build (simply out of curiosity and the desire to learn how it all really works) as my internet gateway router.
 

PigLover

Moderator
Jan 26, 2011
Define a VLAN on your switch for the Modem. Connect the modem to a port with that new VLAN as the default/untagged VLAN. Then connect that VLAN to each pfSense instance - now they both see the modem.

There are security risks...but probably minor.
 

Spiffy

New Member
Jan 12, 2019
Port 1 on switch - untagged VLAN 2 access port connected to modem.

All other ports untagged VLAN 1, trunking VLAN 2 (and other VLANs as needed).

ESXi hosts - vSwitch with a port group set to VLAN 2 that's dedicated to the pfSense WAN vNIC. No matter what host pfSense is vmotioned to, it will find an identically configured port group that is on VLAN 2 exclusively for WAN access.

Distributed vSwitches are great for this purpose, configure once for all hosts.
I'm new to this vlan stuff, so I just want to make sure I have this right.

The modem would connect to port 1. Port 1 would be assigned VLAN2, but not tagged. Does that mean untagged inbound & outbound? Or just untagged in one direction?

Then all other ports are untagged VLAN1, trunking VLAN2.
By "all other ports," do you mean ALL other ports, or just the two ports that would be used by the hosts for handling internet traffic?
I'm not clear on what you mean by "trunking VLAN2." I'm not sure my limited understanding of trunking applies to single switch traffic. Does this mean that if traffic on the port goes looking for something outside its own VLAN, it heads to VLAN2 to find it? So the WAN vNIC for pfSense would go looking to VLAN2 when they need to head out to the internet. But if I want pfSense to handle routing/firewall for my SAN host and VMs, then I would not want their VLANs to trunk VLAN2, would I?
Do I have that right?

And when you say "and other VLANs as needed," did you mean making other VLANs into trunks in addition to VLAN2? Or making more VLANs other than VLAN1 looking to VLAN2 as a trunk?

Do I need to utilize the VLAN settings in esxi for the dvSwitch or the dvPort groups?
 

Spiffy

New Member
Jan 12, 2019
Also, if I may, let me throw another factor into this...

Right now my lab network is configured with class A addresses, and the internet modem is configured for class C (it can only do B & C).
I have a PC & smart TV connected to the modem, and the PC is hosting Plex. I've also got a couple wifi users who access Plex. The modem is currently my only WAP.
I'm going to migrate Plex to the lab hosts, but I'm not sure how my TV & wifi users would still be able to access this on the LAN. I'm guessing I'd have to connect the TV to the lab switch instead, and get some WAP setup also on the lab switch. This would mean running a couple more cables down the basement where the lab is, and buying a WAP. That's OK I guess, but it's a bit of a hassle.

Is there another good way I could get my TV & my wifi users able to access Plex in the lab over the LAN, without running more cables and buying a WAP, and without allowing access to anything else in the lab?
 

Spiffy

New Member
Jan 12, 2019
Sorry if I'm being obtuse with these questions. If they don't really belong here, please let me know. I've been reading what I can to learn more about this, to make sure I fully understand how this works, but much of what I find seems like partial explanations.

Let me try again to see if I have this right:
Port 1 on switch - untagged VLAN 2 access port connected to modem.
Port 1 on switch. Set to vlan 2. Untagged, so it won't add tags, and if it receives any tagged packets, it removes the tag. Packets tagged for vlan 2 can get broadcast to Port 1 and any other port on vlan 2.

All other ports untagged VLAN 1, trunking VLAN 2 (and other VLANs as needed).
This is throwing me off. Maybe that makes sense for an HP switch, but nothing I can find about cisco switches discusses this type of setup. A port is either an access port (untagged) or a trunk port (tagged). A port that is untagged vlan 1 is just that and nothing else. There's no "trunking" another vlan from an access port, because those things are mutually exclusive.

Maybe the quoted section was incorrectly worded?

ESXi hosts - vSwitch with a port group set to VLAN 2 that's dedicated to the pfSense WAN vNIC.
There are two vlan-related settings I see.
On the Distributed Port Group, I can set the vlan type: none, vlan, vlan trunking, private vlan.
On the dswitch uplinks, the vlan type is permanently set to vlan trunking (greyed-out, can't change it), and there's an option to specify which vlans.

So I would set the Distributed Port Group to "VLAN trunking," then set the dswitch uplinks vlan to 2?


Define a VLAN on your switch for the Modem. Connect the modem to a port with that new VLAN as the default/untagged VLAN. Then connect that VLAN to each pfSense instance - now they both see the modem.
This is confusing to me, as it seems like it says the previous stuff is wrong, and that I should just pick three ports, put them all in one vlan, and connect the modem and two hosts to those ports.
I'm fuzzy on what is meant by, "then connect that VLAN to each pfSense instance." Does that mean set the vlan for pfsense in esxi, or set it at the port that is carrying the pfsense wan traffic?

There are security risks...but probably minor.
Does this involve the native vlan being vlan 1 by default? Or something else?


Getting back to my post from four days ago...

I think I could avoid running more cables & buying a new WAP. The modem doesn't do vlans, nor allow different subnets except for the guest wifi.
A firewall rule in pfSense should work to route between devices connected to the modem and devices behind the lab switch. I could set the firewall to allow only the TV and specific wifi devices to be able to access the Plex server in the lab.
Still not sure about making it so Plex sees such traffic as local rather than from an outside network.
Plex has a few settings that seem to pertain to this.
The first is "LAN Networks," which is a "comma separated list of IP addresses or IP/netmask entries for networks that will be considered to be on the local network when enforcing bandwidth restrictions. If set, all other IP addresses will be considered to be on the external network and will be subject to external network bandwidth restrictions. If left blank, only the server's subnet is considered to be on the local network."
The second is a checkbox for "Treat WAN IP As LAN Bandwidth," which means "treat incoming requests from this network's WAN IP address as LAN requests in terms of bandwidth. This often occurs when DNS rebinding protection is in place and clients on the LAN cannot contact the server directly but instead have to go through the WAN IP address."
And the third is, "List of IP addresses and networks that are allowed without auth," for a "comma separated list of IP addresses or IP/netmask entries for networks that are allowed to access Plex Media Server without logging in. When the server is signed out and this value is set, only localhost and addresses on this list will be allowed."

The second setting, a checkbox, is checked already, so I guess that's the default and can probably be left as-is.
For the other two settings, I believe that means I could put in the IP addresses of the permitted non-lab devices, and wouldn't need to put the modem and lab in the same subnets. That's what the router (pfsense) makes possible, right?
 

fishtacos

New Member
Jun 8, 2017
Port 1 on switch. Set to vlan 2. Untagged, so it won't add tags, and if it receives any tagged packets, it removes the tag. Packets tagged for vlan 2 can get broadcast to Port 1 and any other port on vlan 2.
Correct - there should not be any untagged packets coming into the denominated WAN access port, and if there are, they will be removed, necessarily.

This is throwing me off. Maybe that makes sense for an HP switch, but nothing I can find about cisco switches discusses this type of setup. A port is either an access port (untagged) or a trunk port (tagged). A port that is untagged vlan 1 is just that and nothing else. There's no "trunking" another vlan from an access port, because those things are mutually exclusive.

Maybe the quoted section was incorrectly worded?
This is probably better left to someone who is familiar with Cisco switches, but the functionality must exist in Cisco switches, since they pretty much created modern networking. A port having a default VLAN (VLAN 1) while simultaneously trunking other VLANs has to be part of the basic functionality...

In my googling I found that Cisco refers to what I called "default VLAN" as "native VLAN".

See here Is the "default VLAN" simply the default native (untagged) VLAN on all interfaces that have no configuration? for a point of reference.

You don't have to have a native VLAN at all if you don't want. You can trunk all your traffic, but you'll need VLAN aware devices connected downstream for each of the ports you configure as trunks only.

From the post linked above:
802.1q however, provided for a way to not only receive this traffic, but also associate it to a VLAN of your choosing. This method is known as setting a Native VLAN. Effectively, you configure your trunk port with a Native VLAN, and whatever traffic arrives on that port without an existing VLAN tag, gets associated to your Native VLAN.

As with all configuration items, if you do not explicitly configure something, usually some sort of default behavior exists. In the case of Cisco (and most vendors), the Default Native VLAN is VLAN 1. Which is to say, if you do not set a Native VLAN explicitly, any untagged traffic received on a trunk port is automatically placed in VLAN 1.

There are two vlan-related settings I see.
On the Distributed Port Group, I can set the vlan type: none, vlan, vlan trunking, private vlan.
On the dswitch uplinks, the vlan type is permanently set to vlan trunking (greyed-out, can't change it), and there's an option to specify which vlans.

So I would set the Distributed Port Group to "VLAN trunking," then set the dswitch uplinks vlan to 2?
Forget the uplink settings. Those are set by default to trunk everything. It's merely illustrative.

You want to check and configure the port group settings. On the WAN portgroup, you want the VLAN to be 2 (or whatever you have your access port VLAN to be for that physical port, since this is merely my config)

This is confusing to me, as it seems like it says the previous stuff is wrong, and that I should just pick three ports, put them all in one vlan, and connect the modem and two hosts to those ports.
I'm fuzzy on what is meant by, "then connect that VLAN to each pfSense instance." Does that mean set the vlan for pfsense in esxi, or set it at the port that is carrying the pfsense wan traffic?
Piglover basically wrote what I wrote in fewer words. You misunderstood what he wrote, however.

Let me give it a shot with fewer words:

Switch:

1. define the VLAN you want for WAN access, and connect the modem to that port. It will be the native VLAN for that access port, no tagged packets going in or out.

2. In the switch ports where you will connect your ESXi hosts, trunk the WAN VLAN you defined above. To keep things simple, you can keep the native VLAN untagged on it - you could use this for LAN access on every port on the switch (except for the previously defined WAN access port)

ESXi hosts:

1. Create a port group with VLAN you set up for WAN access.
2. Create a port group for basic LAN access - if you followed my example above, the VLAN type should be set to "None"
3. Connect your pfSense VM vNIC for the WAN to the port group from (1) above. (if using dvswitch, this should propagate on each host - if not, set up the same config on each esxi host standard vswitch manually)
4. Connect your pfSense VM LAN vNIC to the LAN port group from (2).
5. Configure pfSense from VM console.

Basically you'll have

1. Modem -> to WAN VLAN port -> esxi hosts -> WAN port group -> pfSense WAN vNIC (this provides the Internet to your pfsense instance)
2. pfSense -> LAN portgroup -> switch (this provides the Internet to the rest of your VMs connected to that port group, as well as any devices connected to the physical switch directly)
 

fishtacos

New Member
Jun 8, 2017
I'm new to this vlan stuff, so I just want to make sure I have this right.

The modem would connect to port 1. Port 1 would be assigned VLAN2, but not tagged. Does that mean untagged inbound & outbound? Or just untagged in one direction?

Then all other ports are untagged VLAN1, trunking VLAN2.
By "all other ports," do you mean ALL other ports, or just the two ports that would be used by the hosts for handling internet traffic?
I'm not clear on what you mean by "trunking VLAN2." I'm not sure my limited understanding of trunking applies to single switch traffic. Does this mean that if traffic on the port goes looking for something outside its own VLAN, it heads to VLAN2 to find it? So the WAN vNIC for pfSense would go looking to VLAN2 when they need to head out to the internet. But if I want pfSense to handle routing/firewall for my SAN host and VMs, then I would not want their VLANs to trunk VLAN2, would I?
Do I have that right?

And when you say "and other VLANs as needed," did you mean making other VLANs into trunks in addition to VLAN2? Or making more VLANs other than VLAN1 looking to VLAN2 as a trunk?

Do I need to utilize the VLAN settings in esxi for the dvSwitch or the dvPort groups?
1. Modem port on switch would be VLAN2, untagged inbound and outbound.
2. While my switch is set up with all ports (except for the WAN access port) trunking all VLANs, which I do so I don't have to remember which port to plug into from the ESXi hosts, the minimum would be only those ports that you have your own hosts plugged into.
3. Trunking means passing tagged VLAN traffic which would then be recognized and stripped of the VLAN tag as needed, or continue being trunked into other VMs if necessary (this is a port group setting).
4. If the device connected to a trunk port can recognize 802.1Q tags, it will work with them as configured. If it doesn't, it will only see the native VLAN, thus only send and receive untagged packets. There is no default behavior on any device that I know of that traverses VLANs unless specifically configured so.
5. The WAN vNIC for pfsense, if configured as I mentioned, will only receive untagged packets, and send untagged packets. pfSense, when connected to the dvswitch port group for the WAN, which is set to VLAN 2 in its properties, has no idea VLANs exist. The tagging and untagging happens at the dvswitch port group. In this scenario, you don't set up VLANs in pfsense at all.
6. You only need to trunk the WAN VLAN into the host pNIC(s) so you can save from having to use a dedicated WAN pNIC on it. In this manner, it carries both untagged and tagged traffic. As far as routing/firewalling, I would stick to not using VLANs at all, just leave the portgroup VLAN setting as "None" for any LAN/OPT1/OPT2 etc, which uses the native VLAN (VLAN1 by default) to pass untagged packets. This basically works like a dumb switch, only one VLAN - so technically, no VLAN at all.
7. What I meant by VLANs as needed is that in the future, if you need additional VLANs to further isolate traffic, you can simply define them on the switch, trunk them on the switch ports you are using for your hosts, and use them easily in ESXi.

One scenario for point 7 that I use would be to isolate additional traffic coming in from pfSense for a separate subnet (say for labs), or one that you could use would be to isolate SAN traffic. (Don't route SAN traffic through pfSense - you'll get high CPU usage and low speed)
 

fishtacos

New Member
Jun 8, 2017
Also, if I may, let me throw another factor into this...

Right now my lab network is configured with class A addresses, and the internet modem is configured for class C (it can only do B & C).
I have a PC & smart TV connected to the modem, and the PC is hosting Plex. I've also got a couple wifi users who access Plex. The modem is currently my only WAP.
I'm going to migrate Plex to the lab hosts, but I'm not sure how my TV & wifi users would still be able to access this on the LAN. I'm guessing I'd have to connect the TV to the lab switch instead, and get some WAP setup also on the lab switch. This would mean running a couple more cables down the basement where the lab is, and buying a WAP. That's OK I guess, but it's a bit of a hassle.

Is there another good way I could get my TV & my wifi users able to access Plex in the lab over the LAN, without running more cables and buying a WAP, and without allowing access to anything else in the lab?
A few things here:

1. It sounds like you want to keep your ISP modem as a firewall+router+AP (i.e. existing functionality) but want to have your pfSense instance routing something in your lab setup. This will work, just keep in mind that to have anything Internet facing that needs open ports (like Plex server, for example) you are going to have headaches configuring port forwarding in pfSense since this is a double NAT scenario.

2. Going off the above scenario, it would work fine for a lab setting that only needs basic routing and segregation, or just to have some hands on experience with pfSense.

3. If you want pfSense to handle ALL routing and firewall duties, you need to set your modem/router/ap combo device in "bridge" mode, thus serving only as a modem. This would necessitate a separate WAP.

4. If you don't want pfSense to handle routing and firewall duties for all your home, then when you place your Plex server in your lab hosts, keep it directly connected to the modem/router/ap combo device, and make sure you don't place it behind pfSense.

5. Your scenario does complicate things a bit, as now you need to keep existing functionality intact, create a pfSense instance for your lab only, and also keep Plex connected directly to your existing modem/router/ap combo device, but running on the ESXi machines. This is doable:

If I understand what you're wanting to do correctly, it would be something like this:

modem/router/ap device -> switch
PC and other devices -> switch = happy users with Internet access
------this is the existing setup^------

ESXi hosts with trunked VLANs being managed at the port group level
Some lab VMs that you want behind pfSense
Plex accessible from modem/router/ap device
-----this is what you want to achieve^-------

If I understood this correctly, then the WAN connection for pfSense is coming from the modem/router/ap device NATed LAN. In that case, Plex would just be connected to the WAN portgroup in ESXi (same as the WAN vNIC of your pfsense VM), as they both would be receiving an IP from the modem/router/ap device.
Don't place Plex behind pfSense, just connect it to the WAN port group, let it pick up (or assign it a static address) in the LAN subnet range of your modem/router/ap device and it should continue working same as it is now, only communicating with your combo device through the trunked VLANs.

To throw a wrench in my earlier posts' explanation, if you're only using a single switch, I would not use the default VLAN to connect your pfSense's LAN vNIC back to the switch, as that would mean you have two routers potentially serving DHCP requests. Keep pfSense's LAN connected to either a portgroup on a different VLAN altogether, or keep it connected to a vSwitch with no uplinks (basically a host only vSwitch that only connects to VMs, not physical network)

If you keep it connected to the default VLAN, then at least disable DHCP on it, and configure all your lab VMs statically, using pfSense's address as the gateway/dns server.
 

Spiffy

New Member
Jan 12, 2019
You don't have to have a native VLAN at all if you don't want.
Ultimately, I want pretty much everything segregated. I'd leave a couple ports on the switch as the default vlan, though I'll probably change the default vlan from 1 to some other number. I want my server LAN, workstation LAN, SAN, VoIP, Management, vMotion, VPN, and WAN each with their own vlans, and want to be very deliberate about any inter-vlan routing.

you are going to have headaches configuring port forwarding in pfSense since this is a double NAT scenario.
I can't put the modem into bridge mode, but I can turn off the firewall for individual ports, or put an individual port in the DMZ.
Pretty sure I also have the option of getting 5 static IPs assigned, which I think would only work in the DMZ. Can't recall the details of that; would have to look it up again. Not important right now.

I want Plex in my lab behind pfSense, so I guess I will just need to run another cable up from the lab switch, and link it to a second managed switch. Then use that new switch for everything upstairs - the TV and an AP - except guest wifi. Maybe a 2960C and an Aironet 3602i would be an affordable and quiet setup? Eh, I can worry about that later.

In the switch ports where you will connect your ESXi hosts, trunk the WAN VLAN you defined above. To keep things simple, you can keep the native VLAN untagged on it - you could use this for LAN access on every port on the switch (except for the previously defined WAN access port)
I might be confused by your various uses of the word "trunk" as a verb. You talk about trunking ports, trunking traffic, and trunking vlans. To me, "trunking" means to configure a port as a trunk port for connecting one switch to another, as things can either be trunk ports or access ports. Is that how you're using it, too? It seems like you're using it more broadly than that.
I think I'm getting thrown off by talk of trunking things that aren't ports (traffic and VLANs), and also because I've only got the one switch. Every example online shows devices on, say, Switch A trying to connect to devices on Switch B over a single link, and keeping the traffic logically separated the whole way. That seems straightforward to me, but what I'm trying to do here seems quite a bit different, and things aren't so clear to me.

Putting this into my own words to make sure I'm not misunderstanding:

1. The switch port connecting to the modem (call it Port #1) should be an access port, since it would be just the one vlan that isn't the switch's default vlan (let's say untagged VLAN 2).

2. The switch ports connecting to the pNICs assigned to pfSense on each host (call them Port #s 2 & 3) would both be trunk ports (meaning they have more than one VLAN assigned). For these trunk ports, they should be tagged for VLAN 2. Optionally leave VLAN 1 as the default/untagged vlan.

3. For the WAN port group for pfSense, set that to VLAN 2. This is untagged at the port group level, and tagging is handled at the vswitch level.

4. For the LAN port group for pfSense and other VMs intended for this logical LAN, set VLAN to None, so that they belong to the Default VLAN 1.

If any word of that is wrong, please let me know.

If it is OK, I'll go ahead and try to implement it, and see how it goes.

In step #2 above, I'm not sure what the benefit would be of leaving the default VLAN 1 on trunk ports #s 2 & 3.

What vlan do I assign to the physical switch ports that are connected to pNICs that are assigned to the pfSense LAN port group? And what gets tagged and what doesn't? I think everything is left untagged VLAN 1, but want to confirm.

You only need to trunk the WAN VLAN into the host pNIC(s)
I'm not sure what you mean by that.

so you can save from having to use a dedicated WAN pNIC on it.
I have an abundance of ports on the hosts and the switch, so I'm OK with having dedicated ports to simplify the concepts for me for now. Later I may do away with this.
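Putting fishtacos' switch steps and Spiffy's restatement of them above into Cisco IOS commands for the 3750G, as an added example that is not configuration anyone posted in the thread. It assumes the interface names Spiffy uses elsewhere in the thread (Gi4/0/1 to the modem, Gi4/0/7 and Gi4/0/8 to the hosts), VLAN 2 as the WAN VLAN, and that the Vlan2 SVI on the switch is not needed.

```cisco
! Added example, not from the thread. Switch side only; on the ESXi side the
! WAN port group gets VLAN ID 2 and the LAN port group VLAN "None", and pfSense
! itself needs no VLAN configuration (the dvSwitch port group tags/untags).
vlan 2
 name WAN
!
! Step 1: the modem port is an access port in VLAN 2, untagged in and out.
interface GigabitEthernet4/0/1
 description UpLink to Modem
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
! Step 2: the host ports are 802.1Q trunks. VLAN 2 crosses them tagged; the
! native VLAN (1) stays untagged for the LAN port group set to VLAN "None".
! The 3750G requires the encapsulation to be set before "switchport mode trunk".
! Drop the "1" from the allowed list if the pNIC is dedicated to WAN only.
interface GigabitEthernet4/0/7
 description Host A WAN UpLink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
interface GigabitEthernet4/0/8
 description Host B WAN UpLink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
! Caveat on the "security risks" PigLover mentions: everything in VLAN 2 sits
! on the modem side of pfSense, so the switch should not own an address there.
! The "show interface vlan 2" output later in the thread shows such an SVI;
! shutting it (assumed not needed) keeps the 3750G a pure layer-2 path between
! the modem and the pfSense WAN vNIC, as Spiffy's first post asked for.
interface Vlan2
 shutdown
!
! Checks after applying: Gi4/0/7 and Gi4/0/8 should list VLAN 2 as allowed and
! active, and Gi4/0/1 should show "Operational Mode: static access", VLAN 2.
! show interfaces trunk
! show interfaces GigabitEthernet4/0/1 switchport
! show vlan brief
```

Trunk ports do not appear in the per-VLAN port list of `show vlan`, so `show interfaces trunk` is the command that confirms VLAN 2 is actually carried to each host.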
 

Spiffy

New Member
Jan 12, 2019
3. For the WAN port group for pfSense, set that to VLAN 2. This is untagged at the port group level, and tagging is handled at the vswitch level.
That part appears to have been wrong. Tagging is set at the port group, not at the dvswitch itself. I mis-read what was written earlier.
Other than that, I made the changes.

Something else must be wrong, too, because it's not working. pfSense no longer has WAN connectivity. :(
 

Spiffy

New Member
Jan 12, 2019
This is what I have configured in my switch. Port Gi4/0/1 is the link to the modem, and Gi4/0/7 & 8 are the links for the pfSense WAN, although 8 hasn't yet been added to the port group, since that's Host B and pfSense isn't on there. pfSense did have internet access prior to making these changes. I'm using VLAN 2 for the WAN VLAN. I set the VLAN ID on the dvSwitch port group, too.


Code:
#show interface Gi4/0/1

GigabitEthernet4/0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 001c.0e53.f501 (bia 001c.0e53.f501)
  Description: UpLink to Modem
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 42854
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 2 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     6870431526 packets input, 7409192285445 bytes, 0 no buffer
     Received 11205312 broadcasts (4387525 multicasts)
     281 runts, 0 giants, 0 throttles
     281 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 4387526 multicast, 0 pause input
     0 input packets with dribble condition detected
     4759944616 packets output, 5279647827244 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


#show interface Gi4/0/7

GigabitEthernet4/0/7 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 001c.0e53.f507 (bia 001c.0e53.f507)
  Description: Host A WAN UpLink
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 199
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
     385003773 packets input, 197919318900 bytes, 0 no buffer
     Received 42801 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     885277007 packets output, 1141181786239 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


#show interface vlan 2

Vlan2 is up, line protocol is up
  Hardware is EtherSVI, address is 001c.0e53.f542 (bia 001c.0e53.f542)
  Description: DMZ VLAN
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     87237 packets input, 5947199 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out



#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi4/0/2, Gi4/0/3, Gi4/0/4
                                                Gi4/0/5, Gi4/0/6, Gi4/0/9
                                                Gi4/0/10, Gi4/0/11, Gi4/0/12
                                                Gi4/0/13, Gi4/0/14, Gi4/0/15
                                                Gi4/0/16, Gi4/0/17, Gi4/0/18
                                                Gi4/0/19, Gi4/0/20, Gi4/0/21
                                                Gi4/0/22, Gi4/0/23, Gi4/0/24
                                                Gi4/0/25, Gi4/0/26, Gi4/0/27
                                                Gi4/0/28, Gi4/0/29, Gi4/0/30
                                                Gi4/0/31, Gi4/0/32, Gi4/0/33
                                                Gi4/0/34, Gi4/0/35, Gi4/0/36
                                                Gi4/0/37, Gi4/0/38, Gi4/0/39
                                                Gi4/0/40, Gi4/0/41, Gi4/0/42
                                                Gi4/0/43, Gi4/0/44, Gi4/0/45
                                                Gi4/0/46, Gi4/0/47, Gi4/0/48
                                                Gi4/0/49, Gi4/0/50, Gi4/0/51
                                                Gi4/0/52
2    VLAN0002                         active    Gi4/0/1
30   VLAN0030                         active
1002 fddi-default                     act/unsup

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------


#show int sw

Name: Gi4/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Name: Gi4/0/7
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 2
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
 

Spiffy

New Member
Jan 12, 2019
8
0
1
I think my last post may have given the impression that I finally had things working, but I do not.

I've done some more looking into it.

I'm not sure that Gi4/0/7 is configured right. It shows
Code:
Trunking VLANs Enabled: 2
but I don't see the Gi4/0/7 interface listed when I run #show vlan. Should it be listed there alongside Gi4/0/1?

Here's a little more info that might be helpful:
Code:
#show int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi4/0/7     on               802.1q         trunking      1
Gi4/0/8     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi4/0/7     2
Gi4/0/8     2

Port        Vlans allowed and active in management domain
Gi4/0/7     2
Gi4/0/8     2

Port        Vlans in spanning tree forwarding state and not pruned
Gi4/0/7     2
Gi4/0/8     2

Also, what about pfSense? Do I need to set anything for either my WAN or LAN interfaces under the options for VLANs or QinQ?
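On IOS, `show vlan` lists only access-mode ports under each VLAN, so a dot1q trunk such as Gi4/0/7 is not expected there; the place to confirm what a trunk carries is the `show interfaces trunk` output quoted in the post above. The following is an added example, not code from the thread or from Cisco or pfSense: a small Python audit that parses that output (the constructed sample is the text posted above) and checks how the WAN/DMZ VLAN (VLAN 2 in this thread) is carried across trunks. It flags a trunk that carries the WAN VLAN but is not one of the intended host uplinks, an intended uplink that does not allow it, a trunk where the WAN VLAN is allowed but not forwarding, and a trunk where the WAN VLAN is the native (untagged) VLAN. The port names, the WAN VLAN number and the set of expected uplinks are taken from the thread; the assumption that each port occupies exactly one line per section is mine (long VLAN lists can wrap on some IOS versions).

```python
# Added example: audit the WAN/DMZ VLAN across trunk ports using the text of
# `show interfaces trunk`. Not part of the thread, Cisco IOS or pfSense.

# Constructed sample input: the `show interfaces trunk` output quoted in the post.
SAMPLE_SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi4/0/7     on               802.1q         trunking      1
Gi4/0/8     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi4/0/7     2
Gi4/0/8     2

Port        Vlans allowed and active in management domain
Gi4/0/7     2
Gi4/0/8     2

Port        Vlans in spanning tree forwarding state and not pruned
Gi4/0/7     2
Gi4/0/8     2
"""

# Header text of each table in the output, mapped to the key used below.
# Assumption: every port occupies exactly one line in each table.
SECTION_HEADERS = {
    "Mode": "mode",
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-5,10,20-22' (or 'none') into a set of ints."""
    vlans = set()
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_show_int_trunk(text):
    """Return {port: {mode, encapsulation, status, native, allowed, active, forwarding}}."""
    trunks = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            header = line[4:].strip()
            section = next((v for k, v in SECTION_HEADERS.items() if header.startswith(k)), None)
            continue
        fields = line.split()
        entry = trunks.setdefault(fields[0], {})
        if section == "mode":
            entry["mode"], entry["encapsulation"], entry["status"] = fields[1], fields[2], fields[3]
            entry["native"] = int(fields[4])
        elif section in ("allowed", "active", "forwarding"):
            entry[section] = parse_vlan_list(fields[1] if len(fields) > 1 else "none")
    return trunks


def audit_wan_vlan(trunks, wan_vlan, expected_ports):
    """Return a list of findings about how wan_vlan is carried; empty means as intended."""
    findings = []
    for port, t in trunks.items():
        allowed = t.get("allowed", set())
        if t.get("native") == wan_vlan:
            findings.append(f"{port}: WAN VLAN {wan_vlan} is the native (untagged) VLAN on this trunk")
        if wan_vlan in allowed and port not in expected_ports:
            findings.append(f"{port}: carries WAN VLAN {wan_vlan} but is not an intended host uplink")
        if port in expected_ports and wan_vlan not in allowed:
            findings.append(f"{port}: intended host uplink does not allow WAN VLAN {wan_vlan}")
        if wan_vlan in allowed and wan_vlan not in t.get("forwarding", set()):
            findings.append(f"{port}: WAN VLAN {wan_vlan} allowed but not forwarding (pruned or STP-blocked)")
    for port in sorted(expected_ports):
        if port not in trunks:
            findings.append(f"{port}: intended host uplink is not trunking")
    return findings


if __name__ == "__main__":
    trunks = parse_show_int_trunk(SAMPLE_SHOW_INT_TRUNK)
    for port, t in trunks.items():
        print(port, t["status"], "native", t["native"], "allowed", sorted(t["allowed"]))
    # Both host uplinks (Gi4/0/7 and Gi4/0/8) should carry VLAN 2 tagged, and nothing else should.
    print(audit_wan_vlan(trunks, 2, {"Gi4/0/7", "Gi4/0/8"}) or "WAN VLAN carried as intended")
```

Run against the sample, the audit returns no findings: both host uplinks allow VLAN 2, it is forwarding on both, and the native VLAN on each trunk is 1, so WAN traffic only crosses the trunks tagged. The same check is worth re-running after any port change on the switch, since a trunk that defaults to `Trunking VLANs Enabled: ALL` would extend the WAN/DMZ VLAN to whatever is plugged into it.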