OK. I've been banging my head against this for a bunch of hours and I would love it if someone could just point out where I'm being dumb. I cannot for the life of me get my 7250 to route between VLANs. I'm running pfsense/opnsense (virtualized, and switching back and forth between the two while I get my opnsense install fully operational--for the purposes of this question, it doesn't matter which firewall I'm running). I have a bunch of VLANs--more than I need, but whatever. 3 of the VLANs are trusted, and I want to be able to route between them via the switch rather than going out to the firewall. The rest of the VLANs I want to go ahead and use the firewall to the extent there needs to be routing between them (rare), because I'm substantially more comfortable with filter rules than ACLs. At the bottom of this message is my current running config, and here is the output of 'sh ip route':
The three VLANs between which I want to route are 2, 10, and 1010. 2161 and 2162 are transit VLANs for WAN and LAN, respectively. When I set the gateway on any of the trusted VLANs to the firewall (X.X.X.1), everything works as expected. The firewall routes between VLANs according to my rules and I can get out to the internet. On the other hand, when I set the gateway on any of the trusted VLANs to the switch (X.X.X.254), I cannot reach one subnet from another. SSH/HTTPS are both inaccessible between local subnets. However, going out to the internet works, and for some reason I can ping between local subnets. This behavior is the same whether I'm running pfsense or opnsense, and even if I yank the LAN transit cable between the switch and the firewall.
At this point I'm ready to give up and just let the firewall handle all the routing, even though it's not quite up to the task of line-speed routing. As an aside, how much CPU do you need to max iperf on 10gbe? Brief testing I can get ~7gbit with my i3-8100t.
Anyway, any suggestions would be awesome.
Thanks!
Code:
SSH@coreswitch(config)#sh ip route
Total number of IP routes: 6
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
STATIC Codes - v:Inter-VRF
Destination Gateway Port Cost Type Uptime
1 0.0.0.0/0 172.16.2.1 ve 2162 1/1 S 10h49m
2 10.10.10.0/24 DIRECT ve 1010 0/0 D 10h49m
3 172.16.1.0/24 DIRECT ve 2161 0/0 D 10h49m
4 172.16.2.0/24 DIRECT ve 2162 0/0 D 10h49m
5 192.168.0.0/24 DIRECT ve 2 0/0 D 10h49m
6 192.168.10.0/24 DIRECT ve 10 0/0 D 10h49m
Code:
SSH@coreswitch>sh run
Current configuration:
!
ver 08.0.95fT213
!
stack unit 1
module 1 icx7250-24p-poe-port-management-module
module 2 icx7250-sfp-plus-8port-80g-module
!
!
global-stp
!
!
!
vlan 1 name DEFAULT-VLAN by port
spanning-tree
!
vlan 2 name infra by port
tagged ethe 1/2/2 to 1/2/4
untagged ethe 1/1/2 to 1/1/3 ethe 1/1/5 to 1/1/7 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24
router-interface ve 2
spanning-tree
!
vlan 10 name home by port
tagged ethe 1/1/2 ethe 1/1/7 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2 to 1/2/4
untagged ethe 1/1/4 ethe 1/1/8 to 1/1/9 ethe 1/1/11 ethe 1/1/14 ethe 1/1/16 ethe 1/2/5
router-interface ve 10
spanning-tree
!
vlan 11 name voip by port
tagged ethe 1/1/2 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
untagged ethe 1/1/12 ethe 1/1/18
spanning-tree
!
vlan 12 name guest by port
tagged ethe 1/1/2 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
spanning-tree
!
vlan 20 name kids by port
tagged ethe 1/1/2 ethe 1/1/5 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
spanning-tree
!
vlan 30 name IOT by port
tagged ethe 1/1/2 ethe 1/1/7 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2 to 1/2/4
untagged ethe 1/1/13 ethe 1/1/17 ethe 1/1/19 ethe 1/1/22 to 1/1/23 ethe 1/2/7
spanning-tree
!
!
vlan 999 by port
tagged ethe 1/1/24 ethe 1/2/2
!
vlan 1010 name data by port
tagged ethe 1/1/2 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
untagged ethe 1/2/3 to 1/2/4
router-interface ve 1010
spanning-tree
!
!
!
!
vlan 2161 name wansit_176_16_1 by port
untagged ethe 1/2/1
router-interface ve 2161
!
vlan 2162 name lansit_176_16_2 by port
untagged ethe 1/2/2
router-interface ve 2162
!
vlan 2222 name wan_vlan by port
tagged ethe 1/2/1
untagged ethe 1/1/1
spanning-tree
!
!
!
vlan 3333 name 5g_wan_vlan by port
tagged ethe 1/1/24 ethe 1/2/1
untagged ethe 1/1/10
spanning-tree
!
!
!
!
!
!
!
!
aaa authentication web-server default local
aaa authentication login default local
enable aaa console
hostname coreswitch
ip dhcp-client disable
ip dns server-address 192.168.0.1
ip route 0.0.0.0/0 172.16.2.1
!
no telnet server
username super password .....
!
!
!
!
clock summer-time
clock timezone gmt GMT-06
!
!
ntp
disable serve
server 192.168.0.1
server 10.10.10.1
!
!
no web-management http
web-management https
!
manager disable
!
!
manager port-list 987
!
!
!
!
!
!
!
!
!
interface management 1
ip address 10.10.2.254 255.255.255.0
!
interface ethernet 1/1/1
port-name cablemodem
!
interface ethernet 1/1/2
port-name firemox
!
interface ethernet 1/1/3
port-name prox-enp35
!
interface ethernet 1/1/4
port-name printer
!
interface ethernet 1/1/5
port-name minimox-eno1
!
interface ethernet 1/1/6
port-name piman
!
interface ethernet 1/1/7
port-name micromox1
!
interface ethernet 1/1/8
port-name IPMI1
!
interface ethernet 1/1/9
port-name note-nook
!
interface ethernet 1/1/12
port-name obi200
!
interface ethernet 1/1/15
port-name kitchen-no-poe
!
interface ethernet 1/1/17
port-name master-bed
!
interface ethernet 1/1/18
port-name security
!
interface ethernet 1/1/19
port-name garage
!
interface ethernet 1/1/20
port-name foyer
!
interface ethernet 1/1/21
port-name kitchen
!
interface ethernet 1/1/22
port-name garage-south-2
!
interface ethernet 1/1/23
port-name 2nd-bed
!
interface ethernet 1/1/24
port-name 4th-floor
!
interface ethernet 1/2/1
port-name WANuplink
!
interface ethernet 1/2/2
port-name LANuplink
!
interface ethernet 1/2/3
port-name mmx-10g
!
interface ethernet 1/2/4
port-name prox-10g
!
interface ethernet 1/2/5
port-name m1mini
!
interface ve 2
ip address 192.168.0.254 255.255.255.0
!
interface ve 10
ip address 192.168.10.254 255.255.255.0
!
interface ve 1010
ip address 10.10.10.254 255.255.255.0
!
interface ve 2161
ip address 172.16.1.254 255.255.255.0
!
interface ve 2162
ip address 172.16.2.254 255.255.255.0
!
!
!
!
!
!
!
!
!
!
ip ssh password-authentication no
ip ssh idle-time 0
ip ssh interactive-authentication no
!
!
!
!
!
end
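As an added example (not part of the original post, and not Ruckus/Brocade tooling), the script below parses a FastIron-style running config of the shape shown above and answers two questions a reviewer of this setup would ask: which VLANs are routed on the switch itself (and therefore bypass the firewall's filter rules entirely unless switch ACLs are applied), and which next hop the switch's longest-prefix match would pick for a given destination, mirroring what 'sh ip route' reports. The embedded config is a constructed excerpt that mirrors the post's VLAN/VE/route values; the function names, the report layout and the `next_hop_for` helper are my own.

```python
import re
from ipaddress import ip_address, ip_interface, ip_network

# Constructed excerpt modelled on the running config in the post (not the full config).
SAMPLE_CONFIG = """\
vlan 2 name infra by port
 tagged ethe 1/2/2 to 1/2/4
 router-interface ve 2
!
vlan 10 name home by port
 router-interface ve 10
!
vlan 11 name voip by port
 tagged ethe 1/1/2 ethe 1/2/2
!
vlan 1010 name data by port
 router-interface ve 1010
!
vlan 2162 name lansit_176_16_2 by port
 untagged ethe 1/2/2
 router-interface ve 2162
!
ip route 0.0.0.0/0 172.16.2.1
!
interface ethernet 1/2/2
 port-name LANuplink
!
interface ve 2
 ip address 192.168.0.254 255.255.255.0
!
interface ve 10
 ip address 192.168.10.254 255.255.255.0
!
interface ve 1010
 ip address 10.10.10.254 255.255.255.0
!
interface ve 2162
 ip address 172.16.2.254 255.255.255.0
!
end
"""


def parse_fastiron(config):
    """Return (vlans, ve_addrs, static_routes) from a FastIron-style running config.

    vlans: vlan id -> {"name": str, "ve": int or None}
    ve_addrs: ve id -> ip_interface (address plus mask)
    static_routes: list of (ip_network, next-hop string)
    """
    vlans, ve_addrs, static_routes = {}, {}, []
    block = None  # which config block the indented lines belong to
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
            continue
        m = re.match(r"vlan (\d+)(?: name (\S+))?", line)
        if m:
            block = ("vlan", int(m.group(1)))
            vlans[block[1]] = {"name": m.group(2) or "", "ve": None}
            continue
        m = re.match(r"interface ve (\d+)", line)
        if m:
            block = ("ve", int(m.group(1)))
            continue
        if line.startswith("interface "):  # ethernet/management blocks carry nothing we need
            block = ("other", None)
            continue
        m = re.match(r"ip route (\S+) (\S+)", line)
        if m:
            static_routes.append((ip_network(m.group(1)), m.group(2)))
            continue
        m = re.match(r"router-interface ve (\d+)", line)
        if m and block and block[0] == "vlan":
            vlans[block[1]]["ve"] = int(m.group(1))
            continue
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m and block and block[0] == "ve":
            # ipaddress accepts a dotted netmask after the slash
            ve_addrs[block[1]] = ip_interface(f"{m.group(1)}/{m.group(2)}")
    return vlans, ve_addrs, static_routes


def audit(vlans, ve_addrs, static_routes):
    """Split VLANs into switch-routed (bypass the firewall) and Layer-2-only ones."""
    report = {"switch_routed": {}, "l2_only": [], "ve_without_ip": [], "ip_without_vlan": []}
    for vid, info in sorted(vlans.items()):
        if info["ve"] is None:
            report["l2_only"].append(vid)           # routed only if the firewall does it
        elif info["ve"] in ve_addrs:
            report["switch_routed"][vid] = ve_addrs[info["ve"]].network
        else:
            report["ve_without_ip"].append(vid)     # router-interface declared, no address
    bound = {i["ve"] for i in vlans.values() if i["ve"] is not None}
    report["ip_without_vlan"] = sorted(ve for ve in ve_addrs if ve not in bound)
    return report


def next_hop_for(dst, ve_addrs, static_routes):
    """Longest-prefix match over connected and static routes, as 'sh ip route' would resolve dst."""
    dst = ip_address(dst)
    candidates = [(a.network, "DIRECT", f"ve {ve}") for ve, a in ve_addrs.items()]
    for net, nh in static_routes:
        via = next((f"ve {ve}" for ve, a in ve_addrs.items() if ip_address(nh) in a.network), "?")
        candidates.append((net, nh, via))
    matches = [c for c in candidates if dst in c[0]]
    if not matches:
        return None
    net, nh, via = max(matches, key=lambda c: c[0].prefixlen)
    return (str(net), nh, via)


if __name__ == "__main__":
    vl, ves, routes = parse_fastiron(SAMPLE_CONFIG)
    print(audit(vl, ves, routes))
    for dst in ("192.168.10.5", "10.10.10.7", "8.8.8.8"):
        print(dst, "->", next_hop_for(dst, ves, routes))
```

Run against the constructed excerpt, VLANs 2, 10, 1010 and 2162 come out as switch-routed with a DIRECT next hop for each other's subnets, VLAN 11 is Layer-2 only, and anything outside the connected subnets resolves to 172.16.2.1 via ve 2162, i.e. the firewall. The point for a security review is the first group: host-to-host traffic between those subnets never reaches the firewall's rules when the hosts' gateway is the switch, so any policy you want enforced there has to live in switch ACLs.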