[pfSense] VLAN Issue - pfSense/VMware/Cisco

2014-07-13 Thread Jonatas Baldin
Hi guys, how u doing?

I'm doing a home lab for VLAN studying and it's going bad. I don't know
where the problem is.

Here's my setup:

VMware ESXi 5.5
pfSense 2.3.4 (VM)
Cisco SF300

- The ESXi has a vSwitch attached to a port group in a physical interface
with VLAN 10.
- The pfSense has this port group attached and recognizes it as em2.
- In the pfSense I created a VLAN interface binding on em2 with the ID 10.
- The FW rules allow everything on this interface and a DHCP server
is configured on the VLAN interface.
- Physically, this em2 interface is connected to the SF300 on a TRUNK port
(port 10), with the VLAN 10 allowed.
- And the port 11 is configured as an access port with VLAN 10, where I
connected a laptop expecting to receive a DHCP address and get an ICMP
response *which I didn't*, even configuring a static IP.

Does anyone have a clue where the problem is?

Thx!

Jonatas Baldin de Oliveira
IT Professional
Skype: jonatas.baldin
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] VLAN Issue - pfSense/VMware/Cisco

2014-07-13 Thread Alex Needham
Hi

If the port group is already in vlan 10 then you don't need to create a
vlan in pfsense as the vswitch is already untagging it.

Just add the interface and assign an ip, or set the vswitch to be vlan 4095
and it will send tagged traffic through. Which is what I do so that you can
make changes to pfSense without rebooting to detect a new interface that
has been added through esx.

Also throw an ip on the cisco switch in vlan 10, that will help you
troubleshoot the problem.

Hope that helps

Cheers

Alex

Re: [pfSense] VLAN Issue - pfSense/VMware/Cisco

2014-07-13 Thread Justin Edmands
Here is some interesting info about esxi NICs when used with Cisco, or
other, VLAN:

"Only allowing through VLAN traffic on physical switch ports
connecting to ESX reduces TCP/IP overhead. Native VLANs do not tag the
out going VLAN packets toward ESX NICs and if the same VLAN ID is used
to configure the vSwitch port group, the vSwitch drops any packet that
is not tagged for it, causing the connection to fail. Unnecessary VLAN
traffic on a TRUNK port that connects to ESX can cause major
performance issues.

Note: Do not use the Native VLAN ID of a physical switch as a VLAN on
ESX/ESXi portgroups."

Also the link shows the proper Cisco trunk config

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006628



Re: [pfSense] VLAN Issue - pfSense/VMware/Cisco

2014-07-14 Thread Jonatas Baldin
Using the same configuration, but excluding the ESXi host (using a physical
pfSense) it worked smoothly.

I tried to remove the VLAN ID Tag from the vSwitch, but that didn't work either :/


-- 

Jonatas Baldin de Oliveira
IT Professional
Skype: jonatas.baldin

Re: [pfSense] VLAN Issue - pfSense/VMware/Cisco

2014-07-14 Thread Jonatas Baldin
*ISSUE SOLVED!*

I used the VLAN ID in the vSwitch and took off the TAG in the pfSense (just
adding a simple interface)

Thanks for the help guys!


-- 

Jonatas Baldin de Oliveira
IT Professional
Skype: jonatas.baldin
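
Added example (not part of the original thread): a simplified Python model of where the 802.1Q tag is applied on the path pfSense VM -> ESXi port group -> SF300 trunk -> access port, run over the configurations the messages above describe. The function names, the drop rules as modelled, and the trunk native VLAN of 1 are assumptions made for illustration.

```python
# Simplified model of 802.1Q handling on the path from the thread:
# pfSense VM -> ESXi port group -> SF300 trunk port -> SF300 access port.
# Assumption: the trunk's native VLAN is 1 (not stated in the thread).

PASS_THROUGH = 4095   # ESXi port group VLAN ID meaning "leave guest tags intact"
UNTAGGED = None


def portgroup_egress(guest_tag, pg_vlan):
    """Tag on the wire after the vSwitch, or 'drop'."""
    if pg_vlan == PASS_THROUGH:
        return guest_tag                     # guest does the tagging itself
    if guest_tag is not UNTAGGED:
        return "drop"                        # port group accepts only untagged frames
    return pg_vlan if pg_vlan else UNTAGGED  # vSwitch adds the tag (0 = none)


def trunk_ingress(wire_tag, allowed, native_vlan=1):
    """VLAN the physical switch places the frame in, or 'drop'."""
    if wire_tag == "drop":
        return "drop"
    vlan = native_vlan if wire_tag is UNTAGGED else wire_tag
    return vlan if vlan in allowed or vlan == native_vlan else "drop"


def reaches_access_port(guest_tag, pg_vlan, access_vlan=10, allowed=(10,)):
    """True if a frame sent by pfSense arrives on the laptop's access port."""
    return trunk_ingress(portgroup_egress(guest_tag, pg_vlan), allowed) == access_vlan


# Constructed scenarios matching the messages in the thread:
# (tag applied inside pfSense, VLAN ID set on the port group)
SCENARIOS = {
    "original: pfSense VLAN 10 + port group VLAN 10": (10, 10),
    "tag removed from port group, pfSense still tags": (10, 0),
    "fix used: plain interface + port group VLAN 10": (UNTAGGED, 10),
    "alternative: pfSense VLAN 10 + port group 4095": (10, PASS_THROUGH),
    "no tagging anywhere (lands in native VLAN)": (UNTAGGED, 0),
}


def evaluate():
    return {name: reaches_access_port(*cfg) for name, cfg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Only the pfSense-to-laptop direction is modelled; the last scenario shows why leaving both sides untagged still fails on a trunk, because the frame joins the native VLAN rather than VLAN 10.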