PfSense advanced etherchannel and vlan howto with cisco 2900
From Chaos
Summary
This article is designed to give you a better understanding of how you can configure a pfSense box with 4 NICs with EtherChannel and 802.1q VLAN trunking.
Scenario
pfSense Test Box
- Pentium 3 866 with 512MB RAM
- 6GB Disk
- 4 NICS
- xl0 -> LAN
- xl1 -> WAN
- fxp0 (eventually bonded to fec0)
- fxp1 (eventually bonded to fec0)
Cisco Catalyst 2900XL
- STP enabled globally
- Etherchannel destination-based forwarding enabled on ports 23/24
- 11 VLANS:
- 1 - Default
- 2 - OPT1
- 3 - OPT2
- 4 - OPT3
- 5 - OPT4
- 6 - OPT5
- 7 - OPT6
- 8 - OPT7
- 9 - OPT8
- 10 - OPT9
- 11 - OPT10
- 24 ports 10/100MB Copper
- FastEthernet 0/17 - Linux Box for testing (10.128.128.20/24)
- static access on vlan 2
- FastEthernet 0/23 - fxp0
- FastEthernet 0/24 - fxp1
- 4 ports 10/100MB Fiber
Details
Cisco Configuration
For the initial config of my Cisco 2900XL, I wanted to do all of my testing on ports 23/24, with STP enabled and the two ports bundled as an EtherChannel. This was done like so.
1. First, I removed all existing ports on the switch from all vlans, except default.
2. Then, I created 10 new VLANs:
ren-dsw-02#vlan database
ren-dsw-02(vlan)#vlan 2 name OPT1
ren-dsw-02(vlan)#vlan 3 name OPT2
ren-dsw-02(vlan)#vlan 4 name OPT3
ren-dsw-02(vlan)#vlan 5 name OPT4
ren-dsw-02(vlan)#vlan 6 name OPT5
ren-dsw-02(vlan)#vlan 7 name OPT6
ren-dsw-02(vlan)#vlan 8 name OPT7
ren-dsw-02(vlan)#vlan 9 name OPT8
ren-dsw-02(vlan)#vlan 10 name OPT9
ren-dsw-02(vlan)#vlan 11 name OPT10
ren-dsw-02(vlan)#apply
ren-dsw-02(vlan)#exit
3. The next thing was to assign ports 23 and 24 to the 10 new vlans I just created, enable 802.1Q (which pfSense supports), and enable EtherChannel source distribution:
ren-dsw-02#conf t
ren-dsw-02(config)#int fa0/23
ren-dsw-02(config-if)#switchport mode trunk
ren-dsw-02(config-if)#switchport trunk encapsulation dot1q
ren-dsw-02(config-if)#switchport trunk allowed vlan all
ren-dsw-02(config-if)#port group 1 distribution source
ren-dsw-02(config-if)#int fa0/24
ren-dsw-02(config-if)#switchport mode trunk
ren-dsw-02(config-if)#switchport trunk encapsulation dot1q
ren-dsw-02(config-if)#switchport trunk allowed vlan all
ren-dsw-02(config-if)#port group 1 distribution source
4. To ensure your VLANs are set up correctly, verify them with 'show vlan' (fa0/23 and fa0/24 are not listed, which is normal for trunk ports) and 'show vtp status':
ren-dsw-02#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11, Fa0/12,
Fa0/13, Fa0/14, Fa0/15, Fa0/16,
Fa0/19, Fa0/20, Fa0/21, Fa0/22,
Fa1/1, Fa1/2, Fa2/1, Fa2/2
2 OPT1 active Fa0/17, Fa0/18
3 OPT2 active
4 OPT3 active
5 OPT4 active
6 OPT5 active
7 OPT6 active
8 OPT7 active
9 OPT8 active
10 OPT9 active
11 OPT10 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
4 enet 100004 1500 - - - - - 0 0
5 enet 100005 1500 - - - - - 0 0
6 enet 100006 1500 - - - - - 0 0
7 enet 100007 1500 - - - - - 0 0
8 enet 100008 1500 - - - - - 0 0
9 enet 100009 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
11 enet 100011 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 trcrf 101003 4472 1005 3276 - - srb 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trbrf 101005 4472 - - 15 ibm - 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7 7 off
5. You can verify your EtherChannel configuration by doing 'show port group':
ren-dsw-02#show port group
Group Interface Transmit Distribution
----- --------------------- ---------------------
1 FastEthernet0/23 source address
1 FastEthernet0/24 source address
6. You may wish to verify your switchport configuration for fa0/23 and fa0/24. Use 'show int fa0/23 switchport' and 'show int fa0/24 switchport':
ren-dsw-02#show int fa0/23 switchport
Name: Fa0/23
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-11
Pruning VLANs Enabled: 2-1001
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
ren-dsw-02#show int fa0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-11
Pruning VLANs Enabled: 2-1001
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
Self Loopback: No
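As an added check for steps 5 and 6 (example code written for this page, not part of the original article), the following Python audit parses constructed copies of the 'show port group' and 'show int ... switchport' output and flags any member of a port group whose distribution or trunk settings differ from the others, since a bundle needs identically configured members; the field names and sample values are modelled on the output above.

```python
import re
PORT_GROUP = """\
Group Interface             Transmit Distribution
----- --------------------- ---------------------
1     FastEthernet0/23      source address
1     FastEthernet0/24      source address
"""
SWITCHPORT_23 = """\
Name: Fa0/23
Operational Mode: trunk
Operational Trunking Encapsulation: dot1q
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""
SWITCHPORT_24 = SWITCHPORT_23.replace("Fa0/23", "Fa0/24")
# Samples above are constructed. Bundle members must agree on these fields (None: just identical).
EXPECTED = {"Operational Mode": "trunk", "Operational Trunking Encapsulation": "dot1q",
            "Trunking Native Mode VLAN": None, "Trunking VLANs Enabled": None}

def parse_switchport(text):
    """'Key: value' lines of 'show int X switchport' -> dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_port_group(text):
    """'show port group' rows -> {group: {short_iface: distribution}}."""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+(.+?)\s*$", line)
        if m:  # 'FastEthernet0/23' here is 'Fa0/23' in the switchport output
            iface = m.group(2).replace("FastEthernet", "Fa")
            groups.setdefault(m.group(1), {})[iface] = m.group(3)
    return groups

def audit(port_group_text, switchport_texts):
    """Return a list of findings; an empty list means the bundle is consistent."""
    ports = {cfg["Name"]: cfg for cfg in map(parse_switchport, switchport_texts)}
    findings = []
    for group, members in parse_port_group(port_group_text).items():
        if len(set(members.values())) != 1:
            findings.append(f"group {group}: members use different distribution")
        for field, want in EXPECTED.items():
            seen = {ports.get(i, {}).get(field) for i in members}
            if len(seen) != 1:
                findings.append(f"group {group}: '{field}' differs across members")
            elif want is not None and seen != {want}:
                findings.append(f"group {group}: '{field}' is {seen.pop()!r}, expected {want!r}")
    return findings
```

Feed it the real output of the two commands on each member and an empty result means the trunk and distribution settings match; a member missing from the switchport output shows up as a mismatch too.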
pfSense Config
Using a recent version of HEAD, go to Interfaces -> Assign, and then the LAGG tab. You can add in your LAGG info here. 802.1q VLAN trunking should automatically work.