Is this vlan configuration correct?

tman904
Level 1

Hi.

The switch is a 3750 and I have issued a "no ip routing" command. I'm using an OpenBSD 6.6 machine for inter-VLAN routing and I'm trying to rule out whether my problem is in the 3750's configuration or in OpenBSD's.


spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/5
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/6
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/7
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/8
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/9
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/10
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/11
 shutdown
!
interface GigabitEthernet1/0/12
 shutdown
!
interface GigabitEthernet1/0/13
 shutdown
!
interface GigabitEthernet1/0/14
 shutdown
!
interface GigabitEthernet1/0/15
 shutdown
!
interface GigabitEthernet1/0/16
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet1/0/17
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet1/0/18
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet1/0/19
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet1/0/20
 shutdown
!
interface GigabitEthernet1/0/21
 shutdown
!
interface GigabitEthernet1/0/22
 shutdown
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,200
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,200
 switchport mode trunk
!
interface Vlan1
 no ip address
!
ip classless
no ip http server
no ip http secure-server
!
!
ip sla enable reaction-alerts
!
!
!
line con 0
 logging synchronous
 login local
line vty 0 4
 logging synchronous
 login local
line vty 5 15
 logging synchronous
 login local
!
end

Thanks for your time.

4 Replies

Mark Malone
VIP Alumni
Hi,
Looks fine, but you still need a default gateway for return traffic on an L2 switch.

Is that best practice regardless of whether you're routing with an L3 switch or not?

Yes. If you send a ping, it won't know how to get back for the return traffic. There should always be a default gateway on the switch at L2, or if it's acting as L3 you can use a default route: ip route 0.0.0.0 0.0.0.0 etc.
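To make the two points of this thread checkable rather than eyeballed, here is an added example (mine, not the poster's or Cisco's) that parses an IOS-style running config and reports the conditions discussed above: every VLAN used on an active access port must be allowed on every active trunk (otherwise the tagged frames never reach the external router), and, with routing turned off, an `ip default-gateway` line is needed for the switch's own return traffic. The embedded config is a constructed, condensed version of the 3750 config in the question; the finding strings, the handling of `switchport trunk allowed vlan add/all/none`, and the assumption that an absent `allowed vlan` line means all VLANs are carried are mine.

```python
import re

# Constructed sample: a condensed version of the 3750 config posted in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/11
 shutdown
!
interface GigabitEthernet1/0/16
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,200
 switchport mode trunk
!
interface Vlan1
 no ip address
!
ip classless
end
"""

ALL_VLANS = None  # sentinel: trunk carries every VLAN (no 'allowed vlan' line, or 'all')


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10,200' or '10-12,200' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Return {interface_name: {mode, access_vlan, allowed, shutdown}} from a running config."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"mode": None, "access_vlan": None,
                                   "allowed": ALL_VLANS, "shutdown": False}
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a global command ends the interface block
            continue
        cmd = line.strip()
        entry = interfaces[current]
        if cmd == "shutdown":
            entry["shutdown"] = True
        elif cmd.startswith("switchport mode "):
            entry["mode"] = cmd.split()[-1]
        elif cmd.startswith("switchport access vlan "):
            entry["access_vlan"] = int(cmd.split()[-1])
        elif cmd.startswith("switchport trunk allowed vlan "):
            spec = cmd[len("switchport trunk allowed vlan "):].strip()
            if spec == "all":
                entry["allowed"] = ALL_VLANS
            elif spec == "none":
                entry["allowed"] = set()
            elif spec.startswith("add "):
                base = entry["allowed"] if entry["allowed"] is not None else set()
                entry["allowed"] = base | expand_vlan_list(spec[4:])
            else:
                entry["allowed"] = expand_vlan_list(spec)
    return interfaces


def check_config(config):
    """Apply the checks raised in the thread; returns a list of finding strings (empty = clean)."""
    ifaces = parse_interfaces(config)
    findings = []
    access_vlans = {e["access_vlan"] for e in ifaces.values()
                    if e["mode"] == "access" and e["access_vlan"] is not None and not e["shutdown"]}
    trunks = {n: e for n, e in ifaces.items() if e["mode"] == "trunk" and not e["shutdown"]}
    for name, e in trunks.items():
        if e["allowed"] is ALL_VLANS:
            continue
        missing = sorted(access_vlans - e["allowed"])
        if missing:
            findings.append(f"{name}: VLAN(s) {missing} used on access ports but not allowed on trunk")
    if not trunks:
        findings.append("no active trunk port: tagged VLAN traffic cannot reach the external router")
    if not re.search(r"^ip default-gateway ", config, re.M):
        findings.append("missing 'ip default-gateway': with routing off the switch has no return path")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the missing default gateway, which is exactly the gap the reply above points out; removing VLAN 200 from the trunk's allowed list produces a second finding naming the trunk port.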

My problem was with OpenBSD's pf.conf configuration. I started with a "block drop all" rule and forgot to pass packets on the physical interface that was the parent of the VLAN interfaces. It's always the little things causing the biggest problems, huh lol :)


For anyone needing to use OpenBSD with a VLAN configuration in the future, here's a working pf.conf.

lan="vlan10"
wan="em1"
dmz="vlan200"
vlanpt="em0"

set skip on lo0
set block-policy drop

# Note: in pf the last matching rule wins, except when a matching rule carries the
# "quick" keyword, in which case evaluation stops there and that rule's action applies.
# Block all traffic/flows by default.
block drop all

#pass lan/vlan10 traffic to wan and source nat it.
pass in on $lan from $lan:network to any keep state
pass out on $wan from $lan:network to any nat-to ($wan) keep state

#pass dmz/vlan200 traffic to wan and source nat it.
pass in on $dmz from $dmz:network to any keep state
pass out on $wan from $dmz:network to any nat-to ($wan) keep state

#pass packets on vlan parent/physical interface
pass in on $vlanpt
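The comment in the ruleset above is the whole story of the bug: with "last matching rule wins", a frame that is filtered on the parent interface em0 matches only "block drop all", because every pass rule names a vlan or wan interface. As an added illustration (my code, not the poster's configuration or anything from the pf source), here is a small evaluator that implements pf's last-match-unless-quick decision logic over a simplified rule model (direction, interface, source network, action, quick) and replays the ruleset before and after the final `pass in on $vlanpt` line. The VLAN subnets (192.0.2.0/24 for vlan10, 198.51.100.0/24 for vlan200) and the packet addresses are constructed; the assumption that the inbound frame is evaluated on em0 is the situation the poster described, not a claim about pf internals.

```python
import ipaddress

# Constructed subnets standing in for $lan:network and $dmz:network (not from the post).
NETWORKS = {
    "vlan10": ipaddress.ip_network("192.0.2.0/24"),
    "vlan200": ipaddress.ip_network("198.51.100.0/24"),
}


def rule(action, direction=None, iface=None, src_net=None, quick=False):
    """One simplified pf rule; None means 'any' for that field."""
    return {"action": action, "direction": direction, "iface": iface,
            "src_net": src_net, "quick": quick}


def matches(r, pkt):
    """Does rule r match the packet dict {direction, iface, src}?"""
    if r["direction"] and r["direction"] != pkt["direction"]:
        return False
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["src_net"] and ipaddress.ip_address(pkt["src"]) not in NETWORKS[r["src_net"]]:
        return False
    return True


def evaluate(rules, pkt):
    """pf semantics: the last matching rule decides, unless a matching rule has 'quick',
    which ends evaluation immediately. Returns (action, index of deciding rule or None).
    With no match at all pf passes the packet, hence the 'pass' default."""
    decision, winner = "pass", None
    for idx, r in enumerate(rules):
        if matches(r, pkt):
            decision, winner = r["action"], idx
            if r["quick"]:
                break
    return decision, winner


# The poster's ruleset before the fix, translated into the simplified model.
ORIGINAL = [
    rule("block"),                           # block drop all
    rule("pass", "in", "vlan10", "vlan10"),   # pass in on $lan from $lan:network
    rule("pass", "out", "em1", "vlan10"),     # pass out on $wan from $lan:network nat-to ($wan)
    rule("pass", "in", "vlan200", "vlan200"),  # pass in on $dmz from $dmz:network
    rule("pass", "out", "em1", "vlan200"),    # pass out on $wan from $dmz:network nat-to ($wan)
]
# The posted working ruleset adds one line: pass in on $vlanpt
FIXED = ORIGINAL + [rule("pass", "in", "em0")]

# Constructed packets: a LAN host's frame as seen on the parent and on the vlan interface.
ON_PARENT = {"direction": "in", "iface": "em0", "src": "192.0.2.5"}
ON_VLAN10 = {"direction": "in", "iface": "vlan10", "src": "192.0.2.5"}
# A source that does not belong to vlan10's subnet: 'from $lan:network' will not match it.
SPOOFED_ON_VLAN10 = {"direction": "in", "iface": "vlan10", "src": "203.0.113.9"}

# 'quick' demo: an early block quick beats a later pass, unlike plain last-match ordering.
QUICK_FIRST = [rule("block", "in", "em0", quick=True), rule("pass", "in", "em0")]


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "parent:", evaluate(rules, ON_PARENT), "vlan10:", evaluate(rules, ON_VLAN10))
    print("spoofed source on vlan10:", evaluate(FIXED, SPOOFED_ON_VLAN10))
    print("block quick first:", evaluate(QUICK_FIRST, ON_PARENT))
```

The replay shows the symptom precisely: on the original ruleset the frame on em0 is decided by rule 0 (block) while the same frame on vlan10 is decided by rule 1 (pass); the fixed ruleset lets rule 5 win on em0. It also shows why `from $lan:network` is worth keeping on the vlan rules: a packet arriving on vlan10 from an address outside that subnet still falls through to the block rule.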