Re: WS-C3650 VLAN problems

noobienat0r · ‎08-17-2019

Hello,

i have a LAN-Based Cisco WS-C3650. I have created 2 VLANs "10" and "20" on it. I have configured a trunk port without any restrictions. There is a Pfsense Firewall connected to this trunk port. Both VLANs are existing on the PFSense Firewall. There is an DHCP Relay configured on the Pfsense firewall which forward all dhcp requests to a windows dhcp server.

i have configured a "switchport mode access" and "switchport access vlan 10" and the same on another port for vlan 20.

My computers are getting an ip adress from proper pools, so dhcp relay/helper on the firewall is working, but there is no connection. They cant ping the default gateway and have no internet.

Client Portconfig:

interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access

Uplink to firewall Portconfig:

interface GigabitEthernet1/0/48
description Uplink-Firewall
switchport mode trunk

Please help

balaji.bandi · ‎08-17-2019

Since your Gateway is FW ( PFSENSE ) you need to look at the FW rule and make necesary rule for the IP range of VLAN 10 and VLAN 20 can have access.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

noobienat0r · ‎08-17-2019

Hi,

on my firewall is everything allowed in all directions (for testing purposes)

From my default LAN (VLAN 1), i can ping both vlan gateways. but inside a vlan, i cant

balaji.bandi · ‎08-17-2019

we need more information on the FW how the rules setup done.

if VLAN 1 try to reach VLAN 10 IP, they go vial PFSENSE. since the Switch actinng as Layer 2, all the request go to PFSENSE.

interface GigabitEthernet1/0/48
description Uplink-Firewall
switchport mode trunk
switchport trunk encapsulation dot1q

if still have issue show full config of switch and screenshot of pfsense FW rules.

show vlan from switch also to verify

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Martin L · ‎08-17-2019

check DHCP settings on whoever provides IPs. maybe default gateway IP is wrong and , as a result, PCs have wrong d.g. IP .

Georg Pauwen · ‎08-17-2019

Hello,

post a screenshot of the 'Interface Assignments' page of the PFsense GUI.

On the switch, I am not sure if you need the 'switchport trunk allowed vlan all' configured on the trunk port, you might want to give that a try...

noobienat0r · ‎08-19-2019

Hello,

here is a screenshot of interface assignments :

Here are the vlan settings on a switch:

Here is "allow all" firewall rule configured in each vlan:

I have a same installation in another office, with another (older) cisco switch and everything works perfect. For me it looks like a switch configuration problem, maybe a security setting (acl or something similar) and not a pfsense issue.

Georg Pauwen · ‎08-19-2019

Hello,

odd. What is the output of 'show sdm prefer' ? I think on the 3650, you have two options:

3650#conf t

3650(config)#sdm prefer { advanced | vlan }

Try both (you need to reload the switch to load the SDM)...

noobienat0r · ‎08-19-2019

Hello,

it looks like advanced template is loaded:

core-switch#show sdm prefer
Showing SDM Template Info

This is the Advanced template.
  Number of VLANs:                                     4094
  Unicast MAC addresses:                               32768
  Overflow Unicast MAC addresses:                      512
  L2 Multicast entries:                                4096
  Overflow L2 Multicast entries:                       512
  L3 Multicast entries:                                4096
  Overflow L3 Multicast entries:                       512
  Directly connected routes:                           16384
  Indirect routes:                                     7168
  STP Instances:                                       4096
  Security Access Control Entries:                     3072
  QoS Access Control Entries:                          2560
  Policy Based Routing ACEs:                           1024
  Netflow ACEs:                                        768
  Flow SPAN ACEs:                                      512
  Tunnels:                                             256
  LISP Instance Mapping Entries:                       256
  Control Plane Entries:                               512
  Input Netflow flows:                                 8192
  Output Netflow flows:                                16384
  SGT/DGT (or) MPLS VPN entries:                       4096
  SGT/DGT (or) MPLS VPN Overflow entries:              512
  Wired clients:                                       2048
  MACSec SPD Entries:                                  256
  MPLS L3 VPN VRF:                                     127
  MPLS Labels:                                         2048
  MPLS L3 VPN Routes VRF Mode:                         7168
  MPLS L3 VPN Routes Prefix Mode:                      3072
  MVPN MDT Tunnels:                                    256
  L2 VPN EOMPLS Attachment Circuit:                    256
  MAX VPLS Bridge Domains :                            64
  MAX VPLS Peers Per Bridge Domain:                    8
  MAX VPLS/VPWS Pseudowires :                          256
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.
* values can be modified by sdm cli.

I will try to set it to "vlan" and reload switch.

noobienat0r · ‎08-19-2019

switched from sdm prefer advanced to vlan, reloaded. still same issues :-(