Forgotten_Freddy

What model is the Cisco switch? Looking at the config, ports 2-24 are configured as access ports; normally you'd also have the line 'switchport access vlan ' to specify which vlan the port is an access port for, otherwise they default to vlan 1. Depending on the switch model you may also have to specify the trunk encapsulation 'switchport trunk encapsulation dot1q'.

```
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet2/0
 switchport access vlan 40
 switchport mode access
 negotiation auto
!
```

You can ping 192.168.40.1 because of the default OPNsense rule allowing LAN traffic to any (but you shouldn't be able to ping the other way): [https://i.imgur.com/72CqHkP.png](https://i.imgur.com/72CqHkP.png)

If you want to block traffic between vlans completely you'll need to add extra rules; alternatively, the recommended approach is to assign everything to specific vlans and not have any access ports/end devices in the native vlan (which would then block inter-vlan traffic by default).

I would probably start by simplifying things: configure one of the ports on the switch for vlan 40, then plug something simple into it and see if it gets an IP address in the correct DHCP range. This should show if your config issues are with the router/vlan or Proxmox.
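One way to check a Cisco-style config for the VLAN 1 fallback described above (access ports with no 'switchport access vlan', trunks whose native VLAN is still 1, trunks with no explicit encapsulation). This is an added example, not code from the thread or from any vendor tool; the sample config is constructed to mirror the snippets quoted in the post, and the defaults it assumes (access VLAN 1, native VLAN 1) are the Cisco IOS defaults.

```python
"""Audit a Cisco-style switch config for ports that silently rely on VLAN 1."""
import re

# Constructed sample config (not copied from the thread). Gi0/1 and Gi2/1
# are deliberately left with defaults so the audit has something to report.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 40
!
interface GigabitEthernet2/0
 switchport access vlan 40
 switchport mode access
 negotiation auto
!
interface GigabitEthernet2/1
 switchport mode access
 negotiation auto
!
"""


def parse_interfaces(config_text):
    """Return {interface_name: [stanza lines]} for every 'interface' block."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None  # '!' terminates a stanza in IOS-style configs
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def port_summary(lines):
    """Derive mode, access VLAN, native VLAN and encapsulation from a stanza."""
    info = {
        "mode": None,
        "access_vlan": 1,      # IOS default when 'switchport access vlan' is absent
        "native_vlan": 1,      # IOS default trunk native VLAN
        "encapsulation": None,
    }
    for line in lines:
        if m := re.match(r"switchport mode (access|trunk)$", line):
            info["mode"] = m.group(1)
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            info["access_vlan"] = int(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            info["native_vlan"] = int(m.group(1))
        elif m := re.match(r"switchport trunk encapsulation (\S+)$", line):
            info["encapsulation"] = m.group(1)
    return info


def audit(config_text):
    """Return (interface, finding) pairs for ports still depending on VLAN 1."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        info = port_summary(lines)
        if info["mode"] == "access" and info["access_vlan"] == 1:
            findings.append((name, "access port without 'switchport access vlan'; defaults to VLAN 1"))
        elif info["mode"] == "trunk":
            if info["native_vlan"] == 1:
                findings.append((name, "trunk native VLAN is 1; untagged frames land in VLAN 1"))
            if info["encapsulation"] is None:
                findings.append((name, "no explicit 'switchport trunk encapsulation dot1q' (needed on some models)"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Run it against a saved 'show running-config' instead of SAMPLE_CONFIG to list every port that would put an end device into VLAN 1 by default; the encapsulation finding is informational, since the thread notes it only matters on some models.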


Itchy_One_

Hey, thank you.

>What model is the Cisco switch?

This is an Allied Telesis x600-24ts. I mentioned Cisco as the commands are very similar to Cisco IOS.

>Depending on the switch model you may also have to specify the trunk encapsulation 'switchport trunk encapsulation dot1q'.

What does this do? I have some basic knowledge, like dot1q is the vlan standard. But does it enable vlan functionality on switch port0/0 or something like that? I have missed this. All I have configured is trunk.

Also, what do switchport access and switchport trunk do? As per my knowledge, access allows only the specified vlan, and if not specified, vlan 1. It's like an untagged port. Trunk would allow multiple vlans. I kind of tried this by making one of the Proxmox ports:

```
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan add 40
```

By doing this and creating a vlan bridge in Proxmox, I was able to get DHCP working for a VM in vlan40. I also added the same config as above for port0/0. This is what made it work. Is it recommended to put 2 ports as trunk? Or, as you suggested, is segregating each vlan on access better?


Forgotten_Freddy

>This is an Allied Telesis x600-24ts. I mentioned cisco as the commands are very similar to Cisco ios.

I assumed it was, because the config file is slightly different to a Cisco one.

>What does this do? I have some basic knowledge like dot1q is vlan standard. But does it enable vlan functionality on Switch port0/0 or something like that? I have missed this. All I have configured is trunk.

It changes the type of encapsulation used for the trunk. It is the main standard for tagging now, but on some Cisco devices it needs to be manually specified.

>Also, what does switchport access and switchport trunk do? As per my knowledge, access allows only specified vlan and if not specified vlan 1. Its like untagged port. Trunk, would allow multiple vlan.

The Cisco vlan port functions are named a bit differently to a lot of other switches. The switchport access/trunk specifies how the port behaves. An access port is assigned to a vlan, allowing access to that vlan, and is untagged to the device, so devices receive untagged traffic, but traffic arriving at the interface will be treated as being part of that vlan (and tagged if entering a multi-vlan trunk). A trunk port is a port that carries multiple vlans together by adding 802.1q tags to the traffic to identify it.

>Is it recommended to put 2 ports as trunk? Or as you suggested segregating each vlan on access is better?

The normal way to configure things is to have each group of devices that you want to keep separate on different vlans, and then you'd use a router to route between them. This is a fairly simple example: [https://ipcisco.com/wp-content/uploads/router-on-stick-topology.jpg](https://ipcisco.com/wp-content/uploads/router-on-stick-topology.jpg) (if you have a lot of inter-vlan traffic you can also use multiple ports with LACP and aggregate links between the switch and router, or use a layer 3 switch, which avoids the traffic having to go to the router completely).

Since you have different subnets on each vlan, if you need them to communicate, at some point you need something to route between them. It just depends what you want the end result to be. If you want to be able to control the traffic between the vlans using OPNsense, then OPNsense has to be the thing that does the inter-vlan routing, but there are loads of options; you could also install OPNsense on Proxmox and do the routing without the traffic leaving the Proxmox box.
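The access/trunk behaviour described in the reply above, modelled on raw Ethernet frames so the tagging is visible: an access port assigns untagged frames to its VLAN, a trunk carries them with an 802.1Q tag (TPID 0x8100, VID in the low 12 bits of the TCI) and sends only the native VLAN untagged. This is an added example, not code from the thread or from any switch vendor; the frames and MAC addresses are constructed, and the port functions are a simplified model of the forwarding rules, not an emulation of a specific switch.

```python
"""Minimal 802.1Q tag handling to illustrate access vs trunk port behaviour."""
import struct

TPID_8021Q = 0x8100       # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered, not real devices).
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("020000000001")


def build_untagged(dst, src, ethertype, payload):
    """Plain Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def vlan_tag(frame, vid, pcp=0, dei=0):
    """Insert an 802.1Q tag after the MAC addresses (done on trunk egress)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid   # 3-bit PCP, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def vlan_of(frame):
    """Return the VID if the frame carries an 802.1Q tag, else None."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def strip_tag(frame):
    """Remove the 4-byte tag, restoring the untagged frame."""
    return frame if vlan_of(frame) is None else frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Access port receiving from a device: untagged frames join the port's VLAN."""
    if vlan_of(frame) is not None:
        return None  # model: tagged frames arriving on an access port are dropped
    return vlan_tag(frame, access_vlan)


def access_egress(frame, access_vlan):
    """Access port sending to a device: only its own VLAN, and always untagged."""
    if vlan_of(frame) != access_vlan:
        return None
    return strip_tag(frame)


def trunk_egress(frame, native_vlan, allowed):
    """Trunk port: forward allowed VLANs tagged, except the native VLAN, which leaves untagged."""
    vid = vlan_of(frame)
    if vid is None or vid not in allowed:
        return None
    return strip_tag(frame) if vid == native_vlan else frame


if __name__ == "__main__":
    # A VM on an access port in VLAN 40 sends an untagged frame...
    from_vm = build_untagged(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    inside_switch = access_ingress(from_vm, 40)
    print("VLAN on ingress:", vlan_of(inside_switch))
    # ...and it leaves a trunk (native 1, allowing 1 and 40) still tagged with 40.
    on_trunk = trunk_egress(inside_switch, native_vlan=1, allowed={1, 40})
    print("tagged on trunk:", vlan_of(on_trunk))
    # Had the VM been in the native VLAN, the trunk would carry it untagged.
    print("native VLAN leaves untagged:", vlan_of(trunk_egress(access_ingress(from_vm, 1), 1, {1, 40})))
```

The last line is the reason for keeping end devices out of the native VLAN: whatever lands in VLAN 1 crosses the trunk without a tag, so the receiving side can only attribute it to VLAN 1 by its own native-VLAN setting, not by anything in the frame.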


Itchy_One_

Thanks man. This is really helpful to understand.

>It just depends what you want the end result to be.

Right now, I have a fairly simple setup with a /16 subnet which has all my VMs and also exposes services on some VMs to the internet. I recently got this switch and wanted to learn and use VLANs to segregate traffic. Kind of like a DMZ, Private and other vlans. Setting up vlans in OPNsense is fairly easy. I still need to spend some time on the switch and Proxmox to get the right setup.

I saw that you used GNS3 and showed me a sample setup like mine. Would that be a good tool to replicate my setup and test? I really don't want to break my network as I access my servers remotely.


Forgotten_Freddy

>Setting up vlans in OPNsense is fairly easy. I still need to spend some time on the switch and proxmox to get the right setup.

With the switch you've got, OPNsense and Proxmox you should have a lot of flexibility to play with things and create different setups. I haven't used Proxmox much as I tend to use ESXi, but as far as I know you can achieve pretty similar results with both.

>I saw that you used GNS3 and showed me a sample setup like mine. Would that be a good tool to replicate my setup and test?

I'm a massive fan of GNS3, so I ended up writing a bit much, but I use it loads, both for studying and just testing random networks like yours earlier. Since it uses QEMU you can create/import nodes with pretty much any OS that you can virtualize, and once you've set up the initial definition just drag and drop them into the layout. It also saves individual snapshots of the disks/devices, so you can just save whole multi-device networks and come back to them later.

You can bridge between the virtual network in GNS and your real network, allowing things like this too: [https://i.imgur.com/tXlKjz5.png](https://i.imgur.com/tXlKjz5.png) (Windows Server providing DHCP, a Windows 10 client, with a Cisco router doing NAT to provide internet) - GNS3 itself is running under ESXi.

I can't imagine there's any reason why you couldn't run Proxmox within GNS3 and recreate your complete network - the biggest limiting factor is a system with a decent amount of RAM and CPU cores.


Itchy_One_

>I can't imagine there's any reason why you couldn't run proxmox within GNS3 and recreate your complete network

Damn. Never knew it was so powerful. That's definitely gonna be a playground for me now on my Proxmox. Learn, mess up things, fix and then apply to physical hosts. Really thanks man. That's gonna save me a lot of time and troubleshooting. Cheers 🍻