Re: Trunk(4), vlan problems

2007-07-03 Thread Fredrik Carlsson

I did some more testing.

If I drop the tagging on the switch interfaces facing the OpenBSD
machine, use them as ordinary ports and assign an IP address to trunk0,
everything works fine. The switches have a VLAN trunk between them, so that
works as well. I unplugged the interfaces in trunk0 to test the
connectivity between the switches and everything works.

The problem seems to be that when I attach a vlan to trunk0, the traffic
doesn't go to trunk0. The vlan config works when I'm not using trunk(4);
can this be a bug in trunk(4)?

Any ideas?



Re: Trunk(4), vlan problems

2007-07-03 Thread Stuart Henderson
On 2007/07/03 11:48, Fredrik Carlsson wrote:
  trunk0: flags=8802 mtu 1500
  vlan1: flags=8843 mtu 1500

this is strange, where is the decode of the flags?

In-Reply-To: [EMAIL PROTECTED]
ahh... perhaps your mail client ate them.

anyway, 8802 means your trunk0 is not ifconfig'd up.
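As an added illustration (not part of the thread), the following Python decodes the flags word the way Stuart did and checks ifconfig(8) output for a vlan(4) whose parent interface lacks UP; it also reports a port that negotiated half-duplex, the point raised in the VLAN-Problems thread further down. The IFF_* bit values are taken from <net/if.h>; the sample output is constructed from the posts on this page.

```python
import re

# IFF_* bits in the order ifconfig(8) prints them; taken from <net/if.h>.
IFF_BITS = [
    (0x1, "UP"), (0x2, "BROADCAST"), (0x4, "DEBUG"), (0x8, "LOOPBACK"),
    (0x10, "POINTOPOINT"), (0x40, "RUNNING"), (0x80, "NOARP"),
    (0x100, "PROMISC"), (0x200, "ALLMULTI"), (0x400, "OACTIVE"),
    (0x800, "SIMPLEX"), (0x1000, "LINK0"), (0x2000, "LINK1"),
    (0x4000, "LINK2"), (0x8000, "MULTICAST"),
]

# Constructed sample: the trunk0/vlan1 pair from the post (with the flag
# decode the web client dropped) plus a half-duplex port like sk0 below.
SAMPLE = """\
trunk0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        trunk: trunkproto failover
        status: active
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        vlan: 1 priority: 0 parent interface: trunk0
        inet 10.10.1.17 netmask 0xfffffff0 broadcast 10.10.1.31
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (1000baseT half-duplex)
"""

def decode_flags(value):
    """Expand the hex flags word, e.g. 0x8802, into ifconfig's flag names."""
    return [name for bit, name in IFF_BITS if value & bit]

def parse_ifconfig(text):
    """Map each interface to its flags word, vlan parent and media line."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=([0-9a-fA-F]+)", line)
        if head:
            cur = ifaces.setdefault(head.group(1), {"parent": None, "media": None})
            cur["flags"] = int(head.group(2), 16)
        elif cur is not None:
            parent = re.search(r"parent interface: (\w+)", line)
            media = re.search(r"media: (.+)", line)
            if parent:
                cur["parent"] = parent.group(1)
            if media:
                cur["media"] = media.group(1).strip()
    return ifaces

def find_problems(ifaces):
    """Report vlan(4) parents that are not UP and ports stuck in half-duplex."""
    problems = []
    for name, info in ifaces.items():
        parent = ifaces.get(info["parent"]) if info["parent"] else None
        if info["parent"] and parent is None:
            problems.append(f"{name}: parent {info['parent']} not found")
        elif parent and "UP" not in decode_flags(parent["flags"]):
            problems.append(f"{name}: parent {info['parent']} is not UP")
        if info["media"] and "half-duplex" in info["media"]:
            problems.append(f"{name}: negotiated half-duplex")
    return problems

if __name__ == "__main__":
    for problem in find_problems(parse_ifconfig(SAMPLE)):
        print(problem)
```

Feeding it real output (`ifconfig -A | python3 check.py`-style, after swapping SAMPLE for stdin) turns Stuart's mental decode into a repeatable check after every config change.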



Re: Trunk(4), vlan problems

2007-07-03 Thread Fredrik Carlsson
 On 2007/07/03 11:48, Fredrik Carlsson wrote:
  trunk0: flags=8802 mtu 1500
  vlan1: flags=8843 mtu 1500

 this is strange, where is the decode of the flags?

 In-Reply-To: [EMAIL PROTECTED]
 ahh... perhaps your mail client ate them.

 anyway, 8802 means your trunk0 is not ifconfig'd up.



Thanks, up was missing; it is working now.

I replied from another computer, so I copied the text into a web client.

// Fredrik



Trunk(4), vlan problems

2007-07-02 Thread Fredrik Carlsson

Hi,

I'm trying to set up an OpenBSD router against two switches (failover 
solution); the switches have a cable between them.


em0 - connects to switch01 port 1 (switch01 addr: 10.10.1.18)
em1 - connects to switch02 port 1 (switch02 addr: 10.10.1.19)
switches 1 and 2 have a management VLAN tagged on port 1

Now if I create vlan1 and use em0 as vlandev I can ping both switch01 
and switch02, but if I create a failover trunk with em0 and em1 and use 
trunk0 as vlandev it doesn't work.


trunk0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:0e:0c:db:3f:48
   trunk: trunkproto failover
   trunkport em1
   trunkport em0 master
   groups: trunk
   media: Ethernet autoselect
   status: active
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:0e:0c:db:3f:48
   description: VLAN 1, Management
   vlan: 1 priority: 0 parent interface: trunk0
   groups: vlan
   inet 10.10.1.17 netmask 0xfff0 broadcast 10.10.1.31
   inet6 fe80::20e:cff:fedb:3f48%vlan1 prefixlen 64 scopeid 0xe

If I ping the OpenBSD machine from the switch and listen on the trunk0 
interface I see this:

23:21:18.907451 802.1Q vid 1 pri 0 arp who-has 10.10.1.17 tell 10.10.1.18

but if I listen on vlan1, which is attached to trunk0, I don't see any 
traffic.


What am I doing wrong?

Best regards
Fredrik Carlsson



Re: VLAN-Problems

2006-04-20 Thread Heinrich Rebehn

So here is my report:
1. Problem is solved :-)
2. The cause was more complicated than duplex mode or driver issues. Let 
me try to explain:
The original firewall, which I was about to replace, had 4 physical 
interfaces. Interfaces 2 and 4 were bridged with a filtering bridge(4).
During my experiments I bypassed the bridge with a cable, so the LANs 
stayed connected when the firewall was down.
At that time I already realized that I *had* to unplug one of the 
interfaces, or otherwise I observed the phenomena described in my OP. 
Obviously OpenBSD does not like seeing packets with the same MAC on 
different interfaces.


In my new setup I replaced the 4 physical interfaces with a trunk carrying 
4 vlans. In order to avoid the problems I left one of the bridged vlans 
unconfigured (this should have been equivalent to an unplugged cable in the 
setup described before).
But it was not! I had to remove one of the vlans from the trunk on the 
cisco side for the problems to go away. I am not sure if this is 
expected behaviour, but anyway, the setup is running fine now!


--Heinrich



Re: VLAN-Problems

2006-04-06 Thread Heinrich Rebehn

[EMAIL PROTECTED]@mgEDV.net wrote:

some hints:
- the other switch seems to be cisco, too. (catalyst series, IOS)
- if the trunk contains more lines, check them for physical damage (maybe 1
fails sometimes, 2 is ok)
- try to set up the cisco-switches for nonegotiate-trunking to your box
- set the interfaces from autoselect to fixed rates (speed/duplex) on both
sides (switches, box)
- enable debugging on the switch and read what happens for the ports (maybe
on/off events)
- check for portfast/CDP settings on the cisco, maybe interfering w. your
config
- check with a packet-analyzer if the dot1q tags are ok within the packets
- dump transparently with a bridge before and after your box (network
monitoring port on switch may help you)
- set the NICs on your box to the same interrupts (if possible)
- check for a driver replacement for the marvell card provided by marvell
(if you use it for trunking)

good luck!



Many thanks for the many responses :-) Most of them dealt with sk0 not 
being in full duplex mode. When plugged in, sk0 does negotiate full 
duplex, though. I also tried using one of the xl interfaces to rule out 
a problem with the sk(4) driver, still no luck.
I still have difficulty believing that this might be a full/half 
duplex problem, because things work fine if I use non-dot1q mode (using 
a different switch port, though).


Anyway, I will be on leave next week, and for the week after I have already 
arranged with the admin of the switch to hunt down this bug together.


I will surely report back then.

--Heinrich



VLAN-Problems

2006-04-04 Thread Heinrich Rebehn
Hi all,

I am currently setting up a new firewall for our department. I already 
set up an OpenBSD firewall and I am very satisfied with it :-)

The new machine is set up to use dot1q vlans in order to save on 
interfaces and ports in our Cisco switch.

This is the first time I am using dot1q and I am experiencing strange 
problems, which are not easy to describe, but I will try:

Generally, operation is *very* slow. If I try to ping one of the 
machine's interfaces, one ping is echoed, then it pauses for a minute, 
then another ping comes through.

ssh'ing into the box is possible after some 20 seconds' delay (no, it is 
not reverse DNS lookup); I can type commands and see the outputs, 
interspersed with occasional delays. As soon as I do a tcpdump on the 
interface that I used to log in, the connection is dead.

Logging in and working locally works w/o problems.

Routing is very sluggish, close to unusable.

Some questions (could not find answers with google or the mailing list):

- Do the physical interfaces need an IP address? (I guess not)
- Can I filter on the physical interfaces in pf / do I have to 
explicitly pass them? (does not seem to make a difference)

If I change the configuration to non-vlan operation everything runs fine 
:-)

I am attaching ifconfig and dmesg output. The physical interface sk0 is 
shown as having no carrier; this is because I had to pull the plug 
while taking the information, because another machine (our old firewall) 
was running with the same address.

I have googled and looked in the mailing list, but did not find such 
problems mentioned. Does anybody have an idea? If I cannot get this to 
work, someone else will probably set up a linux firewall, which I would 
rather try to avoid.

I am not sure what type of switch is on the other end, here is some 
output that the admin mailed me:

vlan 86
name WLAN
!
vlan 182
name BackBone
!
interface FastEthernet6/19
description k307 n2340-19a
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,86,182,231,232
switchport mode trunk
duplex full

Thanks for any hints,

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:13:d4:de:cf:88
media: Ethernet autoselect (1000baseT half-duplex)
status: no carrier
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0a:5e:61:7a:2d
media: Ethernet autoselect (none)
status: no carrier
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0a:5e:61:7a:04
media: Ethernet autoselect (none)
status: no carrier
pflog0: flags=0 mtu 33224
pfsync0: flags=0 mtu 1348
enc0: flags=0 mtu 1536
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:13:d4:de:cf:88
vlan: 16 parent interface: sk0
groups: vlan
inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:13:d4:de:cf:88
vlan: 231 parent interface: sk0
groups: vlan
vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:13:d4:de:cf:88
vlan: 182 parent interface: sk0
groups: vlan egress
inet 134.102.186.20 netmask 0xff00 broadcast 134.102.186.255
vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:13:d4:de:cf:88
vlan: 86 parent interface: sk0
groups: vlan
inet 172.21.1.8 netmask 0x broadcast 172.21.255.255
OpenBSD 3.8-stable (ANT) #2: Thu Mar 30 16:59:00 CEST 2006

Re: VLAN-Problems

2006-04-04 Thread Rob Gault
The first thing I noticed is that SK0 is only at half duplex and you
have duplex full on the switch port.  This can cause similar problems
to what you are describing.  I've found it always best to set the speed
& duplex on both devices (switch and PC) when creating trunks.  HTH


Re: VLAN-Problems

2006-04-04 Thread tony sarendal
On 04/04/06, Heinrich Rebehn [EMAIL PROTECTED] wrote:

 interface FastEthernet6/19
 description k307 n2340-19a
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,86,182,231,232
 switchport mode trunk
 duplex full

 sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:13:d4:de:cf:88
 media: Ethernet autoselect (1000baseT half-duplex)
 status: no carrier


Do you have full duplex hardcoded on the switch and sk0 set to
auto-negotiate?

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



Re: VLAN-Problems

2006-04-04 Thread Stuart Henderson
On 2006/04/04 13:24, Rob Gault wrote:
 The first thing I noticed is that SK0 is only at half duplex

OP says the cable is out. However auto and duplex full are
likely to not be compatible (they aren't for 10/100, though I'm
not sure about gig).

 I am attaching ifconfig and dmesg output. The physical interface, sk0 is
 shown as having no carrier, this is because i had to pull the plug 
 while taking the information because another machine (our old firewall) 
 was running with the same address.

What steps are taken to clear ARP caches, etc?



Re: VLAN-Problems

2006-04-04 Thread Heinrich Rebehn

Stuart Henderson wrote:

 On 2006/04/04 13:24, Rob Gault wrote:
  The first thing I noticed is that SK0 is only at half duplex

 OP says the cable is out. However auto and duplex full are
 likely to not be compatible (they aren't for 10/100, though I'm
 not sure about gig).

I will double check that when I'm at work again tomorrow.
The switch port is set to 10/100.

  I am attaching ifconfig and dmesg output. The physical interface, sk0 is
  shown as having no carrier, this is because i had to pull the plug
  while taking the information because another machine (our old firewall)
  was running with the same address.

 What steps are taken to clear ARP caches, etc?

I did an arp -d ip_of_firewall on the accessing host.

However, the setup worked perfectly when I switched to non-vlan mode, 
so I do not think it is an ARP problem.
I did have to select different switch ports for non-vlan mode, though, 
so I cannot rule out a problem with the switch port. I will ask the 
switch admin for help; maybe there is some debugging facility on the cisco.


Any other ideas?

Heinrich