Updating interface from 1Gb to 10Gb using VLANs

Sorry, don't understand the reason for "the physical is unnumbered".

The first interface using a physical port can be a VLAN-interface too.

I have a lot of installations where i have vlan-tagged interfaces only. (eth2.100, eth2.122) but no untagged interface (eth2).

DirkKotte;

That is probably my fault for not clearly laying out my intent and giving a full detail of what I am trying to accomplish. First let me say that I have been in networking / engineering for about 20 years predominately Cisco therefore when I explain situations many times it is using that terminology, so I may not be explaining it in a consistent manner for everyone.

My challenge is I recently moved from a VM implementation of Sophos UTM; I have been using the product since it was called Astaro and I often still refer to it as such, the reasoning for moving away from the VM implementation is solely related to performance as my internet rates on renewal of my contract went up by a factor of 4x and I was no longer able to maintain the max speed behind the UTM.  The ESXi host has 4 1Gb interfaces and 1 10Gb and of course that is trunked with about 6 vlan segments to my Cisco 3560E switch via fiber.

I went to a Dell 7020 SFF pc with 8Gb of RAM I5 quad core with a 4 port 1Gb Intel nic and a 1 port Intel SFP+ nic, I have 2 VLAN's that are completely untrusted, one for IoT, the other for WiFi and Guests, there are 4 other VLANs for general use that are trusted inside my enviroment.

The goal is I want to use the 10Gb interface for those 4 VLAN interfaces to share the available bandwidth and still have insight of the communications between those trusted VLAN's.  The untrusted are landed on the 4 port 1Gb interface and will not have access to the trusted segments at all. there is also a management VLAN that is landed on the 4 port card and the WAN interface, future there hopefully will be a backup link through the onboard NIC to the internet.

As mentioned, I configured the 10Gb in interfaces set the MTU to 9000, but have left the IP 0.0.0.0/0 as well as tried 192.0.2.1/32 as I don't expect anything to be untagged on that interface nor use that IP address range.  I then created eth5.88, eth5.128, eth5.149 ... .... and put corresponding IP addresses on the sub interfaces and I am unable to ping those sub interfaces at all from within the subnet I do a live log on the firewall log and I don't even see the traffic.  So my main question is how should I be setting up the global trunk interface as far as tagged / untagged and what other settings if I don't intend to have any untagged traffic on the 10Gb interface?

Thanks in advance

Scott Bertsch

First i would delete the unused untagged interface. Sophos can't use from packets typical using this "default VLAN".

... but this should not stop the traffic within tagged vlan's.

next i would try a single link without vlan-tag (possible there is a L2 problem between Switch and server)

next i would try to use a single link with vlan-trunc.

If the problem exist only with lacp ... you need the "active" mode at cisco side. (but seems your 10GB Interface is stand alone)

You should enable logging for all rules and use a browser with xx.xx.xx.xx/1234 to check connection.

ICMP/HTTP(s) may be used without logging.

If you try to ping the sophos VLAN-interface from within the subnet, do you see sonething within arp-cache? Which answer do you got?

DirkKotte;

OK so I deleted the eth5 interface and the existing trunks eth5.1XXYY are still there, and you were correct the problem must lie somewhere else as I am not seeing any ARP entries for any of the interfaces created off the 10Gb interface (eth5).

I am going to re-install the OS tonight, and am wondering if I just create the VLAN off ETH5 without ever setting that up in the actual host as a used interface, and will leaving the MTU at 1500 have any effect if the remaining VLAN interfaces are all configured for 9000 as are the switch interfaces.

As advised by DirkKotte I reloaded the OS and this time I set an IP address on the interface and was able to manage the host and get o the internet through the 10Gb link, and I was able to add the additional VLAN's and everything created fine.

I can't understand what would have happened before but I have resolved this existing issue, thanks to DirkKotte....

Also I didn't run through the initial setup the first time, this time I did allow that to finish, so I am wondering if that may have had an issue with the finalized hardware setup....

The Cisco switch has 1 Native vlan and no trunk restrictions have been placed on the trunk I will be testing by adding the vlan allowed commands and verify funtionality.

Hi Scott and welcome to the UTM Community!

Yeah, Dirk is a smart guy.  Thanks for coming back and completing the thread.

Cheers - Bob

Bob;

Actually I was a member of the original Astaro community, I don't know where / if that got integrated into this community.  Yes Dirk is smart, I should've tried what he mentioned prior to even posting but maybe someone else will find it useful as well.

Thanks

Scott Bertsch

Bob;

Actually I was a member of the original Astaro community, I don't know where / if that got integrated into this community.  Yes Dirk is smart, I should've tried what he mentioned prior to even posting but maybe someone else will find it useful as well.

Thanks

Scott Bertsch