My linux VM cannot ping VLAN interface

Version 1
    This document was generated from CDN thread

    Created by: Vijay Raman on 07-11-2012 07:49:40 AM
    Hi,
    I followed the Section Cisco IOS Layer 3 Routed Configuration - Devices in the Same Branch Subnet, but my Linux VM cannot pring the VLAN interface.  I have IOS 15.1(3)T, router CISCO2911/K9 with SRE-900 installed with SRE-V2.0.0. Below is the configuration on the router:
    Current configuration : 5937 bytes
    !
    ! Last configuration change at 13:38:50 UTC Wed Nov 7 2012 by admin
    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname top-2911
    !
    boot-start-marker
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    !
    !
    !
    !
    ip domain name netsys.com
    ip name-server 192.168.39.150
    ip name-server 192.168.38.201
    multilink bundle-name authenticated
    !
    !
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-2051855198
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2051855198
     revocation-check none
     rsakeypair TP-self-signed-2051855198
    !
    !
    crypto pki certificate chain TP-self-signed-2051855198
    certificate self-signed 01
      3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 32303531 38353531 3938301E 170D3130 30343031 32303531
      33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30353138
      35353139 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      81008BDC 0C0976AC 0B1815A6 CF96F748 CAEBAB1C 18668A58 BE8911D8 60C8F06A
      5E64ECF6 304DE73D 7EEE9276 A06CB3B0 E253E74E 8D02B305 DF499D5C F5B297F8
      BFF4EC82 767ADA11 0370FE2E 9F83BD3B 35B1451F F17A2C8C 7D74FE90 CA5F2A1B
      657585EE 1754E9F1 DDE86A20 949AE078 EE88D0D5 49C21A93 60D05841 A561E3B5
      80AB0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
      551D1104 19301782 15746F70 2D323931 312E6E65 7473636F 75742E63 6F6D301F
      0603551D 23041830 16801474 C2EDADEB 27EAA3F9 101858AE 40758CBD 31581430
      1D060355 1D0E0416 041474C2 EDADEB27 EAA3F910 1858AE40 758CBD31 5814300D
      06092A86 4886F70D 01010405 00038181 006252D9 173A2A9C 5D9C8CEA 3C40F165
      035DDF35 B864B3A4 709C94E0 E25774D9 51511C41 2F0B0504 D10E87E3 AB09248D
      E78D4B8C 33EE7DBC 90BD67C2 6DA6B619 8C1B72EA 871721B1 830A2EEC 24F82B32
      7AEC9752 875F57AB 4D111114 184BE448 F13964DD A4DB37BE BF59EF04 6381F612
      AECE6BEB 5A654461 1509F3E8 ACFE548E 0B
            quit
    license udi pid CISCO2911/K9 sn FTX1348A0NK
    hw-module sm 1
    !
    !
    !
    username admin privilege 15 secret 5 $1$NP0.$P0FcBwp4eK43TR6FjydAx.
    username cisco privilege 15 password 0 cisco
    !
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 172.25.1.13 255.255.255.0
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/0.202
     encapsulation dot1Q 202
     ip address 172.25.202.1 255.255.255.0
    !
    interface GigabitEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/2
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface SM1/0
     ip address 172.25.192.177 255.255.255.240
     service-module ip address 172.25.192.178 255.255.255.240
     !Application: VMware ESXi 5.0.0 build-474610 running on SRE
     service-module ip default-gateway 172.25.192.177
     hold-queue 60 out
    !
    interface SM1/1
     description Internal switch interface connected to Service Module
     switchport trunk allowed vlan 1-1005
     switchport mode trunk
    !
    interface Vlan202
     ip unnumbered GigabitEthernet0/0.202
    !
    ip default-gateway 172.25.1.1
    ip forward-protocol nd
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip route 0.0.0.0 0.0.0.0 172.25.1.1
    ip route 172.25.192.178 255.255.255.255 SM1/0
    ip route 172.25.202.10 255.255.255.255 Vlan202
    !
    access-list 23 permit 10.10.10.0 0.0.0.7
    !
    !
    control-plane
    !
    !
    banner exec ^C
    % Password expiration warning.
    -----------------------------------------------------------------------

    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.

    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.

    username <myuser> privilege 15 secret 0 <mypassword>

    Replace <myuser> and <mypassword> with the username and password you want to
    use.

    -----------------------------------------------------------------------
    ^C
    banner login ^C
    -----------------------------------------------------------------------
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.

    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
    CREDENTIALS

    Here are the Cisco IOS commands.

    username <myuser>  privilege 15 secret 0 <mypassword>
    no username cisco

    Replace <myuser> and <mypassword> with the username and password you want
    to use.

    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
    TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.


    top-2911#
     
    My Linux VM IP:172.25.202.10 255.255.255.0 and its gateway: 172.25.202.1.  I also configured vlan 202 in the port group in vswitch1 the VM is connected to.
     
    Can you give me some help?
     
    Thanks!

    Subject: RE: My linux VM cannot ping VLAN interface
    Replied by: Brett Tiller on 07-11-2012 12:29:31 PM
    Hi Vijay,
    In ESXi you need to link the network adapter of the VM to the vlan ID.  Via the vSphere Client please create a port group and assign it the vlan ID 202.  Then assign the port group as the network adapter of the VM.  If that doesn't fix your issue, please also check that your Linux OS is not blocking access.
    Thanks,
    Brett

    Subject: RE: My linux VM cannot ping VLAN interface
    Replied by: Vijay Raman on 09-11-2012 12:24:28 PM
    Brett Tiller:
    Hi Vijay,
    In ESXi you need to link the network adapter of the VM to the vlan ID.  Via the vSphere Client please create a port group and assign it the vlan ID 202.  Then assign the port group as the network adapter of the VM.  If that doesn't fix your issue, please also check that your Linux OS is not blocking access.
    Thanks,
    Brett

     
    Hi Brett,
    Yes we did put the port group in the samce vlan and it still didn't work. So I've played around with the configurations, and tried to stayed closed to the section Cisco IOS Layer 3 routed Configuration in the documentation. finally I got the VM able to ping the vlan interface and vice versa and ping the router, but my VM cannot ping netowrk 10.20.0.0 Below is the configuration. I am using vlan 202 and assigned sub interface gig 0/0.202 ip address to the vlan interface.
    Current configuration : 5545 bytes
    !
    ! Last configuration change at 15:25:37 UTC Fri Nov 9 2012 by admin
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname axp-dev-3826
    !
    boot-start-marker
    boot system flash0:c3900-universalk9-mz.SPA.152-1.GC.bin
    boot-end-marker
    !
    !
    enable secret 5 $1$cVny$d/FPC.FDQlfSQ9Dd7v.5X0
    !
    no aaa new-model
    !
    no ipv6 cef
    !
    ip traffic-export profile calvin-rite
    ! No outgoing interface configured
    ! No destination mac-address configured
    !
    !
    !
    !
    !
    ip domain name netscout.com
    ip name-server 192.168.39.150
    ip name-server 192.168.38.201
    ip cef
    multilink bundle-name authenticated
    !
    !
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-2534788575
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2534788575
     revocation-check none
     rsakeypair TP-self-signed-2534788575
     crypto pki certificate chain TP-self-signed-2534788575
     certificate self-signed 01
      30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 32353334 37383835 3735301E 170D3130 31323238 31353037
      34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35333437
      38383537 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100AE36 F59113AA F507A73F 1C2B0F2F DEFD7229 8EE04EAE E3A23BAC AB6FCC10
      F6BD94DA 370E2A70 C1F03686 6CE25F5E 79556E5C 64F19B54 F2407FDB 7507D7FD
      D5311A64 0433A739 9CD44AA4 73473A58 29BC0DE0 E07548F6 9D750741 93AF0313
      919069EC 4115EFA8 E8849091 136D8A3C 1285C4D9 427F9D0C 920DD95D E1B76CBF
      058F0203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
      551D1104 1F301D82 1B333238 362D6178 702D6465 76656C2E 6E657473 636F7574
      2E636F6D 301F0603 551D2304 18301680 14744618 2A34FB9A EA16B9AB E2CE4ACC
      22DEC9AB 91301D06 03551D0E 04160414 7446182A 34FB9AEA 16B9ABE2 CE4ACC22
      DEC9AB91 300D0609 2A864886 F70D0101 04050003 81810013 27ED1CB5 E2BE7EBE
      4D2E0786 59EF161B 26A0A9F6 841DE6E2 0EAC31EC 3B43A6DE 635C8D47 8952ADCE
      5AD19678 D2EC06CA 05FF9AD6 17BA932F 9DEFC15D D6296927 99C50C88 29D47F36
      815231FF B93412CD 87F3D06D 59F8F254 700A1D21 5C5A1C6B B0F0E1A3 87E19871
      3A882167 0CFC332C F09A14B8 56BE8D90 AFEB4F8C 8E83C7
            quit
    license udi pid C3900-SPE100/K9 sn FOC13353X3Z
    hw-module sm 1
    !
    hw-module sm 2
    !
    !
    !
    username root privilege 3 password 7 0208014F1805003458
    username admin privilege 15 secret 5 $1$Os/.$WcX/gzSUjcLfPwvLcPUTW.
    username user1 password 0 user1
    !
    !
    !
    !
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     ip address 172.25.1.12 255.255.255.0
    speed auto
     no mop enabled
    !
    interface GigabitEthernet0/0.202
     encapsulation dot1Q 202
     ip address 172.25.202.50 255.255.255.0
    !
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip accounting output-packets
     ip wccp 61 redirect in
     ip flow ingress
     duplex full
     speed 1000
     no keepalive
     no mop enabled
    !
    interface GigabitEthernet0/2
     no ip address
     duplex auto
     speed auto
    !
    interface SM1/0
     ip unnumbered GigabitEthernet0/0
     service-module ip address 172.25.1.18 255.255.255.0
     !Application: VMware ESXi 5.0.0 build-474610 running on SRE
     service-module ip default-gateway 172.25.1.12
    !
    interface SM1/1
     description Internal switch interface connected to Service Module
     switchport access vlan 202
     switchport trunk allowed vlan 1-1024
     switchport mode trunk
     no ip address
    !
    interface SM2/0
     ip unnumbered GigabitEthernet0/0
     service-module ip address 172.25.1.16 255.255.255.0
     !Application: VMware ESXi 4.1.0 build-348481 running on SRE
     service-module ip default-gateway 172.25.1.12
     hold-queue 60 out
    interface SM2/1
     description Internal switch interface connected to Service Module
     no ip address
    !
    interface Vlan1
     no ip address
    !
    interface Vlan30
     no ip address
    !
    interface Vlan40
     ip address 40.0.0.100 255.255.255.0
    !
    interface Vlan202
     ip unnumbered GigabitEthernet0/0.202
    !
    ip default-gateway 172.25.1.1
    ip forward-protocol nd
    !
    ip http server
    no ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 172.25.1.1
    ip route 40.0.0.1 255.255.255.255 Vlan40
    ip route 40.0.0.101 255.255.255.255 Vlan40
    ip route 172.25.1.14 255.255.255.255 SM2/0
    ip route 172.25.1.16 255.255.255.255 SM2/0
    ip route 172.25.1.18 255.255.255.255 SM1/0
    ip route 172.25.202.51 255.255.255.255 Vlan202
    ip route 172.25.202.101 255.255.255.255 Vlan202
    !
    !
    !
    snmp-server community public RO
    snmp-server enable traps entity-sensor threshold
    tftp-server flash 10.20.197.15
    tftp-server flash 10.20.197.52
    !
    control-plane
    !
    !
    !
    line con 0
     login local

    Thanks!

    Subject: RE: My linux VM cannot ping VLAN interface
    Replied by: Brett Tiller on 09-11-2012 03:15:15 PM
    Hi Vijay,
    The 10.20.0.0 IP is on a separate network than your VM.   Please check that the TFTP servers on that IP resides on the same vlan.  Also from your VM try doing a traceroute to the tftp server.  My guess is that the packets are being routed to the default IP you've specified in the router which is probably the wrong path.  If that is the case, I think you'll want to create an IP route in the router to route packets to the 10.20.0.0 network.
    Thanks,
    Brett

    Subject: RE: My linux VM cannot ping VLAN interface
    Replied by: Vijay Raman on 12-11-2012 02:38:06 PM
    Brett Tiller:
    Hi Vijay,
    The 10.20.0.0 IP is on a separate network than your VM.   Please check that the TFTP servers on that IP resides on the same vlan.  Also from your VM try doing a traceroute to the tftp server.  My guess is that the packets are being routed to the default IP you've specified in the router which is probably the wrong path.  If that is the case, I think you'll want to create an IP route in the router to route packets to the 10.20.0.0 network.
    Thanks,
    Brett

     
    Hi Brett,
    Thanks! I am able to connect VM to the network now. There is nothing wrong in the router configuration, the issue is we don't have a route in our network to the VM.  So after we update our network with the route to VM, the VM is connected to the networks.
    Now we have another issue. Our VM doesn't see any packets exported from Gig 0/1.  Our RITE configured as follows:
    ip traffic-export profile NETSCOUT
      interface SM1/1
      bidirectional
      mac-address 0080.8c00.0001
     
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip accounting output-packets
     ip wccp 61 redirect in
     ip flow ingress
     ip traffic-export apply NETSCOUT
     duplex full
     speed 1000
     no keepalive
     no mop enabled
    So in the port group VM Networks I changed the vlanID to 4095 from 202 and the VM now can see exported packets, but the VM lost connetions to the network. If I change vlanID in the port group to 202 the vm can connect to the networks, but VM doesn't see exported packets.  Can you give us some help?
    Thanks!

    Subject: RE: My linux VM cannot ping VLAN interface
    Replied by: Brett Tiller on 12-11-2012 07:33:06 PM
    Hi Vijay,
    I did some research and it appears that VMware does special handling for tag 4095 which is why I think that is working for you.  Here's some information and the write up has some other ideas as well: http://vmnomad.blogspot.com/2011/07/vlan-tagging-and-use-cases-of-vlan-id.html .
    Regarding your issue, the packets coming from the interface Gig0/1 are not on that same vlan on the network right? If that's correct I think that is is probably why the VM cannot see them because they are not tagged.  Since you mentioned port 4095 works, I think in VMware you can create multiple network adapters and assign more than one to a VM.  If that's the case then as a work around you should be able to have your VM able to accept data from both vlan IDs 2095 and 202 which would give you the functionality that you desire.
    Please let us know if that work around resolves your issue.
    Thanks,
    Brett

    Subject: RE: My linux VM cannot ping VLAN interface
    Replied by: Vijay Raman on 13-11-2012 12:22:38 PM
    Brett Tiller:
    Hi Vijay,
    I did some research and it appears that VMware does special handling for tag 4095 which is why I think that is working for you.  Here's some information and the write up has some other ideas as well: http://vmnomad.blogspot.com/2011/07/vlan-tagging-and-use-cases-of-vlan-id.html .
    Regarding your issue, the packets coming from the interface Gig0/1 are not on that same vlan on the network right? If that's correct I think that is is probably why the VM cannot see them because they are not tagged.  Since you mentioned port 4095 works, I think in VMware you can create multiple network adapters and assign more than one to a VM.  If that's the case then as a work around you should be able to have your VM able to accept data from both vlan IDs 2095 and 202 which would give you the functionality that you desire.
    Please let us know if that work around resolves your issue.
    Thanks,
    Brett

     
    Hi Brett,
    If I put the port group in vlan 4095 the VM would loose network connection, ie, I cannot ping to the VM. So I put the port group in vlan 202, and change the RITE configuration as follows.  It works for me but I don't understand completely what is going on.  can you explain? Here is the full configuration:
    Thanks!

    Current configuration : 5493 bytes
    !
    ! Last configuration change at 18:41:05 UTC Tue Nov 13 2012 by admin
    ! NVRAM config last updated at 17:40:22 UTC Mon Nov 12 2012 by admin
    ! NVRAM config last updated at 17:40:22 UTC Mon Nov 12 2012 by admin
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname axp-dev-3826
    !
    boot-start-marker
    boot system flash0:c3900-universalk9-mz.SPA.152-1.GC.bin
    boot-end-marker
    !
    !
    enable secret 5 $1$cVny$d/FPC.FDQlfSQ9Dd7v.5X0
    !
    no aaa new-model
    !
    no ipv6 cef
    !
    ip traffic-export profile ns-agent
      interface Vlan202
      bidirectional
      mac-address 0080.8c00.0001
    !
    !
    !
    !
    !
    ip domain name netscout.com
    ip name-server 192.168.39.150
    ip name-server 192.168.38.201
    ip cef
    multilink bundle-name authenticated
    !
    !
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-2534788575
     enrollment selfsigned
     sinterface GigabitEthernet0/0
     ip address 172.25.1.12 255.255.255.0
     duplex auto
     speed auto
     no mop enabled
    !
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip accounting output-packets
     ip wccp 61 redirect in
     ip flow ingress
     ip traffic-export apply ns-agent
     duplex full
     speed 1000
     no keepalive
     no mop enabled
    !
    interface GigabitEthernet0/2
     no ip address
     duplex auto
     speed auto
    !
    interface SM1/0
     ip unnumbered GigabitEthernet0/0
     service-module ip address 172.25.1.18 255.255.255.0
     !Application: VMware ESXi 5.0.0 build-474610 running on SRE
     service-module ip default-gateway 172.25.1.12
    !
    interface SM1/1
     description Internal switch interface connected to Service Module
     switchport mode trunk
     no ip address
    !
    interface SM2/0
     ip unnumbered GigabitEthernet0/0
     service-module ip address 172.25.1.16 255.255.255.0
     !Application: VMware ESXi 4.1.0 build-348481 running on SRE
     service-module ip default-gateway 172.25.1.12
     hold-queue 60 out
    !
    interface SM2/1
    ubject-name cn=IOS-Self-Signed-Certificate-2534788575
     no ip address
    !
    interface Vlan1
     no ip address
    !
    interface Vlan30
     no ip address
    !
    interface Vlan40
     ip address 40.0.0.100 255.255.255.0
    !
    interface Vlan202
     ip address 172.25.202.50 255.255.255.0
    !
    ip default-gateway 172.25.1.1
    ip forward-protocol nd
    !
    ip http server
    no ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 172.25.1.1
    ip route 40.0.0.1 255.255.255.255 Vlan40
    ip route 40.0.0.101 255.255.255.255 Vlan40
    ip route 172.25.1.14 255.255.255.255 SM2/0
    ip route 172.25.1.16 255.255.255.255 SM2/0
    ip route 172.25.1.18 255.255.255.255 SM1/0
    ip route 172.25.202.51 255.255.255.255 Vlan202
    !
    !
    !
    snmp-server community public RO
    snmp-server enable traps entity-sensor threshold
    tftp-server flash 10.20.197.15
    tftp-server flash 10.20.197.52
    !
    control-plane
    !

    Show ip traffic export :

    Router IP Traffic Export Parameters
    Monitored Interface             GigabitEthernet0/1
            Export Interface                Vlan202
            Destination MAC address 0080.8c00.0001
            bi-directional traffic export is on
    Output IP Traffic Export Information    Packets/Bytes Exported    0/0
            Packets Dropped           0
            Sampling Rate             one-in-every 1 packets
            No Access List configured
    Input IP Traffic Export Information     Packets/Bytes Exported    19546575/899142450
            Packets Dropped           0
            Sampling Rate             one-in-every 1 packets
            No Access List configured
            Profile ns-agent is Active


    Subject: RE: My linux VM cannot ping VLAN interface
    Replied by: Brett Tiller on 13-11-2012 06:45:42 PM
    Hi Vijay,

    Nice job!  It looks to me that you are now sending all propagated packets to vlan 202 on which your VM resides.  This change must be bypassing the problem you saw when you were routing the packets to the service module rather than directly to the VM which was probably due to the fact that the propagated packets were not tagged with the vlan ID. I'm assuming that your VM is now receiving all packets, those propagated from the Gig0/1 interface and those being sent to the VM?  Since the propagated packets are being directed to the vlan, I think they must be tagged which would make them acceptable to the vswitch on ESXi and accessible to the VM.

    Did that answer your question?

    Thanks,

    Brett

    Subject: RE: My linux VM cannot ping VLAN interface
    Replied by: Vijay Raman on 16-11-2012 12:37:34 PM
    Brett Tiller:
    Hi Vijay,

    Nice job!  It looks to me that you are now sending all propagated packets to vlan 202 on which your VM resides.  This change must be bypassing the problem you saw when you were routing the packets to the service module rather than directly to the VM which was probably due to the fact that the propagated packets were not tagged with the vlan ID. I'm assuming that your VM is now receiving all packets, those propagated from the Gig0/1 interface and those being sent to the VM?  Since the propagated packets are being directed to the vlan, I think they must be tagged which would make them acceptable to the vswitch on ESXi and accessible to the VM.

    Did that answer your question?

    Thanks,

    Brett

     
    Hi Brett,
    Thanks for your help! I understand things in the router better now. I tried different configurations and the result is we can monitor all tagged and untagged traffic.
     
    Have a great weekend!