Linux 5.9 VLAN interfaces don’t receive traffic unless promiscuous mode is enabled

I’ve just upgraded a NAS running Debian Buster to Debian Bullseye. This included a kernel upgrade from 4.19.0 to 5.9.0, and a systemd upgrade from 241 to 247.1 (the system is using systemd-networkd for configuration).

The network configuration is moderately complex:

  • eno1/eno2: dual-port Intel I210 onboard Gigabit Ethernet (using the igb driver)

  • main: 802.3ad bonding interface using eno1/eno2 as physical links

  • vlan60/vlan63: vlan subinterfaces using main as their base

main, vlan60, and vlan63 all have IPv4 and IPv6 addresses on them, but there are no addresses on eno1 or eno2.

All of the interfaces are using the default MAC address mode, which means all five are using the built-in MAC address of eno1. While attempting to solve this problem I configured locally-administered MAC addresses on vlan60 and vlan63 but that did not help (in fact it broke IPv6 support on main, but I never figured out why).

With the Buster configuration, this all worked fine. After upgrading to Bullseye, main works fine, but vlan60 and vlan63 do not send or receive any traffic. Internal traffic to/from their addresses works fine, but external traffic does not.

While attempting to troubleshoot this, I started tcpdump on vlan63, and immediately noticed that traffic began flowing. Stopping the packet capture caused traffic to stop flowing again.

At the moment I’ve got the system up and running by executing ip link eno1 set promisc on and ip link eno2 set promisc on, and all the interfaces are happily passing traffic. It is not necessary to enable promiscuous mode on the higher-level interfaces, only the physical interfaces.

Without promiscuous mode enabled, it appears that the VLAN subinterfaces don’t receive any broadcast frames from the network, so this results in ARP and NDP being non-functional.

Has there been some behavior change in between these kernel versions (I know, that’s a lot of kernel versions…) which could affect this?

cisco – inter vlan routing and access switch default gateway

I have a question. If we have 5 2960 layer 2 switches with vlans 2,3,4,5,6 that they are connected via trunk port to 3850 and we’ve created vlans(2,3,4,5,6) on 3850 and gave them an ip each in it’s vlan range. They all need to ping each other. does we need to set default gateway on 2960 to it’s vlan ip on 3850? or we just need to set that IP on clients in each vlan?
If we make vlan 1 as management does we need to set a default gateway for it?
Thank you in advance

configuration – How to bind maria-db server to external ip on eno1 and vlan ip on eno2

Server version: Ubuntu 18.04
MariaDB 10.1

On eno1 I have an extra failover IP configured
On eno2 I have a VLAN configured

I read that MYSQL can bind to more than one IP using separated with a comma.

My question is, can I bind a failover IP from eno1 and a VLAN IP from eno2 like so?

bind-address = vvv.vvv.vvv.vvv,

Triple checking before I commit to the install and configuration.

security – Network (VLAN) vulnerability scanner

I have setup VLANs on my home network ER-X. I configured firewall policies to create exceptions for instances where devices need to communicate across VLAN boundaries.
I’m looking for a tool I can run to check the security of my VLAN configurations in case I have made errors or something just isnt working as configured.

I already run nessus but that mostly checks for vulnerabilities on each host. I’m looking to scan for vulnerabilities in my network.

best idea for vlan classification

I have a Server Room with about 40 servers. some servers are DB. Some of them is for web .
some of them need internet and some no.
what is the best idea for vlan classification them?
putting on DB sever and WEB sever in one Vlan is Dangerous؟؟
what is the best policy for vlan classification them?

subnet – VMWare Workstation VLAN – Vyatta routers not able to ping each other

I have two routers configure to be within the same VLAN – LAN 2

View post on

And here are the network configurations:

Router 1:

Router 2:

I’m unable to figure out why *.49 and *.50 can’t ping each other and I’ve been staring at this for ~2 hrs now

do you set vlan for servers ?


you may sell shared hosting and colo your servers at datacenter,
with a /24,
do you set it as little range as possible and some servers… | Read the rest of

What are the security issues can be exploited to VLAN switches to compromise network?

While VLAN switches can be used to provide security between network segments using VLAN filtering rules. Is there any possibility to have an security issue which is exploited to VLAN switches?

VMware nested ESXi + pfSense + VLAN trunk lab

I got a lab issue. the env is:

  1. A nested ESXi env
  2. 3 x ESXi 6.7 U2 VMs within the 1st level ESXi
  3. One VCSA 6.7 U2 VM within the 1st level ESXi
  4. A pfSense 2.4.5-p1 VM within the 1st level ESXi
  5. 2 x win10 VM within the 1st level ESXi
  6. A Ubuntu 18.04 VM within the 1st level ESXi
  7. A vds/vss created and configured as a trunk (0-4094)
  8. All above VMs NIC are vmxnet3

The lab facts are:

a). 2 x win10 VM setup the VLAN ID xxx and connect to the vds/vss are able to communicate with each other
b). Ubuntu VMs also connect to the same vds/vss and configure the same VLAN ID xxx, but CAN NOT communicate to other VMs
c). The 3x ESXi VMs also connect to the same vds/vss and setup the VGT attached to VLAN ID xxx, but also not communicate with each other.

does the pfSense trunk pick the client? how come win10 works perfectly but ubuntu and ESXi VM are not working? Did I miss any configure?

vlan – in packet tracer dhcp server drops arp frame

i’m using packet tracer to prepare myself for CCNA,i’m encountering a problem where i have a server as a DHCP for multivlan network which is in vlan 40,the router is in router on the stick mode, when a frame is from a vlan 10 and tryin to reach dhcp on vlan 40 the ip address-helper sends the request to the DHCP ip,
the router doesnt find the ip in arp table so he sends an arp request , but when the arp frame reaches the DHCP server, it simply drops it and it says “this device does not have a service that that accepts this frame”.