Native VLAN on sg6100?
-
Hi everyone,
Is there someone willing to explain how to configure the sg6100 to communicate (management purposes only) across the "discrete" ports (acting as "trunk" ports) to external managed switches/ AP's?
Thanks to anyone for your patience!
-
@Orny LACP would be my choice. LACP from pfsense to the switch, then connect the AP to the switch.
There is another way that I strongly don't recommend, which is to set up a bridge. -
@mcury Thanks for the quick reply!
I will never bridge! haha. Seriously, though.
I guess I have a lot of homework to do before I can post a concise question on here - I am very network new, and challenged. I know that LACP is link aggregation control protocol, but that's all I know.
Really what I would like to do is utilize physical "discrete" port "LAN1" as a trunk to an uplink port on a managed switch. I don't even have the knowledge to configure "LAN1" as such, much less everything that follows. I went from an sg1100 to the sg6100 and perhaps that was bigger jump than anticipated. I basically don't even know how the 6100 fundamentally works in comparison. Seems like an entirely different animal.
Thanks for listening! -
@Orny said in Native VLAN on sg6100?:
Thanks for listening!
You are welcome.
It is very easy to set up a LAG, then create the VLANs on top of it.
LAGG will be untagged.
LAGG.10 will be VLAN10 (tagged) and so on.Then, you configure the switch in the same way and that is it.
-
@mcury Don't have enough reputation to give you a "thumbs up", so.. Thumbs Up!
-
-
It's easier to configure this on the 6100 than the 1100 because it doesn't have an internal switch to worry about.
The default config in the 6100 already has 'LAN1' (igc0) assigned as an interface. If you want to use VLANs on that to a connected switch simply create those in Interfaces > VLANs then assign them as a new interface.
I always recommend avoiding having tagged and untagged traffic on the same port if you can. So if I were setting this up I would probably unassign igc0. However if that's your main LAN maybe use one of the other LAN ports as the trunk link.
-
@stephenw10 said in Native VLAN on sg6100?:
I always recommend avoiding having tagged and untagged traffic on the same port if you can.
Is there a particular reason to do it ?
I mean, so much easier to use VLAN1 to manage everything, VLAN hopping or double tagging are not much of a threat these days.
-
The risk is less in an attack and more in consequences of misconfiguration somewhere. Especially if you're using untagged for management. If some traffic gets incorrectly untagged pfSense will see that on the parent interface and handle it accordingly. If the parent is unassigned then any untagged traffic is simply dropped.
-
@stephenw10 Hey thank you for a great reply. I think the biggest hurdle here is me. Lot's to learn at the most basic levels of networking..
-
@stephenw10 said in Native VLAN on sg6100?:
The risk is less in an attack and more in consequences of misconfiguration somewhere. Especially if you're using untagged for management. If some traffic gets incorrectly untagged pfSense will see that on the parent interface and handle it accordingly. If the parent is unassigned then any untagged traffic is simply dropped.
Thanks stephenw10.
For my use case, no concerns then.. But thanks for the feedback
-
@mcury said in Native VLAN on sg6100?:
For my use case, no concerns then
Yup it certainly can work, technically there is no problem. And a correctly configured network will have no problems.
It just mitigates a risk that I have seen happen all too many times. Including due to things I have done!
-
