Netgate Discussion Forum

PfSense with Catalyst Switch -> VLANs

Routing and Multi WAN
12 Posts 4 Posters 1.5k Views

    Rossco P., Nov 26, 2017, 4:36 AM

    I cannot SSH into my Catalyst 3750 switch. (Everything else is working like it should, just an FYI)

    Port 1/0/48 on the Catalyst is configured as follows:

    -switchport access vlan 20
    -switchport trunk encapsulation dot1q
    -switchport trunk native vlan 20
    -switchport mode trunk

    The physical connection when I can NOT SSH to the switch:

    pfSense --> Catalyst switch trunk port

    When I connect the Catalyst switch through my Cisco SMB switch, everything works like it should. I can SSH to the switch.

    The physical connection when I CAN SSH to the Catalyst switch:

    pfSense --> Cisco SMB switch --> Catalyst switch
    (Both ports on the SMB switch that connect the pfSense box and the Catalyst switch are trunked. BUT the SMB switch forces at least one VLAN to be UNTAGGED on every trunk port. This seems to be the only reason why it is working.)

    I hope all of this makes sense!

    Am I screwed?

      Derelict LAYER 8 Netgate, Nov 26, 2017, 10:34 AM

      Damn, dude. Do you want that port to be an access (untagged) port or a trunk (tagged) port?

      You're kind of all over the place there.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        johnpoz LAYER 8 Global Moderator, Nov 26, 2017, 11:05 AM

        "BUT the SMB switch forces at least one VLAN to be UNTAGGED on every trunk port."

        What switch is this?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Rossco P., Nov 26, 2017, 6:23 PM

          @Derelict:

          Damn, dude. Do you want that port to be an access (untagged) port or a trunk (tagged) port?

          I want it to be a trunk port.
              "switchport access vlan 20"
          is different from
              "switchport mode access"

          @johnpoz:

          "BUT the SMB switch forces at least one VLAN to be UNTAGGED on every trunk port."

          What switch is this?

          My apologies, I thought it was SMB. It is a Small Business Switch.

          I attached a screenshot of the GUI

          ![Screen Shot 2017-11-26 at 11.16.50 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 11.16.50 AM.png)

            johnpoz LAYER 8 Global Moderator, Nov 27, 2017, 10:12 AM

            That is set as the PVID.. what is the setting from the CLI on that port?

            PVID in Cisco is a bit different than on some other switches.  That just means any untagged traffic that enters that interface will be put into that VLAN..  You can always tag the egress default VLAN with the

            switchport default-vlan tagged

            command from the CLI on the switch.. But you can for sure set tagged-only ports on a switch via the GUI.. I don't use the 500, but the 300 uses pretty much the same firmware.. Just set it to general type vs trunk.. Then your PVID would be set to 4095, which in Cisco is the junk or trash VLAN.. So any untagged traffic hitting ingress on this port would be trashed..

            What exactly are you wanting to accomplish?  So you want to set up VLANs on a pfSense interface with no settings on the native or naked interface - so all traffic will be tagged.  Then I would set your port setting to general vs trunk.. Trunk in Cisco wants an untagged VLAN setting - the GUI will not allow you to put in 4095, etc.

            
            sg300#sho run int gi1
            interface gigabitethernet1
             description "esxi vmkern"
             switchport general acceptable-frame-type tagged-only
             switchport general pvid 4095
             switchport mode general
             switchport general allowed vlan add 20,100,200 tagged
            
            

            If no untagged traffic is going to enter the port then set it as tagged only via the above example.. See attached screenshots.

            You can also use trunk, and just set the PVID to some junk VLAN you're not using.  Add all the VLAN IDs you want to use as trunked..  See for example the 2nd shot where the PVID is set to 500..

            All comes down to what cat you're trying to skin.. And how you want to skin it.. If you're wanting to prevent any untagged traffic from entering the port on the switch then put it in general mode and filter all untagged traffic, etc.  As to your SMB.. yeah, normally means small business - I was just wanting clarification of which small business switch, wasn't sure it was Cisco.. Other switches do it differently, etc.

            Keep in mind that the GUI tries to make sure you don't shoot yourself in the foot as well ;)  Unlike Catalyst switches via CLI where you could do crazy invalid stuff like trunk and access at the same time, etc.

            pvid4095.png
            unusedpvidid.png


              mikeisfly, Nov 27, 2017, 10:58 AM

              As others here have already answered your question, particularly johnpoz, I would only offer that a few years ago I made a YouTube video that might help you out. You can take a look at it below. Hope it helps:

              Youtube Video

                Rossco P., Nov 28, 2017, 5:24 AM

                Thank you, mikeisfly!

                johnpoz, the issue I am having is that I cannot SSH into the Catalyst switch I have. I was talking about the Small Business Cisco switch to tell everyone that it is the only way that I'm able to gain access to the Catalyst.

                I guess I don't fully understand what the Native VLAN command does?

                  johnpoz LAYER 8 Global Moderator, Nov 28, 2017, 8:59 AM (last edited 9:09 AM)

                  "The physical connection when I can NOT SSH to switch."
                  "I guess I don't fully understand what the Native VLAN command does?"

                  Why do you have it set then??  What are the settings on the interface connected to this switchport?

                  "This seems to be the only reason why it is working)"

                  Then don't set that!!  If you have an untagged network on your interface that you want to use to talk to the switch on.. Then that should be UNTAGGED, the other name for native.

                  switchport mode trunk
                  switchport trunk allowed vlan add 200,300,500
                  switchport trunk native vlan 20

                  Remove
                  -switchport access vlan 20

                  Your trunk allowed vlan add command would list the vlans that will be on that trunk.  The native vlan 20 would set this as the untagged vlan.

                  So you have, let's say, em2 connected to this port.. And on this port you have an IP set directly on this interface.. Now sitting on that interface you have VLANs 200, 300, 500 for example.  Then the above config should be really all you need.


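The two posts above (general mode with a PVID of 4095 and tagged-only on the Cisco Small Business switch, and a Catalyst trunk with or without a native VLAN) describe how a port decides which VLAN an untagged frame belongs to and whether a given VLAN leaves the port tagged. The following Python model is an added example, not code from the thread or from Cisco; it is a simplified version of those rules (for instance, it treats an access port as dropping every tagged frame, which real hardware does not always do). The `Port`, `switch_reply_usable` and `thread_scenarios` names are the example's own. Under the model's rules, a trunk whose native VLAN is the one the switch's management SVI lives in sends that traffic untagged, and a pfSense VLAN child interface never sees untagged frames; the thread itself only reports the symptom and the working configuration, so that reading is the model's, not the posters'.

```python
"""Model of how a switch port assigns VLANs to frames (added example, not from the thread).

Frame tags are a VLAN ID, or None for an untagged frame.
  access  - one VLAN, untagged on the wire
  trunk   - Catalyst style: tagged frames keep their VLAN, untagged frames go to
            the native VLAN (default VLAN 1), native-VLAN frames leave untagged
  general - Cisco SB style: the PVID plays the native role, PVID 4095 is the
            discard VLAN, 'acceptable-frame-type tagged-only' drops untagged ingress
Simplified: real access ports may also accept frames tagged with their own VLAN.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

DEFAULT_VLAN = 1      # where untagged frames go when no native VLAN / PVID is set
DISCARD_VLAN = 4095   # Cisco SB PVID meaning "drop untagged ingress"


@dataclass
class Port:
    mode: str                            # "access", "trunk" or "general"
    vlan: int = DEFAULT_VLAN             # access VLAN; ignored in trunk/general mode
    allowed: Optional[Set[int]] = None   # VLANs carried; None = all (blanket trunk)
    native: Optional[int] = None         # trunk native VLAN or general PVID
    tagged_only: bool = False            # general: acceptable-frame-type tagged-only

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """VLAN a received frame is placed in, or None if the port drops it."""
        if self.mode == "access":
            return self.vlan if tag is None else None
        if tag is None:                          # untagged frame on trunk/general
            if self.tagged_only:
                return None
            pvid = DEFAULT_VLAN if self.native is None else self.native
            return None if pvid == DISCARD_VLAN else pvid
        if self.allowed is not None and tag not in self.allowed:
            return None                          # VLAN not carried on this port
        return tag

    def egress(self, vlan: int) -> Optional[str]:
        """How a frame in `vlan` leaves: 'tagged', 'untagged' or None (not sent)."""
        if self.mode == "access":
            return "untagged" if vlan == self.vlan else None
        if self.allowed is not None and vlan not in self.allowed:
            return None
        return "untagged" if vlan == self.native else "tagged"


def switch_reply_usable(port: Port, pfsense_vlans: Set[int],
                        parent_has_ip: bool, mgmt_vlan: int) -> bool:
    """Can a frame from the switch's management SVI be used by pfSense?

    A pfSense VLAN child interface only sees frames tagged with its ID; an
    untagged frame lands on the parent interface, which only helps if the
    parent itself has an IP configured.
    """
    how = port.egress(mgmt_vlan)
    if how == "tagged":
        return mgmt_vlan in pfsense_vlans
    if how == "untagged":
        return parent_has_ip
    return False


def thread_scenarios() -> Dict[str, object]:
    """The setups discussed in the thread: pfSense has VLANs 10, 11, 20 and 50
    on the trunk and no IP on the parent interface; the switch SVI is in VLAN 20."""
    pfsense_vlans = {10, 11, 20, 50}
    original = Port("trunk", vlan=20, native=20)           # access vlan 20 + native vlan 20 + mode trunk
    fixed = Port("trunk", allowed=set(pfsense_vlans))      # no native VLAN, restricted allowed list
    general = Port("general", allowed=set(pfsense_vlans),
                   native=DISCARD_VLAN, tagged_only=True)  # Cisco SB general, tagged only
    return {
        "original_ssh_reply_usable": switch_reply_usable(original, pfsense_vlans, False, 20),
        "fixed_ssh_reply_usable": switch_reply_usable(fixed, pfsense_vlans, False, 20),
        "general_ssh_reply_usable": switch_reply_usable(general, pfsense_vlans, False, 20),
        "untagged_on_fixed_trunk_goes_to": fixed.ingress(None),
        "untagged_on_general_goes_to": general.ingress(None),
    }


if __name__ == "__main__":
    for name, value in thread_scenarios().items():
        print(f"{name}: {value}")
```

Running the module prints the five scenario results; the point to take from them is that whether the switch's own traffic leaves tagged or untagged is decided by the native VLAN / PVID on the switch side, and that a tagged-only general port or a trunk with an unused native VLAN is what keeps stray untagged frames out of a data VLAN.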
                    Rossco P., Nov 28, 2017, 6:47 PM

                    Okay. I got it!
                    Here is the end of my config:

                    interface GigabitEthernet1/0/48
                    switchport trunk encapsulation dot1q
                    switchport mode trunk
                    !
                    interface GigabitEthernet1/1/1
                    !
                    interface GigabitEthernet1/1/2
                    !
                    interface GigabitEthernet1/1/3
                    !
                    interface GigabitEthernet1/1/4
                    !
                    interface TenGigabitEthernet1/1/1
                    !
                    interface TenGigabitEthernet1/1/2
                    !
                    interface Vlan1
                    no ip address
                    shutdown
                    !
                    interface Vlan20
                    ip address 10.0.20.3 255.255.255.0
                    !
                    ip default-gateway 10.0.20.1
                    no ip http server
                    no ip http secure-server

                    All I did to gain access back to my switch was

                    • Reassign the default-gateway

                    • Reassign the Vlan20 interface ip address

                    I can now SSH my switch!

                      johnpoz LAYER 8 Global Moderator, Nov 28, 2017, 7:11 PM

                      You still have not stated how the interface on pfSense that is connected to port 48 of your switch is set up..

                      If you have the pfSense interface connected to that port as untagged, i.e. an IP set up directly on that interface, then you would want that VLAN to be native on your switch port.. Or the untagged VLAN.

                      If you do not have an IP set up on the physical interface and only VLANs running on pfSense then you have no need of a native or untagged VLAN, and since you're just doing trunk with no restrictions, any VLAN that is tagged could talk on that port..  Any untagged traffic would be assigned to the default VLAN on the switch - normally VLAN 1.


                        Rossco P., Nov 28, 2017, 8:22 PM

                        @johnpoz:

                        If you do not have an IP set up on the physical interface and only VLANs running on pfSense then you have no need of a native or untagged VLAN, and since you're just doing trunk with no restrictions, any VLAN that is tagged could talk on that port..  Any untagged traffic would be assigned to the default VLAN on the switch - normally VLAN 1.

                        Yes Yes Yes!

                        No untagged traffic.
                        Only VLANs. Then like I stated in my last post, I did the following!

                        @Rossco:

                        • Reassign the default-gateway

                        • Reassign the Vlan20 interface ip address

                        Originally I thought that the Native VLAN command allowed a specific port access to the described VLAN. I see now that the thought was incorrect.

                        Here's what my pfSense assignments look like

                        ![Screen Shot 2017-11-28 at 1.14.01 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-28 at 1.14.01 PM.png)

                          johnpoz LAYER 8 Global Moderator, Nov 28, 2017, 8:56 PM (last edited 9:00 PM)

                          Ah ok.. Then you're good.. there should be no untagged traffic hitting that port the way you have it set up.. Just know that if any untagged traffic does get onto that port from pfSense it would go to your default VLAN on the switch.

                          To follow through with good practice you should limit your trunk port to those specific VLAN IDs, 10, 11, 20 and 50.

                          Trunk ports will always allow untagged traffic, and if you do not call out what VLAN untagged traffic should be assigned to with the native vlan command then untagged traffic will go to whatever the default VLAN is on the switch.

                          I just run a native VLAN on my interface, and then run VLANs on top of that.  But your way is also very common.  I do believe Derelict is a fan of only tagged traffic and not using any untagged traffic.

                          Glad you got it all sorted.. In the Cisco world if you're not going to run a native or untagged VLAN on the interface then you would normally use general for the port, assign the tagged VLANs and set up the port to only accept tagged traffic, etc.  Where any untagged would go to a garbage VLAN ID.  Lots of different ways to skin the cat ;)

                          Also, a bit of a side note on just using trunk vs limiting the VLANs on the trunk port.  Any other VLANs you might be running on the switch - broadcast traffic could go down that port.  It won't go anywhere since pfSense doesn't have any VLANs set up for other IDs.  But broadcast traffic would be sent down that trunk port since you have set it for ALL VLANs with just the trunk command.  Blanket trunk commands like that are normally frowned upon.  You normally limit the trunk to the specific VLANs that are OK to travel on that port.


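The closing advice above (restrict the trunk to the VLANs pfSense actually uses, know where untagged frames end up, and keep the access/trunk settings from contradicting each other) is the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not from the thread or from Netgate or Cisco: a small audit of an IOS-style running-config that flags a blanket trunk, a native VLAN left at the default VLAN 1, a native VLAN that is also the VLAN of an SVI the switch has an address on, and an `switchport access vlan` line sitting on a trunk port. `SAMPLE_CONFIG` is constructed for the example (port 48 as it was first posted, plus a hypothetical port 47 showing the restricted form); the function names are the example's own. It assumes IOS defaults (all VLANs allowed and native VLAN 1 when unspecified) and that `allowed vlan add` on a trunk still at the default leaves it at "all".

```python
"""Audit an IOS-style running-config for trunk ports (added example, not from the thread).

Flags: a trunk that carries every VLAN, a native VLAN that is the default
VLAN 1 or the VLAN of an SVI the switch has an IP on, and an access-VLAN
setting left on a trunk port. SAMPLE_CONFIG is constructed for this example.
"""
import re
from typing import Dict, List, Optional, Set

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/48
 switchport access vlan 20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/0/47
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,11,20,50
 switchport trunk native vlan 999
 switchport mode trunk
!
interface Vlan20
 ip address 10.0.20.3 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its stripped config lines."""
    ifaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line:
            ifaces[current].append(line)
    return ifaces


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,11,20-22' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def svi_vlans(ifaces: Dict[str, List[str]]) -> Set[int]:
    """VLAN IDs whose SVI carries an IP address (the switch itself talks on these)."""
    out: Set[int] = set()
    for name, lines in ifaces.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and any(l.startswith("ip address ") for l in lines):
            out.add(int(m.group(1)))
    return out


def audit_trunk(lines: List[str], svi: Set[int]) -> List[str]:
    """Findings for one port; empty if it is not a trunk or nothing is flagged."""
    if "switchport mode trunk" not in lines:
        return []
    allowed: Optional[Set[int]] = None   # None = IOS default, all VLANs carried
    native = 1                            # IOS default native VLAN
    findings: List[str] = []
    for l in lines:
        if m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", l):
            allowed = parse_vlan_list(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan add ([\d,-]+)", l):
            if allowed is not None:       # 'add' onto the default 'all' still leaves all
                allowed |= parse_vlan_list(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", l):
            native = int(m.group(1))
        elif re.fullmatch(r"switchport access vlan \d+", l):
            findings.append("access VLAN set on a trunk port; ignored in trunk mode, remove it")
    if allowed is None:
        findings.append("blanket trunk: every VLAN on the switch is carried; "
                        "restrict with 'switchport trunk allowed vlan <list>'")
    if native == 1:
        findings.append("native VLAN is the default VLAN 1; untagged frames land in VLAN 1")
    if native in svi:
        findings.append(f"native VLAN {native} is an SVI VLAN; the switch's own "
                        "traffic on it leaves this port untagged")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every trunk in a config; returns {port: [findings]} for flagged ports only."""
    ifaces = parse_interfaces(config)
    svi = svi_vlans(ifaces)
    return {name: f for name, lines in ifaces.items() if (f := audit_trunk(lines, svi))}


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(port)
        for finding in findings:
            print("  -", finding)
```

Feed it the output of `show running-config` saved to a file and it reports only the trunk ports that need attention; in the sample, port 48 as first posted gets all three findings while the restricted port 47 is silent.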
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.