Using a VLAN to isolate a vendor
-
I want to set up a VLAN on our network to isolate a specific PC.
I added VLAN 10 to the firewall following the instructions in the 2.1 manual. Well done.
I added VLAN 10 to the two Cisco 3560 switches, one in BldgA, one in BldgB. They are connected by an underground 1Gb CAT6 line.
I can ping the firewall from both switches. The routing works.
I cannot ping or access the PC from the switch it is connected to. It is a Broadcom NetXtreme running on a WinXP box. There are no utilities on the PC to enable VLAN tagging. Let's assume there are none available.
I set up the port:

  interface FastEthernet0/4
   switchport access vlan 10
   switchport mode access
   spanning-tree portfast

This did not work. I added

  switchport trunk encapsulation dot1q

but that didn't help. So I changed to trunk mode, which is how the rest of the ports are configured except that they use port 20 for voice (voip).

  interface FastEthernet0/4
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 10
   switchport trunk allowed vlan 10
   switchport mode trunk
   spanning-tree portfast

Now I am reading something about using native vlan affecting all of the ports.
The goal is to enable traffic to come to a specific IP address on pfSense, be isolated to a VLAN and sent only to this box.
Any help?
-
The PC port should look like this:

  interface FastEthernet0/4
   switchport access vlan 10
   switchport mode access
   spanning-tree portfast

The ports between the switches and the port where the firewall is connected should look like this:

  interface FastEthernet0/x
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 1
   switchport trunk allowed vlan 1,10
   switchport mode trunk

It will work, but following best practices, the ports between the switches and the port where the fw is connected should look like this:

  interface FastEthernet0/x
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 1,10
   switchport mode trunk

Which means you should have two VLAN tagged interfaces on pfSense, and not use the native one.
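As an added example (not part of the thread above), a fuller version of the answer's layout for one of the 3560s. It assumes GigabitEthernet0/1 is the link to the other building, GigabitEthernet0/2 is the pfSense uplink, and VLAN 999 is an otherwise unused VLAN parked as the native VLAN so that no user traffic crosses the trunks untagged; the show commands at the end confirm the vendor port sits in VLAN 10 only.

```cisco
! Added example, not from the original post. Assumed interface names and
! the unused VLAN 999 are placeholders; adjust to the real switch layout.
vlan 10
 name VENDOR
vlan 999
 name NATIVE_UNUSED
!
! Vendor PC: untagged access port in VLAN 10, trunk negotiation disabled
! so the host cannot be talked into a trunk and see other VLANs.
interface FastEthernet0/4
 description Vendor PC (host cannot tag 802.1Q)
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
! Inter-switch link: every carried VLAN is tagged; native VLAN is the
! unused 999, so VLAN 1 and VLAN 10 both arrive tagged at the far end.
! Add the voice VLAN to the allowed list if it also crosses this link.
interface GigabitEthernet0/1
 description Link to other building
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,10
 switchport mode trunk
 switchport nonegotiate
!
! Firewall uplink (only on the switch where pfSense is plugged in):
! pfSense then needs two tagged VLAN interfaces (1 and 10) on this NIC,
! and the VLAN 10 interface carries only the rules for the vendor box.
interface GigabitEthernet0/2
 description pfSense
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,10
 switchport mode trunk
 switchport nonegotiate
!
! Verification after applying:
!  show interfaces trunk            (Gi0/1, Gi0/2 trunking, native 999, allowed 1,10)
!  show vlan brief                  (Fa0/4 listed under VLAN 10 and nowhere else)
!  show mac address-table vlan 10   (the PC's MAC learned on Fa0/4)
```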
-
Thank you.
I had to resolve that one right away, so we opened up access to the consultant's static IP address and NATed him to that specific box using an obfuscated port.
I will test this soon so that I can have it in my arsenal. Thanks again!