Switching from untagged LAN to 8021q tagged LAN
-
I have a deployed pfsense box which isn't currently set up to use VLANs for its interfaces. I'm familiar with how to add new VLAN interfaces to the device, but I'm wondering if there's any easy way to migrate the existing LAN interface to a tagged VLAN interface.
What I'd like to do is switch the Cisco switch from untagged to a trunk port, and simultaneously switch the pfsense from untagged to tagged on the same VLAN, hopefully to minimize downtime as much as possible.
I didn't see an easy way to take existing interfaces and add VLAN tagging to them. Am I missing something?
-
Create the vlan in advance, but don't assign it to an interface. When you are ready to move the firewall from a lan port to a trunk port, re-assign your lan to the vlan instead of the hardware port. Then move the firewall to a trunk port.
-
this is what i want to do as well, to shut off the LAN (native VLAN) and set up my cisco switch to have the Native VLAN go to a blackhole and shut down VLAN1 (default untagged interface)
-
Create the vlan in advance, but don't assign it to an interface. When you are ready to move the firewall from a lan port to a trunk port, re-assign your lan to the vlan instead of the hardware port. Then move the firewall to a trunk port.
So to go over the steps as I understand them:
- Create a new VLAN interface with the parent port of the physical LAN interface
- Assign it the same subnet as the current untagged LAN interface
+ Note: Won't this cause routing issues? - When I'm ready to move over, go to Interfaces -> (assign) and assign the interface from the existing port (call it igb0) to the VLAN port
-
So to go over the steps as I understand them:
- Create a new VLAN interface with the parent port of the physical LAN interface
- Assign it the same subnet as the current untagged LAN interface
+ Note: Won't this cause routing issues? - When I'm ready to move over, go to Interfaces -> (assign) and assign the interface from the existing port (call it igb0) to the VLAN port
No. You create the new vlan interface with the parent port of the physical LAN interface, then you change the assignment for LAN from the physical port to the vlan interface. Don't assign the vlan, just switch the assignment when you are ready to move.
-
Got it, seems like it's working fine. Thank you.
-
can you then disable the LAN port and still carry traffic over the VLANs?
-
can you then disable the LAN port and still carry traffic over the VLANs?
In the original example, the LAN was moved to the tagged vlan and the raw interface was no longer assigned to an interface, so no you would not disable the LAN.