Netgate Discussion Forum
    PfSense with Catalyst Switch -> VLANs


Rossco P.

      I cannot SSH into my Catalyst 3750 switch. (Everything else is working like it should, just an FYI)

Port 1/0/48 on the Catalyst is configured as follows:

      -switchport access vlan 20
      -switchport trunk encapsulation dot1q
      -switchport trunk native vlan 20
      -switchport mode trunk

The physical connection when I can NOT SSH to the switch:

pfSense -> Catalyst switch trunk port

When I connect the Catalyst switch through my Cisco SMB switch, everything works like it should. I can SSH to the switch.

The physical connection when I CAN SSH to the Catalyst switch:

pfSense -> Cisco SMB switch -> Catalyst switch
      (Both ports on the SMB switch that connect the pfSense box and the Catalyst switch are trunked. BUT the SMB switch forces at least one VLAN to be UNTAGGED on every trunk port. This seems to be the only reason why it is working)

      I hope all of this makes sense!

      Am I screwed?

Derelict (Netgate)

        Damn, dude. Do you want that port to be an access (untagged) port or a trunk (tagged) port?

        You're kind of all over the place there.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

johnpoz (Global Moderator)

          "BUT the SMB switch forces at least one VLAN to be UNTAGGED on every trunk port."

          What switch is this?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Rossco P.

            @Derelict:

            Damn, dude. Do you want that port to be an access (untagged) port or a trunk (tagged) port?

            I want it to be a trunk port.
                "switchport access vlan 20"
            is different from
                "switchport mode access"

            @johnpoz:

            "BUT the SMB switch forces at least one VLAN to be UNTAGGED on every trunk port."

            What switch is this?

            My apologies, I thought it was SMB. It is a Small Business Switch.

            I attached a screenshot of the GUI

            ![Screen Shot 2017-11-26 at 11.16.50 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 11.16.50 AM.png)

johnpoz (Global Moderator)

That is set as the PVID.. what is the setting from the cli on that port?

PVID in cisco is a bit different than some other switches.  That just means any untagged traffic that enters that interface will be put into that vlan..  You can always tag the egress default vlan with the

              switchport default-vlan tagged

command in the cli of the switch.. But you can for sure set tagged ports only on a switch via the gui.. I don't use 500, but the 300 uses pretty much the same firmware.. Just set it to general type vs trunk.. Then your pvid would be set to 4095, which in cisco is the junk or trash vlan.. So any untagged traffic hitting ingress on this port would be trashed..

What exactly are you wanting to accomplish?  So you want to setup vlans on the pfsense interface with no settings on the native or naked interface - so all traffic will be tagged.  Then I would set your port setting to general vs trunk.. Trunk in cisco wants an untagged vlan setting - gui will not allow you to put in 4095, etc.

sg300#sho run int gi1
interface gigabitethernet1
 description "esxi vmkern"
 switchport general acceptable-frame-type tagged-only
 switchport general pvid 4095
 switchport mode general
 switchport general allowed vlan add 20,100,200 tagged

              If no untagged traffic is going to enter the port then set that as tagged only via above example.. See attached screenshots.

You can also use trunk, and just set the pvid to some junk vlan you're not using.  Add all the vlan ids you want to use as trunked..  See for example the 2nd shot where pvid is set to 500..

All comes down to what cat you're trying to skin.. And how you want to skin it.. If you're wanting to prevent any untagged traffic from entering the port on the switch then put it in general mode and filter all untagged traffic, etc.  As to your SMB.. yeah normally means small business - was just wanting clarification of which small business switch, wasn't sure it was cisco.. Other switches do it differently, etc.

              Keep in mind that the gui tries to make sure you don't shoot yourself in the foot as well ;)  Unlike catalyst switches via cli where you could do crazy not valid stuff like trunk and access same time, etc.

pvid4095.png
unusedpvidid.png

mikeisfly

                As others have stated the answer to your question here particularly johnpoz, I would only offer that a few years ago I made a YouTube video that might help you out. You can take a look at it below. Hope it helps:

                Youtube Video

Rossco P.

                  Thank you, mikeisfly!

                  johnpoz, the issue I am having is that I cannot SSH into the Catalyst switch I have. I was talking about the Small Business Cisco switch to tell everyone that it is the only way that I'm able to gain access to the Catalyst.

                  I guess I don't fully understand what the Native VLAN command does?

johnpoz (Global Moderator)

                    "The physical connection when I can NOT SSH to switch."
                    "I guess I don't fully understand what the Native VLAN command does?"

Why do you have it set then??  What are the settings on the interface connected to this switchport?

                    "This seems to be the only reason why it is working)"

Then don't set that!!  If you have an untagged network on your interface that you want to use to talk to the switch on.. Then that should be UNTAGGED, the other name for native.

                    switchport mode trunk
                    switchport trunk allowed vlan add 200,300,500
                    switchport trunk native vlan 20

                    Remove
                    -switchport access vlan 20

                    Your trunk allowed vlan add command would list the vlans that will be on that trunk.  The native vlan 20 would set this as the untagged vlan.

So you have, let's say, em2 connected to this port.. And on this port you have an IP set directly on this interface.. Now sitting on that interface you have vlans 200,300,500 for example.  Then the above config should be really all you need.

Rossco P.

Okay. I got it!
Here is the end of my config,

                      interface GigabitEthernet1/0/48
                      switchport trunk encapsulation dot1q
                      switchport mode trunk
                      !
                      interface GigabitEthernet1/1/1
                      !
                      interface GigabitEthernet1/1/2
                      !
                      interface GigabitEthernet1/1/3
                      !
                      interface GigabitEthernet1/1/4
                      !
                      interface TenGigabitEthernet1/1/1
                      !
                      interface TenGigabitEthernet1/1/2
                      !
                      interface Vlan1
                      no ip address
                      shutdown
                      !
                      interface Vlan20
                      ip address 10.0.20.3 255.255.255.0
                      !
                      ip default-gateway 10.0.20.1
                      no ip http server
                      no ip http secure-server

                      All I did to gain access back to my switch was

                      • Reassign the default-gateway

                      • Reassign the Vlan20 interface ip address

                      I can now SSH my switch!

johnpoz (Global Moderator)

                        You still have not stated how the interface on pfsense that is connected to port 48 of your switch is setup..

If you have the pfsense interface connected to that port as untagged, ie IP setup directly on that interface, then you would want that vlan to be native on your switch port.. Or the untagged vlan.

If you do not have an IP setup on the physical interface and only vlans running on pfsense then you have no need of a native or untagged vlan, and since you're just doing trunk with no restrictions then any vlan that is tagged could talk on that port..  Any untagged traffic would be assigned to the default vlan on the switch - normally vlan 1.

Rossco P.

                          @johnpoz:

If you do not have an IP setup on the physical interface and only vlans running on pfsense then you have no need of a native or untagged vlan, and since you're just doing trunk with no restrictions then any vlan that is tagged could talk on that port..  Any untagged traffic would be assigned to the default vlan on the switch - normally vlan 1.

                          Yes Yes Yes!

                          No untagged traffic.
                          Only VLANs. Then like I stated in my last post, I did the following!

                          @Rossco:

                          • Reassign the default-gateway

                          • Reassign the Vlan20 interface ip address

Originally I thought that the Native Vlan command allowed a specific port access to the described Vlan. I see now that the thought was incorrect.

                          Here's what my pfSense assignments look like

                          ![Screen Shot 2017-11-28 at 1.14.01 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-28 at 1.14.01 PM.png)

johnpoz (Global Moderator)

Ah ok.. Then you're good.. there should be no untagged traffic hitting that port the way you have it setup.. Just know that if any untagged traffic does get onto that port from pfsense it would go to your default vlan on the switch.

                            To follow through with good practice you should limit your trunk port to those specific vlan IDs, 10,11,20 and 50.

Trunk ports will always allow untagged traffic, and if you do not call out what vlan untagged should be assigned to with the native vlan command then untagged traffic will go to whatever the default vlan is on the switch.

                            I just run a native vlan on my interface, and then run vlans on top of that.  But your way is also very common.  I do believe Derelict is a fan of only tagged traffic and not using any untagged traffic.

Glad you got it all sorted.. In the cisco world if you're not going to run a native or untagged vlan on the interface then you would normally use general for the port and assign the tagged vlans and setup the port to only accept tagged traffic, etc.  Where any untagged would go to a garbage vlan ID.  Lots of different ways to skin the cat ;)

Also a bit of a side note with just using trunk vs limiting the vlans on the trunk port.  Any other vlans you might be running on the switch - broadcast traffic could go down that port.  It won't go anywhere since pfsense doesn't have any vlans setup for other IDs.  But broadcast traffic would be sent down that trunk port since you have set for ALL vlans with just the trunk command.  Blanket trunk commands like that are normally frowned upon.  You normally limit the trunk to the specific vlans that are ok to travel on that port.

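To make the ingress and egress rules discussed in this thread concrete (untagged frames landing in the native VLAN or PVID, the SG300 "general" port with PVID 4095 and tagged-only, and a blanket trunk flooding every VLAN's broadcasts versus a trunk limited to 10, 11, 20 and 50), here is an added model written for this page; it is not vendor code or anything posted in the thread, and its `SwitchPort`, `ingress_vlan` and `egress_vlans` names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed model (not vendor code) of how a Cisco-style switchport assigns an
# arriving 802.1Q frame to a VLAN, and which VLANs it will flood out of a port.

JUNK_PVID = 4095  # Cisco Small Business "discard" PVID mentioned in the thread


@dataclass
class SwitchPort:
    mode: str                           # "access", "trunk" or "general"
    native_vlan: int = 1                # trunk native VLAN / general PVID / access VLAN
    allowed: Optional[Set[int]] = None  # None = every VLAN (blanket "switchport mode trunk")
    tagged_only: bool = False           # "switchport general acceptable-frame-type tagged-only"


def ingress_vlan(port: SwitchPort, tag: Optional[int]) -> Optional[int]:
    """VLAN an arriving frame lands in (tag=None means untagged); None = discarded."""
    if port.mode == "access":
        # simplified: untagged, or tagged with the access VLAN itself, is accepted
        return port.native_vlan if tag in (None, port.native_vlan) else None
    if tag is None:
        if port.tagged_only or port.native_vlan == JUNK_PVID:
            return None                 # untagged traffic filtered on ingress
        return port.native_vlan         # untagged -> native VLAN (PVID)
    if port.allowed is not None and tag not in port.allowed:
        return None                     # pruned: not in the allowed list
    return tag                          # tagged frames keep their VLAN; no native VLAN needed


def egress_vlans(port: SwitchPort, switch_vlans: Set[int]) -> Set[int]:
    """VLANs whose broadcast traffic the switch will flood out of this port."""
    if port.mode == "access":
        return {port.native_vlan}
    return set(switch_vlans) if port.allowed is None else set(switch_vlans) & port.allowed


def thread_scenarios() -> dict:
    blanket = SwitchPort(mode="trunk")                           # Rossco's final port 48
    limited = SwitchPort(mode="trunk", allowed={10, 11, 20, 50})  # johnpoz's recommendation
    general = SwitchPort(mode="general", native_vlan=JUNK_PVID,   # johnpoz's SG300 example
                         allowed={20, 100, 200}, tagged_only=True)
    switch_vlans = {1, 10, 11, 20, 50, 99}  # constructed; 99 is an unrelated VLAN on the switch
    return {
        "blanket_tagged_20": ingress_vlan(blanket, 20),     # 20: the tag decides, no native needed
        "blanket_untagged": ingress_vlan(blanket, None),    # 1: stray untagged -> default VLAN
        "limited_tagged_99": ingress_vlan(limited, 99),     # None: pruned by the allowed list
        "general_untagged": ingress_vlan(general, None),    # None: trashed via PVID 4095
        "general_tagged_100": ingress_vlan(general, 100),   # 100
        "blanket_floods_99": 99 in egress_vlans(blanket, switch_vlans),  # True
        "limited_floods_99": 99 in egress_vlans(limited, switch_vlans),  # False
    }
```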
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.