Issue connecting to Cisco switch (long)
I've been trying to set up a new SG5100 with a Cisco 250 series switch.
I've read lots of articles and watched lots of videos and I thought I would be okay but unfortunately, I’m not making any progress.
On the SG5100, I have not enabled the WAN interface at this time since I’m still using my consumer router. I basically got the SG5100 plugged in and connected directly to my laptop.
I defined the LAN interface and I have that port connected directly to my laptop. I have enabled DHCP and defined the following firewall rules for LAN.
I defined the OPT1 (IX0) interface but this is where I'm having a problem understanding the concept.
I set up DHCP on OPT1 and connected it to the Cisco switch. The switch uses the new IP address, but I noticed that the switch assigns VLAN 1 to the connection.
I want to change it so the switch assigns VLAN 10 to OPT1 so I defined VLAN 10 on the switch and this is where I’m stuck. I defined VLAN 10 and 20.
I need to associate a port to VLAN 10. I assume that this is the port that I’ll be connecting back to OPT1 (IX0) on the SG5100. The Cisco switch has different terminology than most of the examples regarding setting up a VLAN I’ve encountered on the web.
If I want to connect port 1 from the switch to IX0 using VLAN 10, from what I’ve read:
• I need to make port 1 a trunk on the switch.
• I need to define VLAN 10 in pfSense with parent OPT1 (I also tried not allocating OPT1 and just using it as a parent, but no luck).
• VLAN 10 in pfSense would have DHCP and I would assign a static IP address for the switch.
• I plug port 1 into IX0, reboot the switch, and all should be well; except this is not the case. What happens is that the switch loses its default IP address but pfSense is not handing out the static IP address that I defined for the switch. What’s worse is that I lose my management interface to the switch. I cannot count the number of times I needed to do a factory reset on the switch.
Anyway, I think the issue is with the port definition on the switch. Below are screenshots of the default settings that work (VLAN 1).
This is a screenshot of one of my “experiments”. Just to show the terminology used by the switch.
I added VLAN 10 (screenshot below is the default, not what I did) with the static IP address that I defined in pfSense, but after I do that, I lose my management connection (PC with a connection directly to port 6 on the switch). I cannot ping the default IP address nor the one that is supposed to be handed out by pfSense. What usually happens is that I factory reset the switch.
One of the things that I cannot understand is the relationship between the pfSense interface and the switch.
Let’s say I define OPT1 for IX0. I assign an IP address for OPT1. I then assign DHCP; assume I need an IP address for the switch. Now I define a VLAN whose parent is OPT1. The VLAN has its own IP addresses. Therefore, is the IP address for OPT1 only used for the switch connection? But if that is the case, there is no VLAN association for OPT1 on the switch, so shouldn’t the VLAN interface need to hand out the IP address to the switch? If that is the case, what is the purpose of OPT1?
Anyway, sorry for the long post. For now, I'm just trying to get the switch connected so it can be managed by the LAN interface. After that I should be able to define new VLANs on the switch without messing up the connection to pfSense...I hope.
There are two different ways you can do this. Have the VLAN tagged between pfSense and switch. Or, since you're using a separate port, have it untagged between pfSense and switch. In the latter case pfSense just sees it as a standard interface and the VLAN exists only at the switch.
If you are going to have more than one VLAN at the switch and pfSense needs to be able to use all of them you will need that traffic tagged to the switch. A trunk port in Cisco parlance that most others have adopted. Let's assume you will since you have two VLANs shown in your screenshot.
First you need to create the VLAN interfaces in pfSense in Interfaces > Assignments > VLANs.
Create the new VLAN interface(s) with tag 10 and parent ix0.
Repeat for VLAN 20 if you need that.
Now go back to Interfaces > Assign and assign the new VLAN interface(s) as new interfaces. So probably OPT5, OPT6 etc.
You could assign it as OPT1 instead of the raw ix0 NIC but if you do that you will lose connectivity on the untagged (native) VLAN there and the switch will still be using that for its management. That's probably where you were going wrong previously.
Now go to Interfaces > OPT5 and enable it, change the name, set it as static and give it a new IP subnet etc.
Enable DHCP on that interface if you need it.
On the switch set VLAN 10 to be tagged on port1, connected to the SG-5100, and untagged on any ports you want to have hosts on LAN10 connected to.
You might need to juggle some subnets about.
It sounds like the root issue here is that the switch management interface is available on the native/untagged VLAN by default and in creating the new VLAN you lost connectivity to that. So either keep an interface connected untagged, perhaps as a management-only subnet, or change the switch interface so it is available on VLAN 10.
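The native-VLAN diagnosis above, modelled as an added Python sketch that is not from the thread, pfSense or Cisco tooling: it checks which VLANs a trunk actually shares between pfSense and the switch, and so whether the switch management IP (and a host on an access port) can reach pfSense. The port and interface classes, function names and scenario values are constructed assumptions; VLAN ids and NIC names are the ones used in the posts.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class SwitchPort:
    """One switch port (hypothetical model, not the Cisco 250 config schema)."""
    mode: str                                   # "trunk" or "access"
    native_vlan: int = 1                        # VLAN carried untagged on this port
    tagged: Set[int] = field(default_factory=set)  # VLANs carried tagged (trunk only)

@dataclass
class PfIf:
    """A pfSense interface: raw NIC (vlan=None) or an 802.1Q child of that NIC."""
    parent: str                                 # physical NIC, e.g. "ix0"
    vlan: Optional[int] = None
    enabled: bool = True

def vlans_shared(uplink: SwitchPort, pf_ifs: List[PfIf]) -> Set[int]:
    """VLANs on which pfSense and the switch can exchange frames over the uplink."""
    shared = set()
    for i in pf_ifs:
        if not i.enabled:
            continue
        if i.vlan is None:                      # untagged pfSense side <-> native VLAN
            shared.add(uplink.native_vlan)
        elif uplink.mode == "trunk" and i.vlan in uplink.tagged:
            shared.add(i.vlan)                  # tagged on both sides
    return shared

def switch_mgmt_reachable(uplink: SwitchPort, pf_ifs: List[PfIf], mgmt_vlan: int) -> bool:
    """Can pfSense (and therefore its DHCP server) reach the switch management IP?"""
    return mgmt_vlan in vlans_shared(uplink, pf_ifs)

def host_port_has_gateway(access: SwitchPort, uplink: SwitchPort, pf_ifs: List[PfIf]) -> bool:
    """Does a host on this access port have a pfSense interface on its VLAN?"""
    return access.mode == "access" and access.native_vlan in vlans_shared(uplink, pf_ifs)

# Constructed scenarios mirroring the thread.
PORT1_TRUNK = SwitchPort("trunk", native_vlan=1, tagged={10, 20})   # uplink to ix0
PORT8_ACCESS = SwitchPort("access", native_vlan=20)                  # host port

# Failure mode: VLAN 10 assigned in place of raw ix0, switch still managed on VLAN 1.
BROKEN = [PfIf("ix0", 10)]
# Working setup: raw ix0 kept (OPT1) plus tagged children for VLAN 10 and 20.
WORKING = [PfIf("ix0"), PfIf("ix0", 10), PfIf("ix0", 20)]

if __name__ == "__main__":
    print("broken, mgmt on VLAN 1:", switch_mgmt_reachable(PORT1_TRUNK, BROKEN, 1))
    print("broken, mgmt moved to VLAN 10:", switch_mgmt_reachable(PORT1_TRUNK, BROKEN, 10))
    print("working, mgmt on VLAN 1:", switch_mgmt_reachable(PORT1_TRUNK, WORKING, 1))
    print("port 8 host reaches VLAN 20 gateway:", host_port_has_gateway(PORT8_ACCESS, PORT1_TRUNK, WORKING))
```

The broken scenario reports the management VLAN as unreachable until either the raw ix0 interface is kept or the switch management is moved onto VLAN 10, the two fixes given above.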
Steve, thank you.
I read through your post and went at it again after factory resetting the switch and basically putting the OPT interfaces back to how they were when I received the SG5100 from Netgate.
OPT1 (ix0), OPT2 (ix1), OPT3 (ix2), OPT4 (ix3) = added but not enabled
From there I went to Interfaces => VLANs
Define VLAN tag 10 interface ix0 (opt1), VLAN tag 20 interface ix0 (opt1)
Enabled VLAN 10 and VLAN 20. Assigned static IPv4.
Defined DHCP for VLAN 10 set range but added a static IP address for the Cisco switch outside of the pool range. Defined DHCP for VLAN 20, set range.
On another computer connected directly to the Cisco switch, I defined VLAN 10 and 20.
Set port 1 as a trunk. Tagged VLAN 10 and 20.
Set port 8 as access. Untagged for VLAN 20.
Added an IPv4 interface for VLAN 10, DHCP.
Usually this is where I get kicked off, but this time after I connected port 1 from the switch to ix0, the switch was listed under DHCP and Online in pfSense. In addition, my other computer that is directly connected to the switch was still connected using the switch's default IP address. I’m assuming it’s because VLAN 1 and VLAN 10 are both active on the switch and I have that computer plugged into a port that I didn’t mess around with.
I plugged a device into port 8 and confirmed it got an IP address in the VLAN 20 range.
One issue I found is that I cannot connect to the switch from my laptop that’s on the LAN connection. But I’m guessing that’s probably a firewall issue. I can still connect to the switch directly from my other computer so I can do switch configuration from there.
I’m going to back up the settings on the switch and pfSense before I go any further. I guess for most people getting to where I am now seems trivial. After all, I don’t even know if the device works on port 8 since I just did a simple connectivity test, but after spending the last several weekends setting up, resetting, plugging in, and unplugging, I’m happy that I can finally move onto the next steps.
Thank you very much for your help!