Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unable to access cisco switch GUI on pfSense vlan

    L2/Switching/VLANs
    vlan vlans vlan interface cisco cisco switch
    3
    4
    1.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      maxisthebest55
      last edited by

      Hi All - Thank you in advance for any help you can provide.

      Relevant components: (1) build your own pfSense box, (2) managed cisco switch

      Starting config:
      (1) switch is in layer 2 mode with a couple of trunk ports
      (2) native vlan = 1 for swtich
      (3) static ip address is assigned to native vlan, vlan 1 (192.168.2.2)
      (4) pfsense has vlans 20, 30, 40, 50 and 60 configured and working as intended (handles all layer 3 routing) and is playing well with the managed switches as far as vlan tagging

      Goal: Change the native vlan on switch from vlan 1 to something else. I've experimented with changing the native vlan from vlan 1, to vlan 20.

      Why: I've read that segmenting switch management traffic in a separate vlan, other than vlan 1, is a good opsec practice if implemented thoughtfully.

      What I changed:
      I assigned all trunk ports a new native vlan, vlan 20.
      Then I shutdown vlan 1.
      Then assigned an ip address to vlan 20 in switch (192.168.20.1)
      Switch default gateway changed from 192.168.2.1 ---> 192.168.20.1

      Problem: Short of using a serial cable, I have lost access to the switch. I am attempting to access the switch through an access port assigned to vlan 20. I can access the pfsense box through that port at 192.168.20.1 (so I have access to vlan 20) but I cannot access or even ping my switch at 192.168.20.2.

      Why is this happening?

      I suspect that because the cisco switch wants native vlan traffic untagged, by assigning the native vlan to vlan 20, which is tagged via pfSense, there is a conflict.

      None of my devices have lost internet connectivity in my attempt to move my switch off vlan 1.

      Thanks - Jeff.

      I'm new here. Please be gentle.

      pfSense = default gateway 192.168.2.1
      vlan 20 gateway = 192.168.20.1

      M 1 Reply Last reply Reply Quote 0
      • M
        marvosa @maxisthebest55
        last edited by marvosa

        I suspect that because the cisco switch wants native vlan traffic untagged, by assigning the native vlan to vlan 20, which is tagged via pfSense, there is a conflict.

        Correct. To my knowledge, PFsense can only create tagged VLANs and the switch sends traffic on the native VLAN as untagged, so there's no way to move away from VLAN 1 if you intend on leveraging the native VLAN to access PFsense or a device in another VLAN thru PFsense. The only caveat I can think of where it may be possible is using a Netgate appliance with an integrated switch.

        I've read that segmenting switch management traffic in a separate vlan, other than vlan 1, is a good opsec practice if implemented thoughtfully.

        Cisco best practice says to disable VLAN 1... and configure the native VLAN to something unused that goes nowhere.

        My recommendation:

        • Disable VLAN 1 on your switch (if it isn't already)
        • Remove the IP from the LAN interface on PFsense and leave it unaddressed
        • Create a management VLAN on PFsense
        • On your switch, create a catch-all VLAN (e.g. 199) that will never be used and configure that for the native VLAN on your trunks.
        johnpozJ 1 Reply Last reply Reply Quote 1
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @marvosa
          last edited by johnpoz

          @marvosa said in Unable to access cisco switch GUI on pfSense vlan:

          so there's no way to move away from VLAN 1

          Huh? What the switch default vlan is has nothing to do with pfsense. To pfsense its untagged doesn't care what the switch uses for the vlan id.

          What specific cisco switch are you working with?

          I have my default vlan on my sg300 set to 9

          vlan.jpg

          Only reason using 9, is it lines up with what that network uses 192.168.9/24

          While yes is common practice to change the default vlan in the enterprise away from 1. In home or small network there is really no reason for it, other than if you were needing to tag this vlan to carry it across your network.

          If its going to be untagged doesn't really matter what the vlan id is, just what the switch is using internally.. Only reason I moved mine away from 1 is habit ;)

          As to untagged on your trunks - while sure you can do that, but not something that must be done.. I have some trunks where there is a native untagged vlan, doesn't have to be the default vlan, I run vlan 2 as native on 1 trunk, and that is another untagged network into pfsense (my wlan network). I have multiple uplinks into pfsense. And other trunks where there is no untagged (native) traffic on it - and all traffic is tagged.

          I take it this is all just a learning exercise? If your not comfortable currently with changing the default vlan on the switch.. Just leave it at 1.. Are you wanting/needing to carry this vlan tagged across a vlan? Because your using some other vlan as untagged already?

          I would say the better security practice would be in line with what @marvosa was saying about catch-all or never used vlan. I have a vlan 99 on my switch that is used nowhere on my network... And all ports that are not actively in use are configured for this vlan99.. So you can not just plug in and connect to anything, even if the port was enabled.. Which another good practice is disable all ports not actively used. But even if turned it on by accident say, anything plugged into that wouldn't be able to talk to anything because the vlan on that port is 99, which is a dead vlan id and not used anywhere else.

          Really the only caveat to changing what the switch uses for its default vlan, is not locking yourself out of the switch when you change it. Prob best to have console access to the switch when changing it ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.03 | Lab VMs 2.7.2, 24.03

          M 1 Reply Last reply Reply Quote 1
          • M
            maxisthebest55 @johnpoz
            last edited by

            @johnpoz

            The switch = Cisco WS-C3560E-48PD-SF. Also running a 2960-CG

            Re: There is really no reason for it
            I am well aware that what I'm doing falls in the realm of completely unnecessary for a home network. Just a learning exercise.

            I figured out the answer to my convoluted post from yesterday. You touched on it in your post but I'll type it out in my words...

            From what I can tell, the pfSense LAN is the only untagged network available on the router. Changing the native VLAN on a switch, for example, to VLAN 20, would require that the ip address assigned to that VLAN be in the address range of the LAN network on the pfSense box (because it also is untagged) to maintain web access to the switch.

            Key takeaway - the native VLAN on switch (untagged) should not be assigned to a VLAN network (tagged) on a pfSense box (else one loses web access to the switch). Also, the ip address assigned to native VLAN on switch must be in the same subnet as the router LAN.

            Thank you. -jeff

            1 Reply Last reply Reply Quote 0
            • First post
              Last post