Using a VLAN to isolate a vendor


  • I want to set up a VLAN on our network to isolate a specific PC.

    I added VLAN 10 to the firewall following the instructions in the 2.1 manual. Well done.

    I added VLAN 10 to the two Cisco 3560 switches, one in BldgA, one in BldgB. They are connected by an underground 1Gb CAT6 line.

    I can ping the firewall from both switches. The routing works.

    I cannot ping nor access the PC from the switch it is connected to. It is a Broadcom NetXtreme running on a WinXP box. There are no utilities on the PC to enable VLAN tagging. Let's assume there are none available.

    I set up the port:

    interface FastEthernet0/4
      switchport access vlan 10
      switchport mode access
      spanning-tree portfast

    This did not work. I added
      switchport trunk encapsulation dot1q
    but that didn't help.

    So I changed to trunk mode, which is how the rest of the ports are configured, except that they use port 20 for voice (VoIP).

    interface FastEthernet0/4
      switchport trunk encapsulation dot1q
      switchport trunk native vlan 10
      switchport trunk allowed vlan 10
      switchport mode trunk
      spanning-tree portfast

    Now I am reading something about using native vlan affecting all of the ports.

    The goal is to enable traffic to come to a specific IP address on pfSense, be isolated to a VLAN and sent only to this box.

    Any help?


  • The PC port should look like this:

    interface FastEthernet0/4
      switchport access vlan 10
      switchport mode access
      spanning-tree portfast

    The ports between the switches and the port where the firewall is connected should look like this:

    interface FastEthernet0/x
      switchport trunk encapsulation dot1q
      switchport trunk native vlan 1
      switchport trunk allowed vlan 1,10
      switchport mode trunk

    It will work, but following best practices, the ports between the switches and the port where the fw is connected should look like this:

    interface FastEthernet0/x
      switchport trunk encapsulation dot1q
      switchport trunk allowed vlan 1,10
      switchport mode trunk

    Which means you should have two VLAN-tagged interfaces on pfSense, and not use the native one.
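    As an added example, not part of this thread or of any vendor tool, here is a small Python audit script that checks Cisco IOS interface stanzas against the layout in this answer: the PC port must be an explicit access port, uplink and firewall ports must be dot1q trunks with an explicit allowed-VLAN list that carries VLAN 10, and VLAN 10 must never be a trunk's native VLAN (native frames travel untagged, which is what the first post's trunk-mode attempt did). The sample configurations are constructed from the ones quoted above; the interface names GigabitEthernet0/1 and FastEthernet0/5 are assumptions.

```python
import re

ISOLATED_VLAN = 10  # VLAN used for the vendor PC in the thread


def parse_interfaces(config):
    """Split IOS-style config text into {interface name: [sub-commands]}.

    A stanza starts at a column-0 'interface ...' line; any other column-0
    line (IOS uses '!' as a separator) ends the current stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            m = re.match(r"interface\s+(\S+)$", raw.strip())
            if m:
                current = m.group(1)
                interfaces[current] = []
            else:
                current = None
            continue
        if current is not None:
            interfaces[current].append(raw.strip())
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit_interface(cmds, isolated=ISOLATED_VLAN):
    """Return a list of findings for one interface's sub-commands.

    An empty list means the port fits the design: an explicit access port, or a
    trunk that carries the isolated VLAN tagged and does not use it as native."""
    mode = native = allowed = None
    for cmd in cmds:
        if m := re.fullmatch(r"switchport mode (\S+)", cmd):
            mode = m.group(1)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", cmd):
            native = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan (\S+)", cmd):
            allowed = expand_vlan_list(m.group(1))

    findings = []
    if mode == "access":
        return findings  # one untagged VLAN, nothing else to check here
    if mode != "trunk":
        # No explicit mode: the port is left to DTP negotiation and may come
        # up as a trunk carrying every VLAN instead of a single access VLAN.
        findings.append("no explicit 'switchport mode access' or 'trunk'")
        return findings
    if native == isolated:
        # Native-VLAN frames cross the trunk untagged, so the isolated VLAN
        # becomes indistinguishable from untagged traffic, and a native-VLAN
        # mismatch on the far end merges it into another VLAN.
        findings.append(f"VLAN {isolated} is the native VLAN on a trunk")
    if allowed is None:
        findings.append("trunk has no 'allowed vlan' list (carries all VLANs)")
    elif isolated not in allowed:
        findings.append(f"trunk does not carry VLAN {isolated}")
    return findings


def audit_config(config, isolated=ISOLATED_VLAN):
    """Audit every stanza; return {interface: findings} for ports with findings."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        findings = audit_interface(cmds, isolated)
        if findings:
            report[name] = findings
    return report


# Constructed sample: the trunk-mode attempt from the first post, an uplink
# with no allowed-VLAN list, and a port whose mode was never set.
SAMPLE_BAD = """\
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/5
 switchport access vlan 10
!
"""

# Constructed sample: the access port and trunk from this answer.
SAMPLE_GOOD = """\
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, audit_config(sample) or "no findings")
```

    Running it reports the native-VLAN problem on the first post's FastEthernet0/4 and the missing allowed-VLAN list on the uplink, and returns no findings for the corrected configuration. Paste the output of `show running-config` from each switch into the script to check both ends of the inter-building link with the same rules.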


  • Thank you.

    I had to resolve that one right away, so we opened up access to the consultant's static IP address and NATed him to that specific box using an obfuscated port.

    I will test this soon so that I can have it in my arsenal. Thanks again!