07-09-2018 02:19 PM - edited 03-21-2019 11:26 AM
Excuse the newbie in me, VLANs are new to me and I decided to create them for the pure reason of security. With all the devices around these days, Echo Dots and so forth, I want these off of my regular network and put into a virtual network.
I have a pfSense router box that I made. I have 2 VLANs assigned to one of the interfaces, each with its own DHCP server.
VLAN 10 - 10.0.10.0/24
VLAN 20 - 10.0.20.0/24
From my pfSense I have a connection configured as a trunk port going to my SG220-26 switch. If I configure, let's say, port 5 on my switch as an access port, my non-VLAN-aware device will lose connection. If I configure the port as a general port it connects, but to the default VLAN of 1...
I am at a loss with VLANs, I thought they would be simple to implement, but after a few days I am at the point of walking away.
I know this is only a home network, but I take security seriously and really need some help to get this thing working.
Ask questions and I will provide the details needed.
I appreciate your time in helping me.
07-10-2018 12:57 AM
Hi there,
Please provide the running config of the switch.
My first guess would be that you have not configured the correct access VLAN on port 5... but let's take a look at the config :)
cheers,
Seb.
07-10-2018 09:40 AM
The config as of right now is this... I have omitted some items that are not relevant. I have also changed and added a couple of VLANs.
----------------------------
Switch486752#show running-config
config-file-header
Switch486752
v1.1.4.1
CLI v1.0
@
!
!
!
clock source sntp
sntp server 192.168.0.1 port 123
clock timezone EST -5 minutes 0
clock summer-time web recurring usa
username "#$%*#" secret encrypted ##########################################=
no passwords complexity enable
!
!
!
vlan 10
name "Admin"
vlan 20
name "Data"
vlan 30
name "Home WiFi"
vlan 40
name "UNSECURE"
vlan 50
name "GAMING_VLAN"
voice vlan oui-table add 00:E0:BB 3COM
voice vlan oui-table add 00:03:6B Cisco
voice vlan oui-table add 00:E0:75 Veritel
voice vlan oui-table add 00:D0:1E Pingtel
voice vlan oui-table add 00:01:E3 Siemens
voice vlan oui-table add 00:60:B9 NEC/Philips
voice vlan oui-table add 00:0F:E2 H3C
voice vlan oui-table add 00:09:6E Avaya
!
!
!
!
no spanning-tree
spanning-tree mst configuration
name "B0:7D:47:48:67:52"
!
!
!
!
!
!
snmp-server location "Server CLoset"
snmp-server contact "Dean"
!
!
!
ip ssh server
!
!
!
!
!
!
!
!
!
interface gi1
!
interface gi2
!
interface gi3
!
interface gi4
!
interface gi5
switchport mode access
switchport access vlan 50
!
interface gi6
!
interface gi7
!
interface gi8
!
interface gi9
!
interface gi10
!
interface gi11
!
interface gi12
!
interface gi13
switchport trunk allowed vlan add 10,20,30,40,50
!
interface gi14
!
interface gi15
!
interface gi16
!
interface gi17
!
interface gi18
!
interface gi19
!
interface gi20
!
interface gi21
!
interface gi22
!
interface gi23
!
interface gi24
!
interface gi25
!
interface gi26
!
!
!
----------------------------
So in an attempt to get this working, I set up more VLANs and changed them to what you see. My trunk port for now is port 13, going to the pfSense machine. I am wondering if I need to set encapsulation on port 13?
Port 5 is the port I am testing with a non-VLAN-aware device. I will also be adding VLAN-aware devices like my Ubiquiti UniFi WAPs on another port.
I look forward to your reply.
07-10-2018 12:35 PM
OK, I'd like to make some changes to your running config which will help with our troubleshooting:
!
no spanning-tree mst configuration
!
spanning-tree enable
spanning-tree mode rstp
!
int gi5
spanning-tree portfast
!
Connect the switch to the pfsense box in gi13...give it 30 seconds...
Can you then tell me the output of:
sh interfaces switchport gi13
sh spanning-tree gi13
sh mac-address table
Can you find out the MAC address on the pfSense VLAN interfaces too?
cheers,
Seb.
07-10-2018 01:19 PM
I will check on the other items right now, but the VLANs are all virtual, residing on 1 port, if that makes sense?
Be right back with the rest of the info..
07-10-2018 01:27 PM
Switch486752#sh interfaces switchport gi13
Port : gi13
Port Mode : Trunk
Gvrp Status : disabled
Ingress Filtering : enabled
Acceptable Frame Type : all
Ingress UnTagged VLAN ( NATIVE ) : 1
Trunking VLANs Enabled: 10,20,30,40,50
Port is member in:
Vlan    Name                    Egress rule
------- ----------------------- -----------------
1       default                 Untagged
10      Admin                   Tagged
20      Data                    Tagged
30      Home WiFi               Tagged
40      UNSECURE                Tagged
50      GAMING_VLAN             Tagged
Forbidden VLANs:
Vlan    Name
------- -----------------------
Switch486752#sh spanning-tree gi13
% Unknown command
Switch486752#sh mac-address table
% Unknown command
The VLANs do not have a MAC address as I thought; only the physical interface has one, but I have the option to spoof a MAC if needed.
The physical MAC is 00:26:55:e2:e2:4e
It is a 4-port HP-branded NIC, was not cheap and should be fine for the application.
07-10-2018 01:42 PM - edited 07-10-2018 01:49 PM
SH apparently does not work on all commands, weird.
This worked..
Switch486752#show mac address-table
VID   | MAC Address       | Type              | Ports
------+-------------------+-------------------+----------------
1     | B0:7D:47:48:67:52 | Management        | CPU
1     | 00:0C:C6:81:4C:59 | Dynamic           | gi25
1     | 00:16:6C:F0:80:7C | Dynamic           | gi25
1     | 00:26:55:E2:E2:4E | Dynamic           | gi1
1     | 00:26:55:E2:E2:4F | Dynamic           | gi13
1     | 08:62:66:35:77:D5 | Dynamic           | gi25
1     | 2C:54:91:38:BA:B3 | Dynamic           | gi25
1     | 34:AB:37:0A:A0:15 | Dynamic           | gi3
1     | 34:D2:70:EE:BC:A2 | Dynamic           | gi25
1     | 38:F7:3D:4C:2C:7E | Dynamic           | gi25
1     | 3C:2E:FF:91:53:21 | Dynamic           | gi3
1     | 44:61:32:DF:2C:3B | Dynamic           | gi3
1     | 50:C7:BF:2D:B3:99 | Dynamic           | gi25
1     | 50:C7:BF:2D:C8:33 | Dynamic           | gi25
1     | 50:C7:BF:53:A1:40 | Dynamic           | gi25
1     | 54:33:CB:E3:85:51 | Dynamic           | gi3
1     | 68:B5:99:8F:56:CA | Dynamic           | gi25
1     | 90:2B:34:8C:44:88 | Dynamic           | gi18
1     | 90:8D:6C:12:4E:60 | Dynamic           | gi3
1     | 98:B6:E9:28:A1:AB | Dynamic           | gi25
1     | A0:CF:5B:E4:72:5F | Dynamic           | gi25
1     | B0:4E:26:6F:DF:CB | Dynamic           | gi25
1     | B0:7D:47:48:72:D1 | Dynamic           | gi25
1     | B0:7D:47:48:72:EA | Dynamic           | gi25
1     | B4:7C:9C:6D:53:23 | Dynamic           | gi3
1     | B8:27:EB:9E:11:B7 | Dynamic           | gi25
1     | B8:27:EB:D1:BA:0D | Dynamic           | gi25
1     | BC:83:85:4D:09:21 | Dynamic           | gi25
1     | F0:81:73:6D:E0:F4 | Dynamic           | gi25
1     | F0:9F:C2:A6:B5:45 | Dynamic           | gi25
1     | F0:9F:C2:F3:7D:1C | Dynamic           | gi3
1     | FC:A1:83:6A:FB:15 | Dynamic           | gi3
1     | FC:ED:B9:03:2E:78 | Dynamic           | gi25
50    | FE:28:84:2D:27:09 | Dynamic           | gi5
Total number of entries: 34
Also, here are the ports listed again, showing the spanning tree on port 5:
interface gi1
!
interface gi2
!
interface gi3
!
interface gi4
!
interface gi5
switchport mode access
switchport access vlan 50
spanning-tree portfast
!
interface gi6
!
interface gi7
!
interface gi8
!
interface gi9
!
interface gi10
!
interface gi11
!
interface gi12
!
interface gi13
switchport trunk allowed vlan add 10,20,30,40,50
!
interface gi14
!
interface gi15
!
interface gi16
!
interface gi17
!
interface gi18
!
interface gi19
!
interface gi20
!
interface gi21
!
interface gi22
!
interface gi23
!
interface gi24
!
interface gi25
!
interface gi26
!
!
!
07-10-2018 03:34 PM - edited 07-10-2018 03:34 PM
Looking at the MAC address table, have you got the pfSense box connected to the wrong switch port?
1     | 00:26:55:E2:E2:4E | Dynamic           | gi1
1     | 00:26:55:E2:E2:4F | Dynamic           | gi13
...shouldn't that MAC appear on gi13? Maybe the port numbering on the HP NIC is not what you think it is? Try swapping gi1 and gi13 around.
cheers,
Seb.
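Seb's two checks in this thread (does each access port's VLAN exist and ride the trunk, and does the pfSense MAC actually show up on the port configured as the trunk?) can be scripted so they are not done by eye. The script below is an added example, not code from the thread, from Cisco, or from pfSense. It parses a running-config excerpt and a `show mac address-table` excerpt shaped like the ones posted above; both samples are constructed for the example, with one deliberately broken access port (gi6, VLAN 60) added that the thread did not have. Two assumptions are built in: a port with no `switchport mode` line is treated as a trunk, matching the `Port Mode : Trunk` shown for gi13 although gi13 had no explicit `switchport mode trunk`; and a trunk with no `switchport trunk native vlan` line is treated as native VLAN 1, matching the `Ingress UnTagged VLAN ( NATIVE ) : 1` output. The native-VLAN-1 finding is a hardening caveat, not an error the thread reported.

```python
"""Audit an SG220-style switch config and MAC table against the intended
pfSense trunk port. Added example with constructed sample data; not from
the original thread."""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the running-config posted in the thread.
# gi6 / VLAN 60 is an intentionally broken access port added for the example.
RUNNING_CONFIG = """\
vlan 10
name "Admin"
vlan 50
name "GAMING_VLAN"
!
interface gi1
!
interface gi5
switchport mode access
switchport access vlan 50
spanning-tree portfast
!
interface gi6
switchport mode access
switchport access vlan 60
!
interface gi13
switchport trunk allowed vlan add 10,20,30,40,50
!
"""

# Constructed sample, shaped like 'show mac address-table' output in the thread.
MAC_TABLE = """\
VID   | MAC Address       | Type              | Ports
------+-------------------+-------------------+----------------
1     | 00:26:55:E2:E2:4E | Dynamic           | gi1
1     | 00:26:55:E2:E2:4F | Dynamic           | gi13
50    | FE:28:84:2D:27:09 | Dynamic           | gi5
"""


@dataclass
class Port:
    name: str
    mode: str = "trunk"      # assumption: no 'switchport mode' line means trunk
    access_vlan: int = 1
    native: int = 1          # assumption: default native VLAN is 1
    allowed: set = field(default_factory=set)


def parse_config(text: str):
    """Return (defined VLAN ids, {port name: Port}) from a running-config."""
    vlans, ports, cur = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^vlan (\d+)$", line):
            vlans.add(int(m.group(1)))
            cur = None                      # 'name "..."' lines belong to the VLAN, not a port
        elif m := re.match(r"^interface (\S+)$", line):
            cur = ports.setdefault(m.group(1), Port(m.group(1)))
        elif cur and (m := re.match(r"^switchport mode (\S+)$", line)):
            cur.mode = m.group(1)
        elif cur and (m := re.match(r"^switchport access vlan (\d+)$", line)):
            cur.access_vlan = int(m.group(1))
        elif cur and (m := re.match(r"^switchport trunk native vlan (\d+)$", line)):
            cur.native = int(m.group(1))
        elif cur and (m := re.match(r"^switchport trunk allowed vlan add (\S+)$", line)):
            cur.allowed.update(int(v) for v in m.group(1).split(","))
    return vlans, ports


def parse_mac_table(text: str):
    """Return [(vid, MAC, port)] rows; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) == 4 and cells[0].isdigit():
            rows.append((int(cells[0]), cells[1].upper(), cells[3]))
    return rows


def audit(config: str, mac_table: str, trunk_port: str, router_mac: str):
    """Return a list of human-readable findings; empty means the layout is consistent."""
    vlans, ports = parse_config(config)
    findings = []
    trunk = ports.get(trunk_port)
    if trunk is None or trunk.mode != "trunk" or not trunk.allowed:
        findings.append(f"{trunk_port}: uplink is not a trunk carrying tagged VLANs")
    elif trunk.native == 1:
        findings.append(f"{trunk_port}: native VLAN is the default VLAN 1, so untagged "
                        "frames from the unconfigured default VLAN ride the uplink")
    for p in ports.values():
        if p.mode != "access":
            continue
        if p.access_vlan not in vlans:
            findings.append(f"{p.name}: access VLAN {p.access_vlan} is not defined on the switch")
        if trunk and p.access_vlan not in trunk.allowed:
            findings.append(f"{p.name}: VLAN {p.access_vlan} is not tagged on {trunk_port}, "
                            "so the router's DHCP server for it is unreachable")
    learned = {mac: port for _vid, mac, port in parse_mac_table(mac_table)}
    where = learned.get(router_mac.upper())
    if where is None:
        findings.append(f"router MAC {router_mac} has not been learned on any port")
    elif where != trunk_port:
        findings.append(f"router MAC {router_mac} was learned on {where}, not on trunk "
                        f"{trunk_port}: the cable or the NIC port order is wrong")
    return findings


if __name__ == "__main__":
    # The pfSense parent-interface MAC from the thread, expected on the trunk gi13.
    for f in audit(RUNNING_CONFIG, MAC_TABLE, "gi13", "00:26:55:e2:e2:4e"):
        print("FINDING:", f)
```

Run against the constructed data the script reports four findings: the router MAC learned on gi1 instead of gi13 (the thread's actual problem), the undefined and un-trunked VLAN 60 on gi6, and the native VLAN 1 caveat. Point it at your own `show running-config` and `show mac address-table` output, with the MAC of the pfSense interface that carries the VLANs, to get the same answer Seb reached by inspection.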
07-10-2018 04:07 PM
Yes, you are right. I guess when the card was installed, pfSense did not map the ports in the order I expected. I feel like an idiot that I did not see this to begin with; I was feeding all my VLANs to the wrong port.
Palm in face going on here....
I want to thank you so much for your assistance, you have been a great help!
Many regards.
Dean
07-11-2018 12:17 AM
Not a problem, glad you got it working.
06-21-2019 01:24 PM
Hi @Seb Rupik, I have the same switch and the same problem as Dean, but I've already checked and the pfSense NIC is connected to the right port (ge 1) on my switch (please see the attached image). I'm not sure what else I should do. I've created and assigned a DHCP service to these 3 VLANs (VLAN 10, VLAN 20 and VLAN 30); however, I'm not receiving any IP address when connecting to the ports where I've assigned the VLANs. This is my switch config file:
----------------------------
SwitchF77A9B#sh run
config-file-header
SwitchF77A9B
v1.0.0.17
CLI v1.0
@
!
!
!
!
username "cisco" secret encrypted ##########################################=
!
!
!
vlan 10
name "VLAN10"
vlan 20
name "VLAN20"
vlan 30
name "VLAN30"
voice vlan oui-table add 00:E0:BB 3COM
voice vlan oui-table add 00:03:6B Cisco
voice vlan oui-table add 00:E0:75 Veritel
voice vlan oui-table add 00:D0:1E Pingtel
voice vlan oui-table add 00:01:E3 Siemens
voice vlan oui-table add 00:60:B9 NEC/Philips
voice vlan oui-table add 00:0F:E2 H3C
voice vlan oui-table add 00:09:6E Avaya
!
!
!
!
spanning-tree mode rstp
spanning-tree mst configuration
name "3C:0E:23:F7:7A:9B"
!
!
!
!
!
!
!
!
!
ip ssh server
!
!
!
!
!
!
!
!
!
!
interface gi1
switchport trunk allowed vlan add 10,20,30
!
interface gi2
!
interface gi3
!
interface gi4
!
interface gi5
!
interface gi6
!
interface gi7
!
interface gi8
switchport mode access
switchport access vlan 10
spanning-tree portfast
!
interface gi9
!
interface gi10
!
interface gi11
!
interface gi12
!
interface gi13
!
interface gi14
switchport mode access
switchport access vlan 20
!
interface gi15
!
interface gi16
!
interface gi17
!
interface gi18
!
interface gi19
!
interface gi20
switchport mode access
switchport access vlan 30
!
interface gi21
!
interface gi22
!
interface gi23
!
interface gi24
!
interface gi25
!
interface gi26
!
!
!
SwitchF77A9B#
----------------------------------------------------------------
Thank you very much for your help, I really appreciate it!
If you have any question please let me know and i'll try to answer and provide the details needed.
Regards,
Andrés
07-01-2019 12:20 AM
Hi there,
Can you try explicitly setting gi1 as a trunk switchport:
!
int gi1
switchport mode trunk
!
Then share the output of sh int trunk
cheers,
Seb.
07-03-2019 01:35 PM
Hi @Seb Rupik, just as an FYI, this has been solved. The issue was that I was using Oracle VirtualBox, and this app does not have VLAN support like other paid virtualizers such as Hyper-V or VMware, where you can create a virtual switch and allow traffic there between VLANs on physical devices and interfaces.
Thank you very much for your help!
Regards,
Andres