SG300 Native Trunk confusion - Best practice for security

Rogger Melly
Level 1

Hi Experts

I have to set up some SG300s, a 2960 switch stack and a Palo Alto firewall. The design states that I need to have VLAN1 shut down and also place all unused VLANs into VLAN99. I will also have 3 more VLANs: 66, 77 and 5. VLAN5 will be my management VLAN and the VLAN5 gateway will be a port on the Palo Alto. VLAN66 and VLAN77 will not have IP addresses on the Cisco switches, but the Palo Alto will have 10.0.66.1 and 10.0.77.1 on two of its interfaces. All the Cisco switches will have a VLAN5 management address and a default gateway of 10.0.5.1.

 

I’m happy with most of the configuration but the SG300s are puzzling me. I found the examples below of how to configure a trunk, and at present I can only talk to the Palo Alto by configuring:

interface gi1
description UPLINK-TO-PA3020
switchport mode trunk
switchport trunk native vlan 5

 

If I try to make a connection with an access port I can’t route traffic. If I try to configure it with just “switchport trunk allowed vlan add 5” it drops my connection. The SG300s are in L3 mode.

Is there something I am missing with regard to the “Native VLAN”? Is VLAN1 (shut down) giving me issues? Do I need to create a global native VLAN?

The examples below are what I found on a 3rd-party website and, as mentioned, I can only get it to work with the native trunk version. Any help would be much appreciated.

 

Set up a switchport (range) for untagged VLAN as "Native VLAN" on "Trunk"
interface gi1
switchport mode trunk
switchport trunk native vlan 55

Set up a switchport (range) for tagged ("Allowed")/untagged ("Native") VLAN
interface gi1
switchport mode trunk
switchport trunk allowed vlan add 55
switchport trunk native vlan 2

4 Replies

Reza Sharifi
Hall of Fame

I am not familiar with SG series switches, but usually you need one VLAN as your native VLAN across all devices. In your case that is VLAN 5. So, VLAN 5 needs to be the native VLAN on all your switches.

Here is the config you need on all Cisco switch uplinks, including the uplink to the firewall. In this example VLANs 66 and 77 are your regular VLANs and 5 is native.

interface gi1
switchport mode trunk
switchport trunk allowed vlan add 66,77
switchport trunk native vlan 5

HTH

Thanks for the reply. So if I only have VLAN 5 on my switch (as I do for a couple of them), would the configuration for the trunk look like this?

interface gi1
switchport mode trunk
switchport trunk native vlan 55

That is correct. If you have multiple switches, they all need to have the same native VLAN ID (in your case 55).

HTH

So I’ve been messing around with this now for way too long and these SG300s are, for want of a better word, S*&T. Nothing makes any sense on them. The only way I can get the trunk to connect is by using the following:

interface gi1
switchport mode trunk
switchport trunk native vlan 5

 

All my ports on the SG300 (with VLAN5 - management switch) are set to 5UP and the connecting trunk has an end IP address of 10.0.5.1 (this is the DG IP and the port on the firewall).

For my other switch connecting to the same firewall I have a management IP of 10.0.5.11, but this is my access switch and all the ports are in VLAN77. I can only get this to connect and pass traffic if I set the trunk to the following:

switchport trunk native vlan 77

I have a PC plugged into VLAN77 (PC IP address 10.0.77.100 with a default gateway of 10.0.77.1, which is another port on the firewall). I can connect to the firewall and open the management page via 10.0.77.1, and I can ping my management IPs. The problem comes when I want to connect to anything other than the SG300s, as I have a 2960 sat on another port with 2 more VLANs.

I think it may be of some use to put a diagram together and attach it to this post, as I feel I am now chasing my tail and understand that it's more complex than originally intended.

 

Regards R
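As an added example (not code from the thread, Cisco or Palo Alto), a small Python checker that applies the rule from Reza's answer, one native VLAN on every uplink, set explicitly rather than left at VLAN 1 which the design shuts down, to IOS/SG300-style trunk configs like those pasted in the thread, and also flags the case in the last follow-up where the management VLAN 5 is the untagged native VLAN; the device names and sample configs are constructed.

```python
import re
from dataclasses import dataclass, field
MGMT_VLAN = 5        # from the thread: VLAN 5 is the management VLAN
DEFAULT_NATIVE = 1   # native VLAN a trunk falls back to when none is configured

@dataclass
class Trunk:
    device: str
    port: str
    mode: str = "access"
    native: int = DEFAULT_NATIVE
    allowed: set = field(default_factory=set)

def parse_trunks(device: str, config: str) -> list:
    # Walk an IOS/SG300-style config and keep only the ports in trunk mode.
    ports, cur = [], None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := re.match(r"interface (\S+)", line):
            ports.append(cur := Trunk(device, m.group(1)))
        elif cur and (m := re.match(r"switchport mode (\w+)", line)):
            cur.mode = m.group(1)
        elif cur and (m := re.match(r"switchport trunk native vlan (\d+)", line)):
            cur.native = int(m.group(1))
        elif cur and (m := re.match(r"switchport trunk allowed vlan add ([\d,]+)", line)):
            cur.allowed |= {int(v) for v in m.group(1).split(",")}
    return [p for p in ports if p.mode == "trunk"]

def audit(trunks: list) -> list:
    # Report the native-VLAN conditions that break or weaken the design in the thread.
    findings = []
    natives = {t.native for t in trunks}
    if len(natives) > 1:  # Reza's rule: one native VLAN across every uplink
        findings.append(f"native VLAN differs across uplinks: {sorted(natives)}")
    for t in trunks:
        where = f"{t.device} {t.port}"
        if t.native == DEFAULT_NATIVE:  # untagged frames land in VLAN 1, which the design shuts down
            findings.append(f"{where}: native VLAN left at default {DEFAULT_NATIVE}")
        if t.native == MGMT_VLAN:  # management traffic crosses the trunk untagged
            findings.append(f"{where}: management VLAN {MGMT_VLAN} is the untagged native VLAN")
    return findings

# Constructed sample configs mirroring the uplinks described in the thread (device names assumed).
SAMPLE = {
    "sg300-mgmt": "interface gi1\n description UPLINK-TO-PA3020\n switchport mode trunk\n switchport trunk native vlan 5\n",
    "sg300-access": "interface gi1\n switchport mode trunk\n switchport trunk allowed vlan add 66,77\n switchport trunk native vlan 77\n",
    "c2960-1": "interface Gi1/0/1\n switchport mode trunk\n switchport trunk allowed vlan add 66,77\n",
}
```

Run `audit([t for d, c in SAMPLE.items() for t in parse_trunks(d, c)])` to get the three findings for the sample: mismatched natives across uplinks, the management switch carrying VLAN 5 untagged, and the 2960 uplink still defaulting to VLAN 1.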
