VLAN Tagging Traffic on Cisco Switch

Posted by David W on Server Fault See other posts from Server Fault or by David W
Published on 2014-06-09T18:12:00Z Indexed on 2014/06/09 21:27 UTC
I have a situation where I'm setting up multiple VLANS on a pfSense firewall on the same physical interface for a client.

So in pfSense, I now have VLAN 100 (employees) and VLAN 200 (students - student computer lab).

Downstream from pfSense, I have a Cisco SG200 switch, and coming off of the SG200 is the student lab (running on a Catalyst 2950. Yes, that's old, but it works, and this is a poor nonprofit we're talking about).

What I'd like to do is tag everything on the network as VLAN 100, except for the student computer lab.

Earlier today when I was on-site with the client, I went into the old Catalyst 2950 and assigned all of its ports to access VLAN 200 (switchport mode access vlan 200) without setting up a trunk on the Catalyst or on the SG200.

Looking back on it, I now understand why internet in the lab broke. I reverted the lab back to the default VLAN 1 (we're still running on a different firewall - we haven't deployed pfSense - and the traffic is still separated physically).

So my question is, what do I need to do in order to properly deploy this scenario?

I believe the correct answer is:

  • Ensure VLANs 100 and 200 are set up in pfSense, and that DHCP is operating correctly (on separate subnets).
  • Set up a trunk port that allows both VLAN 100 and VLAN 200 traffic, and plug that port directly into pfSense.
  • Set up a VLAN 200 trunk port on the SG200 (it's not running IOS, but if it were, the command would be switchport trunk native vlan 200), which will then plug into the Catalyst 2950.
  • Set up a VLAN 200 trunk port on the Catalyst 2950 (that is plugged into the SG200 VLAN 200 port) with the same command - switchport trunk native vlan 200.
  • Set up the rest of the ports on the old Catalyst 2950 in the lab to be access ports on VLAN 200.

Is there anything that I'm missing, or do I need to tweak any of these steps, in order to properly segment the network traffic?
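The steps above, as an added example of a Catalyst 2950 configuration for the lab switch. This is not configuration from the original post; the interface numbers, the VLAN name and the uplink port (FastEthernet0/24) are assumptions, and it assumes an IOS release that supports VLAN configuration from global config mode rather than the older vlan database. The example carries VLAN 200 tagged on the trunk and restricts the trunk to that one VLAN, so that untagged frames from either side cannot land in a production VLAN and a lab host that plugs into the uplink cannot reach VLAN 100.

```cisco
! Added example for the Catalyst 2950 in the student lab (not from the post).
! Interface names, VLAN name and uplink port are assumptions.

! Define VLAN 200 locally; the 2950 only forwards VLANs it knows about.
vlan 200
 name STUDENT_LAB
!
! Uplink to the SG200: an 802.1Q trunk carrying only VLAN 200, tagged.
! The native (untagged) VLAN is parked on an unused ID so no untagged
! traffic from either side is mapped into VLAN 1 or VLAN 100.
interface FastEthernet0/24
 description Uplink-to-SG200
 switchport mode trunk
 switchport trunk allowed vlan 200
 switchport trunk native vlan 999
 switchport nonegotiate
 no shutdown
!
! Lab ports: access ports in VLAN 200, with DTP negotiation disabled so a
! connected host cannot turn its port into a trunk.
interface range FastEthernet0/1 - 23
 description Student-Lab
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
 spanning-tree portfast
 no shutdown
!
end
```

On the SG200 side (configured through its web interface, since it has no IOS CLI) the port facing the 2950 must match: a trunk port with VLAN 200 as a tagged member and no production VLAN as its untagged member. The port facing pfSense must carry both VLAN 100 and VLAN 200 tagged, because pfSense's VLAN interfaces on the shared physical NIC send and expect 802.1Q-tagged frames. To check the result on the 2950, show interfaces trunk lists the allowed and active VLANs on FastEthernet0/24, and show vlan brief confirms that FastEthernet0/1 - 23 sit in VLAN 200; a lab host should then receive an address from the VLAN 200 DHCP scope and not from the VLAN 100 one.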
