cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
342
Views
0
Helpful
1
Replies

Help with community VLAN and Primary VLAN

I'm a beginner, but I'm slowly but surely learning new features in my Cisco SG-switch.

 

I want to use a centralized switch, in this I prefer to work with limitations for the rest of the network. Should I get any trouble with one of the other switches, I want to be able to replace these easily without making a lot of settings. That's the dream.

 

I got a SG300 as my central switch in my network and I have 8 stages. Each stage has its own "mainswitch", they should be able to communicate with each other on the same switch, but not to other stages. On my centralized switch I have a file server, WIFI and some internet which everyone needs to reach.

 

If I understood it all right, I can use the community VLAN and a PRIMARY VLAN to solve this.

 

I have created VLAN 11-18 as a community VLAN. 100 as Primary VLAN and 200 as Isolated/private VLAN. 

 

Private_VLAN_Settings.jpg

VLAN_settings.jpg

 

Port 1-8 on my switch I setup COMMUNITY VLAN 11-18, on the rest I want PRIMARY VLAN. I have created these as TRUNK and PVID 11-18. They are untagged. Found a video about that, but I also saw someone that use other stuff then TRUNK.

Port_VLAN_Membership.jpg

 

Each port stop communicating with each other and if I put e.g. my port 11 as PVID 11 and UNTAGED, then it communicates with the things on port 1 from my centralized switch that have the same setting. That's how I want it to work to lock out the other stages from the separated stage network.

 

When I come to PRIMARY I have not managed to figure out if they should be ACCESS, GENERAL, TRUNK ... if they should be UNTAGED, TAGGED or EXCLUDE for the different VLANs. Should they be on PVID 100 which is my PRIMARY VLAN? Should I taged all the VLANS on PRIMARY VLAN-port?

 

Searched and read on internet, watched youtube clips and in most places I found, it is done as I described above ... but nothing how to handle the PRIMARY ports and how it could communicate to my COMMUNITY VLANS. I may have misunderstood it all and done the right thing, but that I hoped that from my PRIMARY ports will be able to access everything in PVID 11 to 18, but that they will not be able to communicate outside their community VLANS more then reach fileserver and WIFI.

If I have set up as I did, my questions are:
"Can I access all my COMMUNITY VLANS from my PRIMARY VLAN or is it just that all my COMMUNITY VLANS access what is on the PRIMARY VLAN ports?"
If it is possible to use PRIMARY VLAN: "How should I set port 19... TRUNK, ACCESS, GENERAL and what should it look like 1TP, 100T, 11T, 12T... so I can reach computer on PVID 11-18?"


GE18-GE20.jpg

1 REPLY 1
pieterh
VIP Collaborator

please look at figure 1-2 in 

Cisco Nexus 5000 Series NX-OS Software Configuration Guide - Configuring Private VLANs [Cisco Nexus 5000 Series Switches] - Cisco
maybe this explains the flow 
NB each ports belong to both a primary and either a community-or-private vlan

port-type general, dynamically assigns a port access or trunk depending on the connected device
define all ports connected to a normal pc as access,
ports to other switches as trunk

tagged or untagged, defines if packed contain a vlan-tag,
ports where pc's are connected should be untagged,
on ports to other switches vlans should be tagged (you can tag all vlan's or untag a "default vlan")
the untagged vlan (default vlan) on sending and receiving switch should match

NB! when using a Virtualisation host with multiple VM's in different vlans, its more complicated