cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Cisco SG-300 VLAN Groups setup

kzhang
Beginner
Beginner

Hi, I'm kinda new to this vlan. what we want is to set the following:

VLAN 10 for accounting (port 1-10)

VLAN 20 for sales (port 11-20)

VLAN (10+20) for servers that both accounting and slaes can access (port 22-25)

I've been goofing around with no luck, either one of them is accessible but the other group is not.

my setup is the following

port 1-10 : access ports, VLAN ID 10, untagged PVID

port 11-20: access ports, VLAN ID 20, untagged PVID

how should port 22-25 be setup so that vlan 10 and vlan 20 have access to?

7 REPLIES 7

kzhang
Beginner
Beginner

I was able to get this with the following:

G1 General PVID 10, 1T 10U

G2 General PVID 20, 1T 20U

G3 General PVID 1, 1U 10T 20T

so say port 1 are for accounting users, port 2 are for sales users, and port 3 are the servers.

Is this the RIGHT way to do it???

David Carr
Frequent Contributor
Frequent Contributor

Ke Zhang,

With vlans, you can only be a member of one vlan.  Just how you can only be a member of one network.  So the ports that you have configured for accounting need to be access ports member of that vlan.  The only time you need more than one vlan is when your passing the traffic to another switch or a layer 3 device to route from one vlan to another.

Hi thanks for the reply, I have attached a drawing to clarify of what I'm trying to do.

Basically I need to seperated different departments and at the same time they all need access to the internet.

I can configure the different groups to be access ports and therefore they can be seperated, but how is the trunk port configured so that all have internet access??

thanks.

Dear Mr Zhang

'Hello' in Chinese script

Not trying to interfere with  my dear colleague Mr Carr work, but it is late at night here, I have turned on my 300 series switch and want to try to give you an answer.  The 300 series switches are many generations ahead of the old Linksys switches, the only thing they really have in common is a shared ordering part number.

I believe I understand what you want to do, but would like not to complicate things too much by using VLAN interface  general mode.

If you want servers to be accessable by both the sales and accounting VLAN users, why not just put the servers in a seperate VLAN, maybe I could call it the server VLAN  with a VID=30.

I can see from your diagram above,  you already have three sub-interfaces that can support all three VLANs. ( i have ignored the default VLAN VID=1 ).

These sub-interfaces on your WAN router  can tagged for the three VLANs .

Because your WAN router supports sub-interfaces it can therefore route between VLANs.  Why not make use of that excellent feature, if it is possible..

My proposal is to make use of those routable sub-interfaces on your WAN router  and just trunk three VLANs to your WAN router  via GbE port 28  

Again, luckily you have a 300 series switch that also supports wirespeed Access-Lists,  in case you need to add restrictions or restrict access between  network resources.

What about the following VLAN setup. Click on the table below  to make it bigger.

I guess you used VID 10 and 20 because they are the sub-interface numbers on your WAN router.  That is only a guess on my part.

Why not use port 28 as a link to propagate the Tagged VLANs to your VLAN aware WAN router.

Leave all switch ports in trunk mode and not use general mode.

(NOTE: could be easier just  to set the switch back to factory defaults and start again).

Check out this 6 minute recording and see if this works for you, yes it took me only 6 minutes to configure the switch for your needs.

Remember when viewing the recording,  that you can pause the recording to perform the necessary configuration steps..

Click here to see recording

Hope this helps,

regards Dave

Hi David, I want to thank you for the time and effort you put in answering my question. And the video you put up is really great.

I really appreciate it. I guess I'll go this way.

A few things, since we are using ports of a single VALN, can we make them into access ports? instead of leaving them as trunk port mode?

Second, after I configured this I did a testing to ping the router interface, say for example using laptop 192.168.1.15 pingping the router interface 192.168.1.1, out of 10 pings, there is one ping that would be in the 400-500ms. There are no dropped pings but lots of pings with delays.

Can you make sense out of this?