
Cisco SG-300 VLAN Groups setup

kzhang
Level 1

Hi, I'm kinda new to this VLAN. What we want is to set the following:

VLAN 10 for accounting (port 1-10)

VLAN 20 for sales (port 11-20)

VLAN (10+20) for servers that both accounting and sales can access (port 22-25)

I've been goofing around with no luck, either one of them is accessible but the other group is not.

My setup is the following:

port 1-10 : access ports, VLAN ID 10, untagged PVID

port 11-20: access ports, VLAN ID 20, untagged PVID

How should ports 22-25 be set up so that VLAN 10 and VLAN 20 have access to them?

7 Replies

kzhang
Level 1

I was able to get this with the following:

G1 General PVID 10, 1T 10U

G2 General PVID 20, 1T 20U

G3 General PVID 1, 1U 10T 20T

So say port 1 is for accounting users, port 2 is for sales users, and port 3 is for the servers.

Is this the RIGHT way to do it???

Ke Zhang,

With VLANs, you can only be a member of one VLAN. Just how you can only be a member of one network. So the ports that you have configured for accounting need to be access ports, members of that VLAN. The only time you need more than one VLAN is when you're passing the traffic to another switch or a layer 3 device to route from one VLAN to another.

Hi, thanks for the reply. I have attached a drawing to clarify what I'm trying to do.

Basically I need to separate different departments and at the same time they all need access to the internet.

I can configure the different groups to be access ports and therefore they can be separated, but how is the trunk port configured so that all have internet access?

thanks.

Dear Mr Zhang

'Hello' in Chinese script

Not trying to interfere with my dear colleague Mr Carr's work, but it is late at night here, I have turned on my 300 series switch and want to try to give you an answer. The 300 series switches are many generations ahead of the old Linksys switches; the only thing they really have in common is a shared ordering part number.

I believe I understand what you want to do, but would like not to complicate things too much by using VLAN interface general mode.

If you want servers to be accessible by both the sales and accounting VLAN users, why not just put the servers in a separate VLAN, maybe I could call it the server VLAN with a VID=30.

I can see from your diagram above, you already have three sub-interfaces that can support all three VLANs (I have ignored the default VLAN VID=1).

These sub-interfaces on your WAN router can be tagged for the three VLANs.

Because your WAN router supports sub-interfaces it can therefore route between VLANs. Why not make use of that excellent feature, if it is possible.

My proposal is to make use of those routable sub-interfaces on your WAN router and just trunk three VLANs to your WAN router via GbE port 28.

Again, luckily you have a 300 series switch that also supports wirespeed Access-Lists, in case you need to add restrictions or restrict access between network resources.

What about the following VLAN setup. Click on the table below to make it bigger.

I guess you used VID 10 and 20 because they are the sub-interface numbers on your WAN router.  That is only a guess on my part.

Why not use port 28 as a link to propagate the tagged VLANs to your VLAN-aware WAN router.

Leave all switch ports in trunk mode and do not use general mode.

(NOTE: could be easier just to set the switch back to factory defaults and start again).

Check out this 6 minute recording and see if this works for you, yes it took me only 6 minutes to configure the switch for your needs.

Remember when viewing the recording, that you can pause the recording to perform the necessary configuration steps.

Click here to see recording

Hope this helps,

regards Dave
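
An added example, not part of the thread or any poster's own work: a small Python model of 802.1Q ingress and egress rules applied to the two port layouts discussed above, the General-mode layout and the design with servers in VLAN 30 and VLANs 10, 20 and 30 tagged on port 28. It assumes end hosts send untagged frames, that port 28 keeps VLAN 1 as its untagged VLAN, and that the server ports are 22-25 as in the original question; the function and port names are made up for illustration.

```python
# Added example: minimal model of 802.1Q ingress/egress on a single switch.
# Port layouts are constructed from the thread; hosts are assumed to send untagged frames.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out without a tag
    tagged: set = field(default_factory=set)    # VLANs sent out with an 802.1Q tag

def egress(ports, src, dst):
    """How an untagged frame entering `src` leaves `dst`: ('untagged', vid),
    ('tagged', vid), or None when the switch will not forward it there."""
    vid = ports[src].pvid          # ingress rule: untagged frame joins the PVID VLAN
    out = ports[dst]
    if vid in out.untagged:
        return ("untagged", vid)
    if vid in out.tagged:
        return ("tagged", vid)
    return None                    # dst is not a member of that VLAN

def l2_neighbours(ports, src):
    """Ports that would receive a broadcast sent untagged into `src`."""
    return sorted(p for p in ports if p != src and egress(ports, src, p))

def routed_design():
    """VLAN 10 on ports 1-10, VLAN 20 on 11-20, VLAN 30 (servers) on 22-25,
    port 28 carrying all three tagged towards the router (VLAN 1 untagged: assumed)."""
    ports = {}
    for rng, vid in ((range(1, 11), 10), (range(11, 21), 20), (range(22, 26), 30)):
        for n in rng:
            ports[n] = Port(pvid=vid, untagged={vid})
    ports[28] = Port(pvid=1, untagged={1}, tagged={10, 20, 30})
    return ports

def general_design():
    """The General-mode layout from the thread: G1 accounting, G2 sales, G3 servers."""
    return {
        "G1": Port(pvid=10, untagged={10}, tagged={1}),
        "G2": Port(pvid=20, untagged={20}, tagged={1}),
        "G3": Port(pvid=1, untagged={1}, tagged={10, 20}),
    }

if __name__ == "__main__":
    r, g = routed_design(), general_design()
    print("routed  1->11:", egress(r, 1, 11), " 1->22:", egress(r, 1, 22), " 1->28:", egress(r, 1, 28))
    print("general G1->G3:", egress(g, "G1", "G3"), " G3->G1:", egress(g, "G3", "G1"))
```

A `None` result means the two ports share no VLAN, so traffic between them has to be routed via port 28; a `tagged` result means the receiving host must be VLAN-aware to accept the frame.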

Hi David, I want to thank you for the time and effort you put in answering my question. And the video you put up is really great.

I really appreciate it. I guess I'll go this way.

A few things, since we are using ports of a single VLAN, can we make them into access ports, instead of leaving them in trunk port mode?

Second, after I configured this I did a test to ping the router interface, say for example using laptop 192.168.1.15 pinging the router interface 192.168.1.1, out of 10 pings, there is one ping that would be in the 400-500ms. There are no dropped pings but lots of pings with delays.

Can you make sense out of this?

Hi Mr Zhang,

Very glad to hear that your network is coming together nicely.

Access mode, as you know, allows only one untagged VLAN to be associated with a port.

Trunk mode, like access mode, allows for again only one untagged VLAN to be associated with a port, but trunk mode allows many tagged VLANs to also be associated with the port.

Tagged VLANs are not added automatically to a port, they have to be manually added.

Since your IP hosts (PCs) are not VLAN aware it really is fine for the ports to be left in the default trunk mode.

But, I live in the USA, the land of the free, so feel free to make the change from trunk mode to access mode, if it makes you feel happier.

The ping response time is not good.

Is that ping response time of 400 to 500 milliseconds all the time or only when the uplink to the WAN router may be congested?

It would be interesting to see pings at different times of day to understand if it's just the uplink that is getting congested or the WAN router that is running very hard.

Since the WAN router is also routing between VLANs all traffic destined for another VLAN will go out on your uplink port 28.

Pinging another device within the same VLAN on the same switch should exhibit much less delay.

What is the ping time between two IP hosts on the same VLAN?

I would think this ping response time would be very low. If it is, I am still thinking there is trouble with routing between VLANs via the WAN router.

regards Dave

Hi there!

It might not be the best thread but still the closest to what I'm trying to configure :-)

I'm using an SG 300-52 and a non-VLAN-capable router (for internet access) and trying to set up the following with no luck :-(

VLANs are probably not the best idea and I might need to use ACLs but please advise how I could achieve the following setup:

  1.      An office with (let's say ports 1-10) connected to internet (through port 50) and to 4 servers (port 41-44) where servers should have internet access too.
  2.      For security reasons we would like to deny any access (including internet) on ports 1-10 unless registered MAC addresses are connected to these ports but without using the router or a fw.
  3.      A meeting room (ports 20-21) where only internet access should be accessible (for guests) and servers should only be accessible for a list of MAC addresses. (again without using the routers as a filter/fw)
  4.      Another meeting room with another VLAN capable L2 switch (another brand) connected to port 49 where we would like to have the same access rights as in point (3)
  5.     The second switch mentioned above has 4 workstations as well for which ports should deny access for guest MAC addresses (but this would be a setup in the second switch I guess)

Let's solve first points 1-3 if possible, then we can go further :-)

Any help is welcome and many thanks in advance!

br.

Szabi
