First of all, this is my first post here. I hope someone can help me, and please be patient since I have very little experience.
OK, so let me explain the scenario that I am facing and hopefully someone will be able to help me.
We have a Cisco SG500 - 28 port gigabit switch in our workplace.
Our goal is to create 3 VLANs and separate the networks between different departments.
VLAN1 (which is the default VLAN in the switch) - will be used for the IT department and management.
VLAN100 - will be used for business.
VLAN200 - will be used for guests who need to connect to the internet through WiFi.
I have created VLAN100 and VLAN200, and VLAN1 is there by default.
I want to use port 13 for VLAN200 and to connect the Wifi access-point there.
The uplink is in port 25.
I would be glad if you could explain things to me first at a more abstract, general level, and then we can look at the specific scenario that we have.
The Cisco SG500 - 28 gets internet from a Sophos UTM 9 router.
I will need to take care of inter-VLAN routing as well, and subnets, and DHCP.
Thanks in advance,
Hi Desmond, looking at that DHCP pool it looks correct.
For the second part, you want VLAN 200 to only work on VLAN 200; this is fine. So if you have an access point and everything on VLAN 200 connects to this AP, you can make an access list for this. The access list is ingress only, meaning inbound traffic to the interface.
So if you have an access point connecting to port #1. You will need to build the access list and apply it to port number 1. This is assuming you make an access list "deny" with source of VLAN 200 IP subnet to destination of the other subnet you don't want the access to.
Reference the picture on the other post to fill in your numbers. Then, for the ACL binding, it needs to be placed on the interface where VLAN 200 first comes in to the switch (i.e., the port the access point connects to; ensure you choose to bind by port instead of by VLAN).
Please mark answered for helpful posts
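As an added illustration of the setup described in this answer and in the poster's later port list (port 13 access VLAN 200, port 26 trunk with VLAN 1 untagged and VLAN 200 tagged, switch in router mode), here is what that looks like in SG500 CLI form. This is example configuration written for this thread, not the poster's or Cisco's own config; it assumes SG500 interface naming of the form gi1/1/N, takes the guest subnet 192.168.0.0/24 from the thread, and uses 192.168.1.0/24 (IT/management) and 192.168.100.0/24 (business) as placeholder subnets that are not stated anywhere in the thread.

```text
! Added example configuration (not from the thread), Cisco SG500 CLI, Layer 3 (router) mode.
! Placeholders: 192.168.1.0/24 = IT/management (VLAN 1), 192.168.100.0/24 = business (VLAN 100).
vlan database
 vlan 100,200
exit
!
! Switch-side gateway for the guest VLAN (the 192.168.0.1 address from the thread)
interface vlan 200
 name Guest-WiFi
 ip address 192.168.0.1 255.255.255.0
exit
!
! Port 13: access port for the WiFi access point, guest VLAN only
interface gigabitethernet1/1/13
 switchport mode access
 switchport access vlan 200
exit
!
! Port 26: trunk to the Sophos, VLAN 1 untagged (native), VLAN 200 tagged
interface gigabitethernet1/1/26
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 200
exit
!
! Guest isolation: block the guest subnet from the other internal subnets,
! let everything else (internet via the Sophos) through. Wildcard masks, not netmasks.
ip access-list extended GUEST-ISOLATION
 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any any
exit
!
! Bind ingress on the port where VLAN 200 enters the switch (the AP port), not on the VLAN
interface gigabitethernet1/1/13
 service-acl input GUEST-ISOLATION
exit
```

Because the ACL is ingress on port 13, replies from the guest gateway 192.168.0.1 (DHCP, ARP) are unaffected; only traffic sourced by guests toward the listed internal subnets is dropped, and any new internal subnet needs its own deny line before the final permit.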
I have a rather simple question here; In the link that you provided the inter-VLAN routing is done by the RV router or by the SX switch?
The link that you provided is partially helpful to the point where I can create the VLANs; after that things get confusing because the router that we have is from a different manufacturer (Sophos).
The switch is performing the routing
Please mark answered for helpful posts
Any idea why I am getting "Duplicate IP address 192.168.0.1 from MAC 00:1a:8c:xx:xx:xx was detected on VLAN 200, port gi1/26"? This MAC address belongs to the interface for VLAN 200 on my Sophos router/firewall.
You have two different options:
1) Configure the SG500 switch as a Layer 2 switch and let the Sophos firewall do all the Layer 3 routing along with internet access. If you choose this option, then you need to configure your uplink port as a trunk port and allow all 3 VLANs to pass through. Also, you need to make sure that the Sophos device supports VLANs and trunking (or at least sub-interfaces, and create sub-interfaces for each VLAN). Also, all LAN devices will have the respective sub-interface/VLAN interface IP on the Sophos as their default gateway.
2) Configure the SG500 switch as a Layer 3 device and configure inter-VLAN routing to manage internal network traffic locally and send just the internet traffic to the Sophos device.
Hope this helps.
Thank you for your answer.
What is the good practice in this case? To use option 1), where the router does the routing, or option 2), where the Layer 3 switch takes care of the routing?
Which one do you think applies better to my case?
Additionally, do you have any links or info which show how to configure the SG500 for option 1) (router does routing)?
The link for option 2) is already provided by Tom here:
In general, good practice is to allow the switch to perform LAN routing (Layer 3) to take some load off of the router/firewall.
In Layer 2 the router will be the default gateway for all VLANs. You need to create a trunk between the router and switch so that all VLANs can reach the router. As far as the switch goes, there is little to do:
1) Give it a management IP
2) Create the desired VLANs and assign to ports
3) Create a trunk port to the router with one VLAN Untagged and the others Tagged
Create the same VLANs on the router and an identical trunk port to connect to the switch.
Please reply if you have any questions.
What is the specific reason that requires the trunk port (the one that is used for uplink) on the switch to be an untagged member of one VLAN (VLAN1, most probably, in my case) and a tagged member of the others (VLAN 200)?
With a trunk the switch and router are able to define which VLAN the traffic belongs to based on the VLAN tag. Without tagging all traffic would belong to the default VLAN. If there is no tag, the devices will assume that the traffic belongs to the default VLAN. That is why the default VLAN remains untagged.
According to the Sophos forums, my router does not support untagged VLANs and the VLAN1 is used by the router itself, so it's better to choose another VLAN for my equipment.
I guess I have to create a new VLAN for the internet connection, and make port 26 (the uplink to the router) a tagged member of VLAN xx (the new VLAN for the internet) and VLAN 200 (the one where the WiFi access point is). Can you confirm?
</gre_replace>
<gr_replace lines="51-53" cat="clarify" orig="The switch is router">
The switch is in router mode.
This setup would take years when I requested to visit an HTTP site over the internet, but I would receive the requested site after a while; in that case the DHCP was disabled at the switch. Once I enabled the DHCP, the switch started to respond in a timely manner. Why did this happen?
How can I make the switch work fine when the DHCP is turned off?
The following links may help.
I just want to report back for an issue that I encountered.
My current port configuration is as follows:
port 13 - access - VLAN 200
port 26 - trunk - tagged member VLAN200, untagged member VLAN 1 (default VLAN)
The switch is router mode.
This setup would take years when I requestd to visit a http site over internet, but I would recieve the requested site after a while, in that case the DHCP was disabled at the switch. Once I enabled the DHCP the switch started to respond in timely manner. Why did this happen?
How can I make the switch to work fine, when the DHCP is turned off?
My IP for VLAN 200 (where the WiFi access point is connected) is: 192.168.0.1
I created one network pool according to that; it is in the attachment. Can you confirm if it is OK?
Now I want to isolate the devices connected to VLAN 200, so they are not able to access anything outside their VLAN. How can I achieve that? I looked at your post, but it confused me a bit with the ingress stuff. Could you help please?