AHA, Yes that was def part of the problem. I changed all my ports to general and it lets me untag ports to multiple VLAN's now. However, something is still not right...

I have this:

Interface      Mode        Administrative VLANs Operational VLANs

GE39        General               1331UP                  1331UP 

GE41        General          1UP, 20U, 1331U     1UP, 20U, 1331U

Shouldn't port 39 be able to communicate with port 41? I can't ping either way between ports 39 and 41. I want port 39 isolated from the rest of the network but still able to talk to port 41. I also want port 41 accessible from all ports. Do I have to reboot the switch after changing all ports from trunk to general?

Thanks for your help thus far.

Hi Andrew,

I'm guessing you have a server on vlan 1331.

I'm guessing you want PCs on vlan 1, 20  to be able to communicate with a server on vlan 1331 ?

PC's on a specific  VLAN still  can communicate  with devices in the same IP network. That's why PC's have gateway addresses, so if the  destination network isn't on the same network then the packet is directed to a gateway..

Having said that do you have multihomes IP addresses or secondary addresses  associated with the ethernet interface on the server?

This is to allow the server to be 'seen' on these other vlans.

regards Dave

Not sure what you mean. Here is what I am trying to do. This is how I had it on the old switch (which worked fine):

Identical ports that show up in multiple vlans are servers,nas,routers,firewall,etc. For example, vlan 420... art department. always screwing stuff up SO they can only communicate with ports 36,41,43, and 45 (server,internet). Art's port is 23 and it can't see anything but those 4 ports and only those 4 ports can see it. All ports everywhere are untagged FYI. How do I do the same thing with the Cisco switch?

IEEE 802.1Q PVID Table

IEEE 802.1Q VLAN Settings

In my first example with the Cisco config, it is supposed to be that port 39 can only see 41 (nothing else) and only 41 can see 39 (41 can also see everything else). BUT it can't what happens is 39 cant see anything and nothing can see it even though it should be able to see 41 and 41 should be able to see it because 41 is an untagged member of 1331 (39's only vlan and friend)

BTW, i am just doing these two ports as test. The end goal is to have the big table above migrated to the cisco switch.

Still interested?

OK, apparently the answer is that this model switch can't do what I'm trying to do. It is a level 2 switch. I just spent a half a day with Cisco support and they said I can accomplish what I need with a layer 3 switch. I will exchange this one with the SG300-52. Thanks for your help forum folk.

PS It seems there are indeed differences in the way that some hardware vendors implement the 802.1Q protocol... it be what it be.

OK this really sucks. WHY can't I do the SAME thing with the uber awesome super powerful cisco switches that I can do very successfully with a simple NETGEAR switch??

I sent the SG200-50 back and got the SG300-52 hoping that I would get different results with the more powerful switch.

I did not. Does anyone know how to do this SIMPLE task? I wish I hadn't bought this ONE THOUSAND DOLLAR SWITCH THAT WON'T DO WHAT I WANT IT TO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

GE39 General 1331UP 1331UP   

GE45 General 1UP, 420U, 1331U

I tried it with ingress filtering turned on and off and neither fixes the problem.

When I did this with my crappy netgear switch it worked perfectly.

Think I got it...

for some reason port 39 had to be an untagged member of vlan 1...

OK so in the example below... port 39 can ONLY talk to 40 and 45 AND ONLY 40 and 45 can talk to port 39 which is exactly what I wanted. This is a great way to isolate broadcast domains and seperate groups of ports WITHOUT different subnets and special settings on the computers... This should help folks here. Apparently (despite what cisco support guys said) you CAN do this. This is really just PORT based VLAN's. They said it wasn't possible. They were wrong. OK so cisco switches aren't so bad afterall

GE39 General 1T, 1331UP

GE40 General 1UP, 1331U

GE45 General 1UP, 420U, 1331U

SCRATCH THAT. Still having problems, it works for certain ports but not others and I can't find a pattern.

the above config is still working but I have only been able to get one other port to do the same thing..... BEEZARE.

YEP. 2 different ports set up exactly the same way to talk to the same vlans... 1 works the other doesn't???

Hi Andrew, I just posted a request pretty similar to yours. I have the SG300-28.

Were you having any luck on implementing this?

It is HALF working... sounds bizarre I know, but it is bizarre.

OK I'm going to post an example again and tell what is working and what is not... as for the WHY I am hoping someone can shed some light...

keep in mind while reading this, that I had this configuration working PERFECTLY on my old Netgear 48 port 802.1Q switch.... on that switch it was super simple and everything was UNTAGGED. See several posts above for my old Netgear vlan table as reference.

GE33 General 1UP, 20U, 420U, 1331U

GE39 General 1T, 1331UP

OK in the above example, PORT 33 can talk to port 39 furthermore port 33 is the ONLY port that can talk to 39. ALSO, port 39 can talk ONLY to port 33. I have done numerous tests (nmap with no ping, traceroute, ping, try to map network drive) and have verified that because 39's PVID is 1331 and port 33 is untagged member of 1331 there is full communication between the two. NOW, there are many ports that are 1UP... including port 33... HOWEVER, port 39 CANNOT talk to any of these 1UP members EXCEPT port 33. APPARENTLY, (and this makes no sense to me) because port 39 is only TAGGED in vlan 1. Though I do not fully understand why this configuration works, it got me what I wanted (first 2 sentences).

This is where it gets super wierd...

GE1 General 1T, 20UP

GE43 General 1UP, 20U, 30U, 40U, 50U, 60U, 70U, 420U

In the above example I should get the SAME communication as is with ports 39 and 33. Port 1 should be able to talk to port 43, but it CANNOT. Furthermore, port 43 should be able to talk to and be the ONLY ONE WHO CAN talk to port 1.

the computers connected to the ports are:

1 - windows 2000 pc

33 - WRT54GL DD-WRT router (gateway to server internet conn.)

39 - windows XP pc

43 - WRT54GL Tomato firmware wireless router (user wireless/internet)

My requirements are working fine on several ports but won't work at all when i try the same thing on others... the only diffence being a different pc plugged in...

SO, to sum up. This inconsistent environment is as far as I have been able to get. I'm waiting for someone to explain WHY this is happening? How could it be a difference in pc network cards??? Why did the Netgear work PERFECTLY? Why did Cisco support say this isn't possible?

Hi Andrew, I was able to test the following:

G1 General PVID 3739, 1T 3739U

G2 General PVID 1916, 1T 1916U

G4 General PVID 1, 1U 3739T 1916T

G5 General PVID 1, 1U 3739T 1916T

With this I was able to do the following:

1. G1 can ping both 4 and 5

2. G2 can ping both 4 and 5

3. G1 CANNOT ping G2

so this is exactly what we wanted.