07-16-2012 12:28 PM
I have an SG300 switch that I need help to configure.
Here is what I am attempting to set up:
Switch #1 (Production) - Cisco SG300-28 managed switch
2 - Mac workstations - group A - priority 1
3 - Mac workstations - group B - priority 2
2 - PC workstations - group B - priority 2
4 - Mac workstations - group C - restrict access to servers
1 - Apple Xserve with 2 network connections
1 - Xerox printer
1 - Large format printer
1 - Wifi access point
Switch #2 (Admin) - 100BaseT Linksys unmanaged switch
6 - PC workstations
1 - Windows 2008 R2 server
1 - Windows 2003 server
1 - Filemaker server
1 - web server
1 - Xerox printer
1 - wifi access point
Internet router is connected to the SG300 via Switch #2
Where do I start?
07-16-2012 04:26 PM
Hello John, depending on your firewall capability, here is a basic idea of your network.
This write-up assumes (1) your firewall understands VLANs, (2) group A is VLAN 1, group B is VLAN 2, group C is VLAN 3, and (3) the switches will remain in layer 2.
The trunk between the firewall and switch:
config t
vlan database
vlan 2,3
interface fa1
switchport mode trunk
switchport trunk allowed vlan add 2,3
The trunk between switch #1 and switch #2 is also the same:
config t
interface fa2
switchport mode trunk
switchport trunk allowed vlan add 2,3
This configuration will give inter-VLAN communication and allow all traffic to traverse the single wire between devices. The devices in Group A (VLAN 1), such as a computer, should be configured as access ports:
config t
interface fa3
switchport mode access
Devices in Group B (VLAN 2) should also be configured as access ports:
config t
interface fa4
switchport mode access
switchport access vlan 2
Devices in Group C (VLAN 3) should also be configured as access ports:
config t
interface fa5
switchport mode access
switchport access vlan 3
These examples lay your basic framework. Now, if you have a DHCP server that is not the router, this port needs to be configured to allow all traffic as well. Whatever port connects the DHCP server should be configured as follows:
config t
interface fa6
switchport mode trunk
switchport trunk allowed vlan add 2,3
Your access point will also require a trunk port, depending on what you're doing. If you would like to service all VLANs, the port for the AP should also be as follows; then the AP, of course, needs the VLAN ID configured for the SSID.
config t
interface fa7
switchport mode trunk
switchport trunk allowed vlan add 2,3
This should cover everything your network consists of for the examples. The last part of the configuration will be the access lists. Depending on where you put devices and how you want to limit traffic, the best place to apply the access lists will be the trunk links connecting devices. All requests on a layer 2 network will send the request to the router, then the router will forward it to the destination.
This means you can apply the access list to the uplink to the router or to the link between switches, depending on where the resources are. The appropriate placement is very important because all traffic is inspected by the access list.
Once you get the network sorted out, we can iron out a couple of access list examples.
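As an added example (not from the thread or from Cisco), a small Python audit script that parses SG300-style snippets like the ones in the answer above and lists what is worth checking before pasting them into the switch: VLANs referenced but never created, access ports left in the default VLAN 1 (which here is Group A), and trunks that carry the restricted Group C VLAN, which is where the answer says the access lists will go. The sample config is constructed from the answer's snippets; interface names and VLAN numbers are the thread's.

```python
import re

# Constructed sample: the answer's per-port snippets joined into one config.
SAMPLE_CONFIG = """
vlan database
vlan 2,3
interface fa1
switchport mode trunk
switchport trunk allowed vlan add 2,3
interface fa3
switchport mode access
interface fa4
switchport mode access
switchport access vlan 2
interface fa5
switchport mode access
switchport access vlan 3
"""

def parse_vlan_config(text):
    """Return (declared_vlans, {interface: {"mode": ..., "vlans": set}})."""
    declared = {1}                 # VLAN 1 always exists as the default VLAN
    ports, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"vlan\s+([\d,]+)$", line):          # 'vlan 2,3' under vlan database
            declared.update(int(v) for v in m.group(1).split(","))
        elif m := re.match(r"interface\s+(\S+)$", line):
            # An unconfigured port behaves as an access port in VLAN 1
            cur = ports.setdefault(m.group(1), {"mode": "access", "vlans": {1}})
        elif cur is None: continue                             # switchport line before any interface
        elif m := re.match(r"switchport mode (trunk|access)$", line):
            cur["mode"] = m.group(1)
        elif m := re.match(r"switchport trunk allowed vlan add ([\d,]+)$", line):
            cur["vlans"].update(int(v) for v in m.group(1).split(","))   # native VLAN 1 stays
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            cur["vlans"] = {int(m.group(1))}
    return declared, ports

def audit(text):
    """Findings worth checking before pasting the config into the switch."""
    declared, ports = parse_vlan_config(text)
    findings = []
    for name, p in sorted(ports.items()):
        for v in sorted(p["vlans"] - declared):
            findings.append(f"{name}: VLAN {v} used but not created in vlan database")
        if p["mode"] == "access" and p["vlans"] == {1}:
            findings.append(f"{name}: access port left in default VLAN 1 (Group A)")
        if p["mode"] == "trunk" and 3 in p["vlans"]:
            findings.append(f"{name}: trunk carries restricted VLAN 3, so the access list belongs here")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the two findings for the sample (fa1 as the trunk carrying VLAN 3, fa3 as the Group A port in VLAN 1); feed it your own running-config text to check the real switch.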
07-17-2012 02:56 PM
Thanks Thomas. I will try this set-up and report back with issues.
John