problems setting up public/private vlans on sg300-52 switches

jfmalouin
Level 1

A real beginner here with a problem on how to setup 3 SG300-52 (in L2 mode) as per this diagram:

network-topology.png

Port 1 on all switches should be able to talk to each other and access the blob at the right.

The ports 25 on the other hand should only be able to talk among themselves in their own

private vlan. They are to carry sensitive traffic.

So I created 3 vlans: vlan 78 for ports gi1, gi51, vlan 10 for ports 25, 49, 50, and a dummy vlan, 666,

with the intent of segregating vlan 10 from vlan 78.

My attempts so far have failed.

Ports gi49-50 are configured as trunk ports and gi1, gi51 as access ports, as the following

CLI output (excerpts of the startup config) shows:

vlan database

vlan 10,78,666

exit

interface vlan 1

ip address 172.16.10.11 255.255.255.0

no ip address dhcp

!

interface gigabitethernet1

switchport mode access

switchport access vlan 78

!

interface gigabitethernet25

switchport mode access

switchport access vlan 10

!

interface gigabitethernet49

switchport trunk allowed vlan add 10,78

switchport trunk native vlan 666

switchport default-vlan tagged

!

interface gigabitethernet50

switchport trunk allowed vlan add 10,78

switchport trunk native vlan 666

switchport default-vlan tagged

!

interface gigabitethernet51

switchport mode access

switchport access vlan 78

!

Ports gi1 can talk to each other and access the blob, but ports 25 refuse to talk to each other. But as soon as I remove

the access links to the blob, they can! Obviously, at that point ports gi1 lose access.

Is such a topology feasible or even advisable?

Thanks,

jf

7 Replies

Tom Watts
VIP Alumni

Hi Jean, if you have 3 switches in layer 2 mode, by default those vlans will not communicate to one another without a routing device.

One problem may be this: if you have a common trunk link, which looks like it is ports 49 and 50, then you have other links carrying the same vlan on different ports. Whatever the blob is, it seems like spanning-tree is shutting down a port. So if ports 49 and 50 carry all vlans between them and you have another link carrying one vlan, but that same vlan is on your trunk after, spanning tree will have a port blocking. 802.1q specifies there is only 1 spanning tree instance regardless of the different vlans.

The one thing you may want to do is get full inter-vlan communication and then build an ACL to prevent whichever subnets you do not want to communicate across the vlans.

-Tom
Please mark answered for helpful posts


Thank you Tom for the answer,

Can you be a little more explicit on your last remark, 'get full inter-vlan communication and then build an ACL'?

How would I go to do that?

Regards,

jf

Hi Jean, what is the blob exactly? What is your router? How are the vlans communicating to each other at this time? Give me an idea of exactly what you'd like and I can probably write a template for you.

-Tom
Please mark answered for helpful posts


Hi again Tom,

The blob on the right of the diagram is a Cisco C3750 switch to which I have no management access.

It's an edge switch connected to a router somewhere in the building, again I have no access to that either.

The goal is to have 2 vlans on the SG300s, one for public traffic that will make it to the blob, and another

one that will carry private traffic for management and monitoring. It should be restricted to the SG300s only,

ie it should not go out to the blob.

Hope this makes sense,

jf

Hi Jean,

Here's a pretty picture

Now I will explain.

The layer 3 switch is going to serve as your core switch.

Vlan 78 looks like your BLOB connection.

Vlan 10 and 666 look like they don't belong on the BLOB.

So how to configure this-

You will want to configure the switch that connects directly to the BLOB as the layer 3 switch depicted in my diagram.

Layer 3 switch, follow this document

https://supportforums.cisco.com/docs/DOC-27038

Bear with me, I am making up random numbers since I don't know what you want or will use.

So VLAN 78 looks like the BLOB and 10 and 666 are staying out of the BLOB.

config t

vlan database

vlan 10, 78, 666

int vlan 1

ip address 192.168.1.254 /24

int vlan 10

ip address 192.168.2.254 /24

int vlan 78

ip address 192.168.3.254 /24

int vlan 666

ip address 192.168.4.254 /24

Configure the port you want to go to the BLOB, I am assuming vlan 78.

config t

int gi01

switchport mode access

switchport access vlan 78 (that 3750, what is the native vlan of the port it is connecting to??)

Next, configure the downlink port to connect the layer 2 switch

config t

int gi0/2

switchport mode trunk

switchport trunk allowed vlan add 10, 78, 666  (this will make the port native vlan 1 untagged, rest ports tagged)

On the downstream switch you need to configure an uplink and downlink with the respective vlans. It will remain layer 2 mode.

config t

vlan database

vlan 10, 78, 666

int gi0/1

switchport mode trunk

switchport trunk allowed vlan add 10, 78, 666

int gi0/2

switchport mode trunk

switchport trunk allowed vlan add 10, 78, 666

Same thing for the last switch, it will remain layer 2 mode

config t

vlan database

vlan 10, 78, 666

int gi0/1

switchport mode trunk

switchport trunk allowed vlan add 10, 78, 666

int gi0/2

switchport mode trunk

switchport trunk allowed vlan add 10, 78, 666

Let me know if this works out or if it is not logical for you.

-Tom
Please mark answered for helpful posts


Hi Tom,

I must admit I'm not too keen on your proposed solution above. I'll have a go at it tomorrow, but for the moment let's go back to my initial config, as I'm curious to know why multiple spanning-tree (MST) blocks port 51

in sw-1 and sw-2 in this physical topology (same as my initial graph):

I thought it was what MSTP was designed for... The red links (trunk) carry VLAN 1, 10, while the green ones only carry VLAN 78. I have defined the MST config exactly like the following on all 3 switches:

config t

spanning-tree mode mst

spanning-tree mst configuration

name region1

revision 1

instance 1 vlan 78

instance 2 vlan 1,10

!

Ports in vlan 78 (port 1-24, 51) are configured like:

interface giX

spanning-tree mst 1 cost 200000000

switchport mode access

switchport access vlan 78

!

For those in vlan 10 (ports 25-36 in access mode and 49,50 in trunk mode)

interface giX

spanning-tree mst 2 cost 200000000

switchport mode access

switchport access vlan 10

!

interface gi49

spanning-tree mst 2 cost 20000000

switchport mode trunk

switchport access vlan 10

!

A very simple interpretation of MSTP is as such-

port 1 is vlan 1 port 1 connects to another port somewhere else on vlan 1

port 2 is vlan 2 port 2 connects to another port somewhere else on vlan 2

Now, let's say you add a 3rd link that is a trunk 1u2t; one of the ports is going into blocking.

802.1q specifies there is only 1 spanning-tree instance regardless of vlans. MSTP overcomes this limitation. However, within this overcoming, the limitation remains: if you have 2 links that are not bonded, spanning-tree will block one of them because it is redundant on the same vlan.

-Tom
Please mark answered for helpful posts

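As an added example (not from this thread and not a Cisco tool), here is a small Python checker for the kind of SG300 config excerpts posted above: it works out which VLANs each port can carry and flags the two things the thread circles around, the private VLAN 10 showing up on a port that faces the blob, and a trunk port that still carries a `switchport access vlan` line (as gi49 does in the MST config). It assumes a port with no `switchport mode` line is a trunk with native VLAN 1 (the SG300 default) and ignores `switchport default-vlan tagged`; the sample config and port names are constructed.

```python
import re
# Constructed sample in SG300 CLI syntax: a blob-facing access port, the inter-switch
# trunk, and a trunk port that still carries an access-vlan line.
SAMPLE_CONFIG = """\
interface gigabitethernet1
switchport mode access
switchport access vlan 78
interface gigabitethernet49
switchport trunk allowed vlan add 10,78
switchport trunk native vlan 666
interface gigabitethernet51
switchport mode trunk
switchport access vlan 10
"""

def parse_ports(config):
    """Map interface -> mode/access/allowed/native. Assumption: a port with no
    'switchport mode' line is a trunk with native VLAN 1 (the SG300 default)."""
    ports, cur = {}, {"allowed": set()}  # scratch dict for lines before any interface
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            cur = ports.setdefault(m.group(1), {"mode": "trunk", "access": None, "allowed": set(), "native": 1})
        elif m := re.match(r"switchport mode (\w+)", line):
            cur["mode"] = m.group(1)
        elif m := re.match(r"switchport access vlan (\d+)", line):
            cur["access"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan add ([\d, ]+)", line):
            cur["allowed"].update(int(v) for v in m.group(1).split(",") if v.strip())
        elif m := re.match(r"switchport trunk native vlan (\d+)", line):
            cur["native"] = int(m.group(1))
    return ports

def carried_vlans(port):
    """VLANs that can leave the port: access = one untagged VLAN; trunk = allowed + native."""
    if port["mode"] == "access":
        return {port["access"]} if port["access"] is not None else set()
    return port["allowed"] | {port["native"]}

def audit(config, private_vlans, external_ports):
    """Findings: private VLAN carried on an external-facing port; ineffective access line on a trunk."""
    findings = []
    for name, port in parse_ports(config).items():
        leak = carried_vlans(port) & set(private_vlans)
        if name in external_ports and leak:
            findings.append(f"{name}: private VLAN {sorted(leak)} exposed externally")
        if port["mode"] == "trunk" and port["access"] is not None:
            findings.append(f"{name}: access vlan line has no effect in trunk mode")
    return findings
```

Run `audit(show_running_config_text, {10}, {"gigabitethernet1", "gigabitethernet51"})` against the blob-facing switch; an empty list means VLAN 10 cannot reach the blob link, at least as far as port VLAN membership goes.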