
Restricted Inter-VLAN routing with SG200-26 and SG300-10

mschubert1990
Level 1

Hello All,

My apologies if this has been covered somewhere else.

My organization wishes to host a LAN gaming event. The setup I have in mind involves a 24-port switch for connecting all the player computers and having that switch connected to a smaller "core" switch which has the game server and router connected to it. I'd like to know if I can set things up as follows...

SG200-26 with ports 1-24 on separate VLANs so they cannot talk to each other. I'd then like ports 25 and 26 to be an aggregated (for bandwidth and redundancy) trunk port to carry all 24 VLANs plus an additional management VLAN (ex. VLAN 100) that will be used for accessing the switch. I'd like those aggregated trunk ports to connect to an SG300-10 "core" switch which will be connected to the game server and to a router for internet access.

I'd like the ability to have two network connections from the game server to the switch, one on the management VLAN and one on a different VLAN (ex. VLAN 50) that will be accessed by the players (ports 1-24 on the SG200-26). The core switch needs the ability to perform restricted inter-VLAN routing, in that it doesn't allow VLANs 1-24 to talk to each other but they can talk to the server's VLAN but only through specific service ports (ex. port 12345, 12346). Is this possible?

Furthermore, how would I configure the SG300-10 to allow VLANs 1-24 to talk to VLAN 50, but not themselves or VLAN 100? As well, I'll probably have the router on its own VLAN (ex. VLAN 60) and allow VLANs 1-24 to access it but only through HTTP port 80 for web access.

What do you think?

Thank you.
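The policy asked for above (players reach the server VLAN only on the two service ports, the router VLAN only on TCP 80, and never each other or the management VLAN) can be checked before anything is typed into a switch. The following is an added example, not part of the thread and not SG300 ACL syntax: it models the rule set as a first-match, implicit-deny list and evaluates sample flows against it. The addressing plan (VLAN n = 10.0.n.0/24), the host addresses and the probe ports are constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_address

# Constructed addressing plan for this example (the thread gives none):
# VLAN n uses 10.0.n.0/24, so a player on VLAN 12 is 10.0.12.x, the game
# server is in 10.0.50.0/24, the router in 10.0.60.0/24, management in 10.0.100.0/24.
PLAYER_VLANS = set(range(1, 25))
SERVER_VLAN, ROUTER_VLAN, MGMT_VLAN = 50, 60, 100
GAME_PORTS = {12345, 12346}  # the service ports named in the question


def vlan_of(ip):
    """VLAN id owning an address under the constructed plan (the third octet)."""
    return ip_address(ip).packed[2]


# One ACL entry: source/destination VLAN sets, protocol, and optional
# source/destination port sets. ANY (None) matches everything.
Rule = namedtuple("Rule", "src dst proto sports dports action")
ANY = None

ACL = [
    # Players may reach the game server only on its two service ports ...
    Rule(PLAYER_VLANS, {SERVER_VLAN}, "tcp", ANY, GAME_PORTS, "permit"),
    Rule(PLAYER_VLANS, {SERVER_VLAN}, "udp", ANY, GAME_PORTS, "permit"),
    # ... and the router VLAN only for HTTP.
    Rule(PLAYER_VLANS, {ROUTER_VLAN}, "tcp", ANY, {80}, "permit"),
    # A switch ACL is stateless, so the replies need entries of their own,
    # recognised by the source port they come back from.
    Rule({SERVER_VLAN}, PLAYER_VLANS, "tcp", GAME_PORTS, ANY, "permit"),
    Rule({SERVER_VLAN}, PLAYER_VLANS, "udp", GAME_PORTS, ANY, "permit"),
    Rule({ROUTER_VLAN}, PLAYER_VLANS, "tcp", {80}, ANY, "permit"),
    # Everything else (player to player, anything to VLAN 100) hits the implicit deny.
]


def _match(rule, pkt):
    return (vlan_of(pkt["src"]) in rule.src
            and vlan_of(pkt["dst"]) in rule.dst
            and rule.proto in (ANY, pkt["proto"])
            and (rule.sports is ANY or pkt["sport"] in rule.sports)
            and (rule.dports is ANY or pkt["dport"] in rule.dports))


def evaluate(pkt, acl=ACL):
    """First matching entry wins; no match means deny, as on a real ACL."""
    for rule in acl:
        if _match(rule, pkt):
            return rule.action
    return "deny"


def flow(src, dst, proto, sport, dport):
    """Build a five-tuple dict for evaluate()."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def players_isolated(acl=ACL, probe_ports=(80, 445, 3389, 12345)):
    """True if no player VLAN can reach another player VLAN on any probe port."""
    for a in PLAYER_VLANS:
        for b in PLAYER_VLANS - {a}:
            for proto in ("tcp", "udp"):
                for port in probe_ports:
                    pkt = flow(f"10.0.{a}.7", f"10.0.{b}.7", proto, 40000, port)
                    if evaluate(pkt, acl) == "permit":
                        return False
    return True


if __name__ == "__main__":
    samples = [
        flow("10.0.12.7", "10.0.50.10", "tcp", 51000, 12345),  # game traffic
        flow("10.0.12.7", "10.0.50.10", "tcp", 51000, 22),     # anything else to the server
        flow("10.0.12.7", "10.0.13.7", "tcp", 51000, 12345),   # player to player
        flow("10.0.12.7", "10.0.60.1", "tcp", 51000, 80),      # web via the router VLAN
        flow("10.0.12.7", "10.0.100.2", "tcp", 51000, 80),     # management VLAN
    ]
    for pkt in samples:
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], pkt["dport"], evaluate(pkt))
    print("player VLANs isolated:", players_isolated())
```

Two things the model makes visible that the question does not spell out: the reply-direction entries are needed because the switch ACL keeps no connection state, and with the router VLAN limited to TCP 80 the players have no path for name resolution, so DNS (UDP 53 to whichever resolver they use) would need an entry of its own before web browsing works.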

1 Accepted Solution


Hi Marc, the default gateway of the computers will be the SVI of the switch.

Router -> SG300 layer 3 -> SG300 layer 2

router is 192.168.1.1

Vlan 1 on SG 300 is 192.168.1.100

Vlan 2 on SG 300 is 192.168.2.1

SG300 layer 2 has a trunk 1u,2t.

My computer connecting to an access port 2 untagged on the layer 2 SG300.

I am able to ping 192.168.2.1

I am able to ping 192.168.1.100

I cannot ping 192.168.1.1

The reason being the router has no idea about that subnet therefore can't send the packet back to the source 192.168.2.x subnet.

The ACL and basic connection are 2 different animals. The ACL is to prevent intervlan communication. The basic connection will either need trunk and vlan tags or static routes.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/
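The ping results in the accepted answer come down to the router's routing table: the echo request reaches 192.168.1.1 through the SG300's SVI, but the router has no route back to 192.168.2.0/24 and hands the reply to its default route instead. The following is an added example, not part of the thread: a small hop-by-hop forwarding model using the answer's addresses, with and without a static route on the router pointing 192.168.2.0/24 at 192.168.1.100. The PC address 192.168.2.50 and the WAN sink are constructed for the example.

```python
from ipaddress import ip_address, ip_network

WAN = "WAN"  # sink: a packet handed to the ISP with a private destination is lost


class Node:
    """A host or forwarding device: its interface addresses and routing table."""

    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = {ip_address(a) for a in addresses}
        # routes: (prefix, next_hop); next_hop None means directly connected
        self.routes = [(ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next_hop) or None if no route."""
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build(router_has_static_route):
    """Topology from the accepted answer: router -> SG300 (layer 3) -> PC on VLAN 2."""
    router_routes = [("192.168.1.0/24", None), ("0.0.0.0/0", WAN)]
    if router_has_static_route:
        router_routes.insert(1, ("192.168.2.0/24", "192.168.1.100"))
    nodes = [
        # constructed PC address in the 192.168.2.x subnet; gateway is the VLAN 2 SVI
        Node("pc", ["192.168.2.50"],
             [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]),
        Node("sg300", ["192.168.1.100", "192.168.2.1"],
             [("192.168.1.0/24", None), ("192.168.2.0/24", None),
              ("0.0.0.0/0", "192.168.1.1")]),
        Node("router", ["192.168.1.1"], router_routes),
    ]
    return {addr: n for n in nodes for addr in n.addresses}


def trace(by_ip, src, dst):
    """Follow one packet hop by hop; 'delivered' or a string naming where it was lost."""
    node, dst = by_ip[ip_address(src)], ip_address(dst)
    for _ in range(8):  # TTL guard against forwarding loops
        if dst in node.addresses:
            return "delivered"
        route = node.lookup(dst)
        if route is None:
            return f"no route at {node.name}"
        _, nh = route
        if nh is None:  # directly connected segment: deliver if the host exists
            if dst not in by_ip:
                return f"no host {dst} on {node.name}'s segment"
            node = by_ip[dst]
        elif nh == WAN:
            return f"sent to WAN by {node.name}"
        else:
            node = by_ip[ip_address(nh)]
    return "ttl exceeded"


def ping(by_ip, src, dst):
    """Echo request and echo reply both have to arrive; returns both trace results."""
    return trace(by_ip, src, dst), trace(by_ip, dst, src)


if __name__ == "__main__":
    for static in (False, True):
        net = build(static)
        print("router has static route for 192.168.2.0/24:", static)
        for target in ("192.168.2.1", "192.168.1.100", "192.168.1.1"):
            print(f"  ping {target}:", ping(net, "192.168.2.50", target))
```

Without the static route the request is delivered and the reply is the part that fails, which is exactly the symptom in the answer. The same check applies to the original 24 player subnets: every subnet the SG300 routes for needs either a static route on the router or a VLAN the router participates in, independently of whatever ACLs restrict traffic between them.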

9 Replies

Tom Watts
VIP Alumni

Hi Marc, what does your router support? If you want to restrict inter-vlan routing on the SG300 the switch would have to be layer 3 and access list applied on every interface. Additionally, if your router did not support vlans, you would require static routes on the router to point to the switch interface to be able to route traffic out to the internet. This would ultimately make network performance suffer.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Hey Tom,

Thanks for your reply!

I will use a router that's VLAN aware such as the RV220W. What I mainly would like to know is if what I propose in my first post is possible with those switches (SG200-26 and SG300-10). Also, with that many different VLANs and ACLs will my network performance suffer? Will the SG300-10 be able to keep up?

Thank you.

Hi Marc, the RV220W supports 16 active vlans. You would have to double up a couple vlans. If you keep the 300 series switch in layer 2, you can get away with making 1 ACL on the trunk link that connects the 300 switch to the RV220W for intervlan communication or you can try to limit that using the features of the RV220W.

The 1 ACL on the 300 switch wouldn't impact network performance much if any at all.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Again, thank you for the assistance.

Yea, I missed that "16 active VLANs" in the specs...

I'm curious now. If the router is on its own VLAN (ex. VLAN 60) then it only needs to have one active VLAN running on it? It doesn't need to be aware of the other VLANs because the SG300-10 will handle packets routing from the other VLANs to the router's VLAN, right?

Furthermore I'm pretty sure that on the RV220W you can only set whether a VLAN is able to communicate with other VLANs or not... Inter-VLAN routing for each VLAN can only be enabled or disabled. I don't believe you can set ACLs to control traffic between VLANs, only between LAN<->WAN afaik.

I have a couple 2600 routers that I got for cheap and am using to practise for CCNA; would I be able to use one of those? I would imagine that it would depend on the IOS version? What version would I need to support that many VLANs?

Thank you

I'm curious now. If the router is on its own VLAN (ex. VLAN 60) then it only needs to have one active VLAN running on it? It doesn't need to be aware of the other VLANs because the SG300-10 will handle packets routing from the other VLANs to the router's VLAN, right?

A layer 2 device can't handle any routing functions. If you want this from the 300 series, you would have to make the switch layer 3 then create an ACL for each interface restricting traffic between the different vlans.

Furthermore I'm pretty sure that on the RV220W you can only set whether a VLAN is able to communicate with other VLANs or not... Inter-VLAN routing for each VLAN can only be enabled or disabled. I don't believe you can set ACLs to control traffic between VLANs, only between LAN<->WAN afaik.

The RV220W supports inter-vlan routing enable/disable per vlan. It also supports lan to lan (intervlan) access rules.

I have a couple 2600 routers that I got for cheap and am using to practise for CCNA; would I be able to use one of those? I would imagine that it would depend on the IOS version? What version would I need to support that many VLANs?

I don't know.

Thank you

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

I intended on purchasing the SG300-10 for its layer 3 capabilities. So it sounds like it can do what I need it to do... And again, do you think having all those VLANs and access rules on each interface would affect performance?

I didn't realize the RV220W could do LAN<->LAN ACLs, good to know.

From what I got from this thread, what I'm proposing is possible. I need to configure the SG300-10 to operate in layer 3 mode, configure the 27 VLANs and set up ACLs for VLANs 1-24... Hopefully I can copy and paste somehow lol

Thank you.

Hi Marc, yes it is possible. I do believe the ACLs will have an effect on the performance. But also because you are going to need some static routes to the RV220W since that router won't support the 24 vlans. Additionally, for any internet connectivity, it's going to be a shared bandwidth. Unless you've got a heck of a download/upload, that will bottleneck anyway.

If you're making a LAN party that does not rely on internet connectivity then you should be fine. I don't think there is any game really out there that will even touch 100 mbps anyway, let alone 1 gbps.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Hey Tom,

Yes the game server will be connected to the core switch and therefore the majority of traffic will be local. The only reason I'm providing internet access is for web browsing and so players can login to Steam and have their stats uploaded to the cloud which shouldn't require very much bandwidth...

So I will have to set up static routes on the router for every VLAN and have them all point to the interface the core switch is connected to? And then on that core switch do I need to create static routes for all VLANs to point to the router?

What I'm unsure about is, say one of the players on VLAN 12 for example wants to navigate to a web page... The HTTP packet leaving their computer will hit the SG200-26 switch, which will tag the packet as VLAN 12, and then because it's not destined for a local address it'll forward to the trunk port to the SG300-10. When the SG300-10 receives the packet the ACL will check to make sure it's allowed and will see that it's not destined for a local address, so it will then forward it to the VLAN the router is on, and then the switch will check and see that it's not local to that VLAN network so will forward to the default gateway which will be the router??? Or is the default gateway for all VLANs the SG300-10 switch? And then I have to set up a static route that if it isn't on the local network then forward to interface x which is connected to the router... Do I even need a separate VLAN for the router.... maybe it could be on the same VLAN as the game server...

Thanks again, I do appreciate your insight!
