
Separate VLANs

BobDDstryr
Level 1

Hey guys,

I'm running into a bit of trouble with my setup, and hopefully you can help me out.  I have a set of Cisco SG-300-10s.

What I would like to have is two separate networks going into the enclosure - one that has dhcp, and one that uses static ip addresses.  When I first tried setting things up, I didn't set anything, I just plugged things in - so I was running into problems with bridging, with the staticked machines being accessible from the DHCP network; this isn't what I want, as the staticked machines need to be kept separate.

So here's what I've done so far (on each switch)

Gone to the management tab, and set a static IP address for management with VLAN1.

Created 2 VLANs - one named Coffin8, with the ID 8, and one named 8-Corp, with the ID 1008.

I've then assigned ports 1, 2, 3, 4, and 9 to VLAN8, and ports 5, 6, 7, and 10 to VLAN1008, leaving port 8 on VLAN1 as the default network, in case I need to make additional changes.

For the static network, I have it coming through port1, through the fiber optic, and coming out through port1.  This portion seems to be working great.

For the DHCP network, I have it coming through port5, through the fiber optic, and coming out port5.  This portion is NOT working, as it's not picking up an IP address.  If I plug the machine directly into the outer switch (so it's not actually using the fiber optic) it does get an IP address, so it seems to be a problem with my VLAN setup not quite working right between the two switches?

A coworker said that he ran into this same problem in his setup, and solved it using Spanning Trees, but doesn't remember exactly how - something about setting it up on one of the VLANs, and disabling it on the other?

Looking at the Spanning Tree Interfaces tab on the setup inside the enclosure, it says that port8 is ROOT, that ports 1 and 9 are "Designated", and that port 5 is also "Designated", but port10 is "Alternate."  Also, while all of the other ports that are in use have their port state set to "Forwarding," port10's is set to "Discarding."

I'm obviously missing something - what have I done wrong, and how can I fix it?

Thanks.

-Jason Smith


David Hornstein
Level 7

Hi Jason,

I'm guessing you need to be in layer 3 mode to be able to switch between VLANs at Layer 3.

Step 1.

From the console or telnet window, if you are presented with the CLI interface then type menu.

Step 2.

Within the menu, change the switch mode to layer three mode.

This will reset the switch back to factory defaults.

Step 3.

Go back to the GUI after you discover the switch's new IP address.

Create a new VLAN for the new VLAN segment you want, and assign an IPv4 address to this VLAN.

This IPv4 address will be the gateway address for PCs that reside within this new vlan.

Step 4.

So if you create vlan 2 within the switch and assign an IPv4 address of 192.168.2.1 mask=255.255.255.0,

you will most likely have to set up a static route within your WAN router that points to this network, so that PCs within the default VLAN will be routed back to PCs within the new VLAN.

The route statement in the router will be maybe something like  192.168.2.0 mask=255.255.255.0 gateway=IPv4 address of VLAN1 on the switch.

I hope this is what you want.

regards Dave

I don't think I have access to the WAN router, and I don't know enough to know if your suggestion is what I want, although it doesn't quite sound right to me, because you mention "PCs within the default VLAN being routed back to PCs within the new VLAN" - and I don't want machines on the default VLAN at all.

Basically, what I want is the cisco switch to act as if there are two completely different switches, and I want no traffic going between them.

I'll see if I can do a visual representation of what I want:

-------   is Ethernet cables

____  is fiber optic cables

[external] is an external machine outside the setup - it has a static IP

[netgear] is just a netgear 4-port switch

[test] is a test machine - it's inside the enclosure, and has a static IP

[corporate] is a connection to the corporate network and internet

[debugger] is an external debugger - it should be in the enclosure, but connected to the corporate network

                         [Cisco switch, outside]      [Cisco switch, inside]
[external]---[netgear]---(port1, VLAN2)               (port1, VLAN2)---[netgear]---[test]
                         (port2, VLAN2)               (port2, VLAN2)
                         (port3, VLAN2)               (port3, VLAN2)
(Corporate)              (port4, VLAN2)               (port4, VLAN2)
(dhcp, from a switch)----(port5, VLAN3)               (port5, VLAN3)---[debugger]
                         (port6, VLAN3)               (port6, VLAN3)
                         (port7, VLAN3)               (port7, VLAN3)
                         (port8, VLAN1)               (port8, VLAN1)
                         (port9, VLAN2)_______________(port9, VLAN2)
                         (port10, VLAN3)______________(port10, VLAN3)

The above is how I would like my setup to work.

VLAN1 is only on port 8 for both switches, and has nothing plugged into it, unless I'm actively changing the configuration.

VLAN2 is a static network where I've manually set everything to be 192.168.0.X, so that my test machines can all talk to each other, and so that I can access them from outside the enclosure - they have no virus protection, however, so I don't want them connected at all to the outside world

VLAN3 is the corporate network, and has dhcp, and access to the internet - I have an external debugger set up to monitor my test machine - and this connection needs to be able to reach the outside to download things from the Microsoft website.

I never want any traffic going between the different VLANs - I want it to be as if they're completely separate switches. 

With the setup as shown above, VLAN2 is working - but VLAN3 isn't - I never get an ip address.

However, if I swap cables, and plug the corporate network and the debugger into port 1, and the external machine and test machines into port 5 - then VLAN2 does work, and the debugger correctly gets the IP address from dhcp - but my static IP address machines can no longer talk to each other, so VLAN3 again isn't working.  This makes me think that it's not a matter of the DHCP failing - but that for some reason VLAN3 is broken, and not sending any traffic.

To recap, removing useless ports:

VLAN2 is static, and works; VLAN3 is dhcp, and doesn't:

                         [Cisco switch, outside]      [Cisco switch, inside]
[external]---[netgear]---(port1, VLAN2)               (port1, VLAN2)---[netgear]---[test]
(Corporate)--------------(port5, VLAN3)               (port5, VLAN3)---[debugger]
                         (port8, VLAN1)               (port8, VLAN1)
                         (port9, VLAN2)_______________(port9, VLAN2)
                         (port10, VLAN3)______________(port10, VLAN3)

VLAN2 is dhcp, and works; VLAN3 is static, and doesn't:

                         [Cisco switch, outside]      [Cisco switch, inside]
(Corporate)--------------(port1, VLAN2)               (port1, VLAN2)---[debugger]
[external]---[netgear]---(port5, VLAN3)               (port5, VLAN3)---[netgear]---[test]
                         (port8, VLAN1)               (port8, VLAN1)
                         (port9, VLAN2)_______________(port9, VLAN2)
                         (port10, VLAN3)______________(port10, VLAN3)

VLAN2 is static, and works; VLAN3 is dhcp, and the debugger gets an IP address and works - because the outside connection is working, but the inside seemingly isn't:

                         [Cisco switch, outside]      [Cisco switch, inside]
[external]---[netgear]---(port1, VLAN2)               (port1, VLAN2)---[netgear]---[test]
(Corporate)--------------(port5, VLAN3)               (port5, VLAN3)
[debugger]---------------(port6, VLAN3)               (port6, VLAN3)
                         (port8, VLAN1)               (port8, VLAN1)
                         (port9, VLAN2)_______________(port9, VLAN2)
                         (port10, VLAN3)______________(port10, VLAN3)


Hi Jason,

Yeah, you're dead right, my idea helps to route between VLANs, something you don't want to happen.

Gotta admit your "visual representation" above needs some slight work.

Can you please humour me and try something for me;

You basically have an identical configuration on both machines, except for the  management IP address in VLAN1, which will be different on both machines.

I won't touch that in my configuration below, so modify the IP addresses to suit your needs on both switches, and the host name on the second switch to maybe SG300-2.

Just connect the two switches together via Gig port 10, with a single Ethernet cable.  We will make use of VLAN technology to separate the VLANs so they don't 'talk' to each other.

Basically I used the VLAN section of the GUI to;

make ports 1-4 untagged in VLAN 8

make port 10 tagged in VLAN 8

make ports 5-7 untagged in vlan 1008

make port 10 tagged in VLAN 1008

It left ports 8 and 9 still in the default vlan 1.

I then saved by clicking the save button at the top right-hand side of the screen.

You may try, if you wish, to copy and paste the configuration into your switches.

Just remember to use only Gig port 10 to connect the two switches together.

You could try pasting the following into the 300 series switch, by putting the console into configuration mode with the keyword config.

Gotta admit the GUI is easier.

User Name:dave
Password:******

SG300-10#conf
SG300-10(config)#
! Port 10 is the only cable between the two switches
interface gi10
spanning-tree link-type point-to-point
exit

! Create both VLANs
vlan database
vlan 8,1008
exit

! Management address on VLAN 1 (different on each switch); turn DHCP off
! on the interface before assigning the static address
interface vlan 1
no ip address dhcp
ip address 192.168.20.10 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.20.1

bonjour interface range vlan 1
hostname SG300-1
! Disables password complexity checking; weaker than the default
no passwords complexity enable
! Telnet is cleartext; "ip ssh server" is the encrypted alternative
ip telnet server

! Ports 1-4: untagged (native) in VLAN 8
interface range gi1-4
switchport trunk native vlan 8
exit

! Ports 5-7: untagged (native) in VLAN 1008
interface range gi5-7
switchport trunk native vlan 1008
exit

! Port 10: 802.1Q trunk, VLAN 8 and VLAN 1008 tagged, VLAN 1 stays untagged
interface gigabitethernet10
switchport trunk allowed vlan add 8,1008
exit

interface vlan 8
name Coffin8
exit

interface vlan 1008
name 8-Corp
exit

SG300-1#write     (saves the configuration)
Overwrite file [startup-config] ?[Yes/press any key for no]....yes

The configuration makes use of port 10 to transport untagged VLAN1 frames, tagged VLAN 8 and VLAN 1008 frames.

What do you reckon, worth a try?

Let me know how you went.

regards dave
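The isolation Dave describes above (ports 1-4 untagged in VLAN 8, ports 5-7 untagged in VLAN 1008, one 802.1Q trunk on port 10 carrying both VLANs tagged) can be checked in a small model. The following Python is an added example, not code from this thread or from Cisco: it encodes and decodes 802.1Q tags, models each SG300 as a learning bridge with per-port untagged (PVID) and tagged membership, and wires two of them together. The port and VLAN numbers follow Dave's config; the host names follow Jason's diagram; the MAC addresses and payloads are constructed. A second layout reproduces Jason's two parallel untagged links with port 10 in the Discarding state his spanning-tree table reported, which on its own is enough to explain why nothing on VLAN 1008 crossed between the switches.

```python
import struct
from collections import defaultdict

ETH_P_8021Q = 0x8100
BROADCAST = b"\xff" * 6
# Constructed source MACs for the two sending hosts (assumption, not from the thread).
MAC = {"test": b"\x02\x00\x00\x00\x00\x01", "corporate": b"\x02\x00\x00\x00\x00\x02"}

def build_frame(dst, src, payload, vid=None, ethertype=0x0800):
    """Ethernet II frame; with vid, insert an 802.1Q tag (TPID 0x8100, PCP/DEI 0)."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vid <= 4094:            # 12-bit VID; 0 and 4095 are reserved
        raise ValueError("bad VID")
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, vid, ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return dst, src, None, ethertype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]

class Switch:  # learning bridge with per-port untagged (PVID) and tagged membership
    def __init__(self):
        self.pvid = {}                    # port -> VLAN carried untagged
        self.tagged = defaultdict(set)    # port -> VLANs carried tagged
        self.link = {}                    # port -> (peer switch, peer port)
        self.host = {}                    # port -> attached host name
        self.blocked = set()              # ports in STP Discarding state
        self.fdb = {}                     # (vid, mac) -> port, learned per VLAN
        self.delivered = []               # (host, vid, payload) handed to hosts

    def members(self, vid):
        return {p for p, v in self.pvid.items() if v == vid} | {p for p, s in self.tagged.items() if vid in s}

    def ingress(self, port, frame):
        if port in self.blocked:
            return
        dst, src, vid, et, payload = parse_frame(frame)
        if vid is None:
            vid = self.pvid.get(port)     # untagged frame: classify by PVID
        elif vid not in self.tagged[port]:
            vid = None                    # tagged for a VLAN this port does not carry
        if vid is None:
            return                        # nowhere to put it: drop
        self.fdb[(vid, src)] = port
        known = self.fdb.get((vid, dst))
        if known == port:
            return                        # destination is on the ingress segment
        for out in ([known] if known is not None else sorted(self.members(vid) - {port})):
            self.egress(out, vid, dst, src, et, payload)

    def egress(self, port, vid, dst, src, et, payload):
        if port in self.blocked:
            return
        if port in self.host:
            self.delivered.append((self.host[port], vid, payload))
        elif port in self.link:
            if vid in self.tagged[port]:
                frame = build_frame(dst, src, payload, vid, et)
            elif self.pvid.get(port) == vid:
                frame = build_frame(dst, src, payload, None, et)
            else:
                return                    # port is not a member of this VLAN
            peer, peer_port = self.link[port]
            peer.ingress(peer_port, frame)

def build(parallel_untagged_links=False):
    """Dave's layout (one tagged trunk on port 10) or, with the flag, Jason's
    (port 9 untagged in 8, port 10 untagged in 1008, port 10 Discarding)."""
    out, ins = Switch(), Switch()
    for sw in (out, ins):
        sw.pvid.update({1: 8, 2: 8, 3: 8, 4: 8, 5: 1008, 6: 1008, 7: 1008, 8: 1})
        if parallel_untagged_links:
            sw.pvid.update({9: 8, 10: 1008})
            sw.blocked.add(10)
        else:
            sw.pvid[10] = 1
            sw.tagged[10] |= {8, 1008}
    for p in ([9, 10] if parallel_untagged_links else [10]):
        out.link[p], ins.link[p] = (ins, p), (out, p)
    out.host[1], ins.host[1] = "external", "test"
    out.host[5], ins.host[5] = "corporate", "debugger"
    return out, ins

def run(parallel_untagged_links=False):
    """Test machine broadcasts on VLAN 8, corporate DHCP server on VLAN 1008."""
    out, ins = build(parallel_untagged_links)
    ins.ingress(1, build_frame(BROADCAST, MAC["test"], b"arp-request"))
    out.ingress(5, build_frame(BROADCAST, MAC["corporate"], b"dhcp-offer"))
    return sorted(out.delivered + ins.delivered)

def tagged_frame_on_host_port():
    """Host on an untagged VLAN 8 port sends a frame tagged 1008: dropped at ingress."""
    out, ins = build()
    ins.ingress(1, build_frame(BROADCAST, MAC["test"], b"hop", vid=1008))
    return out.delivered + ins.delivered
```

With Dave's layout, `run()` delivers the VLAN 8 broadcast only to `external` and the VLAN 1008 broadcast only to `debugger`; with the parallel untagged links and port 10 discarding, only the VLAN 8 broadcast gets across. `tagged_frame_on_host_port()` shows the model rejecting a 1008-tagged frame arriving on a port that carries 1008 neither tagged nor untagged; real switches differ in how they treat tagged frames on untagged-only ports, so this last behaviour is an assumption of the model and worth verifying on the hardware before relying on it as an isolation boundary.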

Interface   IP Address Type   IP Address     Mask           Status
VLAN 1      Static            172.26.0.192   255.255.0.0    Valid
VLAN 2      Static            172.27.0.1     255.255.0.0    Valid

The default gateway is 172.26.0.252.

Hi Mark,

I am only guesstimating what your question may be.

The router at 172.26.0.252 must also know where the 172.27.0.0 network is, so the router knows where this network is and can send responses back to that network.

The router will have to have a static route entry, maybe like this, and I'll verbalize the route statement it needs:

To get to the ip network =172.27.0.0  with a netmask of 255.255.0.0 the nexthop will be 172.26.0.192

dave
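Dave's verbalized route statement, and step 4 of his first reply, both come down to the same thing: the switch routes between its VLANs, but the upstream router has to be told where the new network lives or its replies never come back. The following Python is an added example, not code from the thread: a longest-prefix-match lookup over constructed routing tables for Mark's switch (VLAN 1 and VLAN 2 connected, default to 172.26.0.252) and for the router, run once without and once with the static route. The tables, the host address 172.27.0.10 and the destination 203.0.113.5 are assumptions; the addresses on the switch and the router are the ones Mark posted.

```python
import ipaddress

# Constructed tables (assumptions): the switch has VLAN 1 and VLAN 2 connected
# and defaults to the router; the router knows 172.26.0.0/16 and a default only.
SWITCH = [("172.26.0.0/16", "connected: VLAN 1"),
          ("172.27.0.0/16", "connected: VLAN 2"),
          ("0.0.0.0/0", "172.26.0.252")]
ROUTER_BEFORE = [("172.26.0.0/16", "connected: LAN"),
                 ("0.0.0.0/0", "ISP uplink")]
# Dave's static route: 172.27.0.0/16 via the switch's VLAN 1 address.
ROUTER_AFTER = ROUTER_BEFORE + [("172.27.0.0/16", "172.26.0.192")]
SWITCH_ADDRS = {"172.26.0.192", "172.27.0.1"}

def lookup(table, dst):
    """Longest-prefix match: return (network, next_hop) for the most specific
    prefix containing dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def next_hop_reachable(table, next_hop):
    """A static route only works if its next hop lies on a connected network."""
    try:
        nh = ipaddress.ip_address(next_hop)
    except ValueError:
        return True                     # "connected: ..." entries need no next hop
    return any(nh in ipaddress.ip_network(p)
               for p, via in table if via.startswith("connected"))

def round_trip(router_table, host="172.27.0.10", server="203.0.113.5"):
    """Where the switch sends the VLAN 2 host's packet, where the router sends
    the reply, and whether that reply gets back to the switch at all."""
    forward = lookup(SWITCH, server)[1]
    _, back = lookup(router_table, host)
    returns_to_switch = back in SWITCH_ADDRS and next_hop_reachable(router_table, back)
    return forward, back, returns_to_switch
```

Without the route, the reply to a 172.27.0.10 host matches only the router's default and leaves via the ISP uplink; with it, the /16 wins the longest-prefix match and the reply goes to 172.26.0.192, which is reachable because it sits on the router's connected 172.26.0.0/16. The `next_hop_reachable` check is the one to run before blaming the switch: a static route whose next hop is not on a connected network is installed but useless.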