07-21-2011 03:23 PM
Hey guys,
I'm running into a bit of trouble with my setup, and hopefully you can help me out. I have a set of Cisco SG-300-10s.
What I would like to have is two separate networks going into the enclosure - one that has dhcp, and one that uses static ip addresses. When I first tried setting things up, I didn't set anything, I just plugged things in - so I was running into problems with bridging, with the staticked machines being accessible from the DHCP network; this isn't what I want, as the staticked machines need to be kept separate.
So here's what I've done so far (on each switch)
Gone to the management tab, and set a static IP address for management with VLAN1.
Created 2 VLANs - one named Coffin8, with the ID 8, and one named 8-Corp, with the ID 1008.
I've then assigned ports 1, 2, 3, 4, and 9 to VLAN8, and ports 5, 6, 7, and 10 to VLAN1008, leaving port 8 on VLAN1 as the default network, in case I need to make additional changes.
For the static network, I have it coming through port1, through the fiber optic, and coming out through port1. This portion seems to be working great.
For the DHCP network, I have it coming through port5, through the fiber optic, and coming out port5. This portion is NOT working, as it's not picking up an IP address. If I plug the machine directly into the outer switch (so it's not actually using the fiber optic) it does get an IP address, so it seems to be a problem with my VLAN setup not quite working right between the two switches?
A coworker said that he ran into this same problem in his setup, and solved it using Spanning Trees, but doesn't remember exactly how - something about setting it up on one of the VLANs, and disabling it on the other?
Looking at the Spanning Tree Interfaces tab on the setup inside the enclosure, it says that port8 is ROOT, that ports 1 and 9 are "Designated", and that port 5 is also "Designated", but port10 is "Alternate." Also, while all of the other ports that are in use have their port state set to "Forwarding," port10's is set to "Discarding."
I'm obviously missing something - what have I done wrong, and how can I fix it?
Thanks.
-Jason Smith
07-21-2011 06:50 PM
Hi Jason,
I'm guessing you need to be in layer 3 mode to be able to switch between VLANs at Layer 3.
Step 1.
From the console or telnet window, if you are presented with the CLI interface, then type menu.
Step 2.
Within the menu change the switch mode to layer three mode.
This will reset the switch back to factory defaults.
Step 3.
Go back to the GUI after you discover the switch's new IP address.
Create a new VLAN for this new VLAN segment you want, but assign an IPv4 address to this VLAN.
This IPv4 address will be the gateway address for PCs that reside within this new vlan.
Step 4.
So if you create vlan 2 within the switch and assign a IPv4 address of 192.168.2.1 mask=255.255.255.0
You will most likely have to setup a static route within your WAN router that points to this network, so that PC's within the default VLAN will be routed back to PC's within the new VLAN.
The route statement in the router will be maybe something like 192.168.2.0 mask=255.255.255.0 gateway=IPv4 address of VLAN1 on the switch.
I hope this is what you want.
regards Dave
07-21-2011 08:13 PM
I don't think I have access to the WAN router, and I don't know enough to know if your suggestion is what I want, although it doesn't quite sound right to me, because you mention "PCs within the default VLAN being routed back to PCs within the new VLAN" - and I don't want machines on the default VLAN at all.
Basically, what I want is the cisco switch to act as if there are two completely different switches, and I want no traffic going between them.
I'll see if I can do a visual representation of what I want:
------- is Ethernet cables
____ is fiber optic cables
[external] is an external machine outside the setup - it has a static IP
[netgear] is just a netgear 4-port switch
[test] is a test machine - its inside the enclosure, and has a static IP
[corporate] is a connection to the corporate network and internet
[debugger] is an external debugger - it should be in the enclosure, but connected to the corporate network
                                    [Cisco switch, outside]    [Cisco switch, inside]
[external]------[netgear]-----------(port1, VLAN2)             (port1, VLAN2)----[netgear]----[test]
                                    (port2, VLAN2)             (port2, VLAN2)
                                    (port3, VLAN2)             (port3, VLAN2)
(Corporate)                         (port4, VLAN2)             (port4, VLAN2)
(dhcp, from a switch)---------------(port5, VLAN3)             (port5, VLAN3)--------[debugger]
                                    (port6, VLAN3)             (port6, VLAN3)
                                    (port7, VLAN3)             (port7, VLAN3)
                                    (port8, VLAN1)             (port8, VLAN1)
                                    (port9, VLAN2)_____________(port9, VLAN2)
                                    (port10, VLAN3)____________(port10, VLAN3)
The above is how I would like my setup to work.
VLAN1 is only on port 8 for both switches, and has nothing plugged into it, unless I'm actively changing the configuration.
VLAN2 is a static network where I've manually set everything to be 192.168.0.X, so that my test machines can all talk to each other, and so that I can access them from outside the enclosure - they have no virus protection, however, so I don't want them connected at all to the outside world
VLAN3 is the corporate network, and has dhcp, and access to the internet - I have an external debugger set up to monitor my test machine - and this connection needs to be able to reach the outside to download things from the Microsoft website.
I never want any traffic going between the different VLANs - I want it to be as if they're completely separate switches.
With the setup as shown above, VLAN2 is working - but VLAN3 isn't - I never get an ip address.
However, if I swap cables, and plug the corporate network and the debugger into port 1, and the external machine and test machines into port 5 - then VLAN2 does work, and debugger correctly gets the ip address from dhcp - but my static ip address machines can no longer talk to each other, so VLAN3 again isn't working. This makes me think that it's not a matter of the DHCP failing - but that for some reason VLAN3 is broken, and not sending any traffic.
To recap, removing useless ports:
VLAN2 is static, and works; VLAN3 is dhcp, and doesn't:
                                    [Cisco switch, outside]    [Cisco switch, inside]
[external]------[netgear]-----------(port1, VLAN2)             (port1, VLAN2)----[netgear]----[test]
(Corporate)-------------------------(port5, VLAN3)             (port5, VLAN3)--------[debugger]
                                    (port8, VLAN1)             (port8, VLAN1)
                                    (port9, VLAN2)_____________(port9, VLAN2)
                                    (port10, VLAN3)____________(port10, VLAN3)
VLAN2 is dhcp, and works; VLAN3 is static, and doesn't:
                                    [Cisco switch, outside]    [Cisco switch, inside]
(Corporate)-------------------------(port1, VLAN2)             (port1, VLAN2)--------[debugger]
[external]------[netgear]-----------(port5, VLAN3)             (port5, VLAN3)----[netgear]----[test]
                                    (port8, VLAN1)             (port8, VLAN1)
                                    (port9, VLAN2)_____________(port9, VLAN2)
                                    (port10, VLAN3)____________(port10, VLAN3)
VLAN2 is static, and works; VLAN3 is dhcp, and debugger gets an IP address and works - because the outside connection is working, but the inside seemingly isn't:
                                    [Cisco switch, outside]    [Cisco switch, inside]
[external]------[netgear]-----------(port1, VLAN2)             (port1, VLAN2)----[netgear]----[test]
(Corporate)-------------------------(port5, VLAN3)             (port5, VLAN3)
[debugger]--------------------------(port6, VLAN3)             (port6, VLAN3)
                                    (port8, VLAN1)             (port8, VLAN1)
                                    (port9, VLAN2)_____________(port9, VLAN2)
                                    (port10, VLAN3)____________(port10, VLAN3)
*Edited to try to make examples fit. Message was edited by: Jason Smith
07-22-2011 07:10 AM
Hi Jason,
Yeah, you're dead right, my idea helps to route between VLANs, something you don't want to happen.
Gotta admit your "visual representation" above needs some slight work.
Can you please humour me and try something for me:
You basically have an identical configuration on both machines, except for the management IP address in VLAN1, which will be different on both machines.
I won't touch that in my configuration below, so modify the IP addresses to suit your needs on both switches, and the host name on the second switch to maybe SG300-2.
Just connect the two switches together via Gig port 10, a single ethernet cable. We will make use of VLAN technology to separate the VLANs so they don't 'talk' to each other.
Basically I used the VLAN section of the GUI to:
make ports 1-4 untagged in VLAN 8
make port 10 tagged in VLAN 8
make ports 5-7 untagged in vlan 1008
make port 10 tagged in VLAN 1008
It left ports 8 and 9 still in the default vlan 1.
You may try, if you wish, a copy and paste of the configuration into your switches.
Just remember to use only Gig port 10 to connect the two switches together.
You could try pasting the following in blue into the 300 series switch , by putting the console into configuration mode, with the keyword config.
Gotta admit the GUI is easier
User Name:dave
Password:******
SG300-10#conf
SG300-10(config)#
interface gi10
spanning-tree link-type point-to-point
exit
vlan database
vlan 8,1008
exit
interface vlan 1
ip address 192.168.20.10 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.20.1
interface vlan 1
no ip address dhcp
exit
bonjour interface range vlan 1
hostname SG300-1
no passwords complexity enable
ip telnet server
interface gigabitethernet1
switchport trunk native vlan 8
exit
interface gigabitethernet2
switchport trunk native vlan 8
exit
interface gigabitethernet3
switchport trunk native vlan 8
exit
interface gigabitethernet4
switchport trunk native vlan 8
exit
interface gigabitethernet5
switchport trunk native vlan 1008
exit
interface gigabitethernet6
switchport trunk native vlan 1008
exit
interface gigabitethernet7
switchport trunk native vlan 1008
exit
interface gigabitethernet10
switchport trunk allowed vlan add 8,1008
exit
interface vlan 8
name Coffin8
exit
interface vlan 1008
name 8-Corp
exit
SG300-1#write (saves the configuration)
Overwrite file [startup-config] ?[Yes/press any key for no]....yes
The configuration makes use of port 10 to transport untagged VLAN1 frames, tagged VLAN 8 and VLAN 1008 frames.
What do you reckon, worth a try ?
let me know how you went.
regards dave
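An added example, not part of Dave's post or of Cisco's tooling: a short Python check that parses configuration lines in the style posted above and confirms that VLAN 8 and VLAN 1008 meet only on the inter-switch port, where both are tagged. It assumes a port is untagged in its native VLAN (VLAN 1 unless set) and tagged only in VLANs added explicitly; the function names and the trimmed CONFIG excerpt are constructed for illustration.

```python
import re

# Constructed excerpt of the configuration posted above
# (ports 2-4 repeat port 1, ports 6-7 repeat port 5).
CONFIG = """\
ip telnet server
interface gi10
spanning-tree link-type point-to-point
exit
interface gigabitethernet1
switchport trunk native vlan 8
exit
interface gigabitethernet5
switchport trunk native vlan 1008
exit
interface gigabitethernet10
switchport trunk allowed vlan add 8,1008
exit
"""

def port_vlans(config, default_vlan=1):
    """Map port -> {'untagged': vlan, 'tagged': set of vlans}."""
    ports, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            m = re.fullmatch(r"interface (?:gigabitethernet|gi)(\d+)", line)
            cur = ports.setdefault(int(m.group(1)),
                {"untagged": default_vlan, "tagged": set()}) if m else None
        elif cur is not None:
            if m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
                cur["untagged"] = int(m.group(1))
            elif m := re.fullmatch(r"switchport trunk allowed vlan add ([\d,]+)", line):
                cur["tagged"] |= {int(v) for v in m.group(1).split(",")}
    return ports

def shared_ports(config, vlan_a, vlan_b, uplink):
    """Ports other than the uplink that belong to both VLANs (should be none)."""
    return [port for port, p in sorted(port_vlans(config).items())
            if port != uplink and {vlan_a, vlan_b} <= {p["untagged"]} | p["tagged"]]

def uplink_tags_both(config, vlan_a, vlan_b, uplink):
    """True when the inter-switch port carries both VLANs tagged."""
    return {vlan_a, vlan_b} <= port_vlans(config)[uplink]["tagged"]

def mgmt_findings(config):
    """Management-plane lines worth a second look (cleartext Telnet, relaxed passwords)."""
    watch = ("ip telnet server", "no passwords complexity enable")
    return [l.strip() for l in config.splitlines() if l.strip() in watch]

if __name__ == "__main__":
    print(port_vlans(CONFIG))
    print(shared_ports(CONFIG, 8, 1008, uplink=10), uplink_tags_both(CONFIG, 8, 1008, 10))
    print(mgmt_findings(CONFIG))
```

Running it against the saved configuration of each switch should give an empty shared-port list and a tagged uplink on both; any other port listed is a place where the two networks can leak into each other.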
09-10-2012 01:21 PM
VLAN 1
Interface: VLAN 1
IP Address Type: Static
IP Address: 172.26.0.192
Mask: 255.255.0.0
Status: Valid
VLAN 2
Interface: VLAN 2
IP Address Type: Static
IP Address: 172.27.0.1
Mask: 255.255.0.0
Status: Valid
The default gateway is 172.26.0.252.
09-16-2012 08:48 PM
Hi Mark,
I am only guesstimating what your question may be.
The router at 172.26.0.252 must also know where the 172.27.0.0 network is, so the router knows where this network is and can send responses back to that network.
The router will have to have a static route entry maybe like, and I'll verbalize the route statement it needs:
To get to the ip network =172.27.0.0 with a netmask of 255.255.0.0 the nexthop will be 172.26.0.192
dave