SG-200-26 Access Port Configuration

Logan Kampsnider · ‎11-01-2012

I'm having troubles setting up a separate VLAN for wireless on a SG-200-26. My first question is why did Cisco not make the VLAN setup like they have all their other business class switches? Anyways, the Access and General modes on these SG class switches are throwing me for a loop.

Right now I just have one port (g10) on the SG-200 switch that needs to be in VLAN 6, which is our wireless VLAN. All other ports are in their default VLAN, which is 1.

Here's what I've done...

Configured port G1 (trunk to another switch) as the trunk port and Port G10 (attached to WAP) as a general port. All other ports stayed in their default configuration. This is what it looks like now...

Port Mode PVID Operational VLANs

g1 Trunk 1 1U, 6T

g2 Trunk 1 1U

g3 Trunk 1 1U

g4 Trunk 1 1U

g5 Trunk 1 1U

g6 Trunk 1 1U

g7 Trunk 1 1U

g8 Trunk 1 1U

g9 Trunk 1 1U

g10 General 6 6U

I'm pretty sure port G1 is configured correctly, but I have no idea about what port g10 should look like. Common sense tells me it should be an Access port and assign it to VLAN 6, but apparently you cannot tag the traffic within an Access port on SG switches, which makes it useless because how will other switches recognize what VLAN the packets are in? So the next logical mode would be General mode, which I put in VLAN 6. I switched that port from being 6U (untagged) to 6T (tagged), but neither seemed to work.

I'd be eternally grateful if anyone with familiarity with VLANs on SG switches could explain how port g10 should be configured for VLAN 6 traffic.

Thank you,

Logan

Tom Watts · ‎11-01-2012

Hi Logan, what other equipment is on the LAN? What is the layer 3 device that allows the intervlan communication? What is the DHCP server?

Right now the switch config is correct, but g10 should be vlan 6 untagged, access.

If you'd like to know how the vlans of the switch work I'd recommend to read about 802.1q. As it specifies there must be a native vlan member (untagged) and if you wish multiple vlans across a port, they are tagged. If there are not multiple vlan to the port, the native vlan member is untagged.

Without further information, I'm suspecting you're running in to a problem where 802.1q encapsulation isn't enabled upstream

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Logan Kampsnider · ‎11-02-2012

Thanks Thomas. I think I was looking at it wrong regarding the SG switch saying that access mode ports do not tag traffic. It looks like it's from the viewpoint of how the ingress traffic looks. So, a port in access mode assumes that traffic coming in is untagged. Once that traffic ingresses into the port it is then tagged with the VLAN specified for that port. Does this sound right? It's just confusing how the SG switches describe the access mode ports as the PVID being untagged, when it actually is being tagged after data ingresses into the port.

By the way, the layer 3 device is an ASA 5510, which is also performing DHCP for the VLAN.

As you mentioned, I think my core issue is the upstream trunking configuration, which I'm looking into.

Thanks for your help,

Logan

Tom Watts · ‎11-02-2012

As far as I understand the ASA, the sub interfaces automatically use 802.1q. I also think the interfaces can't have the same security level. This means if your sub interface 0.1 is security-level 90, sub interface 0.2 should be security-level 80. If the interfaces have the sames security level they cannot communicate to each other.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Logan Kampsnider · ‎11-02-2012

Hi Thomas. The ASA actually (with the proper licensing) let's you route between VLANs. You just set up individual VLAN interfaces (no sub-interfaces required) and you can then assign the same security level between VLANs. We have another Adtran switch with an Access Point on the separate VLAN already working just fine.