04-29-2015 10:14 AM
I am setting up a test lab with multiple identical installations of hardware. At each bench installation spot we have an SG200-18 to handle network traffic at this instance. At each instance there is a control PC and a line feeding to our lab network, taking two ports on the SG200. These two ports are on the default VLAN. At each instance there are also two device fixtures, each with multiple independent Ethernet devices connected to each fixture. Each fixture's devices need to be isolated from the other fixture's devices, and also isolated from the lab network (basically two stand-alone networks at each bench location). All addresses are static, no DHCP. In my configuration testing, I have each of these fixtures configured on the SG200 as separate VLANs on the SG200 for the ports each fixture uses, and this works fine for devices connected to each VLAN's ports - they can see each other, but nothing else. Essentially 6 ports are on the default VLAN, 6 are configured for fixture 1, and 6 are for fixture 2.
However, there is also a requirement to have the PC at the instance be able to reach into each VLAN to contact devices within each fixture. The device VLAN should only have visibility to the PC and not the test network itself, and this is where I'm struggling. I cannot seem to get the configuration set right on the SG200 to do this. Is this something that the SG200 can even do?
Basically, on each fixture VLAN, it should only see itself and the control PC, nothing else. On the default VLAN, only the port connected to the PC should have visibility into the fixture VLAN ports and the other 5 ports on the default VLAN should not be able to see into the VLANs. The default VLAN ports should all be able to see each other. There is no need to have VLAN connectivity outside each bench installation, so each bench installation will have different VLAN numbers that do not need to talk to other VLANs on different SG200s.
I have tried many permutations of Trunk/General modes and Operational VLAN configurations (Tagged, Untagged, etc.) for the PC port to no avail.
Any suggestions / tips are greatly appreciated.
Scott
05-08-2015 07:11 AM
Hi Scott,
The configuration you describe would require a layer 3 device with Access Control Lists or possibly Private VLAN capability. The SG300 series has these features but the SG200 does not. Depending on the type of router you have available you might be able to obtain the desired effect with existing equipment. Otherwise a hardware upgrade would be necessary.
Regards,
Mike.V
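A small model of the layer 3 ACL approach suggested in the reply above, added here as an example and not taken from the thread or from any switch configuration: it evaluates a first-match ACL against the isolation requirements stated in the question and reports every host pair where the two disagree. The subnets, host addresses and both rule sets are constructed assumptions, as is the premise that each VLAN has its own subnet routed by the layer 3 device.

```python
import ipaddress as ip

# Constructed addressing plan: the thread gives no subnets, so these are assumptions.
NETS = {"default": ip.ip_network("10.0.0.0/24"),
        "fixture1": ip.ip_network("192.168.10.0/24"),
        "fixture2": ip.ip_network("192.168.20.0/24")}
HOSTS = {"control_pc": ip.ip_address("10.0.0.10"),
         "lab_host": ip.ip_address("10.0.0.20"),
         "f1_dev": ip.ip_address("192.168.10.5"),
         "f2_dev": ip.ip_address("192.168.20.5")}
PC = ip.ip_network("10.0.0.10/32")
ANY = ip.ip_network("0.0.0.0/0")
D, F1, F2 = NETS["default"], NETS["fixture1"], NETS["fixture2"]

# First-match rules for routed (inter-VLAN) traffic: (action, source, destination).
STRICT_ACL = [("permit", PC, F1), ("permit", F1, PC),
              ("permit", PC, F2), ("permit", F2, PC),
              ("deny", ANY, ANY)]
# Weak variant: permits the whole default VLAN instead of only the PC's /32.
LOOSE_ACL = [("permit", D, F1), ("permit", F1, D),
             ("permit", D, F2), ("permit", F2, D),
             ("deny", ANY, ANY)]

def vlan_of(addr):
    return next(name for name, net in NETS.items() if addr in net)

def allowed(acl, src, dst):
    if vlan_of(src) == vlan_of(dst):
        return True  # same VLAN: switched at layer 2, the ACL never sees it
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False  # implicit deny when no rule matches

def required(a, b):
    # Policy from the question: a fixture reaches only itself and the control PC.
    return vlan_of(HOSTS[a]) == vlan_of(HOSTS[b]) or "control_pc" in (a, b)

def audit(acl):
    """Return (src, dst) host pairs where the ACL disagrees with the policy."""
    return sorted((a, b) for a in HOSTS for b in HOSTS
                  if a != b and allowed(acl, HOSTS[a], HOSTS[b]) != required(a, b))

if __name__ == "__main__":
    print("strict:", audit(STRICT_ACL))
    print("loose: ", audit(LOOSE_ACL))
```

The strict rule set produces no violations, while the loose one exposes both fixtures to every host on the default VLAN.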