
Need help setting up MAC based VLANs

aseem1234
Level 1

Hi,

I'm pretty new to Cisco switches, so please bear with me while I ask fairly stupid questions. Firstly, I have a Cisco SG300-10 switch that I purchased so that I can create some VLANs at home. 

The switch resides in my basement and is connected directly behind my firewall device, which in turn connects directly to my ISP connection. Because the switch is in the basement and my house has two more floors, I have cable runs going from the switch to a wall outlet in the basement, 1st floor and second floor.

These are normal unmanaged switches. What I am trying to avoid, but I think will fail, is buying three more Cisco switches for the other locations. Is there any possible way to create a VLAN based on MAC address without all the switches being Cisco switches?

If not that, I'm guessing it's still possible to have each port on the switch be in its own VLAN, which would basically force me to have all devices on each floor in their separate VLANs, correct? Again, this is assuming I don't buy more Cisco switches. 

If I wanted to do this second option, can someone give me some guidance? I went to VLAN Management and then VLAN Settings and created a second VLAN. Then I went to Interface Settings and picked my port, but was confused as to which VLAN mode to pick: General, Access, Trunk, Customer, Private, etc!? In my test, I tried Access mode.

I then went to Port to VLAN and filtered on VLAN 2. Then I changed GE6, which is the port I want to edit, to Untagged. So VLAN mode was Access and Membership Type was Untagged. 

Finally, I went to Port VLAN Membership and I joined the GE6 port to VLAN 2, but I was confused as to whether I should leave 1UP in the box or not. Also, I chose Untagged.

When I did all of this, all devices connected to that GE6 port stopped working. I couldn't connect to any other device or the Internet. In order to get Internet access for a VLAN, do I have to add the default gateway (my pfSense firewall) to the new VLAN I am creating? 

I have attached screenshots of the various screens and a network diagram of my switches. 

Basically, I want to know firstly if I can create VLANs based solely on MAC addresses with just this one switch and if not, how can I get each port on a separate VLAN, but still allow each VLAN to communicate with the Internet. At this point, I don't want the VLANs to communicate with each other. 

Thanks!

AK

3 Replies

Hello,

The first thing you need to do on your SG300 is to change the system mode to layer 3:

Administration > System Settings > System Mode > L3

This will allow the VLANs you have created to communicate with each other. You need to reboot the switch for this change to take effect.

Then, configure all your ports except the uplink port that connects to the firewall as Protected Port. This will effectively provide layer 2 isolation between the ports:

Port Management > Port Settings > Protected Port

Check Chapter 9 > Step 5 in the user guide linked below, as this might be a bit hard to find:

http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf

Hi gpauwen,

Thanks for your help. I have gone ahead and enabled L3 mode and changed all the other ports except for the one going to my firewall to Protected ports. 

Now what should I do? At this point, what exactly have I done? All devices can still communicate with each other if they are all on VLAN 1?

At this point, how do I get different devices into different VLANs? Also, what if I only want certain devices to be able to communicate with another VLAN, but not other devices?

Thanks!


AK

Hello Aseem,

Once you configure the port as a protected port, it should not be able to talk to any other protected port, even if both are in the same VLAN. Have you applied the settings?

In order to assign a port to a VLAN, go to VLAN Management > Port to VLAN. (page 203/Chapter 13 in the User Manual).

http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf
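
The layer-2 rules discussed in this thread (untagged access-port VLAN membership and Protected Port), as an added Python model that is not from any poster and is not Cisco code. The topology, host names and every port other than GE6 are constructed assumptions, and the model covers only layer-2 forwarding on the one managed switch, with no inter-VLAN routing and the firewall assumed to sit untagged in VLAN 1.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Port:
    name: str
    vlan: int        # untagged (access) VLAN of the port
    protected: bool  # "Protected Port" checkbox

@dataclass(frozen=True)
class Host:
    name: str
    port: Port       # managed-switch port the host sits behind

def l2_reachable(a, b):
    """Return (allowed, reason) for layer-2 traffic between two hosts."""
    if a.port == b.port:
        # Both hang off the same unmanaged floor switch: frames are switched
        # there and never cross the managed switch, so no setting applies.
        return True, "same port (switched downstream)"
    if a.port.vlan != b.port.vlan:
        return False, "different VLANs"
    if a.port.protected and b.port.protected:
        return False, "both ports protected"
    return True, "same VLAN, at most one protected port"

def matrix(hosts):
    """Reachability for every host pair, keyed by (name, name)."""
    return {(a.name, b.name): l2_reachable(a, b)
            for a, b in combinations(hosts, 2)}

# Constructed topology: GE1 = uplink to the firewall, GE6/GE7 = floor runs.
def asker_test():
    # GE6 moved to VLAN 2 while the uplink stays untagged in VLAN 1.
    uplink, ge6 = Port("GE1", 1, False), Port("GE6", 2, False)
    return matrix([Host("firewall", uplink), Host("laptop", ge6)])

def reply_advice():
    # Everything in VLAN 1, every port except the uplink protected.
    uplink = Port("GE1", 1, False)
    ge6, ge7 = Port("GE6", 1, True), Port("GE7", 1, True)
    return matrix([Host("firewall", uplink), Host("laptop", ge6),
                   Host("camera", ge6), Host("tv", ge7)])

if __name__ == "__main__":
    for label, result in (("asker", asker_test()), ("reply", reply_advice())):
        for pair, (ok, why) in result.items():
            print(f"{label:6} {pair[0]:>8} <-> {pair[1]:<8} "
                  f"{'allow' if ok else 'block'}  ({why})")
```

The `laptop`/`camera` pair is the case to watch: two devices behind the same unmanaged floor switch share one managed port, so neither VLAN assignment nor Protected Port separates them.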
