06-04-2019 01:06 AM
I am wondering if someone can help me out as I am having a heck of a time grasping how to get this setup on this Cisco SG350 switch.
I have 2 VLANs, 130 & 150, on which I would like to segment any type of Layer 2 traffic; one will be part of a Guest WiFi network while the other will be for Guest LAN ports. From what I have gathered I need to use Private VLANs and each would be configured as an Isolated VLAN. I guess I must create a Primary Private VLAN (not understanding the point of this Primary VLAN, but I created one) and called this VLAN 120. I also have some other VLANs: VLAN 10 (default VLAN), VLAN 99 (used to manage my WiFi Access Points) & VLAN 100 (used for network devices such as switches and UPS, etc.). These three VLANs are not Private and Layer 2 traffic is required.
On my switch ports are setup as follows:
GE1/4 – Uplink to my router, VLAN 10 Untagged, VLAN 99 & 100 Tagged
GE1/5 – Uplink to my router, VLAN 130 Untagged
GE1/6 – Uplink to my router, VLAN 150 Untagged
GE1/10 – Uplink to my Wireless AP, (Member of LAG #1 - VLAN 99 Untagged, VLAN 130 Tagged)
GE1/11 – Uplink to my Wireless AP, (Member of LAG #1 - VLAN 99 Untagged, VLAN 130 Tagged)
GE1/12 – Guest Port VLAN 150 Untagged
GE1/13 – Guest Port VLAN 150 Untagged
Do I need a separate Primary VLAN for each Isolated VLAN? Am I going to run into issues with GE1/10 & 11 because they need to contain both Private & non-Private VLANs? Will this work having those uplinks to my wireless AP on a LACP LAG?
Hope I make sense!
06-04-2019 06:10 AM - edited 06-04-2019 06:19 AM
Hello,
First of all, the router port has to belong to the primary VLAN only, in your case VLAN 120.
For each primary VLAN only one secondary VLAN of type isolated is supported, as there is no need to have more than one: isolated means speaking only to promiscuous ports in the primary VLAN.
So in your case, if you want to keep guest WiFi and guest wired access separate, you need:
two separate IP subnets
two primary VLANs, like 120 and 121
For each primary VLAN you can define a secondary isolated VLAN.
Edit:
To verify support of private VLANs we can refer to the user guide:
https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/350xg/admin_guide/AG_Tesla_350_550.pdf
Yes, full support of Private VLANs is present; see page 202 and following of the user guide linked above.
Hope to help
Giuseppe
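Giuseppe's answer in CLI form, as an added example that is not part of the thread and not taken from the Cisco user guide: two primary private VLANs, each with a single isolated secondary VLAN, a promiscuous router port per primary, and the guest wired ports as host ports. VLAN IDs follow the thread (120/121 primary as suggested above, 130 for guest WiFi, 150 for guest wired); the `gi1/0/N` interface names are an assumed mapping of the poster's GE1/N labels and the `name` strings are made up, so adjust both to the real switch.

```cisco
! Added example (not from the thread or the Cisco guide): two primary private VLANs,
! each with one isolated secondary VLAN, in Cisco 350-series CLI syntax.
! VLAN IDs follow the thread; gi1/0/N port names are an assumed mapping of the
! poster's GE1/N labels and must be adjusted to the real switch.
configure terminal
vlan database
 vlan 120,121,130,150
exit
! Primary VLANs: the promiscuous (router) ports live here, and each primary is
! associated with exactly one isolated secondary VLAN.
interface vlan 120
 name GuestWiFi-Primary
 private-vlan primary
 private-vlan association add 130
exit
interface vlan 121
 name GuestLAN-Primary
 private-vlan primary
 private-vlan association add 150
exit
! Isolated secondary VLANs: hosts in these VLANs can reach only promiscuous ports,
! never each other, which is the client-to-client blocking the poster is after.
interface vlan 130
 name GuestWiFi-Isolated
 private-vlan isolated
exit
interface vlan 150
 name GuestLAN-Isolated
 private-vlan isolated
exit
! Router uplinks (poster's GE1/5 and GE1/6): promiscuous ports in the primary VLAN,
! mapped to the isolated VLAN so guest traffic can reach the router and nothing else.
interface gi1/0/5
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 120 add 130
exit
interface gi1/0/6
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 121 add 150
exit
! Guest wired ports (poster's GE1/12 and GE1/13): host ports associated with
! primary 121 / isolated 150.
interface range gi1/0/12-13
 switchport mode private-vlan host
 switchport private-vlan host-association 121 150
exit
end
! Verify: each secondary VLAN should list its primary, its type (isolated) and
! the host ports, and each primary should show its promiscuous port.
show vlan private-vlan
```

The example deliberately leaves out the AP uplink LAG (GE1/10 and GE1/11), which also has to carry the non-private management VLAN 99 untagged alongside the isolated guest VLAN; the thread does not settle how a private-VLAN host port can carry an ordinary VLAN as well, so that part is not shown here. After applying the configuration, confirm the isolation from two guest hosts on the same switch (for example by pinging one from the other) rather than trusting the VLAN table alone.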
06-05-2019 03:22 AM
Here is my issue: I am trying to stop client A from talking to client B. I have Guest Isolation enabled on my UniFi APs and it works, BUT only when two clients are on the same AP. If I have clients connected to two different APs they can talk to each other. I want to set up PVLAN Isolation on my switch to prevent the 2 clients from talking.
The issue I run into is getting my non-private VLAN 99 traffic untagged on those wireless AP uplinks. Once I change those ports GE1/15, 16 or 17 from “Trunk” to “Private VLAN – Host” I am unable to add VLAN 99 as anything other than a community VLAN. Not sure what I am doing wrong here. Seems like a common setup, but I just can’t get it working 100%.
I essentially need to convert my LAG & GE1/17 to a port which is a Private VLAN port with Isolated VLAN 410, but is also untagged in VLAN 99.
Hope this makes sense, thanks in advance!
Here is my horrible network diagram:
Here are my VLAN descriptions:
Here are my switch port descriptions on my Cisco SMB SG350 switch: