Private VLAN - Cisco SG350

icehckyplyr22
Level 1

I am wondering if someone can help me out as I am having a heck of a time grasping how to get this setup on this Cisco SG350 switch.

 

I have 2 VLANs, 130 & 150, on which I would like to segment any type of Layer 2 traffic; one will be part of a Guest WiFi network while the other will be for Guest LAN ports. From what I have gathered I need to use Private VLANs and each would be configured as an Isolated VLAN. I guess I must create a Primary Private VLAN (not understanding the point of this Primary VLAN, but I created one) and called this VLAN 120. I also have some other VLANs: VLAN 10 (default VLAN), VLAN 99 (used to manage my WiFi Access Points) & VLAN 100 (used for network devices such as switches, UPS, etc.). These three VLANs are not Private and Layer 2 traffic is required.

On my switch the ports are set up as follows:

GE1/4 – Uplink to my router, VLAN 10 Untagged, VLAN 99 & 100 Tagged

GE1/5 – Uplink to my router, VLAN 130 Untagged

GE1/6 – Uplink to my router, VLAN 150 Untagged

 

GE1/10 – Uplink to my Wireless AP, (Member of LAG #1 - VLAN 99 Untagged, VLAN 130 Tagged)

GE1/11 – Uplink to my Wireless AP, (Member of LAG #1 - VLAN 99 Untagged, VLAN 130 Tagged)

GE1/12 – Guest Port VLAN 150 Untagged

GE1/13 – Guest Port VLAN 150 Untagged

 

Do I need a separate Primary VLAN for each Isolated VLAN? Am I going to run into issues with GE1/10 & 11 because they need to contain both Private & non-Private VLANs? Will this work having those uplinks to my wireless AP on a LACP LAG?

 

Hope I make sense!

2 Replies

Giuseppe Larosa
Hall of Fame

Hello,

First of all, the router port has to belong to the primary VLAN only, in your case VLAN 120.

For each primary VLAN only one secondary VLAN of type isolated is supported, as there is no need to have more than one: isolated means speaking only to promiscuous ports in the primary VLAN.

 

So in your case, if you want to keep guest WiFi and guest wired access separate, you need:

  • two separate IP subnets
  • two primary VLANs, like 120 and 121

For each primary VLAN you can define a secondary isolated VLAN.

 

Edit:

To verify support of Private VLANs we can refer to the user guide:

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/350xg/admin_guide/AG_Tesla_350_550.pdf

 

Yes, full support of Private VLANs is present; see page 202 and following of the user guide linked above.

 

Hope to help

Giuseppe

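The design Giuseppe describes (one primary VLAN per isolated VLAN, router uplinks as promiscuous ports in the primary only, guest ports as isolated host ports), written out as an added configuration example. This is not configuration from the thread, from Cisco, or from the linked guide; the command syntax is assumed from the Sx350-family CLI guide, the primary VLAN IDs 120/121 are Giuseppe's suggestion, and the isolated VLAN and port numbers follow the original post. Interface naming (gi1/12 versus gi1/0/12) depends on the firmware version, so check it against the admin guide linked above before applying.

```cisco
! Added example (not the thread's or Cisco's own config): SG350 two-primary PVLAN design.
! Assumed syntax; verify each command against the linked admin guide.

! 1. Create all four VLANs (VLAN IDs from the original post plus Giuseppe's 120/121)
vlan database
 vlan 120-121,130,150
exit

! 2. Declare the secondary VLANs as isolated before associating them
interface vlan 130
 private-vlan isolated
exit
interface vlan 150
 private-vlan isolated
exit

! 3. Primary 120 carries isolated 130 (guest WiFi)
interface vlan 120
 private-vlan primary
 private-vlan association add 130
exit

! 4. Primary 121 carries isolated 150 (guest wired); one isolated VLAN per primary
interface vlan 121
 private-vlan primary
 private-vlan association add 150
exit

! 5. Router uplinks: promiscuous ports that belong to the primary VLAN only.
!    Hosts in the isolated VLAN can reach these ports and nothing else.
interface GigabitEthernet1/5
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 120 add 130
exit
interface GigabitEthernet1/6
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 121 add 150
exit

! 6. Guest wired ports: isolated host ports, blocked from each other at Layer 2
interface range GigabitEthernet1/12-13
 switchport mode private-vlan host
 switchport private-vlan host-association 121 150
exit
```

After applying it, `show vlan private-vlan` (assumed command, in the same CLI guide) lists each primary with its associated secondary and the ports bound to them; a guest port that still shows as a plain access or trunk port has not taken the host-association. The example only covers the router uplinks and the wired guest ports; the AP uplinks that must also carry the non-private management VLAN 99 are the separate question raised later in this thread and are not addressed here.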
 

Here is my issue: I am trying to stop client A from talking to client B. I have Guest Isolation enabled on my UniFi APs and it works, BUT only when two clients are on the same AP. If I have clients connected to two different APs they can talk to each other. I want to set up PVLAN Isolation on my switch to prevent the 2 clients from talking.

 

The issue I run into is getting my non-private VLAN 99 traffic untagged on those wireless AP uplinks. Once I change those ports GE1/15, 16 or 17 from “Trunk” to “Private VLAN – Host” I am unable to add VLAN 99 as anything other than a community VLAN. Not sure what I am doing wrong here. Seems like a common setup, but I just can’t get it working 100%.

 

I essentially need to convert my LAG & GE1/17 to a Private VLAN port with Isolated VLAN 410, but also with untagged VLAN 99.

 

Hope this makes sense, thanks in advance!

 

Here is my horrible network diagram: 

 

Here are my VLAN descriptions:

  • VLAN 10 – Default VLAN, connected to X0 on the SonicWALL
  • VLAN 99 – Wireless Access Point Management VLAN, connected to a sub-interface on X0. This VLAN needs to allow devices on it to communicate with each other and they need to be able to connect to the internet.
  • VLAN 100 – Network Management VLAN, connected to a sub-interface on X0. This VLAN needs to allow devices on it to communicate with each other and they need to be able to connect to the internet.
  • VLAN 400 – Primary Private VLAN for my isolated VLAN 410
  • VLAN 410 – Private Isolated VLAN - Guest Wireless VLAN, connected to X2 on my SonicWALL. Devices on this VLAN need access to the internet only; they should not be able to talk to any device on their own VLAN or any other VLAN. Essentially, I would just like these devices to access the X2 SonicWALL Gateway IP.
  • VLAN 500 – Primary Private VLAN for my isolated VLAN 510
  • VLAN 510 – Private Isolated VLAN - Guest Wired VLAN, connected to X3 on my SonicWALL. Devices on this VLAN need access to the internet only; they should not be able to talk to any device on their own VLAN or any other VLAN. Essentially, I would just like these devices to access the X3 SonicWALL Gateway IP.

 

Here are my switch port descriptions on my Cisco SMB SG350 switch:

  • GE1/3 – Uplink to SonicWALL X0 interface & 2 x SonicWALL Virtual Interfaces VI:99 & VI:100. Trunk port, VLAN 10 Untagged, VLANs 99/100 Tagged
  • GE1/4 – Uplink to SonicWALL X2 interface – Private VLAN Promiscuous port, Primary PVLAN 400, Isolated VLAN 410
  • GE1/5 – Uplink to SonicWALL X3 interface – Private VLAN Promiscuous port, Primary PVLAN 500, Isolated VLAN 510
  • GE1/15 – Uplink to UniFi HD wireless access point – member of LACP LAG#1. This is a port I am having issues with. I need VLAN 99 (a non-private VLAN) to be the untagged VLAN of this LAG, BUT I also need the Primary PVLAN 400 & Isolated VLAN 410 tagged on this port. My APs will tag client traffic as VLAN 410.
  • GE1/16 – Uplink to UniFi HD wireless access point – member of LACP LAG#1. This is a port I am having issues with. I need VLAN 99 (a non-private VLAN) to be the untagged VLAN of this LAG, BUT I also need the Primary PVLAN 400 & Isolated VLAN 410 tagged on this port. My APs will tag client traffic as VLAN 410.
  • GE1/17 – Uplink to UniFi AP Pro wireless access point. This is a port I am having issues with. I need VLAN 99 (a non-private VLAN) to be the untagged VLAN of this port, BUT I also need the Primary PVLAN 400 & Isolated VLAN 410 tagged on this port. My APs will tag client traffic as VLAN 410.
