
Proper VLAN configuration with a Cisco SG200


Ozymandyus

Occasional Visitor
Good day folks, I wanted to ask for some help in getting my VLAN configuration right on a new Cisco SG200 switch. I thought I was reasonably wise in configuration, but must humbly admit that I'm finding the configuration options somewhat confusing.

Current hardware is a cable modem providing Internet, connected to a Cisco RV325 router as the firewall, connected by CAT6 to the SG200 switch, with the rest of my devices connecting via wired connections to the SG200. I have all the port assignments cataloged (and even labeled in the SG200 config) so I know what devices go to which port. The devices include computers, printers, IP phones and wireless APs.

My goal is to have the devices segregated into three VLANs: the default one for the majority of devices, one for the telephones, and one for guest devices and wireless activity. Although obviously I don't want devices on those three VLANs sharing traffic, they all do need to be able to access the Internet connection.

Although I imagine this is old hat to most veterans here, I would rather ask the question and be thought an idiot than blow up my network and remove all doubt. If anyone could help me out with some suggestions/instructions, I would be grateful. Thanks!
 
From memory the sg200 isn't a layer 3 switch so all your VLAN routing will be done by the router.

In its simplest form you just set the ports as untagged for the port/VLANs required, ensure all the VLANs are assigned to the router port and then the rest comes down to your routing and what networks you allow to communicate with each other and where their default gateway lies.

Sorry, it's been a while and I know Cisco doesn't use the terms tagged vs untagged ... It's more like trunk vs something.

Trying to explain any more might get complicated or confusing so I'll wait and see if any of that actually helped.

Sent from my MI 5 using Tapatalk
 

Thanks for the reply, @roguetr. This is indeed a level 3 switch, if the manual can be believed; possibly only static routing though, which I believe is sometimes called level 3 lite? Not sure on that account. You can definitely configure VLANs within it, and there are functions to assign particular ports to a VLAN. There are a great many options however, and I've yet to decipher exactly which ones are the correct combination.

When I'm back in the office in the morning, I can post some screenshots of the configuration options to show you.
 
The SG200 switches only do level 2 so your router is needed for level 3. Set up the VLANs on the RV325 router with network IPs and use tagged VLANs. Connect the SG200 switch with a trunk port to the RV325 router with a trunk port. Set up all the same tagged VLANs on the SG200 as on the RV325 router. Set up all your PCs' switch ports as access ports in the correct VLAN. The RV325 router will handle the DHCP for all VLAN networks.

Ask questions for more help. I know how to do this.
 
When I said if I remember correctly, I meant I was like 98% sure :)

I implemented 20 or 30 odd last year but we had them in a stacked configuration.

As suggested by the poster above and myself, I did a quick search to double check and they are indeed only "layer 2". Fyi VLANing is at the packet level.

Again as suggested by the poster above and myself, all layer 3 functionality will occur at the router. They also seem to know your router so they can probably continue from where I left off and assist you more promptly with an appropriate config.

Good luck! :D

Sent from my MI 5 using Tapatalk
 
Here is a little more info.

In the Cisco VLAN setup there will only be 1 untagged VLAN which is usually VLAN1. The untagged VLAN will be the default VLAN. You can only have 1 untagged VLAN because without a tag there is no way to tell which VLAN the packet goes into. So all untagged VLAN traffic will be directed into the default VLAN. It is the catch all VLAN.

When you set up VLAN2 make sure it is a tagged VLAN; this way, when you group all the VLANs together into a trunk, all the packets have tags except for the default VLAN, which in our case will be VLAN1. And since you set up the VLANs on the router and the switch, the trunk port will flow the VLANs to the appropriate ports based on the tags.

When you set up the router, since it is layer 3 you will assign network IPs to each VLAN. Then you will set up DHCP for each network VLAN on the router. When you set up VLANs on the layer 2 switch you define the matching VLANs themselves and not the IPs.

My thinking on Cisco VLANs is you define the port type, then you add the port to the VLAN, and finally you assign an IP network to the VLAN.

Maybe this will help.
 

Thank you, those instructions are very clear. I eventually reached a point where I could not follow them, so will outline the steps I was able to take. For the testing, I am using a laptop connected wirelessly to my single guest wireless AP, as that gives me a testing environment without disturbing the rest of my network. Steps taken and results:

  • Set up the VLANs on the RV325 router with network IPs and use tagged VLANs. Done, there are three VLANs now, 1 (default), 25 (Guest), 100 (Voice). Each has a separate IP and DHCP configuration discrete from the others. VLANs are set as tagged except for the default, on all device ports. The two other possible settings there are "Inter VLAN Routing" set to Disabled, and "Device Management" set to Enabled.
  • Connect the SG200 switch with a trunk port to the RV325 router with a trunk port. Partially successful - on the switch the port is set to trunk mode. On the router I can find no option to set a trunk mode on its port.
  • Set up all the same tagged VLANs on the SG200 as on the RV325 router. Done - Default is 1, Guest 25 and Voice 100. "Originators" field shows "Static" for 25 and 100, "Default" for 1. "Link Status SNMP Traps" show as "Enabled".
  • Set up all your PCs' switch ports as access ports in the correct VLAN. Done, for now just on the guest wireless AP port as I test this. The rest are left in default VLAN 1 in trunk mode. Critically however, the switch does not allow me to set the port's mode to "tagged". When trying to join the port to the VLAN, the options for selecting "tagged" or "excluded" are grayed out, with the only options selectable being "untagged" or "forbidden". For now the port is assigned to the Guest VLAN in untagged mode, but that's not our desired outcome methinks.
  • The RV325 router will handle the DHCP for all VLAN networks. Yes, that's how I have it set up, with separate ranges for all three VLANs.
When I test this, as I would expect the Guest network/VLAN no longer has a connection to the Internet. I presume this is because I'm unable to assign the device port on the switch to the Guest VLAN in tagged mode, so I need to figure out the why of that, correct?
 
Here is a video for VLANs on the rv325 router.


My guess is the way to a trunk port is to include all VLANs with Inter-VLAN routing on. Use ACLs to limit access.

My guest network is an ordinary VLAN with ACLs limiting access. I do not use any built-in guest networks as they usually have limitations which I have problems with.
 
I found this. This seems right to me, except I would turn on inter-VLAN routing.
 

Attachment: Capture27.PNG
All righty, I've discovered the two issues I had. Thank you for the video...although it didn't help me by itself (my RV325 configuration was correct), there was a suggested video on that page that led me to this:


I believe the fellow is speaking Chinese, and his version of the interface is older than mine, but fortunately I could follow along with what he was doing. My first mistake was assigning a port on the switch to a VLAN and trying to make it tagged...when it's an explicit member of that VLAN it should be untagged. The more important bit however was that the uplink port of the switch needed to be in trunk mode, an untagged member of the default VLAN, but also a tagged member of the other VLANs that need Internet access. Once I got that last bit figured out, we were good to go.

My thanks again @coxhaus , it's very gratifying to be able to work this out and I greatly appreciate the assistance.
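The tagging rules the thread worked out (coxhaus's "only one untagged VLAN per port" and the final uplink layout of VLAN 1 untagged plus 25 and 100 tagged) are easy to get wrong in a GUI, so here is an added illustration in Python. It is not code from the posters or from Cisco: it models 802.1Q frames and per-port VLAN membership, using the thread's VLAN IDs 1, 25 and 100; the port names, MAC addresses and payloads are constructed for the demo. It shows why the guest AP port is an untagged member of VLAN 25 (the AP sends untagged frames, which land in the port's PVID), why the uplink needs 25 and 100 as tagged members, and what the first, broken uplink configuration does to a guest DHCP broadcast. On the SG200 the PVID and the untagged membership are set separately, so the model carries the PVID explicitly; keep the two consistent on the real switch.

```python
"""802.1Q tagging and per-port VLAN membership, modelled in Python.
Added illustration for the thread, not code from the posters or from Cisco.
VLAN IDs 1/25/100 come from the thread; port names, MACs and payloads are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
GUEST_MAC = bytes.fromhex("02aabbccdd25")   # constructed, locally administered MAC


def build_frame(dst: bytes, src: bytes, payload: bytes, vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; when vid is given, an 802.1Q tag (TPID 0x8100 + TCI) follows the MACs."""
    frame = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        frame += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vid)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def split_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vid, frame with the tag removed); vid is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def add_tag(bare: bytes, vid: int) -> bytes:
    """Re-insert an 802.1Q tag into an untagged frame (tagged egress)."""
    return bare[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid) + bare[12:]


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                           # VLAN that untagged ingress frames are placed in
    untagged: frozenset = frozenset()   # VLANs transmitted without a tag (at most one in practice)
    tagged: frozenset = frozenset()     # VLANs transmitted with a tag; anything else is excluded

    def ingress(self, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Classify an arriving frame; None means the port is not a member and drops it."""
        vid, bare = split_tag(frame)
        if vid in (None, 0):            # untagged or priority-tagged: use the PVID
            vid = self.pvid
        if vid not in self.untagged and vid not in self.tagged:
            return None
        return vid, bare

    def egress(self, vid: int, bare: bytes) -> Optional[bytes]:
        """Frame as transmitted on this port for the VLAN, or None if the port is not a member."""
        if vid in self.untagged:
            return bare
        if vid in self.tagged:
            return add_tag(bare, vid)
        return None


def forward(ports: Dict[str, Port], in_port: str, frame: bytes) -> Dict[str, bytes]:
    """Flood a frame to every other port in its VLAN (no MAC learning; enough for the demo)."""
    classified = ports[in_port].ingress(frame)
    if classified is None:
        return {}
    vid, bare = classified
    out: Dict[str, bytes] = {}
    for name, port in ports.items():
        if name != in_port:
            tx = port.egress(vid, bare)
            if tx is not None:
                out[name] = tx
    return out


def working_config() -> Dict[str, Port]:
    """Layout the thread ended with: uplink untagged in 1, tagged in 25 and 100; access ports untagged."""
    return {
        "g1_uplink": Port("g1_uplink", 1, frozenset({1}), frozenset({25, 100})),
        "g2_pc": Port("g2_pc", 1, frozenset({1})),
        "g5_guest_ap": Port("g5_guest_ap", 25, frozenset({25})),
        "g7_phone": Port("g7_phone", 100, frozenset({100})),
    }


def broken_config() -> Dict[str, Port]:
    """First attempt from the thread: uplink only a member of VLAN 1, so VLAN 25 has no path out."""
    ports = working_config()
    ports["g1_uplink"] = Port("g1_uplink", 1, frozenset({1}))
    return ports


def guest_dhcp_reaches_router(ports: Dict[str, Port]) -> Tuple[bool, List[str]]:
    """Does an untagged broadcast from the guest AP leave the uplink tagged 25, and where else does it go?"""
    discover = build_frame(BROADCAST, GUEST_MAC, b"dhcp-discover")   # constructed payload
    out = forward(ports, "g5_guest_ap", discover)
    tx = out.get("g1_uplink")
    return (tx is not None and split_tag(tx)[0] == 25), sorted(out)
```

With `working_config()` the guest broadcast leaves only on the uplink, tagged 25, and never reaches the PC or phone ports; with `broken_config()` it is dropped at egress because the uplink is not a member of VLAN 25, which is exactly the "no Internet on the guest VLAN" symptom. A frame the router sends tagged 25 is delivered to the AP port untagged, and a tag the switch has no VLAN for (say 30) is discarded on ingress.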
 
I am glad you figured it out. The RV325 router does seem strange for configuring. It is end-of-life support next month. The last image I posted had what I thought was a trunk port where VLAN1 was untagged and VLAN25 and VLAN100 were tagged. The inter-VLAN routing was not set, which I would want.

Sorry I confused you on the proper Cisco order. The order I presented was the way IOS Cisco devices work and the new way I believe the Cisco small business devices are moving to. Some of the older Cisco small business gear seems to have a mind of its own as far as configuring. I knew we could work it out.
 
Haha yep, that's how I specified it in my initial response. Untagged = any packet going into the port that is untagged is assigned the VLAN.

It's usually the first problem people have which is why I worded it carefully.

Sent from my MI 5 using Tapatalk
 