VLAN's Cisco SF 300-24

Answered Question
May 6th, 2011

I need create vlans in Cisco SF 300-24 Switch.

Ports 1 to 6 are available for other ports (from 7 to 24).
For examples:
port 7 is
available for ports from 1 to 6 but is not available for ports from 8 to 24,
port 8 is available for ports from 1 to 6 but is not available for ports from 9 to 24 and 7,

port 9 is available for ports from 1 to 6 but is not available for ports from 10 to 24 and 7 and 8,
.....(to port 24)


How I can do it?

When I add ports from 1 to 6 to VLAN 12, the ports was automatically removed with VLAN 11(in attachment).

I have this problem too.
0 votes
Correct Answer by David Hornstein about 2 years 11 months ago

Hi Dominik,

Here are the rules for VLANs ..

When you set the switch port  interface to  access mode, a switch port can be only a member of one untagged VLAN

When you set the switch port  interface to trunk mode, a switch  port can be a member of only one untagged VLAN but also a  member of many Tagged VLANs.

But what you seem to be trying to achieve is use ports 1-7 as  unprotected or open  ports  for  ports 8-24 within the switch.

Really seems like something called  Priveate Vlan Edge PVE, whereby protected ports will only forward packets to unprotected ports and not other protected ports. .

Here is the definition found in the help text from within the switch.

  • Protected Port—Select to make this a protected port. (A protected port is also referred as a Private VLAN Edge (PVE).) The features of a protected port are as follows:
    • Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and Link Aggregation Groups (LAGs)) that share the same Broadcast domain (VLAN).
    • Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.
    • Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.
    • Both ports and LAGs can be defined as protected or unprotected. Protected LAGs are described in the Configuring Link Aggregation section.

  • So my steps were
    • So I am wondering if you really need to configure alot of vlans.
    • make ports 8-24 protected port
    • Save the configuration

Clicked to tick the option to protect switch port 8.

That's what we end up with , port 8 is now protected.

Now lets copy the settings from port 8 to ports 9-24, see the circled area below.

now will in the ports you also wish to protect.

Now ports 8-24 are protected ports.

Hosts on these ports will only be able to communicate with hosts on ports 1-7 or  switch port 24 onwards, in the case of my switch.

Make sure you save your configuration.

I hope this is what you want.

regards dave

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
jcejka@raytheon... Thu, 05/19/2011 - 12:35

Dave,

I found this and it may solve my problem, just need some additional clarification.

I have an SG300-20 and an SG300-52, for all intensive purposes right now I have them chained together : Firewall to Switch 1(20por) to Switch2 (52 port).

To reduce the number of physical ports I rely on from the firewall, for physical lans, I want to go to VLAN TAGing, such that I consoliidate my firewall configuration from 4 physical interfaces to 1 and have the 4 vlans taged on that one interface.

So, by default, all ports are set to trunked mode.  Assuming I create the vlans on both switchs and leave port 20 and 52 set to trunk and then change the access ports to access mode for the individual ports on the switch to computer, will leaving the last ports in TRUNK mode work like VTP?

So from Firewall to Switch1(port 19) I configure for all vlan memberships set to trunk mode

Switch1(port20) member of all vlans, set to trunk mode

Switch2(port52) member to all vlans, trunk mode

Switch1(ports 1-10) access mode - vlan 1

Switch1(ports 2-5) access mode - vlan 3 (802.1Q)Tagged

Etc for switch2

Im just trying to figure out how to connect these two switchs up to allow the 4 vlans to work between the 2 switchs.

David Hornstein Thu, 05/19/2011 - 12:52

Hi jeremy,

Wish i had 10 minutes in a webex to demonstrate... It's a fun switch and easy switch to configure when you get the jist of it.

All ports are in trunking mode by default.

But Vlan1 is untagged on each port, otherwise your vlan un-aware  PC would never work.

For ports 20 and 52  just make sure that you add your other vlans  as tagged vlans  to these ports.

So and they will propogate  those vlans between switches.

In the example below, you have already created your VLANs I guess.

I would select menu item  VLAN MANAGMENT  > port to vlan

Select  the VLAN  ID number as shown below of interest and then press GO

This then  would bring up the port list showing me how VLAN ID=3 was attached to the ports.

Most likely it would be excluded from all ports  by default.

I would alter the table by clicking the tagged radio button for all ports that need to be tagged for that VLAN (even uplink ports)

then press apply.   Select another VLAN ID  and then select "GO" again.

make changes as required.

Make sure you save your configuration changes, see the extra circled area that says "save'

Copy the running copnfiguration to the startup configuration   and that should do it.

regards Dave

alegalle Thu, 05/19/2011 - 13:08

I will let Dave finish this asnwer but I just wanted to clarify a little.

You only need to trunk from switch to switch or from switch to Router. All devices need to agree on the default VLAN (this is not always a must have but...). We are going to say that VLAN 1 is the default accross all your devices.

From router:

Lets say port 4 is what we will use to connect all of our switches. Port 4 will need to be configured as a trunk. The catch is, this will depend on the manufacturer and what features are allowed on your router. Typically on a Cisco router we would configure this interface like this:

int 4.1

int 4.2

int 4.3 and so on... then we add 'dot1q encap'

So now this interface becomes the gateway for all our VLANs.

From switch 1:

So port 52 here will be a trunk and we will tag all VLANs you want to "route". You will not be able to tag the default VLAN as it is always un-tagged. For the rest of the ports they will be configured as access ports if the device attached to said port needs to belong to a single VLAN. Access ports always carry un-tagged traffic.

So if you make a port an access port you cannot add another VLAN to that port unless you tag the VLAN. But the only way to tag the VLAN is to change the port to a trunk port.

Which leads us to connecting to your second switch. Since you want to route all of your VLANs port 51 will be a trunk port just like port 52. And just like these two ports, on Switch 2 port 52 will also be a trunk port configured just like port 51 & 52 on switch 1.

Your devices will most likely be attached to an access port which is configured for a single VLAN. There are exception like if you have a phone, but we will save that for later.

Do not worry about VTP as it is really not needed when you only have two switches and a couple of VLANs.

jcejka@raytheon... Thu, 05/19/2011 - 13:51

I am using pfsense firewall software to do the logic vlan'n

Just a brief summary to point out the setup

VLAN's are setup for a defined interface,

So i have VLAN8 VLAN16 VLAN170, number is indicative of the tag #

LAN is not a vlan but descrete on the same interface.

I would assume that when connecting the two dots

F/W                    Switchs               - VLAN
LAN   192.168.3            -   Untagged ports   - Default

VLAN8  192.168.8        -    TAG                    - VLANID 8

VLAN16   192.168.16     -    TAG                    - VLANID 16

VLAN170  192.168.170    -    TAG                    - VLANID 170

No port wil be a member of more than 1 vlan.

" /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}

So port 52 here will be a trunk and we will tag all VLANs you want to "route". You will not be able to tag the default VLAN as it is always un-tagged. For the rest of the ports they will be configured as access ports if the device attached to said port needs to belong to a single VLAN. Access ports always carry un-tagged traffic.

So if you make a port an access port you cannot add another VLAN to that port unless you tag the VLAN. But the only way to tag the VLAN is to change the port to a trunk port.

Which leads us to connecting to your second switch. Since you want to route all of your VLANs port 51 will be a trunk port just like port 52. And just like these two ports, on Switch 2 port 52 will also be a trunk port configured just like port 51 & 52 on switch 1.

"

Since I am a newbie, Im just clarifying what your directions indicate, please correct me if I am wrong.

Switch 1

Port 51 Trunk,

Port 52 < dito>

Switch 2,

Same as switch 1.

Now for individual port vlan membership, assume ports 1 - 5 need access to only the LAN subnet so its memberships would only be to the default lan.

Ports 6-10 need access to the 8 subnet, so they would be a member of only the 8, (does this mean to remove membershp to the default and set the pvid to 8, or do all ports have to belong to the default) If this is the case should i make my lan configuration a vlan definitation as well and create a vLAN ID for the switchs?

alegalle Thu, 05/19/2011 - 17:54
"so they would be a member of only the 8,... "

Exactly! Lets say port 6 on switch 1 is a printer with an IP address for the 8 subnet, since it belongs to that subnet and nothing else port 6 will give "access" to the printer. So the printer's port is an access port for subnet 8.

Since switch 1 needs to give access to all VLANs on port 51; remember we have another switch attached on this port not an end device, it needs to be a trunk so it knows to separate or "tag" the traffic that belongs in the appropriate subnet. Since each switch (typically) have an ip address on VLAN1 there is no need to tag it (you can't tag the native VLAN any way ).

Now when you make a port an access port you will notice that the PVID changed to reflect the VLAN assignment so there is nothing to do. Your "LAN" from what you stated is VLAN1 so you don't need to worry about it really. Just remember that an access port belongs to ONE subnet and a trunk allows us to pass ALL subnets you define. And NO, all ports will not belong to VLAN1 or the NATIVE VLAN what ever the number may be.

Correct Answer
David Hornstein Fri, 05/06/2011 - 11:30

Hi Dominik,

Here are the rules for VLANs ..

When you set the switch port  interface to  access mode, a switch port can be only a member of one untagged VLAN

When you set the switch port  interface to trunk mode, a switch  port can be a member of only one untagged VLAN but also a  member of many Tagged VLANs.

But what you seem to be trying to achieve is use ports 1-7 as  unprotected or open  ports  for  ports 8-24 within the switch.

Really seems like something called  Priveate Vlan Edge PVE, whereby protected ports will only forward packets to unprotected ports and not other protected ports. .

Here is the definition found in the help text from within the switch.

  • Protected Port—Select to make this a protected port. (A protected port is also referred as a Private VLAN Edge (PVE).) The features of a protected port are as follows:
    • Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and Link Aggregation Groups (LAGs)) that share the same Broadcast domain (VLAN).
    • Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.
    • Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.
    • Both ports and LAGs can be defined as protected or unprotected. Protected LAGs are described in the Configuring Link Aggregation section.

  • So my steps were
    • So I am wondering if you really need to configure alot of vlans.
    • make ports 8-24 protected port
    • Save the configuration

Clicked to tick the option to protect switch port 8.

That's what we end up with , port 8 is now protected.

Now lets copy the settings from port 8 to ports 9-24, see the circled area below.

now will in the ports you also wish to protect.

Now ports 8-24 are protected ports.

Hosts on these ports will only be able to communicate with hosts on ports 1-7 or  switch port 24 onwards, in the case of my switch.

Make sure you save your configuration.

I hope this is what you want.

regards dave

Actions

Login or Register to take actions

This Discussion

Posted May 6, 2011 at 8:45 AM
Stats:
Replies:7 Avg. Rating:5
Views:31005 Votes:0
Shares:0

Related Content

Discussions Leaderboard