Correct network design and config for 1921 with SG200

omarcouri
Level 1

Hello,

I have tried searching through the posts for my answer and somehow putting together various posts to achieve this but I'm not an expert and simply end up getting confused.  I hope you can help.

First, the network setup for an apartment block:

Internet --> Cisco 1921 router  --> Cisco SG200 --> Cisco SG200

Each of the SG200 layer 2 switches has 17 apartments attached to it, where each apartment has its own consumer-grade home router providing DHCP within the apartment, and three or four apartments simply have one computer connected directly to the wall port without a router or access point.

VLANs and DHCP are coming from the SG200s.

The problems:

1. Routers and computers (those not using routers) are visible to each other on the network despite each apartment having its own VLAN (almost like everyone is sitting on the same VLAN).

2. Often everyone loses connection to the internet. This is only resolved if they disconnect the cable from the wall port, restart their own modems and plug the cable back.

The questions:

1. Should the VLANs be coming from the 1921 or the SG200s?

2. If the current set-up seems OK to you, then what can be changed to provide stability and hide apartments from each other?

I will be very thankful for your help and insight and of course will happily vote/rate all good assistance!

15 Replies

omarcouri
Level 1

Just a little bump before the weekend starts   I hope someone can give some insight into this.

Thanks.

devils_advocate
Level 7

Hi Omar

There are a few more questions which need answering before I can answer the questions you have asked:

As each apartment is on its own VLAN, where do the default gateways for these Vlans sit? i.e on what device?

Can you post the config from one of the SG200s? You can remove the usernames and passwords etc.

I am guessing you do not want each apartment to be able to see each other on the network?

VLANS are a layer 2 concept and by default, one VLAN is unable to send traffic to another Vlan. The only way this is possible is to use a device capable of routing so if the apartments are all able to see each other, the device which hosts the default gateways for each Vlan must be routing between them.

Thanks

Hi devil_advocate and thanks for getting back to me,

The default gateway for all is the 1921 router and then each SG200 switch has a static IP 192.168.1.x from which DHCP is distributed.

Here's the running config from one of the switches:

config-file-header
switchfa5dfe
v1.3.2.02 / R750_NIK_1_32_647_260
CLI v1.0
set system
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 2-17
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname switchfa5dfe
no passwords complexity enable
username x password encrypted x privilege 15
snmp-server location Basement
clock timezone " " 2
clock source browser
!
interface vlan 1
ip address 192.168.1.2 255.255.255.0
no ip address dhcp
!
interface vlan 2
name "58B ST TV"
!
interface vlan 3
name "58B ST TH"
!
interface vlan 4
name "58B 1TV"
!
interface vlan 5
name "58B 1TH"
!
interface vlan 6
name "58B 2TV"
!
interface vlan 7
name "58B 2TH"
!
interface vlan 8
name "58B 3TV"
!
interface vlan 9
name "58B 3TH"
!
interface vlan 10
name "58C ST TV"
!
interface vlan 11
name "58C ST TH"
!
interface vlan 12
name "58C 1TV"
!
interface vlan 13
name "58C 1TH"
!
interface vlan 14
name "58C 2TV"
!
interface vlan 15
name "58C 2TH"
!
interface vlan 16
name "58C 3TV"
!
interface vlan 17
name "58C 3TH"
!
interface gigabitethernet2
switchport trunk allowed vlan add 2
!
interface gigabitethernet3
switchport trunk allowed vlan add 3
!
interface gigabitethernet4
switchport trunk allowed vlan add 4
!
interface gigabitethernet5
switchport trunk allowed vlan add 5
!
interface gigabitethernet6
switchport trunk allowed vlan add 6
!
interface gigabitethernet7
switchport trunk allowed vlan add 7
!
interface gigabitethernet8
switchport trunk allowed vlan add 8
!
interface gigabitethernet9
switchport trunk allowed vlan add 9
!
interface gigabitethernet10
switchport trunk allowed vlan add 10
!
interface gigabitethernet11
switchport trunk allowed vlan add 11
!
interface gigabitethernet12
switchport trunk allowed vlan add 12
!
interface gigabitethernet13
switchport trunk allowed vlan add 13
!
interface gigabitethernet14
switchport trunk allowed vlan add 14
!
interface gigabitethernet15
switchport trunk allowed vlan add 15
!
interface gigabitethernet16
switchport trunk allowed vlan add 16
!
interface gigabitethernet17
switchport trunk allowed vlan add 17
!
interface gigabitethernet25
no qos trust
!
interface gigabitethernet26
no qos trust
!
exit

You're correct, it's important that the apartments cannot see each other on the network.

From your last paragraph I can only assume that they can see each other because the router is not distributing the VLANs, thus the switch is really only acting as a simple switch. Am I on the right track? If so, I guess my next question would be how the 1921 can be configured so it knows there are 34 apartments connecting to it via the SG200s who all need their own VLAN.

Please stop me if I'm jumping ahead or in the wrong direction.

Thanks!

Hi

Just a little bump as there's been no reply in a while and I am still struggling with this.

Thank you!

On the SG200 within the Port Vlan Membership page can you pick one of the gigabit ports from your above config and see what vlans are allowed on that port.

I know what your config says but could you check.

I think what you have done is create 17 vlans but used the same IP subnet for all the vlans. From your config it looks like each port is only set up for a particular vlan, but I suspect each port is allowing all vlans on it. If it isn't, I'm not sure how any communication is working.

I'm not familiar with the SG200 so I may be wrong, but could you check.

Jon

Thanks for your reply Jon.

From the Port VLAN Membership page the SG200 is set up so that only the allocated vlan is allowed. The switch itself is a Layer 2 switch so it's not possible to manually assign a different IP subnet. Or am I wrong?

Do you know if all of this should be done via the 1921 router instead? But then what's the point of the SG200 having VLANs if they're behaving like this?

As already mentioned vlans are a L2 concept not a L3 one. So your SG200 is a L2 switch only. This means you can have multiple vlans and assign ports into different vlans.

Assigning an IP subnet to a vlan is a L3 concept. So you need a L3 device to route between the vlans. The way you have it setup if each company is in a different vlan and routing between the vlans is not setup then they should not be able to communicate with each other but you are saying they can which is confusing to say the least.

So I'm not sure it is acting as it should be.

It is also confusing as to why you have configured each link as a trunk if it only needs to be in one vlan.

In terms of routing between vlans you need a L3 device. You have a router but you would need a subinterface per vlan which means 17 subinterfaces on one physical interface. Ideally you need a L3 switch in your setup to do the inter vlan routing.

The problem is that the SG200 is a Small Business switch and in this forum we primarily deal with Catalyst switches, so it's difficult to say what is happening with this switch.

I would suggest moving this thread to the Small Business switches forum where they might know what is happening here, as I'm not sure I do:

https://supportforums.cisco.com/community/netpro/small-business/switches?view=discussions

Jon

Thank you Jon! Your explanation is clear and I will certainly move it to the other forum for some more insight.

Perhaps it is the fact that they are all set up as trunks that could be causing issues?

Hi Omar, the problem with the SG200 config is that there are no VLANs assigned to the ports.

"switchport trunk allowed vlan add ...."

This means VLAN 1 is untagged and your other VLANs are tagged. Anything connecting to the SG200 is going through VLAN 1.

You need to change each port to access mode, then define the respective VLAN per port. Right now ALL connections are using VLAN 1.

Once you configure the VLANs correctly on the SG200, you will need a trunk uplink tagging every VLAN on the switch port which goes to your 1921. On the 1921, it will be a sub interface with dot1q encapsulation to allow the VLANs through the router.

-Tom
Please mark answered for helpful posts

Hi Tom,

I will definitely give this a try and report back!

Omar

Omar

Just to add to this.

You will need a different IP subnet per vlan, i.e. you cannot use the same subnet, because the router will not let you configure the same subnet on multiple subinterfaces.

In addition you need to plan this because as soon as you put each customer into their own vlan without the routing and possibly NAT etc. setup correctly on the router they will all lose connectivity to the internet.

Jon
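A worked configuration for the two-step procedure Tom and Jon describe above (access ports plus a tagged uplink on the SG200, then one dot1Q subinterface with its own subnet, DHCP pool and NAT per VLAN on the 1921). This is an added example, not a config posted by anyone in the thread, and it rests on assumptions: that the SG200 CLI accepts `switchport mode access` / `switchport access vlan`; that SG200 port gigabitethernet1 is the uplink; that on the 1921 GigabitEthernet0/0 already carries the ISP connection and GigabitEthernet0/1 faces the switch; that VLAN N uses 192.168.N.0/24; and 192.0.2.53 is a placeholder for the ISP's DNS resolver. Only VLANs 2 and 3 are written out; the same stanzas repeat for the rest. Because the second SG200 hangs off the first and the 1921 has a single LAN port, the 34 apartments need 34 distinct VLAN IDs and the link between the two switches must also be a trunk carrying the second switch's VLANs. The per-VLAN inbound ACL at the end goes one step beyond the thread's advice: once the 1921 holds the default gateways it will route between apartment subnets, so the ACL allows each VLAN to reach its own gateway and the internet but not the other apartments or the switch management subnet.

```cisco
! ===== SG200 (first apartment switch) =====
! Added example (assumed CLI syntax): apartment ports become access ports
! in their own VLAN, so untagged traffic no longer lands in VLAN 1 for everyone.
vlan database
 vlan 2-17
exit
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 2
!
interface gigabitethernet3
 switchport mode access
 switchport access vlan 3
!
! ... same two lines for gigabitethernet4-17 with VLANs 4-17 ...
!
! Assumed uplink port toward the 1921: a trunk tagging every apartment VLAN.
interface gigabitethernet1
 switchport mode trunk
 switchport trunk allowed vlan add 2-17
!
! ===== Cisco 1921 (router-on-a-stick) =====
! Assumed: GigabitEthernet0/0 keeps its existing ISP configuration; only
! "ip nat outside" is added. GigabitEthernet0/1 faces the SG200.
interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/1
 description Trunk to SG200
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.2
 description 58B ST TV
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group APT-VLAN2-IN in
 ip nat inside
!
interface GigabitEthernet0/1.3
 description 58B ST TH
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip access-group APT-VLAN3-IN in
 ip nat inside
!
! ... one subinterface per VLAN; each needs its own /24, since the router
! refuses the same subnet on two subinterfaces ...
!
! DHCP now comes from the router, one pool per VLAN.
! 192.0.2.53 is a placeholder; use the ISP's resolver.
ip dhcp excluded-address 192.168.2.1
ip dhcp pool VLAN2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.0.2.53
!
ip dhcp excluded-address 192.168.3.1
ip dhcp pool VLAN3
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 192.0.2.53
!
! Tenant isolation: each VLAN may talk to its own gateway and to the
! internet, but not to any other 192.168.x.x subnet (other apartments or
! the switch management subnet 192.168.1.0/24).
ip access-list extended APT-VLAN2-IN
 permit ip 192.168.2.0 0.0.0.255 host 192.168.2.1
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
ip access-list extended APT-VLAN3-IN
 permit ip 192.168.3.0 0.0.0.255 host 192.168.3.1
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! NAT every apartment subnet out of the ISP-facing interface.
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
```

After applying it, `show vlan` on the switch should list each apartment port as an untagged member of only its own VLAN, and `show ip interface brief` on the 1921 should show every subinterface up with its gateway address; `show ip nat translations` confirms tenant traffic is being translated. The DHCP broadcasts from tenant routers are not affected by the ACL, because the deny line only matches destinations inside 192.168.0.0/16 and a DHCP renew is unicast to the VLAN's own gateway, which the first permit line covers.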

Hi Tom and Jon,

In theory this makes a lot of sense to me, but I'm lost at the point of having to configure the 1921 to do what you advise, as I don't have the knowledge to do so within the OS. I managed to initially set it up to connect to the ISP by following an example I found, but my memory fails me right now.

I can set up the SG200 side of things but not the 1921.

Would you be able to help?

Omar

Thomas_Madsen
Level 1

This sounds just like the problem I have had, and with some good help from Tom Watts and some searching I found a nice way to solve it for my part.

Use PVE or protected ports in combination with ACE/ACL :-)

The Private VLAN or protected ports will stop the ports from seeing each other unless on the same port.

I used ACE/ACL due to the fact that I wanted the user to be unable to change IP other than the one they have been assigned. If they change, no internet, and if I got it right it will not interfere with the other party using the same IP correctly on their port :-)

Thomas :-)

Hi Thomas,

Thank you for this! Unfortunately the SG200 doesn't have ACE/ACL ability. Please correct me if I'm wrong.

Thanks,

Omar
