I have tried searching through the posts for my answer and somehow putting together various posts to achieve this, but I'm not an expert and simply end up getting confused. I hope you can help.
First, the network setup for an apartment block:
Internet --> Cisco 1921 router --> Cisco SG200 --> Cisco SG200
Each of the SG200 layer 2 switches has 17 apartments attached to it, where each apartment has its own consumer-grade home router providing DHCP within the apartment, and three or four apartments simply have one computer connected directly to the wall port without a router or access point.
VLANs and DHCP are coming from the SG200s.
1. Routers and computers (those not using routers are visible to each other) on the network despite each apartment having its own VLAN (almost like everyone sitting on the same VLAN).
2. Often everyone loses connection to the internet. This is only resolved if they disconnect the cable from the wall port, restart their own modems and plug the cable back.
1. Should the VLANs be coming from the 1921 or the SG200s?
2. If the current setup seems OK to you, then what can be changed to provide stability and hide apartments from each other?
I will be very thankful for your help and insight and of course will happily vote/rate all good assistance!
There are a few more questions which need answering before I can answer the questions you have asked:
As each apartment is on its own VLAN, where do the default gateways for these VLANs sit? i.e. on what device?
Can you post the config from one of the SG200s? You can remove the usernames and passwords etc.
I am guessing you do not want each apartment to be able to see each other on the network?
VLANs are a layer 2 concept and, by default, one VLAN is unable to send traffic to another VLAN. The only way this is possible is to use a device capable of routing, so if the apartments are all able to see each other, the device which hosts the default gateways for each VLAN must be routing between them.
Hi devil_advocate, and thanks for getting back to me.
The default gateway for all is the 1921 router and then each SG200 switch has a static IP 192.168.1.x from which DHCP is distributed.
Here's the running config from one of the switches:
v1.3.2.02 / R750_NIK_1_32_647_260
file SSD indicator encrypted
ssd file passphrase control unrestricted
no ssd file integrity control
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
no passwords complexity enable
username x password encrypted x privilege 15
snmp-server location Basement
clock timezone " " 2
clock source browser
interface vlan 1
ip address 192.168.1.2 255.255.255.0
no ip address dhcp
interface vlan 2
name "58B ST TV"
interface vlan 3
name "58B ST TH"
interface vlan 4
name "58B 1TV"
interface vlan 5
name "58B 1TH"
interface vlan 6
name "58B 2TV"
interface vlan 7
name "58B 2TH"
interface vlan 8
name "58B 3TV"
interface vlan 9
name "58B 3TH"
interface vlan 10
name "58C ST TV"
interface vlan 11
name "58C ST TH"
interface vlan 12
name "58C 1TV"
interface vlan 13
name "58C 1TH"
interface vlan 14
name "58C 2TV"
interface vlan 15
name "58C 2TH"
interface vlan 16
name "58C 3TV"
interface vlan 17
name "58C 3TH"
switchport trunk allowed vlan add 2
switchport trunk allowed vlan add 3
switchport trunk allowed vlan add 4
switchport trunk allowed vlan add 5
switchport trunk allowed vlan add 6
switchport trunk allowed vlan add 7
switchport trunk allowed vlan add 8
switchport trunk allowed vlan add 9
switchport trunk allowed vlan add 10
switchport trunk allowed vlan add 11
switchport trunk allowed vlan add 12
switchport trunk allowed vlan add 13
switchport trunk allowed vlan add 14
switchport trunk allowed vlan add 15
switchport trunk allowed vlan add 16
switchport trunk allowed vlan add 17
no qos trust
no qos trust
You're correct, it's important that the apartments cannot see each other on the network.
From your last paragraph I can only assume that they can see each other because the router is not distributing the VLANs, thus the switch is really only acting as a simple switch. Am I on the right track? If so, I guess my next question would be how the 1921 can be configured so it knows there are 34 apartments connecting to it via the SG200s who all need their own VLAN.
Please stop me if I'm jumping ahead or in the wrong direction.
On the SG200, within the Port VLAN Membership page, can you pick one of the gigabit ports from your above config and see what VLANs are allowed on that port?
I know what your config says but could you check.
I think what you have done is create 17 VLANs but used the same IP subnet for all the VLANs. From your config it looks like each port is only set up for a particular VLAN, but I suspect each port is allowing all VLANs on it. If it isn't, I'm not sure how any communication is working.
I'm not familiar with the SG200 so I may be wrong, but could you check?
Thanks for your reply Jon.
From the Port VLAN Membership page the SG200 is set up so that only the allocated VLAN is allowed. The switch itself is a Layer 2 switch so it's not possible to manually assign a different IP subnet. Or am I wrong?
Do you know if all of this should be done via the 1921 router instead? But then what's the point of the SG200 having VLANs if they're behaving like this?
As already mentioned, VLANs are a L2 concept, not a L3 one. So your SG200 is a L2 switch only. This means you can have multiple VLANs and assign ports into different VLANs.
Assigning an IP subnet to a VLAN is a L3 concept. So you need a L3 device to route between the VLANs. The way you have it set up, if each company is in a different VLAN and routing between the VLANs is not set up, then they should not be able to communicate with each other, but you are saying they can, which is confusing to say the least.
So I'm not sure it is acting as it should be.
It is also confusing as to why you have configured each link as a trunk if it only needs to be in one VLAN.
In terms of routing between VLANs you need a L3 device. You have a router, but you would need a subinterface per VLAN, which means 17 subinterfaces on one physical interface. Ideally you need a L3 switch in your setup to do the inter-VLAN routing.
The problem is that the SG200 is a Small Business switch and in this forum we primarily deal with Catalyst switches, so it's difficult to say what is happening with this switch.
I would suggest moving this thread to the Small Business switches forum where they might know what is happening here, as I'm not sure I do.
Thank you Jon! Your explanation is clear and I will certainly move it to the other forum for some more insight.
Perhaps it is the fact that they are all set up as trunks that could be causing issues?
Hi Omar, the problem with the SG200 config is, there are no VLANs assigned to the ports.
"switchport trunk allowed vlan add ...."
This means VLAN 1 is untagged and your other VLANs are tagged. Anything connecting to the SG200 is going through VLAN 1.
You need to change each port to access mode, then define the respective VLAN per port. Right now ALL connections are using VLAN 1.
Once you configure the VLANs correctly on the SG200, you will need a trunk uplink tagging every VLAN to the switchport which goes to your 1921. On the 1921, it will be a subinterface with dot1q encapsulation to allow the VLANs through the router.
Please mark answered for helpful posts
Just to add to this.
You will need a different IP subnet per VLAN, i.e. you cannot use the same subnet, because the router will not let you configure the same subnet on multiple subinterfaces.
In addition you need to plan this because as soon as you put each customer into their own vlan without the routing and possibly NAT etc. setup correctly on the router they will all lose connectivity to the internet.
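Pulling Tom's and Jon's advice together into one configuration, as an added example that is not from the original thread or from Cisco: the SG200 tenant ports become access ports, the uplink is the only trunk, and the 1921 gets one dot1q subinterface per VLAN with its own subnet, DHCP pool and NAT. Interface numbers, the 192.168.<vlan>.0/24 addressing plan and the resolver address 192.0.2.53 are assumptions, and the ACL is the extra step that keeps the apartments apart once the router is able to route between their VLANs.

```text
! --- SG200 side (syntax follows the posted Sx200 config; port numbers are assumed) ---
! A tenant port carries ONE untagged VLAN in access mode, not a trunk.
interface gigabitethernet1
 switchport mode access
 switchport access vlan 2
! Only the uplink to the 1921 is a trunk, tagging every apartment VLAN.
interface gigabitethernet25
 switchport mode trunk
 switchport trunk allowed vlan add 2-17
!
! --- Cisco 1921 side (IOS); interface names and the 192.168.<vlan>.0/24 plan are assumed ---
interface GigabitEthernet0/0
 description ISP
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/1
 description Trunk to SG200
 no ip address
!
! One dot1q subinterface per VLAN, each with its OWN subnet. Repeat for
! VLANs 3-17 using 192.168.3.1/24 ... 192.168.17.1/24.
interface GigabitEthernet0/1.2
 description 58B ST TV
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group APT-ISOLATE in
 ip nat inside
!
ip dhcp excluded-address 192.168.2.1
ip dhcp pool VLAN2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.0.2.53
! (192.0.2.53 above is a placeholder for the ISP's resolver)
! The router now routes BETWEEN the VLANs, so apartment isolation has to be
! enforced here: allow DHCP to the router, drop everything else aimed at a
! private subnet (other apartments, the switches' 192.168.1.0/24), and let
! only Internet-bound traffic through.
ip access-list extended APT-ISOLATE
 permit udp any any eq bootps
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip any any
!
! NAT all apartment subnets out of the ISP interface.
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
```

Without the APT-ISOLATE ACL the 1921 will happily forward traffic from one apartment subnet to another, which is exactly the visibility the thread is trying to remove.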
Hi Tom and Jon,
In theory this makes a lot of sense to me, but I'm lost at the point of having to configure the 1921 to do what you advise, as I don't have the knowledge to do so within the OS. I managed to initially set it up to connect to the ISP by following an example I found, but my memory fails me right now.
I can set up the SG200 side of things but not the 1921.
Would you be able to help?
This sounds just like the problem I have had, and with some good help from Tom Watts and some searching I found a nice way to solve it for my part.
Use PVE or protected ports in combination with ACE/ACL :-)
The Private VLAN or protected ports will stop the ports from seeing each other unless on the same port.
I used ACE/ACL due to the fact that I wanted the user to be unable to change IP other than the one they have been assigned. If they change, no internet, and if I got it right it will not interfere with the other party using the same IP correctly on their port :-)
Thank you for this! Unfortunately the SG200 doesn't have ACE/ACL ability. Please correct me if I'm wrong.