New User Working To Implement VLANs Correctly.

Ross Mccullough · ‎08-09-2012

Hey group, looking for your input on what I am attempting to implement on the the Cisco equipment we have purchased for a small shop. I know the value of implementing VLANs to seperate network traffic and confine traffic to it so I am trying to expand my knowledge of such. So I have a few questions and looking for the experts input on what I have missed, messed up or overlooked. Our layout currently:

SA540 --> 172.16.8.1

Cisco Switch --> 172.16.8.2 (Linked to LAN Port 1 on SA540 and SFP to SG300-20, Operational Gateway 172.16.8.1)

Cisco Switch SG300-20 --> 172.16.8.5 (Operational Gateway 172.16.8.1 Uplinked through 172.16.8.2 SFP to SA540)

Based on an exercise I saw online I am working to duplicate the setup.

VLAN 1 --> 172.16.8.x/24

VLAN 2 --> 10.0.2.x/24 Workstations

VLAN12 --> 10.0.12.x/24 Management

VLAN13 --> 10.0.13.x/24 Servers

VLAN14 --> 10.0.14.x/24 Servers

VLAN15--> 10.0.15.x/24 DMZ

I have put these VLANs into the SA540 and enabled InterVAN routing.

My understanding currently:

Tagged Ports = packets are tagged with VLAN information when running multiple VLANs through the same port. 802.1Q

Untagged = only the default VLAN or one VLAN's traffic pass through the port. By default all traffic is untagged because all running out of the gate on VLAN1.

Access Port: untagged / Default VLAN traffic / one VLAN passing through only.

Trunk: Port tagged with multiple VLAN traffic passing through such as the port I am using to uplink to the other switch.

General: ??? I'm unclear on this one.

Guest: ??? Ditto on unclear

PVID: Port VLAN Id: Assigns an access port or trunk port to a designated default VLAN ID when one isn't defined "tagged"?. Also a trunk port is assigned to a default VLAN if a VLAN isn't tagged on it.

So based on this my question. I have created the VLANS inside the SA540 and enabled InterVLAN routing. Do the routes only become active when a device is sitting on that segment?

Do I still need to put static routes in the router or will the "InterVLAN" routing establish those routes when they become active?

I have created the VLAN routes inside the switch as well, how do I tell the switch to forward the packets to the router? I didn't' see an option to make the router the next hop on the journey. As it stands I have not added the routes to the upstream switch that sits between the SG300-20 and the SA540. Does it simply pass through one switch or does every switch need to be aware of the static routes?

Currently on the SA540 under Port to VLAN (Port 1) the mode is "Access", PVID =1 and VLAN Membership =1. I assume Port 1 needs to go to "Trunk" PVID=1 and VLAN Membership would be 1,2,12,13,14,15.

Thanks guys I know it's alot but this helps my understanding. Apprecitate the time and the feedback.

Tom Watts · ‎08-09-2012

Hello Ross,

The access port may be a single member of a vlan untag. The trunk port may be a member of multiple vlan. Ingress filtering may NOT be disabled on an access or trunk port.

The general port is an 802.1 port which may specify tag or untag and the ingress filtering may be disabled.

Ingress filtering is a feature, that if the ingress port receives an unknown vlan tag, it will discard the packet.

There is not a guest port, there is a guest VLAN. The smart port for Guest makes the port untag member of the native vlan. The guest vlan does not authenticate against the 802.1x when specified.

There is a customer port, which is a service provider configuration for QinQ tunneling.

The port connecting between router and switch should be either trunk or general and all vlan you want to pass between devices should be specified on the ports.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/