
VLAN Tagging with a Cisco SG200 series switch

This is a peculiar one, as I have had this Cisco SG200-26 switch working with a Juniper SRX110HA-V2.

Topology is pretty straightforward: Three VLANS (IDs 3, 4 and 5) are required. The XG86 has these three VLANs configured on LAN port 1 (Port 1.3, 1.4 and 1.5). LAN port 1 is connected to port 24 of SG200, with port 24 configured as a Trunk with Tagged modes for VLAN IDs 3, 4 and 5 accordingly.

The only device that seems to function is the only one that can support tagging (its port is configured as Trunk - Tagged for VLAN ID 5). All other devices are not capable of supporting VLAN tagging, so their ports are set up as Trunk with Untagged mode for VLAN ID 3 or 4 (as required). At the very least, all the untagged devices do receive their address assignments from their respective DHCP servers (configured in the XG, not external) but that's where it ends.

If I plug a computer directly into Port 3 of the XG, which I have configured with a static IP belonging to the VLAN 3 group, I can ping all three VLAN gateways/interfaces but not any of the VLAN 3 devices themselves. However, I am able to ping the VLAN 5 device I mentioned.

I'm using the same Firewall rules as the VLAN 5 zone, so I know it can't be the rules since the same parameters work for the VLAN 5 tagged device.

As I mentioned at the start, this switch configuration definitely works with the Juniper but it seems that the XG only works for the one device capable of VLAN tagging.

So the question is, which one is breaking protocol concerning 802.1q? Is it the XG or the SG200? I'm inclined to blame the XG86 for this, given that it is the only thing that has changed here. I've sought out all the experts' videos on YouTube showing how easy it is to set up VLANs (and I agree they are easy) but there's something horribly wrong here.

I am running the latest version of SFOS (17.5.6).

All help appreciated!
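Whether the XG or the SG200 is "breaking protocol" comes down to what each port does with the 802.1Q tag on ingress and egress, so it helps to have the rules written out. The following Python model is an added example, not code or configuration from this thread, from Cisco or from Sophos. It builds and parses Ethernet frames with an optional 802.1Q tag (TPID 0x8100, then PCP/DEI/VID), and models a port as a set of tagged VLANs, at most one untagged VLAN and a PVID, which is how the SG200's Trunk (tagged/untagged) and Access settings behave. The port numbers, MAC addresses and frames are constructed for the example; only the VLAN IDs 3, 4 and 5 and the port roles (trunk uplink on port 24, an untagged PC port, a tagged VoIP phone port) follow the post. The fourth port shows the case the thread keeps circling: an untagged VLAN 3 port whose PVID was left at 1, so the PC's frames reach the router untagged on the native VLAN instead of tagged as VLAN 3.

```python
"""Model of 802.1Q tagged/untagged port membership on an L2 switch (added example)."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Decode the Ethernet header and the 802.1Q tag if one is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, pcp, off = None, 0, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid, off = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[off:]}


class Port:
    """A switch port: tagged VLAN set, at most one untagged VLAN, and a PVID."""

    def __init__(self, tagged=(), untagged=None, pvid=None):
        self.tagged = set(tagged)
        self.untagged = untagged
        # The PVID normally equals the untagged VLAN; when it does not, untagged
        # frames are classified into the PVID VLAN, not the one the port "untags".
        self.pvid = untagged if pvid is None else pvid


def ingress(port, frame):
    """Classify a received frame into a VLAN; None means the switch drops it."""
    f = parse_frame(frame)
    if f["vid"] is None or f["vid"] == 0:       # untagged or priority-tagged (VID 0)
        return (port.pvid, f) if port.pvid is not None else None
    if f["vid"] in port.tagged:                 # tagged, and the port is a tagged member
        return f["vid"], f
    return None                                 # ingress filtering: not a member


def egress(port, vid, f):
    """Re-encode the frame for the outgoing port, or None if it is not a member."""
    if vid in port.tagged:
        return build_frame(f["dst"], f["src"], f["payload"], vid=vid, pcp=f["pcp"])
    if vid == port.untagged:
        return build_frame(f["dst"], f["src"], f["payload"])
    return None


def forward(ports, in_port, frame, out_port):
    """Run one frame through ingress classification and egress encoding."""
    classified = ingress(ports[in_port], frame)
    if classified is None:
        return None
    vid, f = classified
    return egress(ports[out_port], vid, f)


def example_switch():
    """Constructed port roles mirroring the post; port9 is the misconfigured case."""
    return {
        "port24": Port(tagged={3, 4, 5}, untagged=1),   # uplink to the router's LAN port 1
        "port5": Port(untagged=3),                      # PC, not VLAN-aware (PVID 3)
        "port7": Port(tagged={5}),                      # VoIP phone, sends tag 5 itself
        "port9": Port(untagged=3, pvid=1),              # untagged 3 but PVID left at 1
    }


ROUTER, PC, PHONE = "02:00:00:00:00:01", "02:00:00:00:00:05", "02:00:00:00:00:07"
PAYLOAD = b"\x45" + bytes(19)   # constructed stand-in for an IPv4 header


def demo():
    sw = example_switch()
    r_to_pc = forward(sw, "port24", build_frame(PC, ROUTER, PAYLOAD, vid=3), "port5")
    pc_to_r = forward(sw, "port5", build_frame(ROUTER, PC, PAYLOAD), "port24")
    ph_to_r = forward(sw, "port7", build_frame(ROUTER, PHONE, PAYLOAD, vid=5, pcp=5), "port24")
    bad_pvid = forward(sw, "port9", build_frame(ROUTER, PC, PAYLOAD), "port24")
    return {
        "router_to_pc_vid": parse_frame(r_to_pc)["vid"],      # tag stripped for the PC
        "pc_to_router_vid": parse_frame(pc_to_r)["vid"],      # tag 3 added from the PVID
        "phone_to_router_vid": parse_frame(ph_to_r)["vid"],   # phone's own tag 5 kept
        "phone_pcp": parse_frame(ph_to_r)["pcp"],             # priority bits preserved
        "bad_pvid_vid": parse_frame(bad_pvid)["vid"],         # leaves on native VLAN 1, untagged
        "untagged_on_tagged_only_port": forward(sw, "port7", build_frame(ROUTER, PHONE, PAYLOAD), "port24"),
    }


if __name__ == "__main__":
    print(demo())
```

The practical check this model suggests is to capture on the router side of the trunk and look at the tag on frames from the PC port: if they arrive untagged (or with a VID other than 3), the switch's PVID or untagged membership on that port is the problem; if they arrive tagged 3 and the router still does not answer, the issue is on the XG side.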



  • Absolutely. The XG wouldn't let me set up my VLANs without it.

    My port setup in the XG is:

    Port 1: 192.168.101.1
    Port 1.3: 192.168.1.1
    Port 1.4: 192.168.2.1
    Port 1.5: 192.168.5.1

    Interface port on SG200: Trunk with four VLANs configured on it - ID 1 (untagged), IDs 3, 4 and 5 (tagged)

    What other details would help with this? I understand from a post of yours a few months ago that you have this working with four VLANs on your Netgear switch. Is your Netgear set up similar to mine, in that PCs and other non-tagging type devices are set up on Access ports? To save you from seeking out more information on the SG200 switch, it is just a layer 2 managed switch, which helped keep things nice and simple when I put all this together with the old SRX appliance.

  • Hi Tony,

    the XG is a layer 3 switch.

    I have an AP with 4 VLANs providing connection for various devices over wifi as well as physical connections. The APs have to be on tagged ports if you have them set up to work with VLANs.

    My physical devices connect through untagged ports.

    Ian

  • Oh, so you're no longer going through the Netgear then. Four ports on the XG isn't quite going to be enough for me and I'm not about to do away with the SG200 unnecessarily, just to get an L3 switch that can manage those three VLANs for me instead of the XG86. The whole point of getting the XG86 was that it is a UTM device just like my old SRX110 and one would think that it can do a decent job of handling VLANs.

    Oh well, the troubleshooting (and community assistance) continues then. I might have a word to my vendor as well, in case they can suggest a few things worth trying or if they can test it out on any of their own switches.

  • Hi,

    I don't know what makes you think I am not using the Netgear switch?

    I am actually using two Netgear switches, a 16 port and an 8 port.

    I have the APs on tagged ports for the hardware IP addresses and VLANs. I have 4 VLANS working over APs and physical ports.

    The XG provides the IP addressing for each VLAN/SSID.

    I have firewall rules associated with each VLAN and user type.

    Ian

  • Sorry, I misread your last post, thinking that you had plugged in directly into the XG rather than via the Netgear. Apologies.


    But there you go though, you have tagged ports for the APs because they can handle tagging. Clearly that works for me too, with only my Siemens Gigaset VoIP phone working because I can configure it with the VLAN ID 5.

    Here is one of my firewalls which is the one that works for the VoIP phone:

    I have replicated that for my trusted LAN to access the internet but it doesn't ping through to 8.8.8.8, etc. I could not understand for the life of me why this was the case and I concluded the only difference was that my VLAN5 device supports tagging while my VLAN3 devices (PCs, etc) do not.

    Here is one of my firewalls configured for allowing me to access my untrusted LAN but not allowing the untrusted devices to initiate contact with my trusted LAN.

    I can't even ping the gateway of the untrusted LAN from my trusted LAN (i.e. ping 192.168.2.1 from 192.168.1.x). Even the Diagnostic on the web GUI is incapable of pinging 192.168.2.1 (Port 1.4) from Port 1.3.

    None of it is making any sense to me. Hopefully someone here will see what I might be potentially missing from my firewall config that could be preventing the interVLAN routing.

  • Hi,

    I am at a loss to understand how you can ping 8.8.8.8 through your other VLAN gateway; there is nothing unless you have enabled a route (not a firewall rule) to do that, and all your traffic would go through that gateway.

    I have firewall rules allowing me to access devices on my various VLANs, they are for selected devices to access things like managed switch interfaces, IoT devices, VoIP VLAN. You do not need a gateway in your interVLAN rules.


    The above is the rule for my access to my VoIP VLAN from my main VLAN.

    Ian

  • Here is my VoIP outgoing firewall rule.

  • Thank you for your screenshots. Looks like our firewalls are very similar, with the major difference in my case being that I haven't applied any DSCP value at the moment. Otherwise, agreed, I have not set up any gateways in the Firewall rules for anything that doesn't go to WAN.

    You mentioned that routes also need to be set up. This is probably what is missing and where my ignorance is at.

    So are you saying that I need to set up static routes? I did give that a shot but the problem was that with the static routes, it asks me to set up a gateway IP and that can't be the same as the interface IP.

    So, for example, if I attempt to set up a static route for 192.168.2.0/24, it is pointed to interface Port 1.4 (being VLAN 4 for the .2 subnet) but then on its insistence for the gateway IP, I can't set that to be the interface itself (being 192.168.2.1). Is this where I should be setting up those routes you're referring to? Or are you talking about Policy Based Routes?

  • Hi Tony,

    no, you do not need routes. I was wondering if you had set them up, in case you expected to be able to send traffic out of your other VLANs, e.g. you are connected to VLAN2 but you want to use VLAN3's gateway. If VLAN3's gateway was a different external interface then yes, I could see that, but you would use a firewall rule to allow specific traffic out VLAN3's gateway when you are connected to VLAN2.

    I access my other VLANs, but only the internal devices, I do not try to use their gateway.

    Ian

  • Thank goodness for that, as that was the initial impression I was under from the tutorial videos I have looked up.

    OK, so with no routes and only firewall policies which are similarly set up to yours, your Netgear switch seems to be happy with your XG whereas my Cisco SG200 is not. How have you configured your Netgear? Are your ports for non-VLAN aware devices simply configured as Access ports, pointing to the respective PVID?