VLAN Tagging with a Cisco SG200 series switch

Hi,

do you have an IP address assigned to the physical port on the XG that you are using for there VLAN interface?

Ian

Absolutely. The XG wouldn't let me set up my VLANs without it.

My port setup in the XG is:

Port 1: 192.168.101.1
Port 1.3: 192.168.1.1
Port 1.4: 192.168.2.1
Port 1.5: 192.168.5.1

Interface port on SG200: Trunk with four VLANs configured on it - ID 1 (untagged), IDs 3, 4 and 5 (tagged)

What other details would help with this? I understand from a post of yours a few months ago that you have this working with four VLANs on your Netgear switch. Is your Netgear set up similar to mine, in that PCs and other non-tagging type devices are set up on Access ports? To save you from seeking out more information on the SG200 switch, it is just a layer 2 managed switch, which helped keep things nice and simple when I put all this together with the old SRX appliance.

Here is my VoIP outgoing firewall rule.

Thank you for your screenshots. Looks like our firewalls are very similar, with the major difference in my case being that I haven't applied any DSCP value at the moment. Otherwise, agreed, I have not set up any gateways in the Firewall rules for anything that doesn't go to WAN.

You mentioned that routes also need to be set up. This is probably what is missing and where my ignorance is at.

So are you saying that I need to set up static routes? I did give that a shot but the problem was that with the static routes, it asks me to set up a gateway IP and that can't be the same as the interface IP.

So, for example, if I attempt to set up a static route for 192.168.2.0/24, it is pointed to interface Port 1.4 (being VLAN 4 for the .2 subnet) but then on its insistence for the gateway IP, I can't set that to be the interface itself (being 192.168.2.1). Is this where I should be setting up those routes you're referring to? Or are you talking about Policy Based Routes?

Hi Tony,

no, you do not need routes, I was wondering if you had set them up if you expected to be able to send traffic out of your other VLANs eg you are connected to VLAN2 but you want to use VLAN3's gateway. If VLAN3's gateway was a different external interface then yes I could see that , but you would use a firewall rule to allow specific traffic out VLAN3's gateway when you are connected to VLAN2.

I access my other VLANs, but only the internal devices, I do not try to use their gateway.

Ian

Thank goodness for that, as that was the initial impression I was under from the tutorial videos I have looked up.

OK, so with no routes and only firewall policies which are similarly set up to yours, your Netgear switch seems to be happy with your XG whereas my Cisco SG200 is not. How have you configured your Netgear? Are your ports for non-VLAN aware devices simply configured as Access ports, pointing to the respective PVID?

Hi Tony,

you assume correctly.

The below are two od the VLAN screens shots from the main Netgear managed switch.

22 is basically infrastructure (most of it)

100 is general LAN devices

111 is VoIP network

1023 is IoT network.

Ian

I'm at a complete loss then. It seems I'm doing everything exactly the same as you, albeit on a different make and model switch, which works just fine with my old Juniper.

I might have to see if I can borrow another managed switch from someone to determine what is going on.

Hi Tony,

I see part of your problem when i reread you regional post in detail is with the way you are testing. Port 3 on the XG will need a seperate address range not part of VLAN 3 range. You will need a firewall rule to allow the traffic from port 3 to VLAN3.

Ian

Thing is, I'm only using Port 3 as a means of accessing the XG management, not so much to use it to communicate through to the other networks. The fact that it is able to ping through to the other VLANs is strange behaviour though, since I haven't set up any rules for that to happen.

Oddly enough, where I know that I can get the XG's built-in ping test to perform tests from specified interfaces, it doesn't seem to work at all. I attempted to perform a ping test from Port 1.5 in the interface list, since I know my VLAN-aware device on VLAN5 can access it, and the ping test to the WAN failed (even to 8.8.8.8). Yet, my VLAN-aware device actually does get through.

Something doesn't seem right with that XG tool. Same goes with the Policy Test tool, of which none of my tests register a hit with any of my firewall rules.

This is becoming a disappointing exercise so far, in that it's either showing my lack of intelligence or this product is just not as intuitive as it was purported to be.

Hi Tony,

the XG is far from intuitive, we are all hoping v18 will improve that.

Ping, I am unable to ping 8.8.8.8 from any of my internal interface, VLAN or physical.

Is your switch a level 2 or level 3 VLAN?

Ian

What a mission! In the end, I decided to factory reset and start fresh, taking it all one step at a time, as opposed to preparing it all offline before plugging it in to test.

Set it up exactly the same way as I had it in the beginning of this saga and kept an eye on the network with each step, from setting up the VLANs through to establishing the firewall rules. We're all good now. I'm once again impressed with the XG, now that I'm beginning to learn the quirks.

Case closed. Thanks for your help, rf.

What a mission! In the end, I decided to factory reset and start fresh, taking it all one step at a time, as opposed to preparing it all offline before plugging it in to test.

Set it up exactly the same way as I had it in the beginning of this saga and kept an eye on the network with each step, from setting up the VLANs through to establishing the firewall rules. We're all good now. I'm once again impressed with the XG, now that I'm beginning to learn the quirks.

Case closed. Thanks for your help, rf.