Cisco Small Business Switch VLAN Configuration

That's why the native VLAN 10 has no internet access: internet only comes from the Barracuda, and since the traffic is travelling on a VLAN PORT of the Barracuda, the Barracuda drops all untagged VLAN traffic or undefined VLANs on PORT 4 of my Barracuda. Only VLANs that I define in the Barracuda, say VLAN 100 for example, are allowed to pass. So I don’t need to tag every access port from what I see, it all works fine.

I thought the Native VLAN needed WAN access because the other VLANs like 100, 200 would try to access the WAN through 0.0.0.0, which is the native VLAN. If the native VLAN has no internet then nothing can get out unless it has its OWN gateway. So with static IPs on the VLANs this worked fine.

Hi Bron,

I was referring to tagging VLAN 10 on the trunk to the barracuda (in case you need internet access on VLAN 10). The barracuda (according to their docs) ignores frames that are not tagged on its trunk.

The interfaces to your hosts and such should remain access ports (never tag these).

By default, VLAN 1 is the “native VLAN” which is used for management protocols like CDP or STP.

Rene

Each VLAN is a separate layer 2 broadcast domain, the native VLAN is only used for management protocols normally. The only thing you require is an IP address on the barracuda for each VLAN that can be used as the default gateway, that’s it.

So it sounds like you got it working correctly :slight_smile:

Hi Rene

Hit a brick wall it seems.

Right now the only way I can get my VLANs working is with UNTAGGED access ports or Untagged (UP) General Ports.

I.e.

100UP - is the only way the port works

If for example I change this to

100T

Then no traffic works on it anymore. I cannot figure out why, and I spent 2 hours with Cisco Tech support; they have no idea either. Their only guess was that the network card was not sending tagged traffic. Have you ever seen this, or any ideas why only untagged ports can send traffic?

PORT 1 TRUNK - 10UP , 100T
PORT 20 ACCESS - 100UP
PORT 30 GENERAL - 100T - no traffic
PORT 31 GENERAL - 100UP - traffic
PORT 22 TRUNK - 10UP - 100T - no traffic

As you can see, tagging anything but the PORT it's on = no traffic. I have ports which have more than 1 VLAN on them via an SDN. For example PORT 22 connects to an Intel 10GBE NIC which has 3 VLANs on it: 100, 101, 102.

Any clues as to where / why tagging would fail or how to debug it?

Hi Bron,

Probably one of the two sides is not tagging your VLANs. I’m guessing your NIC, since there’s not that much you can configure on the switch. Does port 22 not work for both VLANs? VLAN 10 should be untagged, 100 tagged.

You could try Wireshark to see if you can see the VLAN tags. This doesn’t always work though, since some NICs strip the VLAN tag before forwarding it… it’s possible that frames are tagged while they don’t show up in Wireshark.

Do you have any other network devices that you can use to test your tagging? An old Cisco router or switch is enough.

Rene

The Cisco seems to be able to tag because it tags the TRUNK port traffic on a single cable to the firewall, and the firewall receives TAGGED traffic and can process it. So I know the Cisco can tag based on PORT and send it on; that works.

So I thought maybe the Cisco was stripping the NIC tags out and replacing them with PORT tags? Is that possible? If not, then yeah, maybe the NICs are not tagging properly.

The only form of tagging that appears to be present/working is the PORT -> VLAN tagging done on the Cisco Switch. If I rely on the NIC to tag - then I see nothing.

Should I be removing all the VLANs from the Cisco? Is the PORT based VLAN conflicting with the NIC VLAN tagging?

Hi Bron,

I think it’s probably your NIC that isn’t tagging properly. The switch will only add a tag on frames that are sent, not on any frames it receives. The only protocol it uses is 802.1Q for tagging. Your switch is probably tagging things fine, but your NIC isn’t looking at the tags when it receives them and isn't tagging any frames that it sends…

Rene
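The ingress and egress rules behind the 100T versus 100UP observations above (an untagged frame lands in the port's PVID, a tagged frame is accepted only for VLANs the port carries tagged, and only the switch adds a tag on egress), as an added example written for this page, not code from the thread, from Cisco or from the switch. It assumes a port's membership can be modelled as a PVID plus a set of tagged VLANs, that port 30's PVID was left at the factory default VLAN 1, and that port names, MAC addresses and the payload are constructed:

```python
"""Added example: 802.1Q ingress/egress classification for SG300-style ports.

Port model (assumption, not from the thread): each port has a PVID, the VLAN
assigned to untagged ingress ('UP'), plus a set of VLANs accepted with a tag ('T').
"""
from dataclasses import dataclass, field
from typing import Optional
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes, vid: Optional[int] = None) -> bytes:
    """Construct an Ethernet II frame; insert an 802.1Q tag (PCP 0, DEI 0, VID) when vid is given."""
    frame = dst + src
    if vid is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vlan_tag(frame: bytes) -> Optional[dict]:
    """Return the 802.1Q tag fields if the frame is tagged, or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF, "ethertype": inner_type}


@dataclass
class Port:
    name: str
    pvid: int                                 # VLAN for untagged ingress, sent untagged on egress
    tagged: set = field(default_factory=set)  # VLANs accepted and sent with a tag


def classify_ingress(port: Port, frame: bytes):
    """Decide which VLAN a received frame belongs to: ('forward', vid) or ('drop', vid)."""
    tag = parse_vlan_tag(frame)
    if tag is None or tag["vid"] == 0:        # untagged, or priority-tagged with VID 0 ("no VLAN")
        return ("forward", port.pvid)
    vid = tag["vid"]
    if vid in port.tagged:
        return ("forward", vid)
    return ("drop", vid)                      # tagged with a VLAN this port does not carry


def egress(port: Port, vid: int) -> Optional[str]:
    """How the switch sends a frame of VLAN vid out of this port: 'untagged', 'tagged' or None."""
    if vid == port.pvid:
        return "untagged"
    if vid in port.tagged:
        return "tagged"
    return None                               # port is not a member of that VLAN


# Constructed locally-administered MACs and a zero payload standing in for an IP packet.
HOST = bytes.fromhex("021122334455")
GATEWAY = bytes.fromhex("02aabbccddee")
PAYLOAD = bytes(46)

# Port layout from the thread; PVID of the 100T general port assumed to be the default VLAN 1.
PORTS = {
    "gi30": Port("gi30 GENERAL 100T", pvid=1, tagged={100}),
    "gi31": Port("gi31 GENERAL 100UP", pvid=100),
    "gi22": Port("gi22 TRUNK 10UP 100T", pvid=10, tagged={100}),
}


def thread_scenario() -> dict:
    """Replay the thread: a host that does not tag versus a host that tags VLAN 100."""
    untagged = build_frame(GATEWAY, HOST, PAYLOAD)
    tagged_100 = build_frame(GATEWAY, HOST, PAYLOAD, vid=100)
    tagged_200 = build_frame(GATEWAY, HOST, PAYLOAD, vid=200)
    return {
        "gi30/untagged": classify_ingress(PORTS["gi30"], untagged),     # ends up in VLAN 1, not 100
        "gi30/tagged100": classify_ingress(PORTS["gi30"], tagged_100),  # works once the NIC tags
        "gi31/untagged": classify_ingress(PORTS["gi31"], untagged),     # 100UP: untagged -> VLAN 100
        "gi22/tagged100": classify_ingress(PORTS["gi22"], tagged_100),
        "gi22/tagged200": classify_ingress(PORTS["gi22"], tagged_200),  # VLAN not on the trunk
    }


if __name__ == "__main__":
    for key, result in thread_scenario().items():
        print(f"{key}: {result}")
```

The untagged host frame on the 100T port is not dropped but classified into the PVID, so from VLAN 100's point of view "no traffic" arrives; that is the behaviour that points at the NIC rather than the switch.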

Hi Rene,

I hope I’m in the right place here…

I have been following through your example here and I think it is the closest example I’ve found to what I’m trying to do, but I think I’m missing a few things…

…like where do the different IPs and ranges get set for each VLAN, and can those separate VLANs be set up to do the DHCP assignments for the devices in each VLAN?

Here’s briefly what I’m trying to accomplish…

I have a network on Comcast fiber with public static IPs. I have a Cisco 1941 router up front, then a Cisco SG300 switch to handle traffic connections between my internal network of computers behind the firewall, the VoIP phone system, and another 3rd party data network… these pieces are all functioning just fine…

Now I need to add a wireless “guest” network to the mix, separate and outside of the firewall.
We're going to be using (5x) Cisco WAP321s with PoE… each location has been cabled with a home run back to the patch panel. I want to use another Cisco SG300-10 to be the central switch and power supply for the WAPs… following the logic of your example, what I thought perhaps I could do is have 1 VLAN across 5 ports of the SG300, handle the DHCP for the WAPs (to simplify WAP setup, since they'll all be hanging 12+ ft up on the walls) and be my power source and my gateway. I will use one of the public static IPs we have for the SG300 and point it to the Cisco 1941 as the network gateway.

Do you think you can point me in the right direction here? I feel I’m close, but I'm still a bit new to some of these devices, and seem to be missing a couple of key pieces.
FYI, I currently changed this SG300 setup to L3 (as router).

George

Well, you're right, it ended up that it was not the VLANs at all; the NIC was not tagging them because the software was not even trying! I found out now that they changed the software in the last version to use OSPF instead.

I removed the extra VLANs and now it's 95% working, all except ONE subnet. Always something, but that's for another section LOL. Thanks

Good to hear that you figured it out :slight_smile:

Hi George,

Your SG300 has some L3 (router) capabilities which allow it to do things like DHCP or inter-VLAN routing. In your scenario, you could configure DHCP for the VLANs on your SG300 or on the 1941. I would start by checking which device they used for the computer and VoIP VLANs… did they configure the 1941 or the SG300 for this?

If they use the 1941 for this then there should be a trunk between the SG300 and 1941. If the SG300 is used for DHCP then there will be a subnet in between the SG300 and 1941, and you will find some static routes on the 1941 pointing to the SG300 (one for each VLAN).

To keep it simple, make sure you use one device for DHCP for all VLANs.

About the wireless access points, I would use 2 VLANs for this:

  1. Management VLAN
  2. Wireless users VLAN (you can have up to 4 of these, one for each SSID).

The management VLAN is used so you can connect to each wireless access point to configure them; the wireless users VLAN only contains traffic from the wireless users.

This means your network will look like this:

WAP–SG300A–SG300B–1941

- Between the WAP and SG300, you’ll need a trunk for the management VLAN and wireless users VLAN.
- Between the first and second SG300 you’ll also need a trunk for the management and wireless users VLAN.
- What you need between SG300B and the 1941 depends on whether you use DHCP on the SG300 or the 1941.
- On the 1941, you should create an additional NAT rule that translates traffic from your wireless users subnet to the public IP address you want to use:

Let me know if you need some more help on this!

Rene

Hi Rene, thanks for your reply, but I think I definitely need a bit more…

First, I’ve been thinking about this a bunch and wondering if I’m over-complicating this…
So yes, I have the 1941 and SG300#1 (to FW, phone & data app using 3 ports w/ public IPs)… and add SG300#2 for my WAPs.

I can use another public IP for SG300#2 (but not enough for the WAPs), so SG300#2 can be like xx.yyy.76.30 and I can point it to my GW xx.yyy.76.1, and I have that working, but when I plug my laptop into SG#2 I get a DHCP IP in my xx.yyy.76 range… my thought was to have DHCP assign IPs in the 192.168.60.zz range to devices plugged into the ports on SG#2, but I can’t quite make that happen. Since this switch will only be for “outside” traffic and to power up the PoE WAPs, will this concept work for me? If so, I’m still confused how to program this.
Thank you, George

Hi George,

I’ll send you an email about this, that will be easier…

Rene

Great, thank you so much! Please check to see that you got my latest notes back to you (at 1:15 AM EST).
George

Question: I’m trying to get an existing network set up as two separate VLANs and am having some problems. The existing network uses 10.1.2.0/24 with a gateway to the internet of 10.1.2.8. I’ve set up two SG300-10 switches to have two VLANs: the first 4 ports are 10.1.2.0/24, the next 4 are 10.1.1.0/24, and the final 2 were set to connect to another switch like in this lesson. When I plug two laptops set to the same IP address range into matching ports on either switch I have no problem seeing each other, and when I connect a laptop with a 10.1.2.0/24 IP to the corresponding port on a switch and then connect the gateway to the same switch on a neighbouring port I can see the internet. The problem is that when I connect the same laptop to the other switch’s corresponding port I have no internet. I thought the port I set to forward everything, like the lesson shows, would send everything coming in on the 10.1.2.0/24 ports across through the interconnecting port to the other switch and out the 10.1.2.0/24 ports on it. What am I missing?

Hi William,

On the second switch you don’t have Internet but are you able to ping devices in the 10.1.2.0/24 or 10.1.1.0/24 subnet on the other switch? If so, your trunk is working correctly.

Keep in mind your switch also requires a default route to your router or it doesn’t know where to forward internet traffic to.

Rene


Hi Rene

I'm actually using a 24 port switch and trying to make 4 VLANs, which works quite well, but now I need an administrator access on the LAN which can access all 4 VLANs. Is that somehow possible?

BR

Hi Matthias,

When you have enabled IP routing on the switch, it will automatically route between the VLANs. You’ll have to restrict this per VLAN using access-lists.

Rene