RHSelf

VLAN Question

Hello,

  I want to configure a VLAN on my switch.  The switch is not a Catalyst so I do not have Cisco IOS.  
I am working with a Cisco SG 300-52.  The main issue I have is that I want to separate some users in a VLAN on my switch.  
However, I still want them to be able to access my servers for storage, DHCP, etc.  We are a small shop so I only have the one switch.
I have left the default VLAN 1 in place and that is where all of my machines are sitting.  Then I created VLAN 2 and added the machines I want separated from the other traffic.
I am facing 2 issues.  First, the switch I have is not running Cisco IOS, so the configuration is actually more confusing to me with the GUI.  
Second, I don't have a spare card in my router (Cisco 1841) to be able to do router-on-a-stick.

Is there a way to achieve this on the model switch I am using?  
Am I going to have to purchase an Ethernet WIC for my router?


Any help would be appreciated.  :)  
JoshuaJE

Are you sure it's not running IOS?

I've never run into a Cisco switch that wasn't running IOS, unless it was running CatOS instead...

Try going to a DOS prompt and telnetting into it.
Huh, I just looked it up and I found no mention of IOS for it... interesting.
If you want to separate traffic from some users to other users in the same VLAN, I would recommend creating a VLAN ACL... but somehow I doubt you can do that.

You could also create some MAC ACLs... basically the point is all you need to do is filter traffic, you don't need to create two separate networks. :)
The only other options would be to create two networks/vlans as you mentioned, and create SVIs (VLAN interfaces) to act as a gateway for each VLAN: interVLAN routing.

If you can't configure that on your switch, then you will need the Ethernet module for your router so you can perform interVLAN routing (router on a stick) using the external router.
The last thing I said about the Ethernet module is me assuming that your router has only 1 Ethernet port...
For a reference for configuring your switch, have a look at this link: http://www.cisco.com/en/US/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf

When you say you don't have a spare card on your router so you can't do a router on a stick, do you mean port? If this is the only switch in your setup, isn't it already connected to the router? All you need to do is trunk that connection.
Well,

Assuming (there I go assuming again) that he knows what router on a stick is, his router must have any ethernet ports...

If your router has 1 Ethernet port, you can perform interVLAN routing (router on a stick).  If that's all you need your router for, then great.

Most routers have at least 1 Ethernet port though, so I'm assuming you are already using it, and that is why you need another Ethernet module.
The easiest thing for you to do would be to create some MAC ACLs.
Keep in mind, if you make two distinct networks, all hosts will still be able to talk to each other, and you will still have to configure filters.
ASKER

Well, I was wondering that too, if establishing a VLAN for a couple of computers that I want to be inaccessible from other machines was overkill.  I could just use the MAC ACLs and allow traffic from my servers set, but deny traffic from other machines?
Actually, you would deny traffic first

and then permit everything else.
ASKER CERTIFIED SOLUTION
JoshuaJE

Easy way to do this is to create 3 vlans - Example:

- Server/servers go in Vlan 1
- user group A goes in Vlan 2
- User group B goes in Vlan 3

1. Setup inter Vlan Routing from Vlan 2 to Vlan 1 giving users group A access to the server
2. Setup inter vlan routing from Vlan 3 into Vlan 1 giving users in group B access to the server
3. Don't setup vlan routing between vlan 2 and 3

You may need to use more vlans than are shown in this example, but this should get you headed in the right direction.

Please don't listen to Tekyguy, as we already went over this, thanks.

No offence Tekyguy, but you should read the entire thread before posting, thanks.
No offence JoshuaJE, but no one can read your tiny writing.
Tekyguy,

I would never recommend to someone a solution that involves incomplete configuration.

That's why filters were created, to not only filter, but to also document what is being done within the configuration.

You are bound to run into problems in the future by not completing your routing configuration, if someone else looks at it they will think you messed up.

At least with ACLs it's straightforward.

So you see, your proposed solution isn't really a solution at all, anyone who looked at it would think you don't know what you are doing, even though it may actually work...  It's kind of like destroying the Golden Gate Bridge instead of constructing a toll booth to filter out those who can't pay...

Not only that, you have to also understand that he does not need to create multiple VLANs, and doing so would be a waste of time... all he wants to do is filter a few hosts from reaching certain areas.

If you read my post with the embedded image, you will see that I said you should download it to read it.  Good day, SIR! LOL
Come to think of it, you wouldn't even be able to configure this "broken bridge" approach anyway, as connected routes are automatically generated anyway when a L3 interface is configured and brought up.
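
An added sketch, not written by any poster in this thread and not device configuration: a Python model of the three-VLAN layout discussed above, with inbound ACLs evaluated first-match and ending in an implicit deny, as Cisco ACLs are. The subnets, host addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed addressing for the three VLANs in the example above (assumed).
VLANS = {
    1: ipaddress.ip_network("192.168.1.0/24"),  # servers
    2: ipaddress.ip_network("192.168.2.0/24"),  # user group A
    3: ipaddress.ip_network("192.168.3.0/24"),  # user group B
}
ANY = ipaddress.ip_network("0.0.0.0/0")


def vlan_of(ip):
    """Return the VLAN whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((v for v, net in VLANS.items() if addr in net), None)


def acl_permits(acl, src, dst):
    """First matching entry wins; no match falls through to an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def can_reach(src, dst, inbound_acls):
    """Model a packet routed between VLAN interfaces, with optional inbound ACLs."""
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    if src_vlan is None or dst_vlan is None:
        return False  # no connected route for an unknown subnet
    if src_vlan == dst_vlan:
        return True  # switched inside the VLAN, never reaches the L3 interface
    # Connected routes exist for every L3 interface, so only an ACL blocks this.
    acl = inbound_acls.get(src_vlan)
    return True if acl is None else acl_permits(acl, src, dst)


# Deny the other user VLAN first, then permit everything else.
FILTERED = {
    2: [("deny", VLANS[2], VLANS[3]), ("permit", ANY, ANY)],
    3: [("deny", VLANS[3], VLANS[2]), ("permit", ANY, ANY)],
}
# Same entries in the wrong order: the permit matches first, the deny is dead.
MISORDERED = {2: [("permit", ANY, ANY), ("deny", VLANS[2], VLANS[3])]}

if __name__ == "__main__":
    for name, acls in (("none", {}), ("filtered", FILTERED), ("misordered", MISORDERED)):
        print(name, can_reach("192.168.2.10", "192.168.3.10", acls))
```
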