Asked by Webcc:
Cisco SG300-28 VLANs and Routes

Have a new Cisco SG300 and would like to configure VLANs -
VLAN 10 10.0.5.1  Private LAN
VLAN 20 10.0.6.1  Public LAN
VLAN 30 10.0.44.1 Servers

Right now have all the VLANs setup and the router plugged into port 1 -
Changed switch to Layer 3, configured VLANs, assigned ports and changed ports to "Access".  I'm guessing I have to set up routes between VLANs and on my router for each subnet.
Cannot access or ping between VLANs and can only get out to the Internet through VLAN1.
Goal is to provide better security and less broadcasts.
Will try to post the config.
Miftaul H:
We need to configure the interVLAN routing.
Please see page 30 of this manual - Link
Webcc (asker):
Was able to get inter-VLAN communication working except between the management VLAN1.  Maybe that's normal, so I was going to create another VLAN (VLAN99) just to handle the traffic going to my DLINK router.
Have my router cable plugged into port 28, and any ports that are configured as VLAN1 can route traffic back and forth to the router.  Do you have to route each VLAN in my router (which I've tried, or maybe have done incorrectly)?  Router IP is 10.168.0.1.

Also, confused about the PVID settings.......
Here's the config:
config-file-header
CSCO2
v1.2.9.44 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10,20,30,99
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname CSCO2
line console
no autobaud
exit
line console
speed 9600
exit
username cisco password encrypted 9efdc8d527563682731724691b4fbde146005082 privilege 15
username webcc password encrypted 9efdc8d527563682731724691b4fbde146005082 privilege 15
ip ssh server
clock timezone " " 0 minutes 0
clock summer-time web recurring usa
clock source sntp
ip telnet server
!
interface vlan 1
 ip address 10.168.0.254 255.255.255.0
 no ip address dhcp
!
interface vlan 10
 name Private
 ip address 10.10.5.1 255.255.255.0
!
interface vlan 20
 name Public
 ip address 10.10.6.1 255.255.255.0
!
interface vlan 30
 name Servers
 ip address 10.10.44.1 255.255.255.0
!
interface vlan 99
 name WAN
 ip address 10.168.1.254 255.255.255.0
!
interface gigabitethernet2
 switchport mode access
 switchport general pvid 20
!
interface gigabitethernet3
 switchport mode access
 switchport general pvid 20
!
interface gigabitethernet4
 switchport mode access
 switchport general pvid 20
!
interface gigabitethernet5
 switchport mode access
 switchport general pvid 20
!
interface gigabitethernet6
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet7
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet8
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet9
 switchport mode access
 switchport access vlan 10
 switchport general pvid 10
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 10
 switchport general pvid 10
!
interface gigabitethernet11
 switchport mode access
 switchport access vlan 20
 switchport general pvid 20
!
interface gigabitethernet12
 switchport mode access
 switchport access vlan 20
 switchport general pvid 20
!
interface gigabitethernet13
 switchport mode access
 switchport access vlan 20
 switchport general pvid 50
!
interface gigabitethernet14
 switchport mode access
 switchport access vlan 20
 switchport general pvid 50
!
interface gigabitethernet15
 switchport mode access
 switchport access vlan 20
 switchport general pvid 50
!
interface gigabitethernet16
 switchport mode access
 switchport access vlan 30
!
interface gigabitethernet17
 switchport mode access
 switchport access vlan 30
!
interface gigabitethernet18
 switchport mode access
 switchport access vlan 30
 switchport general pvid 30
!
interface gigabitethernet19
 switchport mode access
 switchport access vlan 30
 switchport general pvid 30
!
interface gigabitethernet20
 switchport mode access
 switchport access vlan 30
 switchport general pvid 30
!
interface gigabitethernet21
 switchport mode access
!
interface gigabitethernet22
 switchport mode access
 switchport general pvid 100
!
interface gigabitethernet23
 switchport mode access
 switchport general pvid 100
!
ip route 0.0.0.0 0.0.0.0 10.168.0.1
ip route 10.10.5.0 255.255.255.0 10.168.0.1
ip route 10.10.6.0 255.255.255.0 10.168.0.1
ip route 10.10.44.0 255.255.255.0 10.168.0.1
CSCO2#
Can we configure the switchports like below?
interface gigabitethernet15
 switchport mode access
 switchport access vlan 20
 switchport access vlan 50

Also remove the static routes, and add a default gateway.
no ip route 0.0.0.0 0.0.0.0 10.168.0.1
no ip route 10.10.5.0 255.255.255.0 10.168.0.1
no ip route 10.10.6.0 255.255.255.0 10.168.0.1
no ip route 10.10.44.0 255.255.255.0 10.168.0.1
ip default-gateway 10.168.0.1

Could you confirm if devices in different VLANs can communicate with each other now.
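The two things asked for in this reply (PVIDs that do not match the access VLAN, and static routes for subnets the Layer 3 switch already owns) are easy to miss by eye in a 28-port config. The script below is an added example, not part of the thread or a Cisco tool: it parses an IOS-style config dump of the shape posted above and reports access ports whose "switchport general pvid" names a VLAN that is not in the vlan database or differs from the access VLAN, static routes whose destination is a subnet already configured on an SVI, and the cleartext telnet server left enabled next to SSH. The embedded config is a constructed excerpt modelled on the asker's first dump.

```python
"""Lint an SG300-style running config for the issues raised in the thread.

Added example (not from the thread or from Cisco). Findings:
  - access ports whose 'switchport general pvid' is not in the vlan database
    or differs from the port's access VLAN (e.g. pvid 50 on a VLAN 20 port);
  - 'ip route' entries for a subnet the switch already owns via an SVI, which
    send locally routable traffic up to the router instead of across the SVI;
  - 'ip telnet server' enabled: cleartext management next to SSH.
"""
import ipaddress
import re

# Constructed excerpt modelled on the asker's first config dump.
SAMPLE_CONFIG = """\
vlan database
vlan 10,20,30,99
exit
ip ssh server
ip telnet server
interface vlan 10
 ip address 10.10.5.1 255.255.255.0
interface vlan 20
 ip address 10.10.6.1 255.255.255.0
interface gigabitethernet11
 switchport mode access
 switchport access vlan 20
 switchport general pvid 20
interface gigabitethernet13
 switchport mode access
 switchport access vlan 20
 switchport general pvid 50
interface gigabitethernet22
 switchport mode access
 switchport general pvid 100
ip route 0.0.0.0 0.0.0.0 10.168.0.1
ip route 10.10.5.0 255.255.255.0 10.168.0.1
"""


def parse_config(text):
    """Split an IOS-style config into VLAN database, SVIs, ports, routes and globals."""
    vlans, svis, ports, routes, globals_ = set(), {}, {}, [], []
    block = None  # ("svi", vlan_id) or ("port", name) for the open interface block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command closes any block
            block = None
            if m := re.match(r"interface vlan (\d+)$", line):
                block = ("svi", int(m.group(1)))
            elif m := re.match(r"interface (gigabitethernet\d+)$", line):
                block = ("port", m.group(1))
                ports[m.group(1)] = {}
            elif m := re.match(r"vlan ([\d,]+)$", line):
                vlans.update(int(v) for v in m.group(1).split(","))
            elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
                routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
            else:
                globals_.append(line)
            continue
        cmd = line.strip()
        if block and block[0] == "svi":
            if m := re.match(r"ip address (\S+) (\S+)$", cmd):
                svis[block[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif block and block[0] == "port":
            if m := re.match(r"switchport (access vlan|general pvid) (\d+)$", cmd):
                key = "access" if m.group(1).startswith("access") else "pvid"
                ports[block[1]][key] = int(m.group(2))
    # VLAN 1 always exists even though it is never listed in 'vlan database'.
    return {"vlans": vlans | {1}, "svis": svis, "ports": ports,
            "routes": routes, "globals": globals_}


def lint(cfg):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for name, port in sorted(cfg["ports"].items()):
        access, pvid = port.get("access", 1), port.get("pvid")   # access VLAN defaults to 1
        if pvid is None:
            continue
        if pvid not in cfg["vlans"]:
            findings.append(f"{name}: pvid {pvid} is not in the vlan database")
        elif pvid != access:
            findings.append(f"{name}: pvid {pvid} differs from access vlan {access}")
    for net, next_hop in cfg["routes"]:
        # Skip the default route; flag any static route for a directly connected SVI subnet.
        if net.prefixlen and net in cfg["svis"].values():
            findings.append(f"route {net} via {next_hop} duplicates a directly connected SVI")
    if "ip telnet server" in cfg["globals"]:
        findings.append("ip telnet server: cleartext management enabled alongside ssh")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the constructed excerpt it flags gi13 (pvid 50, no such VLAN), gi22 (pvid 100, no such VLAN), the 10.10.5.0/24 static route and the telnet server; gi11, whose PVID matches its access VLAN, is left alone. Paste a real "show running-config" into SAMPLE_CONFIG to check the full switch.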
Webcc (asker):
How would I do this from the command line?
Connect to the switch console port or telnet/ssh into the switch. You can use putty or any other terminal emulation program. Backup your existing config please.

We want to remove switchport general pvid 50 and the static routes.
Webcc (asker):
Sorry, more specifically what are the commands?
That's strange that only ports 13-15 are set this way.  I can communicate between VLANs fine since I changed to Layer 3.   Problem is routing VLANs to my router.  Set up port 27 as a trunk with VLAN10 untagged, VLAN20 and VLAN30 tagged.  If I don't set a static for specific VLAN addressing it will pull an IP from my router (10.168.0.1) and I can get Internet access. Is this normal?  Thought I would have to set up DHCP scopes for each VLAN....
Thanks
If the switch is a layer 3 switch, you don't need to set up a trunk (speaking of which, why would you want VLAN 10 to be untagged?) to connect to your router.  In fact, if the switch is a true layer 3 switch, you may not even need to have a VLAN 99 to connect to your router.  You should be able to configure the port on your switch that connects to the router (port 27?) as a layer 3 port (use the "no switchport" command) and give that port the 10.168.1.254 IP address.  If the switch doesn't support layer 3 ports (it won't accept the "no switchport" command), then keep VLAN 99 the way it is, but put the port that connects to your router in VLAN 99.  Either way should get you routing traffic to your router since you already set up your default route on the switch.  But remember that you still need to be able to route traffic back to your switch.  In order to make that work, you'll need to add static routes on your router (using 10.168.1.254 as the next hop address) for each of your VLAN networks.  And I'd recommend using static IP addresses for now, at least until you get your routing working, before you start messing with DHCP.
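The "route traffic back to your switch" point in the answer above is the one that keeps biting in this thread, so here it is worked through as an added example (not from the thread or from any vendor). It models each device as a longest-prefix-match forwarding table and walks a packet hop by hop: the forward path from a VLAN 10 host to the Internet works as soon as the switch has its default route, but the reply dies at the ISP until the router gets a static route for 10.10.5.0/24 via 10.168.1.254. The topology is constructed to match the answer; the router's inside address 10.168.1.1, the host 10.10.5.10 and the WAN/ISP addresses are assumed values. NAT is left out: after the router un-translates a reply it still has to look up 10.10.5.10, which is exactly the lookup shown.

```python
"""Longest-prefix-match walk-through of the forward and return path.

Added example (not from the thread). Switch owns the VLAN subnets and points
its default at the router; the router points its default at the ISP. The
router address 10.168.1.1, host 10.10.5.10 and WAN addresses are assumed.
"""
import ipaddress


class Node:
    """A forwarding device: its own addresses plus a list of routes."""

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.routes = []
        for prefix, next_hop in routes:
            self.add_route(prefix, next_hop)

    def add_route(self, prefix, next_hop):
        # next_hop None means the prefix is directly connected
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Return the most specific matching route (longest prefix), or None."""
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)


# Constructed topology modelled on the advice above (addresses partly assumed).
TOPOLOGY = {
    "host":     (["10.10.5.10"],
                 [("10.10.5.0/24", None), ("0.0.0.0/0", "10.10.5.1")]),
    "switch":   (["10.10.5.1", "10.10.6.1", "10.10.44.1", "10.168.1.254"],
                 [("10.10.5.0/24", None), ("10.10.6.0/24", None),
                  ("10.10.44.0/24", None), ("10.168.1.0/24", None),
                  ("0.0.0.0/0", "10.168.1.1")]),
    "router":   (["10.168.1.1", "198.51.100.2"],
                 [("10.168.1.0/24", None), ("198.51.100.0/30", None),
                  ("0.0.0.0/0", "198.51.100.1")]),
    # The ISP side knows the transit link and its own prefix, nothing private.
    "internet": (["198.51.100.1", "203.0.113.5"],
                 [("198.51.100.0/30", None), ("203.0.113.0/24", None)]),
}


def build(router_return_routes=()):
    """Instantiate the topology, optionally adding static routes on the router."""
    nodes = {name: Node(name, addrs, routes) for name, (addrs, routes) in TOPOLOGY.items()}
    for prefix, next_hop in router_return_routes:
        nodes["router"].add_route(prefix, next_hop)
    return nodes


def trace(nodes, start, dst, max_hops=8):
    """Walk a packet from `start` towards `dst`; return (path, status)."""
    dst = ipaddress.ip_address(dst)
    node, path = nodes[start], [start]
    for _ in range(max_hops):
        route = node.lookup(dst)
        if route is None:
            return path, f"no route at {node.name}"
        _, next_hop = route
        # Directly connected: hand to whoever owns dst; otherwise to the next hop.
        target = dst if next_hop is None else ipaddress.ip_address(next_hop)
        owner = next((n for n in nodes.values() if target in n.addrs), None)
        if owner is None:
            return path, f"{node.name}: no neighbour owns {target}"
        if owner is not node:
            path.append(owner.name)
        if next_hop is None:
            return path, "delivered"
        node = owner
    return path, "hop limit exceeded (loop?)"


if __name__ == "__main__":
    before = build()
    print(trace(before, "host", "203.0.113.5"))    # forward path works
    print(trace(before, "router", "10.10.5.10"))   # reply follows the default to the ISP
    after = build([("10.10.5.0/24", "10.168.1.254"), ("10.10.6.0/24", "10.168.1.254"),
                   ("10.10.44.0/24", "10.168.1.254")])
    print(trace(after, "router", "10.10.5.10"))    # reply reaches the host
```

The same model explains the later symptom in this thread where hosts only worked with the firewall as their gateway: whichever device a host's default route names must either own the destination's subnet or have a route for it, and the box upstream must have a route back, or one direction of every flow is lost.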
Webcc (asker):
I'm a novice at setting up VLANs so, I hope you can bear with me.
The Layer 3 option is global; it cannot be set for a specific port.
Working with just the following to simplify:
VLAN10   =  10.10.5.1   (Private LAN)
VLAN99   =  10.168.1.254  (WAN connection)
VLAN1    =   10.168.0.254  (Management VLAN)
Port 27  =  connection to router (setup as trunk port)
Answer to your question -  It forced me to select at least 1 untagged VLAN.
Have to setup connection to router as a TRUNK and have to add all VLANs that you want to
connect thru this port as TAGGED -  is this assumption correct?

Access through management VLAN1 works fine; cannot get VLAN10 to route, maybe because I'm not entering route statements correctly.
Have a DLINK in this case and have tried to enter a static to 10.168.1.0 from WAN address 10.0.5.1.
Hopefully I'm making sense!
Webcc (asker):
HERE IS THE LATEST ITERATION OF THE SWITCH CONFIG:

CSCO2
v1.2.9.44 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10,20,30,99
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname CSCO2
line console
no autobaud
exit
line console
speed 9600
exit
username cisco password encrypted 9efdc8d527563682731724691b4fbde146005082 privilege 15
username webcc password encrypted 9efdc8d527563682731724691b4fbde146005082 privilege 15
ip ssh server
clock timezone " " 0 minutes 0
clock summer-time web recurring usa
clock source sntp
ip telnet server
!
interface vlan 1
 ip address 10.168.0.254 255.255.255.0
 no ip address dhcp
!
interface vlan 10
 name Private
 ip address 10.10.5.1 255.255.255.0
!
interface vlan 20
 name Public
 ip address 10.10.6.1 255.255.255.0
!
interface vlan 30
 name Servers
 ip address 10.10.44.1 255.255.255.0
!
interface vlan 99
 name WAN
 ip address 10.168.1.254 255.255.255.0
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 99
!
interface gigabitethernet3
 switchport mode access
!
interface gigabitethernet4
 switchport mode access
!
interface gigabitethernet5
 switchport mode access
!
interface gigabitethernet6
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet7
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet8
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet9
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet11
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet12
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet13
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet14
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet15
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet16
 switchport mode access
 switchport access vlan 30
!
interface gigabitethernet17
 switchport mode access
 switchport access vlan 30
!
interface gigabitethernet18
 switchport mode access
 switchport access vlan 30
!
interface gigabitethernet19
 switchport mode access
 switchport access vlan 30
!
interface gigabitethernet20
 switchport mode access
 switchport access vlan 30
!
interface gigabitethernet21
 switchport mode access
!
interface gigabitethernet22
 switchport mode access
!
interface gigabitethernet23
 switchport mode access
!
interface gigabitethernet27
 switchport trunk allowed vlan add 99
!
interface gigabitethernet28
 switchport trunk allowed vlan add 10,20,30
!
ip route 0.0.0.0 0.0.0.0 10.168.0.1
ip route 10.10.44.0 255.255.255.0 10.168.0.1
CSCO2#
Webcc (asker):
Any other suggestions?
Could you please confirm that PCs connected to different VLANs within the switch can communicate. When we configure VLANs in the SG300, it enables inter-VLAN routing automatically. No static routes are required between VLANs.

Once intervlan routing is confirmed, we can proceed further with the external access.
Let's say you are connecting the switch SG300-28 to a router R1.

The switch in Layer 3 mode does automatic routing between VLANs; no static routes are necessary. Please save your current config. Let us then remove the static routes from the switch.

Now, we have created 4 VLANs 1, 10, 20, 30, 99 and configured VLAN interfaces as below

interface vlan 1
 ip address 10.168.0.254 255.255.255.0
 no ip address dhcp
!
interface vlan 10
 name Private
 ip address 10.10.5.1 255.255.255.0
!
interface vlan 20
 name Public
 ip address 10.10.6.1 255.255.255.0
!
interface vlan 30
 name Servers
 ip address 10.10.44.1 255.255.255.0
!
interface vlan 99
 name WAN
 ip address 10.168.1.254 255.255.255.0

We have assigned interfaces to the VLANs

VLAN  1 - Interfaces
VLAN 10 - Interfaces Gi6, Gi7, Gi8, Gi9, Gi10,
VLAN 20 - Interfaces Gi11, Gi12, Gi13, Gi14, Gi15,
VLAN 30 - Interfaces Gi16, Gi17, Gi18, Gi19, Gi20,
VLAN 99 - Interfaces Gi2
Not Assigned interfaces - Gi3, Gi4, Gi5, Gi21, Gi22, Gi23
No info on - Gi1, Gi24, Gi25, Gi26 -
Trunk - Gi27, Gi28

You are connecting Switch Gi27 to Router Gi01

On the trunk port, let us allow all the VLANs

interface gigabitethernet27
 switchport mode trunk
 switchport trunk native vlan 1


Now on the router, we will create the VLAN interfaces and make the port a trunk

interface vlan 1
 ip address 10.168.0.253 255.255.255.0
 no ip address dhcp
 IP NAT inside
!
interface vlan 10
 name Private
 ip address 10.10.5.2 255.255.255.0
!
interface vlan 20
 name Public
 ip address 10.10.6.2 255.255.255.0
!
interface vlan 30
 name Servers
 ip address 10.10.44.2 255.255.255.0
!
interface vlan 99
 name WAN
 ip address 10.168.1.253 255.255.255.0

 interface fa0/1
 switchport mode trunk
 switchport trunk native vlan 1

(I understand we are doing the interVLAN twice, just for troubleshooting steps.)
Webcc (asker):
Yes, inter-VLAN communication is operational without any routes.  The problem is routing VLANs other than VLAN1 to the Internet.  Looks like the DLINK router that I was using does not allow any static routes on the LAN side.  Have a Sonicwall 3060 that has several interfaces that I can put in between the SG300 and DLINK router for now to see if I can get things configured correctly.  Will try to set up like the configuration above.

My trunk port to the Sonicwall will need all VLANs assigned and tagged correct?
Accepted solution by Miftaul H (content restricted to members).
Webcc (asker):
If we can simplify this a bit, just working with 1 VLAN and a trunk port.  What about using VLAN99 as just a trunk?  Leaving VLAN1 just as the management and nothing else.
(SG300)
interface vlan 10
 name Staff
 ip address 10.10.5.1 255.255.255.0  

interface vlan 99
 name Trunk
ip address 10.168.1.254 255.255.255.0

interface gigabitethernet27
 switchport mode trunk
 switchport trunk allowed vlan add 10,99

(SONICWALL 3060)
X0      LAN       192.168.2.254       255.255.255.0       Static       100 Mbps full-duplex       
X1      WAN       10.168.0.252       255.255.255.0       Static       100 Mbps full-duplex       
X2      Staff       10.10.5.2       255.255.255.0       Static       100 Mbps full-duplex               
X5      Trunk       10.168.1.1       255.255.255.0       Static

Created 2 Zones -   Staff and Trunk

Now I guess I have to create sub-interfaces.  A little confused about what zone, interface and static IP to use.  Do I use the trunk zone, interface X5 and then set another static for each VLAN according to their respective subnets?
Thanks!
Webcc (asker):
Ok, looks like communications seem to be working, just questioning the routing through the trunk port.  Here are the configs.  In order to get it to work this way I have to set the computers on the 10.10.5.0 network to use the IP on the Sonicwall as their D/Gateway, same with subnet 10.10.44.0.  That seems strange; I thought it should be set to the VLAN IP of the switch, i.e., 10.10.5.1 and 10.10.44.1 respectively!

(SONICWALL)
X0      LAN       192.168.2.254       255.255.255.0       Static       No link       Default LAN
X1      WAN       10.168.0.252       255.255.255.0       Static       100 Mbps full-duplex
X2      Unassigned       0.0.0.0       0.0.0.0       N/A       No link
X3      Unassigned       0.0.0.0       0.0.0.0       N/A       No link
X4      Unassigned       0.0.0.0       0.0.0.0       N/A       No link
X5      Trunk       192.168.99.2       255.255.255.0       Static       100 Mbps full-duplex       Link to SG300
      X5:V10      Staff       10.10.5.2       255.255.255.0       Static       VLAN Sub-Interface
      X5:V30      Servers       10.10.44.2       255.255.255.0       Static       VLAN Sub-Interface


(SG-300)
interface vlan 10
 name Public
 ip address 10.10.5.1

interface vlan 30
 name Servers
 ip address 10.10.44.1

interface vlan 99
 name WAN
 ip address 192.168.99.1

interface gigabitethernet27
 negotiation 100f
 spanning-tree portfast
 switchport trunk allowed vlan add 10,30,99
 no cdp enable