ntobin asked:
Setup VLANs on SG200 & SG300 switches

I have a network that is a /24, all on VLAN1.  The /24 address space is 90% used up and sometimes we run into issues with running out of IPs.

We are working on segmenting this network now into 4 VLANs.  VLAN 12 is the first step in this segmentation process; this will remove about 40 devices from VLAN1.

The network consists of three switches:
-SG200 "A" (access)
-SG300 (core, L2 only)
-SG200 "B" (access)
-Cyberoam firewall (router on a stick config, DHCP relay agents)
-M$ DHCP server

I have added VLAN 12 to all of the switches.  I have created the sub-interface on the Cyberoam.  I have created the DHCP relay agent on the Cyberoam.  I have created the new DHCP pool on the M$ server for this VLAN.

On SG200 "A", I have a test machine setup to try these changes on before rolling them out to all other workstations.  SG200 "A" is trunked back to the core (SG300) switch with a LAG.  The LAG has a PVID = 1, tagged = 12.  The SG300 trunk to the firewall has the same settings, PVID = 1, tagged = 12.  

On SG200 "A", on the port the test workstation is connected to I have PVID = 12, untagged = 12.  With this configuration, I am unable to get the workstation to grab a new IP from VLAN12.
For testing purposes, I have changed the port the test machine is connected to from:
PVID = 12, untagged = 12

to:
PVID = 1, untagged = 1, tagged = 12

Then I went onto the workstation and manually changed the VLAN ID in the NIC's properties to VLAN 12.  When I did this, the workstation pulled a new IP from VLAN 12 and everything worked as I expected.  

My goal is to get this setup to work, but I do not want to have to designate the VLAN 12 ID in the workstation's NIC properties.

What am I missing?  I have been "adjusting" settings and testing these adjustments for about 3 hours but have been unable to find a combination of settings that will allow this to work.
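An added model (not from the thread or from Cisco) of the 802.1Q rules a port applies: untagged frames are classified into the PVID, tagged frames are accepted only for VLANs the port is a member of, and on egress a VLAN is sent untagged or tagged according to the port's membership. The topology (access port, SG200 LAG, SG300 LAG, SG300 uplink, Cyberoam interface) and the trunk settings are taken from the question; the port objects themselves are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """One 802.1Q port: PVID plus the VLANs it sends untagged or tagged."""
    pvid: int
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)

    def ingress(self, tag):
        """Classify an arriving frame; tag=None means it arrived untagged."""
        if tag is None:
            return self.pvid                       # PVID decides untagged frames
        return tag if tag in self.untagged | self.tagged else None  # else dropped

    def egress(self, vlan):
        """Tag for a frame leaving in `vlan`: None=untagged, 'drop'=not a member."""
        if vlan in self.untagged:
            return None
        return vlan if vlan in self.tagged else "drop"

def trace(ports, tag=None):
    """Walk a frame through ingress, egress, ingress, ... ending on the receiver.
    Returns the VLAN the receiver classifies it into, or None if it is dropped."""
    vlan = None
    for i, port in enumerate(ports):
        if i % 2 == 0:
            vlan = port.ingress(tag)
            if vlan is None:
                return None
        else:
            tag = port.egress(vlan)
            if tag == "drop":
                return None
    return vlan
# Constructed topology from the thread: access port -> SG200 LAG -> SG300 LAG
# -> SG300 uplink -> Cyberoam (base interface untagged VLAN 1, sub-interface tag 12).
TRUNK = dict(pvid=1, untagged={1}, tagged={12})   # "PVID = 1, tagged = 12"

def workstation_vlan(access_port, nic_tag=None):
    path = [access_port, Port(**TRUNK), Port(**TRUNK), Port(**TRUNK), Port(**TRUNK)]
    return trace(path, nic_tag)

INTENDED = Port(pvid=12, untagged={12})            # what the asker wants
TEST = Port(pvid=1, untagged={1}, tagged={12})     # the workaround that needed NIC tagging

if __name__ == "__main__":
    print(workstation_vlan(INTENDED))               # 12: untagged PC lands in VLAN 12
    print(workstation_vlan(TEST))                   # 1: untagged PC stays in VLAN 1
    print(workstation_vlan(TEST, nic_tag=12))       # 12: only works once the NIC tags
```

By the standard rules the intended PVID=12/untagged=12 port already puts an untagged workstation into VLAN 12 end to end, which is why the same settings later work on the SG300; a switch that does not behave this way is deviating from the model, not the configuration.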
David Akinsanya replied:

Just tag the switch port the workstation is connected to.
E.g. if the workstation designated for VLAN 12 is connected to port g1/0/5 on switch A,
console or telnet into switch A and assign port g1/0/5 to VLAN 12.
ntobin (asker):

I have done this, but I am unable to pull a DHCP address nor am I able to set a static address that would fall into that VLAN/sub.  

If I put the port into VLAN 12, then go into the workstation's NIC > Properties > Configure > VLAN and set the VLAN to 12, then the workstation starts pulling an address in VLAN 12.

David Akinsanya:

Something does not add up.
If you're unable to set static IP on the workstation, then there is something wrong on the workstation

The other puzzle - let's assume the WS is okay, this would then mean your dhcp relay is not working or configured correctly on the switch

Lastly, can you ping the dhcp server from the switch.

Just checking: by DHCP relay, I will assume you are configuring the IP of the DHCP server?
ntobin (asker):

Sorry, I should have been clear: I can set a static address on the workstation, but doing so does not give it access to the VLAN (if I had a DHCP relay issue, I would expect this step to show it).

The workstation is currently on VLAN 1.  From the workstation, I can ping VLAN 12's default gateway (10.1.12.1).  For this reason, I feel comfortable assuming the inter-VLAN routing portion is working.

From what I can see, I am unable to telnet/ssh into this switch as it only offers http/https access.  For this reason I am unable to test ping from the switch to the DHCP, but I can ping the DHCP server from workstations attached to the switch (FWIW).
David Akinsanya:

"but doing so does not give it access to the VLAN"

VLAN is a sort of grouping by IP address. It does not matter if it is set manually or assigned by DHCP.
E.g. VLAN 1 = 192.168.1.0 /24 = 192.168.1.1 - 192.168.1.254
Any address within the range above belongs to VLAN 1.

What is the IP scope of VLAN 1 and VLAN 12?

"The workstation is currently on VLAN 1.  From the workstation, I can ping VLAN 12's default gateway (10.1.12.1)"
This looks to me like the switchport is set to VLAN 1 or is set as a trunk, or VLAN 1 is still the native VLAN.

Something definitely does not add up.
ntobin (asker):

Posting from my phone...

Your last section hit the nail on the head.   The switchport has VLAN 1 as its native VLAN.   If I change this to VLAN 12 as native I am unable to make it work.   If I change it to VLAN 1 native and VLAN 12 tagged, then force the workstation to tag its frames as VLAN 12, it works.

I'm going to try and set this VLAN up on the core switch to see if this problem has something to do with the trunk not properly passing the VLAN 12 frames.

The SG200 lacks proper logging; it's very difficult to see what is going on without a CLI!

VLAN 1 = 10.1.10.x /24
VLAN 12 = 10.1.12.x /24

David Akinsanya:

If you plan on changing the native VLAN, only change it for the individual switchport and not the trunk port unless you plan to change it for all the switches. This would avoid native VLAN mismatch errors between switches.

Rather than changing native VLANs, I would suggest investigating why the switchport assignments are not working.

Please post your configs if possible.
You can enable telnet or SSH if you desire:
http://sbkb.cisco.com/CiscoSB/GetArticle.aspx?docid=1be547f0d91a4a1ab807d2b56cb6b046_Enable_Telnet_Service_on_300_Series_Managed_Switches.xml&pid=2&converted=0
ntobin (asker):

Thanks for the link, but that is in reference to the SG300s.  As far as I can tell, the SG200s (firmware v 1.1.1.8) do not allow CLI access.

As a test, I setup a spare SG300 to replace the SG200 that I am working on here.  

On the SG300, when I configure it the same as the SG200, I can get this setup to work great.  I put a switchport into a VLAN (11), that switchport serves up an IP address from the correct VLAN and I am able to work normally, but this time in the new VLAN. In short, it works with the SG300 in place of the SG200 with the same config.

Both SG300s are in L2 mode.

For this reason I think the issue lies with the SG200s and not the config; would this be a safe assumption?

I am planning on upgrading the firmware on the SG200s to see if this resolves the issue.  If it does not, I will be replacing the pair of SG200s with SG300s since I know that will work.