
I have one CISCO SG-300-52 switch in Layer 3 mode, and 3 x SG-300-52 in Layer 2 mode. Currently they are all connected together with spanning-tree loops using link aggregation. I am running the 192.168.0.0/16 subnet on this setup. There is a DHCP server allocating IP addresses to the clients in this network. Everything works perfectly fine in this Layer 2 network.

I want to set up a few VLANs across the network, since I want to separate the subnets' traffic from each other for security reasons. My question:

Is it possible to separate VLANs from each other, but at the same time allow all VLANs to communicate with the server? Also, I want to have a few admin computers that should be able to communicate with any device in any VLAN. Basically I can summarize it as:

  • VLAN10 - "admin" VLAN. Contains server and admin computers - can talk to any device in the network.

  • VLAN 20 - "regular" VLAN. Contains devices that should not be able to talk to any other VLAN.

  • VLAN 30 - "regular" VLAN. Contains devices that should not be able to talk to any other VLAN.

Also, I would like to make one VLAN with very strict security and not allow devices within that VLAN to even talk to each other - only with "admin" VLAN.

And at the same time I want to keep the DHCP working.

Is it realistic to set this up?

VL-80

1 Answer


You can create VLAN interfaces on the Linux server (each with a different IP address), attach it to a switch port configured as a "trunk" (with the three VLANs you've identified as "allowed" on the port), and the server computer will be able to communicate with clients in each VLAN. Be sure that you don't enable IP forwarding on the Linux machine if you don't want it to route packets between the VLANs on behalf of clients in the VLANs.

VLAN interfaces act as virtual network interfaces. The server will, for all intents and purposes, act as though it has three network interfaces instead of one.

Evan Anderson
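The server-side setup the answer describes (802.1Q sub-interfaces on a trunk port, with the kernel not routing between them), as an added shell example that is not part of the original answer. The parent interface `eth0`, the VLAN IDs and the addresses are assumed values; `apply` needs root and iproute2's `ip`, while `dry-run` only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original answer: create 802.1Q VLAN
# sub-interfaces on a Linux server attached to a trunk port, then make sure
# the kernel will not route between them. Parent interface, VLAN IDs and
# addresses are assumed values; iproute2's "ip" is required for "apply".
PARENT="${PARENT:-eth0}"
# Constructed "vlan_id address/prefix" pairs, one per VLAN allowed on the trunk.
VLANS="10 192.168.10.2/24
20 192.168.20.2/24
30 192.168.30.2/24"

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Create one tagged sub-interface (eth0.10 etc.) and give it an address.
add_vlan_if() {
    vid="$1"; addr="$2"
    run ip link add link "$PARENT" name "$PARENT.$vid" type vlan id "$vid"
    run ip addr add "$addr" dev "$PARENT.$vid"
    run ip link set "$PARENT.$vid" up
}

# Apply add_vlan_if to every entry in VLANS.
configure_all() {
    echo "$VLANS" | while read -r vid addr; do
        [ -n "$vid" ] && add_vlan_if "$vid" "$addr"
    done
}

# Succeed only if IPv4 forwarding is off; the path argument exists for testing.
forwarding_disabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = 0 ]
}

main() {
    configure_all
    if forwarding_disabled; then
        echo "ip_forward=0: the server will not route between VLANs"
    else
        echo "ip_forward is on: the server would route between VLANs; disabling" >&2
        run sysctl -w net.ipv4.ip_forward=0
    fi
}

case "${1:-}" in
    apply)   main ;;
    dry-run) DRY_RUN=1; main ;;
esac
```

Run with `sh vlan-ifaces.sh dry-run` first to review the generated commands; the trunk port on the switch must carry the same three VLANs for the sub-interfaces to see any traffic.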