SMB Cisco SG350 Switch VLAN Mode Types
Updated: Feb 8, 2021
Small-Medium Business (SMB) and home network gear have stripped down feature sets when compared against enterprise level equipment for a multitude of reasons. However, sometimes you really need that enterprise functionality in a home lab, and SMB hardware tries to bridge that gap. The problem is, there's not much out there in terms of clear documentation of SMB implementations of 'enterprise+home' functions, so in this article I'll explain the differences between VLAN modes you'll find in Cisco SMB switches (specifically the SG350 series).
VLAN MODE TYPES
Trunk enforces and assumes a VLAN-enabled network and peer (which is why you need to enable TRUNK mode on both sides of whatever connection you have enabled trunked mode on), so it's not useful if the rest of your switches and primary router are not VLAN-enabled or capable. Without the ability to recognize and tag VLAN traffic, a trunk port just denies everything that isn't on its native/PVID.
Access can be used for traffic isolation over the local switch it is on, and is useful for preventing traffic requests that are not on that subnet from even touching that physical port (reducing broadcast domain saturation). Otherwise, it's pretty much the same thing as layer 3 isolation that subnets enable... only on layer 2 (isolating traffic at the MAC/physical level, before it even gets to the IP level).
General is pretty much a specialty mode meant for networks like mine that are in consumer or maybe small business environments that don't have enterprise-level features like VLAN/managed switches fully outfitted across the network topology. It strips away the VLAN requirements and allows a layer 3 switch to essentially just use the sub-interfaces you assign as the VLAN gateway addresses on the local switch, to direct traffic as if they were sub-interfaces you would usually create on a router without even getting into VLAN configurations.
Below is an explanation of the VLAN port mode types you'll have available to you in a Cisco SG350 series (or similar) switch, in an example ESXi environment. Imagine you've got 2 VLANs (192.168.1.x and 192.168.2.x), and have a port assigned to VLAN 2 that you also want to see all the devices on VLAN 1.
Switchport ACCESS VLAN 2 for a hypervisor NIC assigned to VM's of mixed IP ranges (or any host with multiple IP's piping to the same physical switchport) does NOT WORK. Only the IP's on the right VLAN IP range will make it to the port (aka for VLAN 2, you can talk to 192.168.2.x, but any IP's, even off the same physical machine like the iDRAC sub interface, if on 192.168.1.x, is inaccessible).
Switchport TRUNK for a hypervisor (or any host with multiple IP's to the same port) does NOT WORK. Only the IP's on the PVID (native/primary) VLAN IP range will make it to the port (aka for VLAN 2, you can talk to 192.168.2.x, but any IP's, even off the same physical machine like the iDRAC sub interface, if on 192.168.1.x, is inaccessible). The difference here is that it WILL allow non-PVID VLANs to access it, but only if TAGGED. The only untagged traffic allowed is the PVID (native) VLAN ID. So in a network like mine with no VLAN tagging, the trunk port essentially acts exactly the same as an ACCESS port.
Switchport GENERAL for a hyper or any host with multiple IP's to the same port) DOES WORK. You MUST set the membership settings to allow both VLAN 1 and VLAN 2 at UNTAGGED traffic. This essentially just opens up the port to allow any traffic from those IP ranges in and out of that port. This is exactly what you need.
It's also no wonder 'General' isn't an industry recognizable term, because in enterprise environments you don't have hardware with consumer level constraints.