Best Layer 3 Switch for Home

Yes that would work. I really had not figured out whether they would be separate switches or not. You can run multiple networks on the same physical switch. DHCP is the only issue. It would probably be a hybrid of the 2 above. I have a wireless device which still needs a trunk vlan so there are still a few details to work out. I think if I get the core to work the rest will fall in place over time.

DHCP shouldn't be an issue at all.
Most routers that can support multiple VLAN interfaces will be able to push DHCP out on each interface.
The wifi running off a trunk port is just something that the L2 switch ought to provide.
 
DHCP shouldn't be an issue at all.
Most routers that can support multiple VLAN interfaces will be able to push DHCP out on each interface.
The wifi running off a trunk port is just something that the L2 switch ought to provide.

You are so right. I was only thinking if I end up with a router, don't know if it will have L2 capability. I think the CCR1009 has some. I don't know which is wire speed (switch fabric) and which is CPU on the router speed. And what the CPU capability is? Maybe enough L2 CPU power for wireless trunk but not a fully switched network.
 
I have been looking and thinking about the SG500 and SG500X switches. Can you create an IP DHCP server and create multiple DHCP pools (scopes) for the different VLANs on the switch? Is this a CLI feature? I am just looking for someone using SG500 switches. The DHCP server commands are available on bigger Cisco switches. I just don’t know if this carries down to the SG500 series.


If not this is going to require me to run Microsoft DHCP with scopes. I am not sure whether WHS 2001 supports DHCP. Something else I may need to work out.

I want the switch to do the VLAN routing so the clients would have their default gateway being the switch rather than pass the routing to the slower front door firewall router. And the switch would have the router as the default gateway. This is kind of a gateway of last resort to find the internet.
 
I know I got the sg300's dhcp server working about a year ago. The issue was it was kinda buggy when it came to static leases. The sg500 shares most of the same code and this may apply as well.
Anyone else have one that is more current?
 
Yes I bought a SG300-28 switch and a SG200-8 to put in my media center. I have DHCP running in my switch for each VLAN but I had to set it up with an XP machine and then upgrade the firmware. I could not create DHCP pools with latest firmware. I still can’t add static leases. The latest firmware for SG300 seems buggy to me. I have my switch in layer 3 mode with VLANs set up and all routing is done in the switch and only routed traffic is passed to the router. This means I am not trunking to the slower router to route all the VLANs. They are routing in the faster switch. I plan to extend the guest VLAN out to the SG200 switch so I can put my DirecTV box in the guest network.

The SG300-28 does not meet all my specs for the best home router but it will work and I bought it used for $200 off eBay. Someone had messed up the bootloader code. I fixed it all and now it seems to work OK except for the latest firmware. I hope a new version will come out soon.
 
OK. I have it all working. I had to start from scratch and not use the latest firmware version. It is too buggy for me. I have layer 3 working. I have DHCP pools and static addresses. I assigned a different IP network to each VLAN with DHCP running on every VLAN including static IP addresses in each VLAN where needed. Now I will see how it runs. Next I am going to assign ACLs for the guest network to exclude traffic from the main network.
 
Nice once you are finished mind exporting the sanitized running config?
 
Nice once you are finished mind exporting the sanitized running config?

+1 - I have the SG300-28pp on the way - more than willing to get my hands dirty but looking for a similar config.

Curious if there would be a way to force all outgoing/incoming traffic from a particular vlan to my work vpn? or does that have to be done at the actual home ISP router?
 
Nice once you are finished mind exporting the sanitized running config?
I can do it. I wish my Keyspan USA-19HS would work with the console. It worked a couple of years ago and it now just quit. I even tried my old Cisco 2600 router and could not bring up the console. This had worked a few years ago. I loaded the new Tripp Lite driver and it still does not work. I may have to call them Monday.
 
+1 - I have the SG300-28pp on the way - more than willing to get my hands dirty but looking for a similar config.

Curious if there would be a way to force all outgoing/incoming traffic from a particular vlan to my work vpn? or does that have to be done at the actual home ISP router?

My setup has an IP network aligned to each VLAN so you could route the VLAN to your VPN router. Would that help?
 
My setup has an IP network assigned to each VLAN so you could route the VLAN to your VPN router. Would that help?

Ahh, good point... I've got a couple spare Cisco E3000's lying around. I could set up the VPN connection on one of the routers and route all outbound traffic from the work devices grouped in a work vlan through that router.

So no way to set up VPN directly on the sg300?
 
Ahh, good point... I've got a couple spare Cisco E3000's lying around. I could set up the VPN connection on one of the routers and route all outbound traffic from the work devices grouped in a work vlan through that router.

So no way to set up VPN directly on the sg300?

No VPN support in the SG300.
 
I had a breakthrough with the console cable. It turns out the blue Cisco cables do not work with the business switches or the SG300 for sure. The SG300 switches take a straight through serial cable which I guess are included with the new switches and I did not receive it buying used. So I ended up using 2 Cisco DB9 connectors included with the Cisco blue console cable. I just connected the 2 DB9 connectors with a CAT5e patch cable and my console now works. I also had to load the latest Keyspan drivers. I tried a web backup but you cannot read it. It will probably work for loading the config but not good for looking at. So I have included the console run config.

This config is based on 3 VLAN networks. Each VLAN network has been assigned an IP network.

V0 is network 192.168.0.0/24 default VLAN

V2 is network 192.168.2.0/24

V3 is network 192.168.3.0/24

I assigned 4 ports to each network

V0 has ports 1-4

V2 has ports 13-16

V3 has ports 19-22

The extra ports can be assigned as needed.

There is DHCP for each VLAN and static entries can be made. DNS is AT&T. You may need to change.

All of the VLANs are being routed by the layer 3 switch at wire speed with the uplink port being 1. You will need to add static routes on your router pointing back to 192.168.0.254. When this works all VLANs will have internet access.

Just a note. I also run Untangle as my second firewall and I had to add static routes in Untangle as well as my router.

The password is password lower case. User is cisco lower case.

I don’t know what else to say other than the version of software on the switch required me to use an XP machine as there is a problem with the newer IE. Maybe firefox will work I don’t know. If someone tries it and it works let me know. I read on the internet “which must be true” is that Chrome will not work but I have not tried it.

What is left is to add the ACL for the guest network so guests will be isolated.

So here is the config.

User Name:cisco

Password:********

switchdaad1a#sh run

config-file-header

switchdaad1a

v1.3.7.18 / R750_NIK_1_35_647_358

CLI v1.0

set system mode router


file SSD indicator encrypted

@

ssd-control-start

ssd config

ssd file passphrase control unrestricted

no ssd file integrity control

ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0

!

vlan database

vlan 2-3

exit

voice vlan oui-table add 0001e3 Siemens_AG_phone________

voice vlan oui-table add 00036b Cisco_phone_____________

voice vlan oui-table add 00096e Avaya___________________

voice vlan oui-table add 000fe2 H3C_Aolynk______________

voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone

voice vlan oui-table add 00d01e Pingtel_phone___________

voice vlan oui-table add 00e075 Polycom/Veritel_phone___

voice vlan oui-table add 00e0bb 3Com_phone______________

ip dhcp server

ip dhcp pool host printer

address 192.168.0.40 255.255.255.0 client-identifier 08:00:37:32:46:eb

default-router 192.168.0.254

dns-server 68.94.156.1

exit

ip dhcp pool network V0

address low 192.168.0.75 high 192.168.0.240 255.255.255.0

lease 7

default-router 192.168.0.254

dns-server 68.94.156.1

exit

ip dhcp pool network V2

address low 192.168.2.1 high 192.168.2.254 255.255.255.0

default-router 192.168.2.254

dns-server 68.94.156.1

exit

ip dhcp pool network V3

address low 192.168.3.1 high 192.168.3.254 255.255.255.0

default-router 192.168.3.254

dns-server 68.94.156.1

exit

bonjour interface range vlan 1

ip access-list extended guest

exit

hostname switchdaad1a

line console

no autobaud

exit

no passwords complexity enable

username cisco password encrypted 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 privilege 15

!

interface vlan 1

ip address 192.168.0.254 255.255.255.0

no ip address dhcp

!

interface vlan 2

name "vlan2"

ip address 192.168.2.254 255.255.255.0

!

interface vlan 3

name "vlan3"

ip address 192.168.3.254 255.255.255.0

!

interface gigabitethernet1

switchport mode access

!

interface gigabitethernet2

switchport mode access

!

interface gigabitethernet3

switchport mode access

!

interface gigabitethernet4

switchport mode access

!

interface gigabitethernet13

switchport mode access

switchport access vlan 2

!

interface gigabitethernet14

switchport mode access

switchport access vlan 2

!

interface gigabitethernet15

switchport mode access

switchport access vlan 2

!

interface gigabitethernet16

switchport mode access

switchport access vlan 2

!

interface gigabitethernet19

switchport mode access

switchport access vlan 3

!

interface gigabitethernet20

switchport mode access

switchport access vlan 3

!

interface gigabitethernet21

switchport mode access

switchport access vlan 3

!

interface gigabitethernet22

switchport mode access

switchport access vlan 3

!

exit

ip default-gateway 192.168.0.1

switchdaad1a#
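
An added example, not part of the original post: a small Python audit over an excerpt of the running config posted above (lines copied from it, blank lines removed). The `audit` function, its `wordlist` parameter and the rule that an ACL followed directly by `exit` is empty are assumptions made for this illustration. It flags the points a reviewer would want closed before reusing the config: DHCP ranges that include the VLAN gateway address, the still-empty `guest` ACL, disabled password complexity, and a stored password value that is a plain unsalted SHA-1 of a common word, so a shared config still discloses it.

```python
import hashlib
import ipaddress
import re

# Excerpt copied from the config posted above (blank lines removed).
CONFIG = """\
ip dhcp pool network V0
address low 192.168.0.75 high 192.168.0.240 255.255.255.0
default-router 192.168.0.254
exit
ip dhcp pool network V2
address low 192.168.2.1 high 192.168.2.254 255.255.255.0
default-router 192.168.2.254
exit
ip access-list extended guest
exit
no passwords complexity enable
username cisco password encrypted 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 privilege 15
interface vlan 2
ip address 192.168.2.254 255.255.255.0
"""

def audit(config, wordlist=("cisco", "password", "admin")):
    """Return a list of findings; wordlist is a hypothetical set of default passwords."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    pool = None  # DHCP pool currently being parsed, if any
    for i, line in enumerate(lines):
        if m := re.match(r"ip dhcp pool network (\S+)", line):
            pool = {"name": m[1]}
        elif pool is not None and (m := re.match(r"address low (\S+) high (\S+)", line)):
            pool["low"], pool["high"] = map(ipaddress.ip_address, m.groups())
        elif pool is not None and (m := re.match(r"default-router (\S+)", line)):
            gw = ipaddress.ip_address(m[1])
            if "low" in pool and pool["low"] <= gw <= pool["high"]:
                findings.append(f"pool {pool['name']}: range includes gateway {gw}")
        elif line == "exit":
            pool = None
        elif (m := re.match(r"ip access-list extended (\S+)", line)) and lines[i + 1:i + 2] == ["exit"]:
            findings.append(f"ACL {m[1]}: defined but has no entries")
        elif line == "no passwords complexity enable":
            findings.append("password complexity checking is disabled")
        elif m := re.match(r"username (\S+) password encrypted ([0-9a-f]{40})\b", line):
            # Compare the stored value with unsalted SHA-1 of each candidate word.
            if any(hashlib.sha1(w.encode()).hexdigest() == m[2] for w in wordlist):
                findings.append(f"user {m[1]}: hash is unsalted SHA-1 of a common password")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```
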
 
Wow, thanks for posting. Mine arrives Weds and we move into a new house on Fri so it will take me a bit of time to get set up but I will report back. Thanks for giving me a starting point.
 
MikroTik RouterOS has various routing protocols including the ones used for prototyping. The CCR has L2 obviously. The way L2 works for RouterOS is that CPU based L2 always has more features than switch based and if it is fast enough to do wirespeed routing (All CCRs do wirespeed routing) they are faster at switching when using the CPU.
 
MikroTik RouterOS has various routing protocols including the ones used for prototyping. The CCR has L2 obviously. The way L2 works for RouterOS is that CPU based L2 always has more features than switch based and if it is fast enough to do wirespeed routing (All CCRs do wirespeed routing) they are faster at switching when using the CPU.
That has nothing to do with the topic though.
Will the CRS do L3 switching at wirespeed non-blocking? That was the original question.
 
I have extended the guest network which is vlan2 out to my SG200 switch where one of my Cisco WAP321 contains 2 SSIDs, one for guest and one for the LAN set up with single point to my second Cisco WAP321. The second Cisco WAP321 now lives off this SG300 switch where I set up a trunk port to handle the 2 SSIDs in the 2 different VLANs. So I added 2 trunk ports to this SG300 layer 3 switch. One trunk port handles the downstream SG200 switch that contains one WAP321 trunked. The other trunk port handles the other WAP321. The SG300 layer 3 switch provides all DHCP services and routing for the different VLANs across these trunks.
PS
The trunks stated here are VLAN trunks.
 
I have extended the guest network which is vlan2 out to my SG200 switch where one of my Cisco WAP321 contains 2 SSIDs, one for guest and one for the LAN set up with single point to my second Cisco WAP321. The second Cisco WAP321 now lives off this SG300 switch where I set up a trunk port to handle the 2 SSIDs in the 2 different VLANs. So I added 2 trunk ports to this SG300 layer 3 switch. One trunk port handles the downstream SG200 switch that contains one WAP321 trunked. The other trunk port handles the other WAP321. The SG300 layer 3 switch provides all DHCP services and routing for the different VLANs across these trunks.
Oh how I hate the word Trunk when it comes to networking.
Can be anything from "EtherChannel" and LACP to VLAN ports with Tagging
Which reminds me . . . Set up LACP on the SG200 trunk! XD
 
Oh how I hate the word Trunk when it comes to networking.
Can be anything from "EtherChannel" and LACP to VLAN ports with Tagging
Which reminds me . . . Set up LACP on the SG200 trunk! XD


I would like to but this is an old house and just getting CAT5e is going to be real hard. I am running the trunk across Netgear’s XAVB5101 Powerline 500 Nano adapters. These powerline adapters seem to handle the trunk and VLAN tags fine.
 
