How to setup a Guest network on a Cisco SG300-28 layer 3 switch

coxhaus

Part of the Furniture
How to setup a Guest network on a Cisco SG300-28 switch.

I have this working in my house and these are my notes. I hope this helps to save time for other people wanting to do this. This procedure can be used for setting up any number of VLANs. My guest VLAN is just a regular VLAN setup that I call guest.

You start with a factory fresh reset in layer 3 mode. Connect your computer to the switch but do not connect the switch to your network.
I am assuming you have already updated the firmware. You connect to the switch by typing in its IP address in Microsoft Edge in Windows 10. Other browsers may work; this is what I am using. The first task is to assign a static IP address. I use 192.168.0.254 255.255.255.0 for VLAN1, the default management VLAN. Reboot so the switch comes up under 192.168.0.254. You need to make sure you do not already have an IP address 192.168.0.254. You do not want any conflicts when plugged into the router network. Reconnect with your web interface again to perform the steps below.

Configure DHCP server with a DHCP pool 75 - 250 for VLAN1 if it is not already running. The default gateway for all clients will be the 192.168.0.254 switch IP address for VLAN1 since all devices are on VLAN1.

Now configure enough ports to handle your home network. Configure the ports as access ports say 1 - 9.

Add a static route or default gateway to the switch to point to 192.168.0.1, which will be your router IP address. Using the web interface under IP configuration there is a place called IPv4 routes. Add the static route to point to the router here.

Now we are ready to migrate to DHCP running off the SG300 switch. Connect the SG300 to your router and plug the router into one of the access ports setup earlier. Plug your workstation into one of the access ports also, like the router. You will need to start migrating the router network over to the switch by plugging all devices into access ports on the switch. Once your network is moved, go into the router and turn off DHCP in the router and assign a static IP address 192.168.0.1 to your router. At this point all the other network devices are getting IP addresses from the switch now. You may have to reboot some of the devices.

Once you are happy everything is running we will move on to the guest VLAN. Web into the switch to config. Go to VLAN management. There is a tab called VLAN setting; create a VLAN2. Go to IP configuration tab IPv4 interface and assign a static IP address 192.168.2.254 255.255.255.0. Set up a DHCP pool from 50 - 250 as above. The default gateway for the pool needs to be 192.168.2.254. The next job is to add ports; I used 13 - 18 for VLAN2. Go back to VLAN management under the web on the left side. There you will find 3 tabs: interface setting, port VLAN membership, and port to VLAN. You will use these three screens to move the ports to VLAN2 and to change them to access ports. I don't remember the order. I think I changed the VLAN membership first and then switched the port access. When you have it correct the ports 13 - 18 will show up under port VLAN membership as an access port 2UP. At this point VLAN2 should function and be able to access all network resources. Try pings from within VLAN2 and across VLAN1. Everybody should be able to ping each other. There should also be internet access.

The next step is to add the trunk ports for the wireless network. You need a wireless AP which supports VLANs and multiple SSIDs. Ports 10 - 13 need to be trunk ports. You need to change them to show trunk 1UP,2T when you look at port VLAN membership. I used Cisco WAP321 wireless units. I added two SSIDs, home and guest. Configuring the WAP321, I assigned home to VLAN1 and I assigned guest to VLAN2. The port on the wireless WAP321 needs to be trunk 1UP,2T. It needs to match the port setting on the SG300 switch port. The wireless WAP321 needs to be plugged into a trunk port just setup above. Now you should have 2 wireless networks where one SSID is in VLAN1 and one SSID is in VLAN2. Test with pings; everybody should have access and all pings should work. You should also have internet access.

When all this is working, now is the time to block guest off from the rest of the network. We are going to create an ACL access list to block guest access. Web to the switch under Access Control using IPv4 ACL and create an ACL called guest. Now select guest under IPv4 ACE and select add. You want to create deny IP 192.168.2.0 0.0.0.255 192.168.0.9 0.0.0.248 by filling in the web page, and at the bottom make sure to select the radio button for permit. It defaults to deny. This is the permit any any after the deny statement. You now need to bind the guest ACL to the trunk ports and to the VLAN2 access ports. Using the web configurator, under Access Control, using the ACL Binding (Port) tab, bind the ports 13-18 and the trunk ports. At this point your pings will no longer work from the guest network to the home network for any IP addresses 192.168.0.9 and above.

Notes

You can add as many WAP321 as you want. I think the WAP321 will limit you to 4 units. Just add each of them to a trunk port.

The key to all this is to use the switch's VLAN IP address as the default gateway for the PC and clients. This IP address for the client default gateway will vary based on which VLAN the client is in. It should all be automatic: by just plugging into a port you should get all the appropriate DHCP information on the client.

I hope I covered all the basic information and did not leave anything out. I have added more VLANs, one for music to isolate my music server which I have not rebuilt yet. I just want to keep this simple and just present a guest VLAN. I think the Cisco SG300-28 is a good little home switch which performs well.

I just thought of something: you need to setup routing statements on the router for all networks not directly attached to the switch. So the guest VLAN will need a routing statement for 192.168.2.0 network to point to 192.168.0.254. If you setup more VLANs then they will need a routing statement also.
 
Last edited:
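Cisco wildcard masks are bit patterns, not numeric ranges: a 0 bit in the mask means that bit of the address must equal the base address, a 1 bit means it is ignored. The following is an added example, not from the post or from Cisco, that models the guest ACL above with first-match semantics (the reason the thread later says to put more specific ACEs first) and lists which 192.168.0.x hosts a guest client at the constructed address 192.168.2.50 can and cannot reach.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: action plus source/destination base and wildcard."""
    action: str      # "permit" or "deny"
    src: str         # base address, dotted quad
    src_wild: str    # Cisco wildcard mask: 0 bit = must match, 1 bit = ignored
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard mask (the inverse of a netmask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    fixed = 0xFFFFFFFF ^ w            # the bits that must be equal
    return (a & fixed) == (b & fixed)


def evaluate(acl: list, src: str, dst: str) -> str:
    """Walk the ACL in order; the first matching ACE decides (Cisco ends with an implicit deny)."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


# "any" in Cisco syntax is base 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")

# The guest ACL as written in the post: one deny ACE, then permit any any.
GUEST_ACL = [
    Ace("deny", "192.168.2.0", "0.0.0.255", "192.168.0.9", "0.0.0.248"),
    Ace("permit", *ANY, *ANY),
]


def denied_home_hosts(acl=GUEST_ACL, guest_src="192.168.2.50"):
    """Last octets of the 192.168.0.x hosts the guest client cannot reach under acl."""
    return [h for h in range(1, 255) if evaluate(acl, guest_src, f"192.168.0.{h}") == "deny"]


if __name__ == "__main__":
    print("denied 192.168.0.x hosts:", denied_home_hosts())
```

Running it prints the last octets 1, 9, 17, ... 249: the hosts whose low three address bits equal those of .9, which is what a 0.0.0.248 wildcard selects. A contiguous block such as .8 to .15 would instead be base 192.168.0.8 with wildcard 0.0.0.7.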

ekhoo

Occasional Visitor
Hi,
This guide is exactly what I plan to do except that I'm using the Netgear FV336G router to create VLANs and DHCP scopes. However, my clients aren't getting to the router. i.e. SSID C uses VLAN 40 so I have a VLAN configured on the Netgear with 192.168.40.x. Router to SG300-28P is a trunk port. Port from SG300 to WAP321 is also trunk. Using a direct cable to the switch also doesn't work (set my Mac to use a new VLAN interface, id 40)... but works when I connect my Mac to the router LAN port....

Details (and diagram) in this thread:
http://www.snbforums.com/threads/help-with-vlans-on-cisco-sg300-with-netgear-fv336g.27666/
 

coxhaus

Part of the Furniture
Two things which come to mind: I am using an access port for the router because the switch handles all VLAN traffic. Using an access port forces the switch to do the routing. The other is the router is the default gateway for the switch but the switch is the default gateway for the DHCP scopes. I believe your problem lies with these issues.

PS
If you end up with only the default LAN working then your problem is you need to setup routing statements for the other networks which point to the L3 switch IP address. Once the L3 switch receives the other network traffic it will be able to route the traffic.
 
Last edited:

ekhoo

Occasional Visitor
If you end up with only the default LAN working then your problem is you need to setup routing statements for the other networks which point to the L3 switch IP address. Once the L3 switch receives the other network traffic it will be able to route the traffic.

Ok, before I move the routing to the switch, this looks like what exactly is happening. I'll try that out on Monday and see how it works. Thanks!
 

coxhaus

Part of the Furniture
I stated use the default gateway for the static switch IP address to be the router. Default gateway is layer 2 switch term. I should have stated use a default route to point to the router which is the layer 3 term.
 
Last edited:

oletuv

Regular Contributor
How to setup a Guest network on an Cisco SG300-28 switch.
Thank you very much for this extremely useful guide.

I just thought of something: you need to setup routing statements on the router for all networks not directly attached to the switch. So the guest VLAN will need a routing statement for 192.168.0.2 network to point to 192.168.0.254. If you setup more VLANs then they will need a routing statement also.

I'm a bit confused with the 192.168.0.2 address. Is it a misprint for 192.168.2.0?

Ole
 

oletuv

Regular Contributor
You now need to bind the guest ACL to the trunk ports and to the VLAN2 access ports. Using the web configurator, Under Access Control using ACL Binding(port) tab bind the ports 13-18 and the trunk ports.
Instead of binding the guest ACL to each VLAN2 port using ACL Binding (Port), would binding the ACL to VLAN2 using ACL Binding (VLAN) have the same effect?

Ole
 

coxhaus

Part of the Furniture
Instead of binding the guest ACL to each VLAN2 port using ACL Binding (Port), would binding the ACL to VLAN2 using ACL Binding (VLAN) have the same effect?

Ole
Yes, binding to the VLAN instead of the port is the way it is done on the big Cisco switches in the old days. I had trouble when I did this example so I used a port instead. The last firmware upgrade may have fixed this. So either will work.

PS
I hope this example will get out there so people will start using layer 3 because it is a much better way to use switches.
 

oletuv

Regular Contributor
Yes, binding to the VLAN instead of the port is the way it is done on the big Cisco switches in the old days. I had trouble when I did this example so I used a port instead. The last firmware upgrade may have fixed this. So either will work.

PS
I hope this example will get out there so people will start using layer 3 because it is a much better way to use switches.
Thanks for answering my questions and making the concept clear to me. I had originally planned to set up my home network with VLANs using a Cisco SG200-08 layer 2 switch (which I already have), but after reading your guide, I've decided to set it up using a SG300-10 switch in layer 3 mode.

One additional question. If I use a wireless router, e.g. an Asus RT-AC68U, is it possible to use the Wi-Fi or do I have to turn off the radios?

Ole
 

coxhaus

Part of the Furniture
Layer 3 is a much better way in the long run. Home networks are growing and are now needing structure in them. Layer 2 is too much trouble to maintain; maybe easier to set up, but in the long run layer 3 plus having ACLs to control IP addresses at the port level totally blows away layer 2.

You will need to run the ASUS with wireless off if you are going to use the ASUS as a front door router. If you want to run the ASUS as a wireless device you need to run it as an access point. The problem I see when run as an access point is there is no SSID support for different VLANs with the ASUS routers.
 

oletuv

Regular Contributor
Layer 3 is a much better way in the long run. Home networks are growing and are now needing structure in them. Layer 2 is too much trouble to maintain; maybe easier to set up, but in the long run layer 3 plus having ACLs to control IP addresses at the port level totally blows away layer 2.

You will need to run the ASUS with wireless off if you are going to use the ASUS as a front door router. If you want to run the ASUS as a wireless device you need to run it as an access point. The problem I see when run as an access point is there is no SSID support for different VLANs with the ASUS routers.
No, I'll use access points with support for multi SSID and VLAN mapping. I was thinking of using an ASUS as front door router mainly because of pretty decent hw and fw for a home router and nice features like the TrendMicro AiProtection. No problem switching the radios off, of course. :)

Ole
 

coxhaus

Part of the Furniture
Yes the ASUS should work fine for the front door internet connection. They do have HW acceleration for decent speed.
 

oletuv

Regular Contributor
I just thought of something: you need to setup routing statements on the router for all networks not directly attached to the switch. So the guest VLAN will need a routing statement for 192.168.2.0 network to point to 192.168.0.254. If you setup more VLANs then they will need a routing statement also.
Just to make sure I understand this correctly. Does "point to 192.168.0.254" mean that the routing statement has the default gateway set to 192.168.0.254?

IP: 192.168.2.0 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.0.254

Ole
 

oletuv

Regular Contributor
When all this is working, now is the time to block guest off from the rest of the network. We are going to create an ACL access list to block guest access. Web to the switch under Access Control using IPv4 ACL and create an ACL called guest. Now select guest under IPv4 ACE and select add. You want to create deny IP 192.168.2.0 0.0.0.255 192.168.0.9 0.0.0.248 by filling in the web page, and at the bottom make sure to select the radio button for permit. It defaults to deny. This is the permit any any after the deny statement. You now need to bind the guest ACL to the trunk ports and to the VLAN2 access ports. Using the web configurator, under Access Control, using the ACL Binding (Port) tab, bind the ports 13-18 and the trunk ports. At this point your pings will no longer work from the guest network to the home network for any IP addresses 192.168.0.9 and above.
Still learning :)

What are the reasons for blocking the guest network from accessing the 192.168.0.9-192.168.0.248 range only and not the complete VLAN1 network except the router address 192.168.0.1?

Ole
 

coxhaus

Part of the Furniture
Still learning :)

What are the reasons for blocking the guest network from accessing the 192.168.0.9-192.168.0.248 range only and not the complete VLAN1 network except the router address 192.168.0.1?

Ole

I left a few IP addresses open to share a printer and stuff. My TV is in the guest network so I need to share for it also.

PS
I guess I should state: don't assign the lower IP addresses to anything you don't want shared with the guest network. If you only want to share with one machine or port you add another ACL access list to specify 2 machines instead of using "any". You want to put the more specific ACLs first because they are processed in order.
 
Last edited:

coxhaus

Part of the Furniture
Just to make sure I understand this correctly. Does "point to 192.168.0.254" mean that the routing statement has the default gateway set to 192.168.0.254?

IP: 192.168.2.0 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.0.254

Ole

Yes. The switch knows how to route the traffic for all VLANs on the switch but the only connection from the router to the switch is 192.168.0.254 so it is the default gateway.
 

oletuv

Regular Contributor
Add a static route or default gateway to the switch to point to 192.168.0.1, which will be your router IP address. Using the web interface under IP configuration there is a place called IPv4 routes. Add the static route to point to the router here.
I'm not sure how to define this static route. I don't own a SG300 switch yet, but I have downloaded the SG300 Series Administration Guide. The definition of static routes is described on page 287. Could you please fill in the field values for the static route in your example:

Destination IP Prefix:
Network Mask:
Route Type:
Next Hop Router IP Address:
Metric:

In particular, the meaning of the "Next Hop Router IP Address" and "Metric" fields is very unclear to me.

TIA
Ole
 

Attachment: Static route Cisco SG300.png

coxhaus

Part of the Furniture
The static route goes on your router pointing to your switch. Make sure your router is in routing mode, not gateway mode, if it makes a difference on your router. I have seen the screen on an ASUS router when someone posted it wondering if it was for static DNS entries.

The entry on the router is defining additional networks to the router, 192.168.2.0, because that network is not directly connected to the router and the router does not know where the packets go, so you are telling the router to send all the network packets destined for network 192.168.2.0 to the IP address 192.168.0.254 on the switch. So the router knows when packets come in for 192.168.2.0 to route them to 192.168.0.254. And of course the switch knows how to route the packets because the networks are defined on the switch.

The only route which goes on the switch is the default route pointing to the router's IP address, which would be in my example 192.168.0.1.

PS
I am out of town right now for Thanksgiving. I don't remember all the settings or screens for the default route on the SG300 switches. I will look and try to give a more detailed description when I get back. Somebody else on this site might know and post here.
Basically you are routing 0.0.0.0 to 192.168.0.1. The mask is 255.255.255.0
 
Last edited:

oletuv

Regular Contributor
PS
I am out of town right now for Thanksgiving. I don't remember all the settings or screens for the default route on the SG300 switches. I will look and try to give a more detailed description when I get back. Somebody else on this site might know and post here.
Basically you are routing 0.0.0.0 to 192.168.0.1. The mask is 255.255.255.0
Thanks a lot, coxhaus. Enjoy your Thanksgiving weekend!

Best regards,
Ole
 
