How to setup a Guest network on an Cisco SG300-28 layer 3 switch

The 248 mask allows 8 hosts unblocked. Every subnetwork loses 2 IP addresses. One for the network IP address and one for the broadcast IP address.

The 192.168.1.100 does not fit well to a mask. If you need that many unblocked IP addresses I would use a 192 mask or 128 mask. The 192 mask would have 64 hosts. The 128 mask would have 128 hosts. If your DHCP starts at 100 and you are worried about it then you can just adjust the DHCP starting IP address to fit a mask. I am not sure why you would want 100 unblocked IP addresses.

You can google all the standard subnets of a class C address.
 
coxhaus,

Thanks for the clarification, I have a much better understanding of how subnet and wildcard masks work now. I don't need many unblocked IP addresses at all. The reason I used the 192.168.1.100 address was because it's the DHCP start address and I did not understand the wildcard mask; my intention was to block all addresses from 192.168.1.100 and above.

I need just a few unblocked addresses for shared stuff, so what I've done now is define 5 Permit statements in the range 192.168.1.11-192.168.1.15 and then block the full 192.168.1.0 and 192.168.2.0 networks. This approach works fine with ACL binding to VLAN 3 (Guest).

Again, thank you so much for all your valuable input. While I'm an experienced computer user, I've never bothered to learn networking until now. It's a fun activity in my senior days. :)

Ole
 

Attachment: ACE Table.png

I am home now. It's good to be home after a few weeks. I am glad you have it tested and working now.

A couple of things on masks. The mask is applied based on the start IP address. If you used .1 for the start IP address, then the mask applies to the beginning of the IP address range. If you want to apply the mask to the upper IP address range then the start IP address needs to be in the upper portion of the IP range.
Some devices require the inverse of the mask. It depends on the device.
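An added example (not from any poster in this thread) that works through the two points above in code: how an address/wildcard pair in an ACE is aligned to the wildcard, so 192.168.1.100 with a 0.0.0.7 wildcard actually starts at .96, and how the five-permit-then-deny guest ACL described earlier evaluates. The ACL itself is constructed here; the trailing permit-any is an assumption, since the post does not say how internet traffic is let through.

```python
import ipaddress

def covered_range(addr, wildcard):
    """First and last address an ACE address/wildcard pair matches.
    Wildcard bits set to 1 are 'don't care', so the match is aligned to the
    wildcard: an unaligned start address is effectively rounded down."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    first = a & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))

def ace_matches(ace, ip):
    """True if the IP falls inside the ACE's address/wildcard block."""
    _, addr, wildcard = ace
    w = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & ~w) == (int(ipaddress.IPv4Address(addr)) & ~w)

def evaluate(acl, ip):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, ip):
            return ace[0]
    return "deny"

# Constructed guest-VLAN ACL modelled on the thread: five shared hosts are
# permitted by exact match (wildcard 0.0.0.0), the rest of the 192.168.1.0
# and 192.168.2.0 networks are denied, and a trailing permit-any (assumed;
# the post does not say how internet traffic is let through) covers the rest.
GUEST_ACL = [("permit", f"192.168.1.{h}", "0.0.0.0") for h in range(11, 16)] + [
    ("deny", "192.168.1.0", "0.0.0.255"),
    ("deny", "192.168.2.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    # The original 192.168.1.100 / 0.0.0.7 attempt: the block starts at .96, not .100
    print(covered_range("192.168.1.100", "0.0.0.7"))  # ('192.168.1.96', '192.168.1.103')
    for ip in ("192.168.1.12", "192.168.1.100", "192.168.2.5", "93.184.216.34"):
        print(ip, evaluate(GUEST_ACL, ip))
```

Dropping the last ACE (GUEST_ACL[:5] or [:7]) shows why an ACL with only permits and denies for local networks leaves internet destinations on the implicit deny.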
 
I'm investigating this as well. I know many users of my ISP have got the VLAN splitting working with IPTV directly from access ports on the managed switch. I'm asking now in the relevant Norwegian forum if they needed to enable multicast and IGMP snooping to get the IPTV working. I'll let you know what I find out.
I've now got information from an experienced user in the Norwegian forum. He is trunking the ISP VLANs directly from the fiber box to the SFP port on a Linksys LGS318 managed switch and switching VLAN 101 IPTV from an untagged port on the LGS318 to the TV decoder. Works flawlessly without multicast or snooping tweaks.

Yes, it is always nice to be back home after being away for a while. My wife and I live partly in Norway and partly in Spain. Even if we love Spain and enjoy living there during the autumn and winter months, it is always good to be back home in Norway. We are in Norway now for Christmas and New Year celebrations with our family and friends. Going back to Spain early January. :)

Take care.

Ole
 
Cox,

I have one question regarding accessing shared resources (e.g. printers) with IP addresses in the main/default VLAN from another subnet/VLAN (e.g. Guest VLAN). In your setup, can an iPhone connected to the Guest subnet (VLAN 2) discover a printer (with an unblocked IP address) connected to VLAN 1? Our family and friends mostly use iOS devices (iPhones and iPads), some use Android devices. I'm not sure if AirPlay works across routable subnets or will only discover devices in the same network (VLAN), and I'm not able to check it out myself until I have my home network up and running in April/May.

Ole
 
I have trouble with Apple protocols. If anybody knows how to share Apple stuff across networks I would like to know. I would probably move the printer to the guest network and let the LAN PCs share to the guest network. This way all the Apple devices are in one network.
 
AirPlay/AirPrint tend to be specific to same sub-nets, if that helps...

But one has to question - why a separate network inside your own lan?
 
It all started with my guest network because my music server became infected from a friend bringing over a broken computer. After I created my guest network I decided to run the less trusted devices in the guest network like the Apple TV, the internet TV and Blu-ray player. This cascaded to using the Apple devices like iPhone and iPad because of Apple protocols not working across networks. As I thought about it I decided the Apple devices like iPhones and iPad go offsite which made them less trusted in my eyes so I just went with it.

I then figured out I could create a totally isolated VLAN for my router with only the router being in the VLAN. This would isolate all other chatty local network communication between workstations and devices from the router waiting on this communication. Examples would be Windows machines talking to each other and holding elections for primary workstations and DHCP communicating for renewals. There is all kinds of local intercommunication between devices. So now I have 4 separate VLANs, one being strictly for my music server. So now all traffic destined for the internet is switched by the layer 3 switch straight to the router VLAN and the router talks out to the internet without waiting for any local layer 2 traffic. I think I have picked up more bandwidth by reducing response time with the router using this configuration.

I do wish I could route Apple protocols. I do run Bonjour service in my switches on every network. Will it help with the Apple devices finding printers across networks? My printer is an old color laser and does not have AirPrint so I cannot test it.

PS
I was reading a little and it looks like there is something called Wide Area Bonjour. I guess it requires a local DNS server. Would this help with AirPrint across networks?
 
Hi Coxhaus,

I'm in another state right now and trying to configure the same thing (SG300-28PP) with 3 VLANs and router. For some reason, VLAN 2 and VLAN 10 can't get on the internet. VLAN 1 is fine. Switch is giving IPs.

Router 192.168.0.1
Switches are on 192.168.0.254, 192.168.2.254 and 192.168.10.254. Default router for 192.168.2.0 is 192.168.2.254. There is a default route on the switch: 0.0.0.0 --> 192.168.0.1

Router has 192.168.0.0 --> 192.168.0.254, 192.168.2.0 --> 192.168.2.254 and 192.168.10.0 --> 192.168.10.254

Won't have access to that previous switch I configured for a while as it's now deployed in production. Anything I missed?

Thanks!
 
I noticed you are using VLAN10 but I am assuming the router is plugged into an access port on VLAN1 since you state the router IP is 192.168.0.1. All clients are plugged into an access port for the appropriate VLAN.

A couple of things to check are
1. The static routes on the router for 192.168.2.0 point to 192.168.0.254 and 192.168.10.0 point to 192.168.0.254.

2. The default gateway for the client PCs on 192.168.2.0 point to 192.168.2.254 and for PCs on 192.168.10.0 point to 192.168.10.254

Can you ping outside on the internet? I had a DNS problem right at first when I moved my router. Can you ping the router?

PS
I think I see it. Your static routes on the router are wrong. Look at number 1.
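An added example (not from either poster) modelling check #1 above: a simplified router with one LAN interface on 192.168.0.0/24, the routes as first posted beside the corrected ones, and a lookup that shows the posted routes cannot be resolved because their next hops (the switch's VLAN 2 and VLAN 10 addresses) are not on any network the router is connected to. The single-interface assumption and the route tables are constructed here.

```python
import ipaddress

# Constructed model of the poster's router: 192.168.0.1 with one LAN interface
# on 192.168.0.0/24. The switch's VLAN 1 address 192.168.0.254 is on that LAN;
# 192.168.2.254 and 192.168.10.254 live on VLANs the router is not attached to.
ROUTER_CONNECTED = [ipaddress.ip_network("192.168.0.0/24")]

def next_hop_usable(next_hop, connected):
    """A static route only works if its next hop is on a directly connected network."""
    nh = ipaddress.ip_address(next_hop)
    return any(nh in net for net in connected)

def lookup(routes, connected, dst):
    """Longest-prefix match for dst. Returns 'connected', the next-hop IP,
    or None when the packet would be dropped (no route, or next hop unreachable)."""
    d = ipaddress.ip_address(dst)
    if any(d in net for net in connected):
        return "connected"
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None or not next_hop_usable(best[1], connected):
        return None
    return best[1]

# Routes as first posted: next hops are the switch's far-side VLAN addresses.
POSTED_ROUTES = [("192.168.2.0/24", "192.168.2.254"), ("192.168.10.0/24", "192.168.10.254")]
# Routes as check #1 says they should be: via the switch's VLAN 1 address.
FIXED_ROUTES = [("192.168.2.0/24", "192.168.0.254"), ("192.168.10.0/24", "192.168.0.254")]

if __name__ == "__main__":
    # Return traffic from the router to a VLAN 2 client: dropped vs. forwarded
    for name, routes in (("posted", POSTED_ROUTES), ("fixed", FIXED_ROUTES)):
        print(name, lookup(routes, ROUTER_CONNECTED, "192.168.2.50"))
```

Traffic from VLAN 2 still reaches the router via the switch's default route; it is the reply path back into 192.168.2.0 that the posted routes break, which is why only VLAN 1 appears to have internet access.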
 
Ah-hah. My bad. Typo'ed the default routes on the router. The client (DHCP on switch) default route is correct.

3pm is not a very good time to configure switches and routers in a cramped closet.... now on to the ACLs!

Thanks!!
 