How to set up a guest network on a Cisco SG300-28 switch.
I have this working in my house and these are my notes. I hope this helps to save time for other people wanting to do this. This procedure can be used for setting up any number of VLANs. My guest VLAN is just a regular VLAN setup that I call guest.
You start with a factory fresh reset in layer 3 mode. Connect your computer to the switch but do not connect the switch to your network.
I am assuming you have already updated the firmware. You connect to the switch by typing its IP address into Microsoft Edge in Windows 10. Other browsers may work; this is what I am using. The first task is to assign a static IP address. I use 192.168.0.254 255.255.255.0 for VLAN1, the default management VLAN. Reboot so the switch comes up under 192.168.0.254. Make sure nothing on your network already uses the IP address 192.168.0.254. You do not want any conflicts when the switch is plugged into the router network. Reconnect with your web interface to perform the steps below.
Configure the DHCP server with a DHCP pool of 75 - 250 for VLAN1 if it is not already running. The default gateway for all clients will be 192.168.0.254, the switch IP address for VLAN1, since all devices are on VLAN1.
Now configure enough ports to handle your home network. Configure the ports as access ports, say 1 - 9.
Add a static route or default gateway to the switch pointing to 192.168.0.1, which will be your router IP address. In the web interface under IP configuration there is a place called IPv4routes. Add the static route pointing to the router here.
Now we are ready to migrate to DHCP running off the SG300 switch. Connect the SG300 to your router by plugging the router into one of the access ports set up earlier. Plug your workstation into one of the access ports as well. You will need to start migrating the router network over to the switch by plugging all devices into access ports on the switch. Once your network is moved, go into the router, turn off DHCP in the router and assign the static IP address 192.168.0.1 to your router. At this point all the other network devices are getting IP addresses from the switch. You may have to reboot some of the devices.
Once you are happy everything is running, we will move on to the guest VLAN. Web into the switch to configure it. Go to VLAN management. There is a tab called VLAN setting; create a VLAN2. Go to the IP configuration tab, IPv4 interface, and assign a static IP address 192.168.2.254 255.255.255.0. Set up a DHCP pool from 50 - 250 as above. The default gateway for the pool needs to be 192.168.2.254. The next job is to add ports; I used 13 - 18 for VLAN2. Go back to VLAN management on the left side of the web interface. There you will find 3 tabs: interface setting, port VLAN membership, and port to VLAN. You will use these three screens to move the ports to VLAN2 and to change them to access ports. I don't remember the order. I think I changed the VLAN membership first and then switched the port access. When you have it correct, ports 13 - 18 will show up under port VLAN membership as an access port 2UP. At this point VLAN2 should function and be able to access all network resources. Try pings from within VLAN2 and across to VLAN1. Everybody should be able to ping each other. There should also be internet access.
The next step is to add the trunk ports for the wireless network. You need a wireless AP which supports VLANs and multiple SSIDs. Ports 10 - 13 need to be trunk ports. You need to change them to show trunk 1UP,2T when you look at port VLAN membership. I used Cisco WAP321 wireless units. I added two SSIDs, home and guest. Configuring the WAP321, I assigned home to VLAN1 and I assigned guest to VLAN2. The port on the WAP321 needs to be trunk 1UP,2T. It needs to match the port setting on the SG300 switch port. The WAP321 needs to be plugged into one of the trunk ports just set up above. Now you should have 2 wireless networks where one SSID is in VLAN1 and one SSID is in VLAN2. Test with pings; everybody should have access and all pings should work. You should also have internet access.
When all this is working, now is the time to block guest off from the rest of the network. We are going to create an ACL (access list) to block guest access. Web to the switch and, under Access Control, use IPv4 ACL to create an ACL called guest. Now select guest under IPv4 ACE and select add. You want to create deny IP 192.168.2.0 0.0.0.255 192.168.0.9 0.0.0.248 by filling in the web page, and at the bottom make sure to select the radio button to permit. It defaults to deny. This is the permit any any after the deny statement. You now need to bind the guest ACL to the trunk ports and to the VLAN2 access ports. Using the web configurator, under Access Control, use the ACL Binding (Port) tab to bind ports 13-18 and the trunk ports. At this point your pings will no longer work from the guest network to the home network for any IP addresses 192.168.0.9 and above.
Notes
You can add as many WAP321 as you want. I think the WAP321 will limit you to 4 units. Just add each of them to a trunk port.
The key to all this is to use the switch's VLAN IP address as the default gateway for the PCs and clients. The default gateway IP address for a client will vary based on which VLAN the client is in. It should all be automatic: just by plugging into a port, the client should get all the appropriate DHCP information.
I hope I covered all the basic information and did not leave anything out. I have added more VLANs, one for music to isolate my music server which I have not rebuilt yet. I just want to keep this simple and just present a guest VLAN. I think the Cisco SG300-28 is a good little home switch which performs well.
I just thought of something: you need to set up routing statements on the router for all networks not directly attached to the router. So the guest VLAN will need a routing statement for the 192.168.2.0 network to point to 192.168.0.254. If you set up more VLANs then they will need a routing statement also.
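A check for the guest ACL step above, added here as an example and not part of the original notes: it evaluates the deny entry and the trailing permit any any against sample destinations. It assumes standard Cisco wildcard semantics (a 1 bit in the wildcard means that address bit is ignored) and first-match evaluation with an implicit deny at the end; the function names and the sample client 192.168.2.60 are constructed for illustration.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard does not ignore.
    Assumption: 1 bits in the wildcard are "don't care" (Cisco convention)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(base)) & care == 0

# ACL "guest" as entered in the notes: one deny ACE, then permit any any.
GUEST_ACL = [
    ("deny", "192.168.2.0", "0.0.0.255", "192.168.0.9", "0.0.0.248"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def evaluate(acl, src, dst):
    """First matching ACE decides; nothing matching means implicit deny."""
    for action, s_base, s_wild, d_base, d_wild in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action
    return "deny"

def denied_hosts(acl, src, network):
    """Last octets of the hosts in a /24 that the ACL denies for this source."""
    net = ipaddress.IPv4Network(network)
    return [int(h) & 0xFF for h in net.hosts() if evaluate(acl, src, str(h)) == "deny"]

if __name__ == "__main__":
    guest = "192.168.2.60"  # constructed client address from the VLAN2 DHCP pool
    print("denied home hosts:", denied_hosts(GUEST_ACL, guest, "192.168.0.0/24"))
    # 203.0.113.10 is a documentation address standing in for an internet host.
    for dst in ("192.168.0.1", "192.168.0.9", "192.168.0.10",
                "192.168.0.254", "203.0.113.10"):
        print(dst, evaluate(GUEST_ACL, guest, dst))
```

Run it with the addresses of the home hosts you want isolated and confirm each one returns deny before relying on the ACL.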