How to setup a Guest network on an Cisco SG300-28 layer 3 switch

[oletuv]

You will need to run the ASUS wireless off if you are going to use the ASUS as a front door router. If you want to run the ASUS as a wireless device you need to run it as an access point. The problem I see when run as an access point is there is no SSID support for different VLANs with the ASUS routers.

Just an idea, if I leave the DHCP server on the front door router enabled so that the router assigns IP addresses in the main 192.168.0.0 network, and configure the SG300 DCHP server to provide IP address pools for the 192.168.2.0 and additional subnets, would this imply that the Wi-Fi on the router still can be used as well as devices connected to the router LAN ports will get their IP address from the routers DHCP server?

Oe

 

[coxhaus]

Just an idea, if I leave the DHCP server on the front door router enabled so that the router assigns IP addresses in the main 192.168.0.0 network, and configure the SG300 DCHP server to provide IP address pools for the 192.168.2.0 and additional subnets, would this imply that the Wi-Fi on the router still can be used as well as devices connected to the router LAN ports will get their IP address from the routers DHCP server?

Oe

I cannot answer that as you would still need to use the L3 switch as the default gateway instead of the router to gain the internal switch routing needed between VLANs. Somebody would need to test it.
This will still not solve the original idea where the ASUS will not be able to assign SSIDs to VLANs.

 

[oletuv]

I cannot answer that as you would still need to use the L3 switch as the default gateway instead of the router to gain the internal switch routing needed between VLANs. Somebody would need to test it.
This will still not solve the original idea where the ASUS will not be able to assign SSIDs to VLANs.

I was mostly curious if it would work I think I prefer to follow your suggestions and let all DHCP server work be done by the switch, such that the entire home network with VLANs, IP addressing, access control, QoS etc. is configured and contained at the switch level. I´ve decided to use a Linksys LRT 224 router for Internett access, NAT and firewall, and I´ll add one or two AP with multi SSID and VLAN support to provide Wi-Fi functionality.

I already have a Cisco SG200-08 L2 switch, which I´ll use in the living room with a trunk port to an AP and access ports to TV, Blu-ray player, home cinema system etc. I have ordered a Cisco SG300-10 to use as the main switch in layer 3 mode and the Linksys LRT 224 router. When I receive the SG300 and the LRT next week, I´ll configure the VLANs, the subnets etc. and check out the DCHP server addressing.

Again thank you so much for your excellent guide and various posts regarding the use and benefits of layer 3 switches. I had originally thought of using my L2 SG200-08 as the main switch, but your guide inspired me to set it all up in L3 mode with an SG300.

There is one thing that I´m not able to test until I move in to my apartment. The ISP is providing a fiber installation in the apartment with a fiber box/media-converter and an ONT box. The available services are VoIP, IPTV and Internet. I would like to take control of the streams directly from the fiber box/media-converter and bypass the ISP ONT box. What I´m thinking of doing is to split the ISP stream (VLAN 100 VoIP, VLAN 101 IPTV, VLAN 102 Internet) at the SG300, set up access ports for IPTV and send the VLAN 102 stream to the WAN port of the router as follows:

GE9 General 100TP, 101T, 102T connected to the ISP fiber box/media-converter
GE8 Access 102UP connected to the WAN port of the router
GE7 Access 101UP available for digital TV-decoder
GE6 Access 101UP available for digital TV-decoder
GE1 Access 1UP connected to a LAN port on the router

Do you think this will work? What I´m uncertain about is wether or not the ISP 100, 101, 102 VLANs need explicit IP addresses when the switch is set up in L3 mode? I know that splitting the ISP VLANs like this works fine with a L2 switch.

My private network structure will be something like this:

VLAN 1 Main Home Network 192.168.1.254
VLAN 2 Home Office Network 192.168.2.254
VLAN 3 Guest Network 192.168.3.254

I´ll use the remaining GE2-GE5 interfaces to set up access ports to wired clients and trunk ports to APs as needed.

Ole

 

[coxhaus]

I know that splitting the ISP VLANs like this works fine with a L2 switch.


Ole

My thoughts are use the L2 switch for splitting the ISP VLANs and use the L3 switch for the local core switch since you know how it works on L2. The internet VLAN will feed the router which in turn will feed the L3 switch. Get it working then if you want to migrate each of the other VLANs over to the core switch. The settings between the Cisco SG200 and SG300 should be close as the admin screens are the same just lacking some of the L3 stuff. I would also try to get as much info from the ISP as possible for doing this but since you already have it working you know more than me.

I don't have this option so I don't have a real answer but it looks like fun. When you get it working would you post on some of the general settings as I would like to know and I am sure other people will too. You will probably get a lot of takers. I think this going to be the future for multiple services.

PS
I just googled IPTV and it seems it is multicast data stream. You need to turn on IGMP to join the group. This really looks like fun. Are you using IGMP with your current SG200 switch?

PSS
I also came across a firmware problem in the SG300 switch but it was an older firmware.

 

[oletuv]

I don't have this option so I don't have a real answer but it looks like fun. When you get it working would you post on some of the general settings as I would like to know and I am sure other people will too. You will probably get a lot of takers. I think this going to be the future for multiple services.

Yes, of course, I´ll let you know how things work out and if I´m able to get it working at all. As I told you some time ago, the standard ISP installation and ONT central would be all I´d ever need. I look upon this project as an "adventure" and a lot of "senior citizen" fun.

Ole

 

[oletuv]

PS
I just googled IPTV and it seems it is multicast data stream. You need to turn on IGMP to join the group. This really looks like fun. Are you using IGMP with your current SG200 switch?

I don´t have anything set up with my SG200-08 yet, since my wife and I are partly living at our children´s house in Norway and partly in our second home in Spain, waiting to move into our new home in Norway in April/May 2016.

Are you suggesting that I should enable Multicast and IGMP snooping on the IPTV interface?

 

[oletuv]

PSS
I also came across a firmware problem in the SG300 switch but it was an older firmware.

Thanks, I´ll make sure that I download and install the latest firmware when I receive my SG300 next week.

Ole

 

[coxhaus]

Are you suggesting that I should enable Multicast and IGMP snooping on the IPTV interface?

I am not sure but this is what I googled. Just Google IPTV. You might try IPTV and SG300.

PS
The more I read the more I think you will use ICMP either version 2 or 3. I think you will need to check with your ISP for details. Version 3 seems to have better security so neighbors can not insert streams of data but your ISP would need to support it.

PSS
IGMP proxy may be needed to be implemented to support multiple clients.

PSSS
This is all quite interesting. IGMP proxy may only be supported in the SG500X switches. Let me know what you find out.

 

[oletuv]

I am not sure but this is what I googled. Just Google IPTV. You might try IPTV and SG300.

PS
The more I read the more I think you will use ICMP either version 2 or 3. I think you will need to check with your ISP for details. Version 3 seems to have better security so neighbors can not insert streams of data but your ISP would need to support it.

PSS
IGMP proxy may be needed to be implemented to support multiple clients.

PSSS
This is all quite interesting. IGMP proxy may only be supported in the SG500X switches. Let me know what you find out.

I´m investigating this as well. I know many users of my ISP have got the VLAN splitting working with IPTV directly from access ports on the managed switch. I´m asking now in the relevant Norwegian forum if they needed to enable multicast and IGMP snooping to get the IPTV working. I´ll let you know what I find out.

Ole

 

[oletuv]

I´m investigating this as well. I know many users of my ISP have got the VLAN splitting working with IPTV directly from access ports on the managed switch. I´m asking now in the relevant Norwegian forum if they needed to enable multicast and IGMP snooping to get the IPTV working. I´ll let you know what I find out.

coxhaus,

I haven´t got any answers so far in the Norwegian ISP forum. The wife and I are flying back to Norway from Malaga, Spain tomorrow after three wonderful months in Benahavis, Andalucia. I´ll pick up the SG300-10 switch and the Linksys LRT224 router on Monday when I´m back home. I´ll let you know how things go from there. Take care.

Ole

 

[oletuv]

coxhaus,

I haven´t got any answers so far in the Norwegian ISP forum. The wife and I are flying back to Norway from Malaga, Spain tomorrow after three wonderful months in Benahavis, Andalucia. I´ll pick up the SG300-10 switch and the Linksys LRT224 router on Monday when I´m back home. I´ll let you know how things go from there. Take care.

Ole

I picked up my new Cisco SG-300-10 switch and Linksys LRT224 router yesterday and have done some of the basic configuration today:

- Set up the SG300 in layer 3 mode
- Enabled DHCP server on the switch
- VLAN 1 192.168.1.254 initially no DHCP address pool
- VLAN 2 192.168.2.254 DHCP address pool 192.168.2.100-192.168.2.199
- VLAN 3 192.168.3.254 DHCP address pool 192.168.3.150-192.168.3.199
- Defined default static route with Destination 0.0.0.0 0.0.0.0 and Next Hop Router 192.168.1.1
- Linksys LRT224 basic setup with LAN address 192.168.1.1
- Enabled DHCP server on the router with address pool 192.168.1.100-192.168.1.199
- Defined static routes on the router for the 192.168.2.0 and 192.168.3.0 networks pointing to the 192.168.1.254 default gateway.

Everything seems to work fine in this setup. The DHCP server on the switch assigns IP addresses from the 192.168.2.0 or 192.168.3.0 address pools to clients hooked up to VLAN 2 or VLAN 3 ports. The DHCP server on the router assigns IP addresses from the 192.168.1.0 address pool to clients hooked up to VLAN 1 ports on the switch and LAN ports on the router. So having DHCP servers enabled on both the switch and router works just fine. The advantage with having the DHCP server enabled on the router to provide local addresses to VLAN 1 clients is that the LAN ports on the router are active.

I basically did the above setup to check if having DHCP server enabled on both the switch and router actually would work, which it did. Personally I prefer to have all DHCP work done at the switch level, so I have now disabled the DHCP server on the router and added the 192.168.1.100-192.168.1.199 addresses to the DHCP pool on the switch. The advantage to this approach is that the complete local network configuration is set up and maintained on the switch.

Ole

 

[oletuv]

When all this is working, now is the time to block guest off from the rest of the network. We are going to create an ACL access list to block guest access. Web to the switch under Access Control using IPv4 ACL and create an ACL called guest. Now select guest under IPv4 ACE select add. You want to create deny IP 192.168.2.0 0.0.0.255 192.168.0.9 0.0.0.248 by filling in the web page and at the bottom make sure select the radio button to permit at the bottom. It defaults to deny. This is the permit any any after the deny statement.

coxhaus,

I´m a bit uncertain what you mean by "at the bottom make sure select the radio button to permit at the bottom. It defaults to deny. This is the permit any any after the deny statement."

I´ve defined an ACL called "Gjest" (Guest) with two ACE statements blocking VLAN 3 (Guest) from VLAN 1 and VLAN 2 addresses. I´ve bound the "Gjest" ACL to VLAN 3 (Guest) and selected the "Permit Any" radio button as the default action. Does this look correct?

Ole

 

[coxhaus]

It sounds right. The print is very small to read on the images and I have old eyes. When I get home, as I am still on the road, I can bring up my screens to better read it. In a few days I shall be home.

I guess the real question, Does it work?

I had trouble earlier binding to a VLAN. I ended up binding to the ports. If your works now then I am going to change my config to bind to the VLAN instead of the ports.

 

[oletuv]

It sounds right. The print is very small to read on the images and I have old eyes. When I get home, as I am still on the road, I can bring up my screens to better read it. In a few days I shall be home.

I guess the real question, Does it work?

I had trouble earlier binding to a VLAN. I ended up binding to the ports. If your works now then I am going to change my config to bind to the VLAN instead of the ports.

ACL binding to VLAN seems to work just fine on my SG300-10 with the latest firmware 1.4.1.3. Currently I only have the switch, the router and my MacBook Pro to test with, so what I did was to block VLAN 3 (Guest) from the range of 192.168.1.100 0.0.0.254 VLAN 1 addresses and the full range 192.168.2.0 0.0.0.255 VLAN 2 addresses. I connected my MacBook to a VLAN 3 access port with address 192.168.3.150 given by the DHCP server. Pinging 192.168.1.1 (router) was successful as it should and pinging 192.168.1.254 (switch) failed, also as it should.

Ole

 

[coxhaus]

You locked it pretty tight for sharing with your mask. You are going to need to add some more ACLs if you want to share IPs or ports across VLANs for printers and such. I used a 248 mask so I could share in 1 ACL statement. Of course this requires structure in your network so all the IPs are together but either way will work.

 

[oletuv]

You locked it pretty tight for sharing with your mask. You are going to need to add some more ACLs if you want to share IPs or ports across VLANs for printers and such. I used a 248 mask so I could share in 1 ACL statement. Of course this requires structure in your network so all the IPs are together but either way will work.

I´m not sure how the mask works. Are you saying that the 192.168.1.2-192.168.1.99 range won´t work?

 

[coxhaus]

Those IP addresses should work fine.

Use it for a while. You will discover if you need to modify it after you use it.

 

[oletuv]

Those IP addresses should work fine.

Use it for a while. You will discover if you need to modify it after you use it.

Thanks, I´ll do that. I´m not sure how the network mask work though. When I configured the 192.168.1.100 0.0.0.254 range my intention was to block addresses from 192.168.1.100 and above and leave addresses in the 192.168.1.1-192.168.1.99 range open. Is this how it works, or does the 0.0.0.254 mask mean something else? I also tried 0.0.0.255 as mask, but that blocked all addresses in the 192.168.1.0 network, hence my confusion. I´m sorry for asking these questions instead of testing it myself, but I´m not able to test my configuration properly before I have the network up and running in the new apartment.

Ole

 

[coxhaus]

I thought you had mistyped the 4 and you were using 255 and locking down the guest network without sharing. The 0.0.0.254 is a wildcard mask which I believe blocks all even numbered hosts since you have it assigned to an even host. I have never used it. There is no subnet mask equivalent. So I assume your config does not work very well with a wildcard 0.0.0.254. If you don't understand masks then just add an ACL for each sharing whether it be an IP or IP port.

The best way to test is assign an IP address in the range to block or allow and then ping it from the other device. Over time you will come up with a set of ACLs. After while I come back and try to stream line the ACLs by combining them.

 

[oletuv]

I thought you had mistyped the 4 and you were using 255 and locking down the guest network without sharing. The 0.0.0.254 is a wildcard mask which I believe blocks all even numbered hosts since you have it assigned to an even host. I have never used it. There is no subnet mask equivalent. So I assume your config does not work very well with a wildcard 0.0.0.254. If you don't understand masks then just add an ACL for each sharing whether it be an IP or IP port.

I don´t understand subnet and wildcard masks yet, but I´m trying to learn this stuff. In your own configuration example you used 0.0.0.248 as wildcard mask, what does this mask do? I simply want to leave addresses below 192.168.1.100 unblocked for shared things. Any suggestions how you would write the ACL for that?

Ole