Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search instead for
Did you mean:
Problems setting up Guest VLAN on Cisco SG 300-28
I am primarely enquiring whether the setup I have explained below is actually possible, and if so then how I can set this up. I know it isn't the easiest configuration and I need to set this up without purchasing any more equipment if at all possible.
I have a Cisco SG 300-28 setup with three VLAN's
VLAN1 (Business) - 192.168.10.0 - Switch IP 192.168.10.254
VLAN2 (VOIP) - 192.168.20.0 - Switch IP - 192.168.20.1
VLAN3 (Guest) - 192.168.30.0 - Switch IP - 192.168.30.1
Default Gateway is 192.168.10.1 (Netgear Router)
I have a Wireless network setup (Netgear WMS and 2 WAP's) configured with the TWO VLAN's (1 and 3). These go into ports on the Cisco SG 300-28 which are tagged on both VLAN's. The Business wireless worked fine but the guest network didn't reout out to the internet.
After some troubleshooting I realised the reason the guest wasn't working was because there was no route back from the internet to the router.
The router I have isn't really ideal, it is a Netgear DGN2200, but I managed to create a static route to 192.168.30.1 with a metric of 2, with 192,168,10.254 being the hop.
Success, the connection worked, the only problem is that now my guest network can see my business network because the business network is using the static route on my router to route back over to the guest network (due to the limitations of this device I can't do anything about that)
So basically, what I have is
Guest network can connect to Business VLAN via switch. I am assuming this is because the router is on the Business VLAN and the default gateway is the router. As they are on the same network the Guest network can inevetably see the business server and network.
The Business network can get back to the Guest network via the router using my static route I created. The static route is really basic and I can't create a firewall rule on the router to prevent the Business network speaking to guest network because it only has a LAN - WAN firewall and this connection is LAN - LAN.
What I need is...
to somehow stop any traffic from the 192.168.30.0 network routing to anything on the 192.168.10.0 network, appart from the router on 192.168.10.1.
Is this possible? I have this setup on a number of different site, the only difference is I have a CIsco Security Router on these with the VLAN's configured so I don't have this problem. Because I have a rather limited Netgear DGN2200 I am unable to setup the VLAN's correctly and as such I need to see if I can do this on the switch in any way.
Any assistance would be much appreciated.
This is my first post by the way so if I missed anything out that would help anybody then please let me know.
Why not apply a access list to filter incoming traffic into the SG300 switch such as, via command line or GUI.
Here is an example below, by no means complete, just an example
Just remember, we are using reverse masking in the ACE;
ip access-list extended restrictGuest
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255 deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 www deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 telnet deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
service-acl input restrictGuest
Don't forget to save the configuration with the following command and respond to the prompt.
or do it via the GUI method
Step 1. Create a ACL name
step 2, Add the port based ACE which is the filter list,.
step 3. Apply or bind the list to a port so that the port can look at and filter pattern matches for traffic ingressing into the switch. I have given you an example of a ACE list above, you can be more creative in what you deny.
step 4. Now add or copy the entry to other switch ports.