Cisco Support Community

SG300's vlan isolation except for shared printers


We have 2 x SG300-20's and 1 x SG300-10.

We want to have a few vlans to isolate different departments from each other while still providing access to the broadband uplink as well as shared printers.

The setup we would like would be something like this:

1 x SG300-20 for VLAN 2

1 x SG300-20 for VLAN 3

1 x SG300-10 for VLAN 4-6

Shared printer(s) on VLAN 6 which should be accessible from all other vlans

We also have an RV180 router sitting in front of the switches which should provide broadband uplink access and trunking for the switches.

We need to forbid vlan 2-5 from communicating with each other.

In order to simplify and test, we are using only the SG300-10 switch in L3 mode at the moment, with 3 computers to simulate 3 VLANs, but it seems to turn on inter-VLAN routing on every port and VLAN automatically when you set the switch in L3 mode. In L2 mode, VLAN isolation works, but we need to use the router to serve up DHCP and inter-VLAN routing on a single VLAN, and after over 6 hours of having the Cisco tech logged into our system to try to set it up, he gave up and said he didn't understand why it was not working...

Is there a way to use this setup, or something similar?

We have contacted Cisco support a second time and have had a tech test our switch config file for a week now, and there is still no progress on this, and we need to have this working ASAP.

We were told that this was possible with our equipment, but it seems there are serious limitations with this gear that even the Cisco techs don't know about...

We can provide the switch config upon request.



Re: SG300's vlan isolation except for shared printers

Hi Alain, this does seem very viable. It would require access lists.

Please provide me a topology where your connections reside and the relevant IP addresses / subnets. I'll attempt to draft a necessary switch config.

Please mark answered for helpful posts

-Tom

Re: SG300's vlan isolation except for shared printers

Hi Tom,

I replaced the Cisco RV180 with a Netgear FVS318N and so far, in the lab anyways, I've gotten the following setup to work:

SG300-10 in layer 3 mode:

Port 1 - Admin Port - Vlan 1 pvid

Port 2 - general - VLAN 2 pvid - tagged vlan 4 - forbid vlan 3 - dhcp (iface

Port 3 - general - VLAN 3 pvid - tagged vlan 4 - forbid vlan 2 - dhcp (iface

Port 4 - general - VLAN 4 - Tagged vlan 2 - Tagged vlan 3 - dhcp (iface

Port 10 - Trunk - pvid vlan 1 - Tagged 2-3-4 - (iface


Added default gateway to vlan 1 iface on router

Added gateway vlan 1 iface router ip (lab's upstream router is on that block which doesn't have an iface on the switch)


Port 2 - priority 500 - Deny any to vlan 3 subnet

            priority 1000 - permit any to any

Port 3 - priority 500 - Deny any to vlan 2 subnet

            priority 1000 - permit any to any

On the netgear router, vanilla config with the 4 vlans added to it and inter-vlan routing enabled with switch port 10 plugged into router port 7 for uplink.

So far it seems to be working correctly, still need to test vlan hopping and static ip's and routing to simulate mis-configured or malicious computers plugged into the two main vlans but replacing the router seems to have done the job.

Perhaps further testing would have resulted in a working setup with the RV180, but after so many hours wasted on this setup by us and by the Cisco tech, it was time to make a move.

What's your opinion on this setup Tom?

I'm so tired I'm getting cross-eyed and might be forgetting something important.
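
Added example, not part of the original posts or of any Cisco tooling: a small Python model of the per-port ACL rules listed above, which checks them against the intended isolation policy (VLAN 2 and 3 isolated from each other, VLAN 4 shared) and against a host using a static address from the wrong range. The 192.168.x.0/24 subnets are constructed, since the thread never states them, and the model assumes first-match evaluation with an implicit deny at the end of a bound ACL; it covers only the ACL layer, not VLAN tagging.

```python
import ipaddress

# Constructed addressing: the thread never states the subnets (assumption).
SUBNETS = {v: ipaddress.ip_network(f"192.168.{v}.0/24") for v in (2, 3, 4)}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ingress ACEs per access port as (priority, action, src, dst), as listed in the post.
# Port N carries VLAN N as PVID; no ACL is listed for port 4.
PORT_ACL = {
    2: [(500, "deny", ANY, SUBNETS[3]), (1000, "permit", ANY, ANY)],
    3: [(500, "deny", ANY, SUBNETS[2]), (1000, "permit", ANY, ANY)],
    4: [],
}

# Intended policy from the thread: VLAN 2 and 3 isolated, VLAN 4 shared.
POLICY = {(2, 3): False, (3, 2): False, (2, 4): True,
          (4, 2): True, (3, 4): True, (4, 3): True}


def permitted(port, src_ip, dst_ip):
    """Lowest matching priority number wins; a bound ACL ends in an implicit deny."""
    acl = PORT_ACL[port]
    if not acl:
        return True  # nothing bound to this port
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _prio, action, s_net, d_net in sorted(acl, key=lambda ace: ace[0]):
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def host(vlan, n=10):
    """Constructed host address number n inside the given VLAN's subnet."""
    return str(SUBNETS[vlan].network_address + n)


def flow_works(src_vlan, dst_vlan):
    """ACLs are stateless: the request must pass the sender's port, the reply the receiver's."""
    a, b = host(src_vlan), host(dst_vlan)
    return permitted(src_vlan, a, b) and permitted(dst_vlan, b, a)


def audit():
    """Return the (src_vlan, dst_vlan) pairs whose behaviour differs from POLICY."""
    return [pair for pair, want in POLICY.items() if flow_works(*pair) != want]


if __name__ == "__main__":
    print("policy violations:", audit())
    # Host on port 2 with a static address taken from the VLAN 4 range (constructed).
    print("wrong-subnet host reaches VLAN 3:", permitted(2, host(4, 99), host(3)))
```

Because the deny rules match on destination only, the block between VLAN 2 and VLAN 3 holds in this model even when the sender's source address is outside its own subnet.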

