2070 Views | 4 Helpful | 2 Replies

Cisco SG-300 network design floorer

Rommelbakje
Level 1

Dear fellow techies and Cisco specialists,

From a learning perspective I’ve accepted the challenge to design someone’s SB/Home hybrid network using a Cisco RV-180 and a Cisco SG-300. I’m now preparing a setup for when I’ll be on-site to migrate from the plain switched to a managed switched situation.

I met CCNA several years ago, but since then I’ve been active in different segments of IT. So my knowledge of IP networks is present but a bit rusty.

I wondered whether there are connoisseurs present who can help me with a best practice for my situation and answer the questions that I have?

Globally, the idea is:

On the SG-300, all IP-aware devices, computers, etc. are connected by category, each in a separate VLAN (entertainment, office, etc.). The television and media player are placed in a different VLAN from the PC, NAS and printer. However, the intention is to allow only specific communication from one VLAN to another. For example, UDP port 1900 and TCP port 2869 for DLNA, so the TV streams can be received from the NAS but no further communication is possible between the VLANs. Another example is limited internet connectivity of a device or PC (port based VLAN tagging on the switch) from a more restricted VLAN. I intend to use 4 to 6 VLANs in total.

Then, the RV-180 is placed with its LAN 'paw' in an SG-300 port and with its WAN 'paw' in the internet modem's ethernet port (which now serves as a NAT router but later might be converted to a broadband bridge).

Later on I would like to easily make it possible to utilize unused LAN ports of the RV-180 through VLAN trunking as remote expansion ports of the SG-300. Because there are only 2 outlets per room, I can (by moving the RV-180 to another room) create 3 additional and independent LANs there.

Finally I would like to build two IPSec tunnels, both from the RV-180 to 2 FritzBoxes (these are Linux based ADSL routers – www.avm.de), where it would be possible to have unlimited access to the external sites. Traffic to the local side (RV-180) should be limited to specific ports of a printer in a specific VLAN on the SG-300. If this is really not possible, I can use the local internet modem to set up these tunnels, but this excludes the option to convert it to a broadband bridge.

The above situation can be realized in multiple ways. The inter-VLAN routing can be handled by the RV-180, but it’s also possible to use the SG-300 as a Layer 3 switch. Although this last configuration is preferred, I don’t know if the SG-300 has the option to route only specific ports to another VLAN. It seems to me the RV-180 most certainly can handle this (e.g. through the firewall of the device). The only downside is that the removal of the RV-180 completely destroys the network configuration.

Starting from an assumed need for the second option, I thought of the following sequence:

- Basic setup of the switch and management access. IP of the switch chosen in such a way that it’s outside the range of the VLANs?

- Set up link aggregation of 2x 1 GB to the RV-180 to achieve routing bandwidth of 1 GB. (Or is this, in the case of a single full-duplex link, superfluous in practice?)

- Set up a VLAN trunk to the RV-180.

- Define VLANs. Default VLAN as "Internet-VLAN", then create the remaining VLANs (including a management VLAN). Is defining the VLANs only in the SG-300 sufficient because the RV-180 automatically takes over the settings ... (Cisco VTP)?

- Add the SG300 feature ‘guest VLAN’ for experimental goals (because of its isolating purpose).

- Add static routes to the RV-180 for the subnets of the associated VLANs.

- Put the RV-180 in router mode or can it be left in NAT mode?

- Set up IPSec tunnels.

- Add static routes from IPSec to the VLANs.

- Firewall rules regarding the extra restrictions on the inter-VLAN routes.

- Disable Spanning Tree Protocol for all non-physically accessible ports or for all ports.

- Switch port ‘fashion accessories’: disable everything except the trunk port.

- Save running config.

I might have missed a few things in the above list, and I’m also curious what you guys think of this approach and if you see any pitfalls…?

2 Replies

Tom Watts
VIP Alumni
> On the SG-300, all IP-aware devices, computers, etc. are connected by category, each in a separate VLAN (entertainment, office, etc.). The television and media player are placed in a different VLAN from the PC, NAS and printer. However, the intention is to allow only specific communication from one VLAN to another. For example, UDP port 1900 and TCP port 2869 for DLNA, so the TV streams can be received from the NAS but no further communication is possible between the VLANs. Another example is limited internet connectivity of a device or PC (port based VLAN tagging on the switch) from a more restricted VLAN. I intend to use 4 to 6 VLANs in total.

IP-V4 ACL on the switch should be able to filter the traffic you don't want to permeate between the vlans, a simple rule to allow the few port numbers you'd like. On the SX300 switches, the ACL is ingress ONLY. It means traffic leaving the port is not subject to the ACL, only traffic entering the port. Also do not forget there is an implicit deny all on every ACL. I'm not sure why you would want to have port based vlan tags connecting to a device or a PC. This won't give limited internet connectivity, it would just drop all traffic unless it sends a tag packet for the vlan ID.

> Then, the RV-180 is placed with its LAN 'paw' in an SG-300 port and with its WAN 'paw' in the internet modem's ethernet port (which now serves as a NAT router but later might be converted to a broadband bridge).

If you have some sort of residential or business gateway, especially if you have DVR, these products often require to be "untampered". You may want to consult the ISP. Boxes such as 2-wire don't have a bridge mode, only DMZ options for routers connecting behind them.

> Later on I would like to easily make it possible to utilize unused LAN ports of the RV-180 through VLAN trunking as remote expansion ports of the SG-300. Because there are only 2 outlets per room, I can (by moving the RV-180 to another room) create 3 additional and independent LANs there.

> Finally I would like to build two IPSec tunnels, both from the RV-180 to 2 FritzBoxes (these are Linux based ADSL routers – www.avm.de), where it would be possible to have unlimited access to the external sites. Traffic to the local side (RV-180) should be limited to specific ports of a printer in a specific VLAN on the SG-300. If this is really not possible, I can use the local internet modem to set up these tunnels, but this excludes the option to convert it to a broadband bridge.

Your modem will either need to be a bridge mode or support DMZ to allow the vpn tunnels.

> The above situation can be realized in multiple ways. The inter-VLAN routing can be handled by the RV-180, but it’s also possible to use the SG-300 as a Layer 3 switch. Although this last configuration is preferred, I don’t know if the SG-300 has the option to route only specific ports to another VLAN. It seems to me the RV-180 most certainly can handle this (e.g. through the firewall of the device). The only downside is that the removal of the RV-180 completely destroys the network configuration.

If your intention is to remove the RV180, your current NAT device will have to support 802.1q, sub interfaces or static routes. The switch will intervlan communicate locally in layer 3, but only the native vlan of the router would have internet access since the router wouldn't know how to route the additional subnets.

> Starting from an assumed need for the second option, I thought of the following sequence:

> - Basic setup of the switch and management access. IP of the switch chosen in such a way that it’s outside the range of the VLANs?

In layer 2, the switch IP is for management only. In layer 3, all IP interfaces are management IP addresses.

> - Set up link aggregation of 2x 1 GB to the RV-180 to achieve routing bandwidth of 1 GB. (Or is this, in the case of a single full-duplex link, superfluous in practice?)

To my knowledge, the RV180 does not support LAG or LACP.

> - Set up a VLAN trunk to the RV-180.

> - Define VLANs. Default VLAN as "Internet-VLAN", then create the remaining VLANs (including a management VLAN). Is defining the VLANs only in the SG-300 sufficient because the RV-180 automatically takes over the settings ... (Cisco VTP)?

The small business product lines support only IEEE standards, the only exception is CDP. The RV180 and SX300 switch will not participate in VTP.

> - Add the SG300 feature ‘guest VLAN’ for experimental goals (because of its isolating purpose).

> - Add static routes to the RV-180 for the subnets of the associated VLANs.

If using the RV180, static routes are not needed because of the fact that it supports the VLAN trunks and tags.

> - Put the RV-180 in router mode, or can it be left in NAT mode?

Depends what you're going to do with that ISP box. It should remain in NAT mode.

> - Set up IPSec tunnels.

The RV180 is the VPN server; it should have a public IP address. Although it is possible to VPN through double NAT, it is an unsupported configuration.

> - Add static routes from IPSec to the VLANs.

Depending on how things go, the VPN policy should be able to allow inter-vlan communication if you're marking traffic as "any".

> - Firewall rules regarding the extra restrictions on the inter-VLAN routes.

To my knowledge, the firewall does not support LAN to LAN firewall rules. But this should be done at the switch level through ACLs, as the switch is faster and has more resources.

> - Disable Spanning Tree Protocol for all non-physically accessible ports or for all ports.

> - Switch port ‘fashion accessories’: disable everything except the trunk port.

> - Save running config.

> I might have missed a few things in the above list, and I’m also curious what you guys think of this approach and if you see any pitfalls…?

-Tom
Please rate helpful posts
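The ingress-only, stateless ACL behaviour Tom describes (first matching entry wins, unmatched traffic hits the implicit deny, and replies are separate packets entering the other side) is easy to get wrong for the DLNA case in this thread. The following is an added simulation, not a Cisco configuration and not code from the original post; the VLAN subnets, host addresses and the minimal ACE model are constructed assumptions.

```python
# Simplified model of a stateless, ingress-only IPv4 ACL (as on the SG300):
# each ACE is checked in order against packets ENTERING a port, and a packet
# that matches nothing is dropped by the implicit deny. Addresses constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None = any destination port
    sport: Optional[int] = None  # None = any source port

    def matches(self, pkt: dict) -> bool:
        def in_net(cidr: str, ip: str) -> bool:
            return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
        return (self.proto in ("ip", pkt["proto"])
                and in_net(self.src, pkt["src"]) and in_net(self.dst, pkt["dst"])
                and self.dport in (None, pkt["dport"])
                and self.sport in (None, pkt["sport"]))

def evaluate(acl: list, pkt: dict) -> str:
    """First matching ACE decides; no match means the implicit deny applies."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

def pkt(proto: str, src: str, dst: str, sport: int, dport: int) -> dict:
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport)

# Constructed hosts: NAS in the office VLAN, two TVs in the entertainment VLAN.
NAS, TV, OTHER_TV = "10.0.20.10", "10.0.10.20", "10.0.10.21"

# ACL bound to the ENTERTAINMENT ports: only traffic entering from the TV side.
ENT_IN = [
    ACE("permit", "udp", "any", "10.0.20.0/24", dport=1900),    # SSDP discovery
    ACE("permit", "tcp", TV + "/32", NAS + "/32", dport=2869),   # only THIS TV -> NAS
]
# ACL bound to the OFFICE ports: the NAS's replies enter here as new packets,
# so the reverse direction needs its own permit (source port 2869).
OFF_IN = [
    ACE("permit", "tcp", NAS + "/32", TV + "/32", sport=2869),
]
```

Removing the entry in OFF_IN shows why a stateless ingress ACL pair needs both directions: the stream request is permitted but the NAS's reply is dropped on the office ports.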

Thanks,

You have got me on the right track! I think I shouldn't make the situation more complex than it has to be. Though, more complex means more to learn.

About some of the (very helpful) answers:

Switch ACL is ingress only...

------------------------------------

My goal is to create different VLANs, where the membership of a certain VLAN is determined by the (physical) port a device or PC is connected to.

I.E.

Port 1-5 = VLAN1 (initiator)

Port 6-10 = VLAN2 (responder)

Port 11-20 = VLAN3

VLAN 1 contains devices that are to be restricted (they may not initiate connections and may not accept connections from / to other VLANs or the internet).

VLAN 2 contains a device that should reply to connections regarding specific ports, initiated by 1 single device on VLAN 1.

If I add an (ingress) rule for the TCP/UDP port range concerning VLAN 2, would this be sufficient? But doesn't this mean ALL clients in VLAN 1 can initiate to ALL clients on VLAN 2, or even that the implicit deny is overridden and every VLAN can initiate to VLAN 2???

So if I do not want to depend on the router's VLAN capability, my best guess is to create a port based internet VLAN at the switch for the port where the router is connected and use a local ACL to regulate internet connectivity?

VPN

------

Luckily my provider's gateway can be set as a simple bridge and doesn't have to route the TV stream (this is handled separately from my internet connection). Regarding VPN: should IPsec over double NAT work flawlessly in practice, when using the IPsec pass-through option of the gateway? The external IP can be set manually in the RV-180...

Other

-------

If I understand this correctly, CDP is an inferior version of VTP? Can I safely disable this on both switch and router?

Why are the port LEDs of the SG300 burst-flashing with an interval of approx. 1 second, even when the connected devices are powered off? I’ve tried turning off Bonjour, LLDP and CDP discovery but this effect remains after saving and rebooting.

And would you recommend a specific interface to configure the SG300? CLI / Web / Both?

What extra options regarding the SG300 and RV180 could you advise to maximize network security?

Is the firmware of both devices installed in Europe or at their factories in Asia?

What would be a ‘normal’ bootup time for the SG300?

RV180 errors

------------------

Also, the event log of the RV180 (most recent firmware) rolls out the following errors and warnings:

Sat Jan  1 01:02:09 2011(GMT+0100) [rv180][System][PLATFORM] /pfrm2.0/bin/snmpConfig /tmp/system.db 23 system 1 failed. status=-1

Sat Jan  1 01:02:09 2011(GMT+0100) [rv180][System][EVTDSPTCH] umiIoctl (18, UMI_CMD_DB_UPDATE(4)) failed. table=system row=1

Sat Jan  1 01:02:18 2011(GMT+0100) [rv180][Kernel][KERNEL] [    1.900000] rtc irq:23

Sat Jan  1 01:02:36 2011(GMT+0100) [rv180][System][PLATFORM] /pfrm2.0/bin/ifDevUpdateMac /tmp/system.db bridgeTable bdg1 failed. status=-1

Sat Jan  1 01:02:37 2011(GMT+0100) [rv180][System][PLATFORM] IP:       1.1.1.1 (notice – replaced with fake IP)

Sat Jan  1 01:02:37 2011(GMT+0100) [rv180][System][PLATFORM] BCAST:    1.1.1.255

Sat Jan  1 01:02:37 2011(GMT+0100) [rv180][System][PLATFORM] SUBNET:   255.255.255.0

Sat Jan  1 01:02:37 2011(GMT+0100) [rv180][System][PLATFORM] GW:       1.1.1.1

Sat Jan  1 01:02:37 2011(GMT+0100) [rv180][System][PLATFORM] DNS1:     8.8.8.8

Sat Jan  1 01:02:37 2011(GMT+0100) [rv180][System][PLATFORM] DNS2:     8.8.8.8

Sat Jan  1 01:02:37 2011(GMT+0100) [rv180][System][PLATFORM] Interface:eth1

Sat Jan  1 01:03:08 2011(GMT+0100) [rv180][System][NIMF] nimfNetIfaceTblHandler: unable to get LedPinId

The first entry seems logical; but how about the remaining ones?