Hello Mark, thank you for your answer but I'm not really understanding.

Are you saying that I could use the sg300 or 2690? I was looking in the manual and see I could use 1 vlan and set it as isolated, this will prevent all ports from speaking to each other but I still need for all ports to be able to speak to the Q system. How would i accomplish that?

Hey yes you could use either switch and setting the ports as isolated or protected only prevents them speaking to each other , they will still be able to communicate with other systems/servers etc just not each other

if your not familiar with IOS cli probably best to use the sg300 as its GUI , also sg300 is layer 3 capable while 2960 is purely layer 2

Ok thank you once again. I did study for my CNNA a while back but never got around to doing the test. been a while since I used the CLI. For this reason i think the simplified GUI on the sg300 would do best for this project.

when you say they will be able to communicate with other systems, how is this accomplished?

Using my above graphic, I will only be using 4 ports on this switch. Lets say that my port 1 will be the system that can talk to all other ports and port 2, 3 and 4 are isolated, what will have to be configured on port 1 to allow this to happen?

so it depends on whats doing the routing in the network.

Is the plan to have the sg300 act as layer 2 or 3 or as both, is there any other devices doing routing currently?

what is this Q you have in your pic is it just a server/system you need your devices to be able to access ? 

usually with layer 2 you would set just ip default-gateway and point it to the device that's dong the routing locally and then the routing will be on that device to get you to where you need to go , if its all on same subnet nothing is required as the switch will arp for the devices locally same broadcast domain

if its layer 2/3 you need to have the routes on the sg300, a route that allows anything from the ip range of the pcs get to the Q system and also a default route so pcs/devices etc can break out onto the internet if required

I will try to give you more information.

This network is private LAN and will never be on the internet. I was going to use the sg300 as a layer 3 switch. The Q is a PLC system that all 3 D systems have to communicate with but cant be able to see each other.

From what i understand I could place all 4 systems on a different VLAN (Q vlan 100, D1 vlan 200, D2 vlan 300, D3 vlan 400) then configure routes for each Ds vlan to be able to communicate with Q's vlan. Correct me if im wrong.

Yes you could do it that way , another option leave everything in same vlan mark the ports as protected , everything will be able to communicate with Q but not with each other and no requirement for routing as it layer2

If you chose to route make sure you change the sg300 in system mode to layer 3 it comes default out of box as layer 2

Thank you for all the help Mark.