
Need help configuring SG300-10 switch

Justin Girard
Level 1

Hi

I bought an SG300-10 switch and started configuring it.

I have some problems configuring it because I am not really used to networking.

What I have configured so far is the VLANs.

VLAN 2 - I will plug my router in there for Internet access

VLAN 10 - is for my server and PC in my office

VLAN 40 - is for the guest Wi-Fi.

I will use the switch in layer 3 mode and I want to configure DHCP on VLAN 40, but I'm not quite sure how to do it. I have enabled DHCP and created an IP pool, but how do I assign it to VLAN 40? And how do I configure everything to go out to the Internet? If I follow the basic logic, I will make all my ports members of VLAN 2, is that correct?

I'm new to the networking domain

Thanks

2 Accepted Solutions


Hi Justin,

Here is some basic information for switching. With VLANs, there are tagged VLANs and untagged VLANs. An untagged packet means that within the packet header there is no VLAN ID. The switch will provide separation of client connections based on the bridge forwarding table. Generally an untagged VLAN is used for client connections. A tagged packet contains the VLAN ID in the header. Tagged packets are in general used between other network devices. An access port is a member of 1 VLAN, which is untagged. A trunk port (on small business products) is a port that has 1 untagged VLAN (native VLAN) and has the ability to tag additional VLANs.

Here are some CLI configuration examples for tagged and untagged VLANs. Keep in mind, VLAN 1 is the default VLAN; therefore, unless you make it otherwise, VLAN 1 will be the default.

To create VLAN 2 on your switch

configure terminal

vlan database

vlan 2,3,4

This will create vlan 2, 3 and 4

To configure an IP address to a VLAN

configure terminal

interface vlan 1

ip address 192.168.1.254 255.255.255.0

interface vlan 2

ip address 192.168.2.254 255.255.255.0

interface vlan 3

ip address 192.168.3.254 255.255.255.0

interface vlan 4

ip address 192.168.4.254 255.255.255.0

Keep in mind, VLAN 1 must have a static IP address before you assign any other VLAN an IP or else the switch will "lock up".

To assign an access port as a member of VLAN 1

configure terminal

interface gi1

switchport mode access

To assign an access port as a member of VLAN 2

configure terminal

interface gi2

switchport mode access

switchport access vlan 2

If you check the GUI you will notice port 1 is "1u" and port 2 is "2u".

To create a trunk and assign multiple VLAN-

configure terminal

interface gi3

switchport mode trunk

switchport trunk allowed vlan add 2

In the GUI, you will notice port 3 will be "1u, 2t".

To configure a port to have a different VLAN other than 1 as untag on a trunk-

configure terminal

interface gi4

switchport mode trunk

switchport trunk native vlan 2

switchport trunk allowed vlan add 3,4

On the GUI this will show "2u,3t,4t"

Now that we have fundamental port assignment out of the way, you can work on DHCP and IP address management.

While the switch is in layer 3 mode, if there is an IP address assigned to a VLAN, this is a switch virtual interface (SVI). The IP of the VLAN serves as the default gateway of what connects in that VLAN. The switch can associate the DHCP pool based on the IP interface created on the switch in layer 3 mode.

First, we need to establish your first hop from the switch - the default gateway the switch reports to. If you have a router connecting to the SG300 you should assign the SG300 the default gateway, which is the IP address of the router.

configure terminal

ip default-gateway 192.168.1.1

Next, you can focus on your DHCP scope. To configure a DHCP table here is an example-

ip dhcp pool network PRODUCTION

address low 192.168.2.1 high 192.168.2.253 255.255.255.0

lease infinite

default-router 192.168.2.254

dns-server 8.8.8.8

This basic DHCP table says many things.

The name of the table is PRODUCTION, this can be anything you want.

address low is the first assignable IP address in the pool while address high is the last

lease infinite means the DHCP lease won't expire

Default router, this is the most important. This is the default gateway the switch will assign to the client. This is very important if you want to route between VLANs or upstream to the Internet

DNS server, this allows names to be resolved instead of having to use only IPs.

Now, if you connect a computer that is DHCP enabled where VLAN 2 is untagged, you should receive an IP address assigned by the switch on that computer. Notice the pool correlates to VLAN 2 IP address numbers. The IP pool definition is how it will bind itself to a VLAN, by matching the subnet.

Now, once you have all the basic configuration complete, as Marty indicates, depending on the capability of your router, it will either need to support VLAN tagging, dot1q sub interface OR, as Marty said, would need a static route to allow your additional subnet to route on the internet.

Hope this will help you get on your way.

-Tom
Please mark answered for helpful posts


Hi Justin, here are a couple of examples-

Example 1-

This will apply an ACL to VLAN 1 where the 192.168.1.0 subnet will not communicate to 192.168.40.0 subnet. But the 192.168.40.0 subnet will communicate to 192.168.1.0 subnet.

ip access-list extended Test

deny ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255

permit ip any any

interface vlan 1

service-acl input Test

Example 2-

This will apply an ACL to VLAN 40 where the 192.168.40.0 subnet will not communicate to 192.168.1.0 subnet. But the 192.168.1.0 subnet will communicate to 192.168.40.0 subnet.

ip access-list extended Test

deny ip 192.168.40.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip any any

interface vlan 40

service-acl input Test

-Tom
Please mark answered for helpful posts
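
Added example, not part of Tom's post or of Cisco's code: a Python model of Example 2 bound to VLAN 40, showing the verdict for each leg of a conversation. It assumes the ACL is a stateless, first-match filter applied only to packets entering the bound VLAN, with an implicit deny after the last entry; the function names and host addresses are made up for illustration.

```python
import ipaddress

# Example 2 from the post above, as bound with "service-acl input" on VLAN 40.
ACL_TEST = """\
deny ip 192.168.40.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
"""
# Assumption: an ACL filters only packets entering the VLAN it is bound to.
BINDINGS = {40: ACL_TEST}


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_ace(line):
    """Parse '<action> ip <src> <dst>'; src/dst is 'any' or 'addr wildcard'."""
    action, proto, *rest = line.split()
    if proto != "ip":
        raise ValueError("only 'ip' ACEs are modelled here")
    specs = []
    while rest:
        if rest[0] == "any":
            specs.append((0, 0xFFFFFFFF))
            rest = rest[1:]
        else:
            specs.append((to_int(rest[0]), to_int(rest[1])))
            rest = rest[2:]
    if len(specs) != 2:
        raise ValueError(f"malformed ACE: {line!r}")
    return action, specs[0], specs[1]


def matches(addr, spec):
    base, wildcard = spec          # wildcard bits set to 1 are "don't care"
    return (to_int(addr) | wildcard) == (base | wildcard)


def ingress_verdict(in_vlan, src, dst):
    """First matching ACE wins; no match falls through to the implicit deny."""
    acl = BINDINGS.get(in_vlan)
    if acl is None:
        return "permit"            # no ACL bound to this VLAN
    for line in filter(str.strip, acl.splitlines()):
        action, s, d = parse_ace(line)
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"


def round_trip(a_vlan, a, b_vlan, b):
    """Verdict for the request leg (a -> b) and the reply leg (b -> a)."""
    return ingress_verdict(a_vlan, a, b), ingress_verdict(b_vlan, b, a)
```

In this model `round_trip(1, "192.168.1.10", 40, "192.168.40.20")` returns `("permit", "deny")`, because the guest host's reply enters VLAN 40 and hits the deny entry. A guest query to a DNS server at 192.168.1.1 is dropped the same way, so a guest pool behind this ACL needs a DNS server outside 192.168.1.0/24, such as the 8.8.8.8 used in the pool example.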


17 Replies

mpyhala
Level 7

Hi Justin,

I don't see any need to have the router on a different VLAN than the server and PC. I would remove VLAN 2 and 10 and use VLAN 1 for the office network, including the router. You could also make VLAN 2 OR 10 the default VLAN and use it instead, but it will require you to edit all of the ports.

All ports should be assigned to VLAN 1 by default, so no further configuration is needed for the main network if you choose VLAN 1.

For the guest network you will need to create an IP address on the switch for VLAN 40. That IP address will be the default gateway for all guests. (i.e. 192.168.40.254) If you have an access point, change the port on the switch that the AP plugs into to VLAN 40 Untagged. That way when wireless devices connect they will get an IP address in the VLAN 40 subnet.

You will need to create a route on your router that points back to the VLAN 40 network. It will look like:

To get to 192.168.40.0 (VLAN 40), go to 192.168.1.254 (VLAN 1 IP address of the switch).

If you run into any issues, feel free to open a support case and get some setup assistance:

www.cisco.com/sbsc

- Marty

Alright

I will try your solution (looks better than mine) and I will open a case if I have more trouble with the configuration

I think we have 3-year support with this switch, correct?

Anyway, I have had the switch for only 2 days so I think I will be good for the support

Thanks Marty

Justin,

The SG300 switches come with 1 year of free phone/chat support and a limited lifetime warranty. If you need support beyond the first year you can purchase a 3 year support contract which lists for $69.

- Marty


I am struggling to get this simple DHCP server working on a newly purchased SG300 p10. As you can see below, I have set the system mode to router and have configured two VLANs with two pools, one for each. But for some reason clients connected to the ports assigned to each VLAN respectively fail to obtain an IP address. I have tried this configuration many times on a proper layer 3 switch (3550) and on Packet Tracer, where it works fine. But on this little managed switch, I am struggling. Is there something with the firmware? Should I get the latest? Is there anything I am missing here?

Here is my configuration.

MGIT#sh run
config-file-header
MGIT
v1.3.0.62 / R750_NIK_1_3_647_260
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10,20
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp server
ip dhcp excluded-address 172.30.10.1 172.30.10.10
ip dhcp excluded-address 172.30.20.1 172.30.20.10
ip dhcp pool network pool_for_vlan10
address low 172.30.10.1 high 172.30.10.254 255.255.255.0
lease infinite
default-router 172.30.10.1
exit
ip dhcp pool network pool_for_vlan20
address low 172.30.20.1 high 172.30.20.254 255.255.255.0
default-router 172.30.20.1
exit
bonjour interface range vlan 1
hostname MGIT
!
interface vlan 1
 ip address 172.30.1.1 255.255.255.0
 no ip address dhcp
!
interface vlan 10
 ip address 172.30.10.1 255.255.255.0
!
interface vlan 20
 ip address 172.30.20.1 255.255.255.0
!
interface gigabitethernet1
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 20
!
exit
MGIT#

Just to let you all know, the configuration I posted earlier is fine and working. The problem was with the client PC I was testing the DHCP configuration with; that was at fault. It was a Linux Ubuntu-based laptop failing to obtain an IP address. I need to figure that out, i.e. why on earth the Linux DHCP client side fails, but at least the DHCP server configuration on the SG300 plus inter-VLAN communication all works fine.
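
Added example, not from the thread or from Cisco: Tom's reply states that a pool binds to a VLAN by matching the subnet, and this Python script applies that rule to the DHCP and interface lines of the configuration posted above. The `audit` function and its report keys are made up here; it also flags whether the switch's own interface address sits in the leasable range without being covered by an `ip dhcp excluded-address` line.

```python
import ipaddress

IP = ipaddress.IPv4Address
# Excerpt of the DHCP and interface lines from the "sh run" output posted above.
RUNNING_CONFIG = """\
ip dhcp excluded-address 172.30.10.1 172.30.10.10
ip dhcp excluded-address 172.30.20.1 172.30.20.10
ip dhcp pool network pool_for_vlan10
address low 172.30.10.1 high 172.30.10.254 255.255.255.0
default-router 172.30.10.1
ip dhcp pool network pool_for_vlan20
address low 172.30.20.1 high 172.30.20.254 255.255.255.0
default-router 172.30.20.1
interface vlan 1
 ip address 172.30.1.1 255.255.255.0
interface vlan 10
 ip address 172.30.10.1 255.255.255.0
interface vlan 20
 ip address 172.30.20.1 255.255.255.0
"""

def audit(cfg):
    """Map each DHCP pool to the VLAN interface whose subnet contains it."""
    svis, pools, excluded, ctx = {}, {}, [], (None, None)
    for t in (line.split() for line in cfg.splitlines()):
        if t[:2] == ["interface", "vlan"]:
            ctx = ("svi", int(t[2]))
        elif t[:4] == ["ip", "dhcp", "pool", "network"]:
            ctx = ("pool", t[4])
            pools[t[4]] = {}
        elif t[:3] == ["ip", "dhcp", "excluded-address"]:
            excluded.append((IP(t[3]), IP(t[-1])))   # single address or range
        elif t[:2] == ["ip", "address"] and ctx[0] == "svi" and len(t) == 4:
            svis[ctx[1]] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
        elif t[:2] == ["address", "low"] and ctx[0] == "pool":
            pools[ctx[1]].update(low=IP(t[2]), high=IP(t[4]))
        elif t[:1] == ["default-router"] and ctx[0] == "pool":
            pools[ctx[1]]["gw"] = IP(t[1])
    report = {}
    for name, p in pools.items():
        vlan = next((v for v, i in svis.items()
                     if p["low"] in i.network and p["high"] in i.network), None)
        svi_ip = svis[vlan].ip if vlan is not None else None
        report[name] = {
            "vlan": vlan,
            "gateway_is_svi": vlan is not None and p.get("gw") == svi_ip,
            # True means the pool could lease out the switch's own address.
            "svi_address_leasable": vlan is not None
            and p["low"] <= svi_ip <= p["high"]
            and not any(lo <= svi_ip <= hi for lo, hi in excluded),
        }
    return report
```

For the posted configuration both pools resolve to their intended VLANs, the default router matches the VLAN interface address, and the excluded ranges keep that address out of the leases.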

Justin Girard
Level 1

Hi All

For Tom: I use the GUI because I don't have a serial port on my PC to connect to the CLI

I have a little problem: I'm doing what Marty suggested, but when I try to add a new IPv4 interface for my VLAN 40, the switch freezes and I need to do a power cycle to get access back to it.

Do you know what the problem is or what I'm doing wrong??

Thanks

Justin

That's working now!!

Figured out how to use telnet (it was not enabled by default on the switch), so I used the commands Tom gave me and was able to add my VLAN IP interface.

For the DNS server, can I use the router on 192.168.1.1, or do I not need it because the clients only go on the Internet through this VLAN (networking is really more complicated than I was thinking :S)

And if my router is running DD-WRT, I think it supports VLAN tagging .1q (as I read on the DD-WRT forum)

Otherwise, do I need to know something else for the basic configuration? Because I think Tom covered it well

Thanks

Justin,

It is common to use the router as the DNS server, it will use the ISP to check DNS. For a secondary you can use a public DNS server such as 8.8.8.8 (Google) or 4.2.2.2 (Verizon).

The router does not need to be VLAN aware, just connect it to VLAN 1 and add a static route back to VLANs 10 and 40.

"You will need to create a route on your router that points back to the VLAN 40 network. It will look like:

To get to 192.168.40.0 (VLAN 40), go to 192.168.1.254 (VLAN 1 IP address of the switch)."

Do the same for VLAN 10

Other than that, I think that using Tom's instructions will get you to where you need to be.

Please let us know how it works out, feel free to ask if you need help.

- Marty

Hi

OK, all seems to be working now, except for VLAN 40 (guest), which gets an IP address from DHCP but can't access the Internet.

I tested this yesterday on my Linksys EA2700 (added a route 192.168.40.0 255.255.255.0 192.168.1.254 interface LAN/Wireless). The route works because I can ping my IP from the 2 VLANs (I can ping VLAN 40 from VLAN 1 and vice versa), but VLAN 40 didn't get Internet access, while VLAN 1 has access. Any idea??

Just for info, when I install the switch in the office, I will use a router running DD-WRT (if that could help??)

Another thing: I want to isolate VLAN 40 so it cannot see and reach the PC/server in VLAN 1. How do I do this?

Thanks

Hi Justin, from the VLAN 40, can you ping 8.8.8.8 ?

-Tom
Please mark answered for helpful posts


Hi Tom

Mysteriously, everything works now (I didn't do anything??)

But the other problem is that I need to block the PCs in VLAN 1, to protect them from VLAN 40 (I don't want anyone to access the server and PCs)

I'm looking to configure the ACL (MAC or IP, not sure), but I did some reading and everything points to the ACL in the SG300 only blocking ingress traffic. Is that true??

If it is true, do you have a suggestion for how I can secure my PC and server from being accessed from VLAN 40?

Thanks

Make an ACL on VLAN 40 to prevent VLAN 40 IP traffic from accessing VLAN 1. It should be a simple ACL. Give me your 2 subnets and I can make the ACL for you.

-Tom
Please mark answered for helpful posts


VLAN 1 192.168.1.0 255.255.255.0 gateway 192.168.1.254

VLAN 40 192.168.40.0 255.255.255.0 gateway 192.168.40.254

Can you give me the steps or just a screenshot of the web GUI (or the commands for the CLI if you prefer)?

Thanks a lot, you are a great community, much better than Netgear in my past experience