11-28-2011 02:31 AM
Hi,
I am primarily enquiring whether the setup I have explained below is actually possible, and if so then how I can set this up. I know it isn't the easiest configuration and I need to set this up without purchasing any more equipment if at all possible.
I have a Cisco SG 300-28 setup with three VLAN's
VLAN1 (Business) - 192.168.10.0 - Switch IP 192.168.10.254
VLAN2 (VOIP) - 192.168.20.0 - Switch IP - 192.168.20.1
VLAN3 (Guest) - 192.168.30.0 - Switch IP - 192.168.30.1
Default Gateway is 192.168.10.1 (Netgear Router)
I have a Wireless network setup (Netgear WMS and 2 WAP's) configured with the TWO VLAN's (1 and 3). These go into ports on the Cisco SG 300-28 which are tagged on both VLAN's. The Business wireless worked fine but the guest network didn't route out to the internet.
After some troubleshooting I realised the reason the guest wasn't working was because there was no route back from the internet to the router.
The router I have isn't really ideal, it is a Netgear DGN2200, but I managed to create a static route to 192.168.30.1 with a metric of 2, with 192.168.10.254 being the hop.
Success, the connection worked, the only problem is that now my guest network can see my business network because the business network is using the static route on my router to route back over to the guest network (due to the limitations of this device I can't do anything about that).
So basically, what I have is
Guest network can connect to Business VLAN via switch. I am assuming this is because the router is on the Business VLAN and the default gateway is the router. As they are on the same network the Guest network can inevitably see the business server and network.
The Business network can get back to the Guest network via the router using my static route I created. The static route is really basic and I can't create a firewall rule on the router to prevent the Business network speaking to guest network because it only has a LAN - WAN firewall and this connection is LAN - LAN.
What I need is...
to somehow stop any traffic from the 192.168.30.0 network routing to anything on the 192.168.10.0 network, apart from the router on 192.168.10.1.
Is this possible? I have this setup on a number of different sites, the only difference is I have a Cisco Security Router on these with the VLAN's configured so I don't have this problem. Because I have a rather limited Netgear DGN2200 I am unable to set up the VLAN's correctly and as such I need to see if I can do this on the switch in any way.
Any assistance would be much appreciated.
This is my first post by the way so if I missed anything out that would help anybody then please let me know.
Kind Regards
David
11-28-2011 05:36 AM
Hi David,
Why not apply an access list to filter incoming traffic into the SG300 switch, either via command line or GUI.
Here is an example below, by no means complete, just an example.
Just remember, we are using reverse masking in the ACE:
config
ip access-list extended restrictGuest
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 www
deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 telnet
deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
exit
interface gigabitethernet1
service-acl input restrictGuest
exit
Don't forget to save the configuration with the following command and respond to the prompt.
write
or do it via the GUI method
Step 1. Create an ACL name.
Step 2. Add the port based ACE, which is the filter list.
Step 3. Apply or bind the list to a port so that the port can look at and filter pattern matches for traffic ingressing into the switch. I have given you an example of an ACE list above, you can be more creative in what you deny.
Step 4. Now add or copy the entry to other switch ports.
Remember to save your configuration change.
Hope this helps.
regards Dave
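As an added example (not part of this thread, and not Cisco's own tooling), the following Python model shows how the switch evaluates Dave's restrictGuest list: each ACE is parsed in the SG300's positional form (source, source port, destination, destination port), addresses are compared with reverse (wildcard) masks where a 0 bit must match and a 1 bit is ignored, and the first matching entry wins, falling through to the implicit deny if nothing matches. The flows at the bottom are constructed test traffic for the three VLANs in David's setup. Running it also makes one consequence of the fourth ACE visible: because it denies the whole of 192.168.10.0/24, a guest host is also blocked from reaching 192.168.10.1 itself, while internet-bound traffic is unaffected since its destination address is outside that range; a more specific permit placed ahead of that ACE would be needed if guests must reach the router's address directly.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names used in the answer above, mapped to their TCP ports.
PORT_NAMES = {"www": 80, "telnet": 23}

# (network, wildcard) pair, or None for the keyword "any".
Endpoint = Optional[Tuple[str, str]]


def wildcard_match(addr: str, endpoint: Endpoint) -> bool:
    """Reverse-mask match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if endpoint is None:
        return True
    network, wildcard = endpoint
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; "tcp"/"udp" match only themselves
    src: Endpoint
    src_port: Optional[int]
    dst: Endpoint
    dst_port: Optional[int]

    def matches(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not wildcard_match(src_ip, self.src) or not wildcard_match(dst_ip, self.dst):
            return False
        if self.src_port is not None and self.src_port != src_port:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def _take_endpoint(tokens: List[str], i: int):
    if tokens[i] == "any":
        return None, i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def _take_port(tokens: List[str], i: int):
    if i >= len(tokens) or tokens[i] == "any":
        return None, i + 1
    tok = tokens[i]
    return (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 1


def parse_ace(line: str) -> Ace:
    """Parse one positional SG300-style ACE, e.g.
    'deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 www'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _take_endpoint(t, 2)
    src_port = dst_port = None
    if proto in ("tcp", "udp"):
        src_port, i = _take_port(t, i)
    dst, i = _take_endpoint(t, i)
    if proto in ("tcp", "udp"):
        dst_port, i = _take_port(t, i)
    return Ace(action, proto, src, src_port, dst, dst_port)


# The ACEs exactly as given in the answer above.
RESTRICT_GUEST = [parse_ace(l) for l in """
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 www
deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 telnet
deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
""".strip().splitlines()]


def evaluate(acl: List[Ace], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src_ip, src_port, dst_ip, dst_port):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows from a guest host (192.168.30.50).
    flows = [
        ("tcp", "192.168.30.50", 51000, "192.168.10.20", 445),   # business file server
        ("tcp", "192.168.30.50", 51000, "8.8.8.8", 443),         # internet
        ("tcp", "192.168.30.50", 51000, "192.168.30.1", 80),     # switch web UI
        ("udp", "192.168.30.50", 5060, "192.168.20.10", 5060),   # VoIP VLAN
        ("icmp", "192.168.30.50", 0, "192.168.10.1", 0),         # the router itself
    ]
    for f in flows:
        print(f"{f[0]:5} {f[1]}:{f[2]} -> {f[3]}:{f[4]}  {evaluate(RESTRICT_GUEST, *f)}")
```

The model only covers the IPv4 address, protocol and port fields that the thread's ACEs use; the SG300 also accepts DSCP, precedence and time-range qualifiers that are not represented here.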
11-28-2011 10:23 AM
Hi Dave,
That did the trick, thanks very much for your assistance with that! It was quite straightforward when you know how!
Regards
David