SG300-10P Guest Network Setup Help

Kelly O'Connor
Level 1

Hello Cisco community! First time post, I'm sure someone can help me with this problem of configuring something that should be simple but has eluded a solution for a week now. I've attached a very rough diagram of my topology and hopefully enough information to help you. I am setting up a guest network and access point and have searched & read many, many posts, blogs, how-tos and cannot get this to work. I have two SG300-10P switches in two different buildings connected via fiber. The switches are on the latest firmware version. The Netgear WAC510 supports VLANs and I have two SSIDs set up, one on VLAN 1 and the guest SSID on VLAN 4. Both switches are in layer 3 mode, I created interface VLAN 4 and set up DHCP for VLAN 4. DNS on the switch points to the router. As it should, connecting to SSID 1 results in internet connectivity. The issue is SSID 2. Connection to it results in no internet. The guest PC gets an IP of 10.65.240.100, GW is 10.65.240.254, DNS is 10.65.240.254. The guest PC can ping 10.65.240.254 and 10.65.236.26 but nothing else. As I've read, I need a static route and the switch should handle all the routing, not needing a VLAN-capable router. I tagged VLAN 4 through both switches in testing. I have a static route set up on the ASUS RT-AC87U router but am not sure it's correct. I've tried all three listed, individually, but for the screenshot had them all listed. In the running config you can see where I tried adding the other switch as a gateway but it doesn't show up in the static route list. I've tried everything. What am I doing wrong, or does my network hardware not support this? Thanks, I'm looking forward to the solution as I'm sure it's something simple for the community.


Topology

[Image: LAN Topology.png]

Switch Screenshots:

[Image: Static Routes Automatically Created]
[Image: VLAN 4 Details]
[Image: Static Route Dialog. What is the proper syntax for a route that works?]
[Image: Firmware Info]
[Image: Trunking and Tagging Info]
[Image: Three different static routes tried on the Asus RT-AC87U Router]

Running config: 

HOME-SWITCH#sh run
config-file-header
HOME-SWITCH
v1.4.8.6 / R800_NIK_1_4_202_008
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 4
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp server
ip dhcp pool network "Guest Network"
address low 10.65.240.100 high 10.65.240.150 255.255.255.0
exit
no bonjour enable
bonjour interface range vlan 1
hostname HOME-SWITCH
line console
exec-timeout 30
exit
line ssh
exec-timeout 30
exit
line telnet
exec-timeout 30
exit
username root password encrypted ddfc952a49a4327c80c305a84d6f6a7d8e0f347c privilege 15
username cisco password encrypted ddfc952a49a4327c80c305a84d6f6a7d8e0f347c privilege 15
snmp-server location HOME
snmp-server contact "Myself"
ip http timeout-policy 1800
clock timezone CST -6
clock summer-time web recurring usa
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server us.pool.ntp.org poll
ip name-server 10.65.236.1
ip telnet server
!
interface vlan 1
ip address 10.65.236.26 255.255.255.0
no ip address dhcp
!
interface vlan 4
name "Guest Network"
ip address 10.65.240.254 255.255.255.0
!
interface gigabitethernet1
description "Netgear WAC510 AP"
switchport trunk allowed vlan add 4
!
interface gigabitethernet2
description Camera
!
interface gigabitethernet6
description Camera
!
interface gigabitethernet10
description "Fiber Line to Shop"
switchport trunk allowed vlan add 4
!
exit
banner login ^C
You are logging into the Home Switch
^C
banner exec ^C
Welcome to the Home Switch
^C
ip default-gateway 10.65.236.1
ip default-gateway 10.65.236.25
ip route 10.65.240.0 /24 10.65.236.25

8 Replies

Seb Rupik
VIP Alumni

Hi there,

Since you are routing VLAN4 on the SG300 you need to let the ASUS router know how to reach that subnet (10.65.240.0/24).

Configure the following on the ASUS:

!
ip route 10.65.240.0 255.255.255.0 10.65.236.26
!

cheers,

Seb.
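
An added example (my own code, not from the thread or from either poster) that walks the topology above with a longest-prefix-match lookup on each device. It shows why the guest PC could reach the switch's own addresses (10.65.240.254 and 10.65.236.26) but nothing past them: the forward path always worked, it was the reply from any VLAN 1 device (or the ASUS itself) that followed the default route to the WAN because the ASUS had no route for 10.65.240.0/24. The VLAN 1 client address 10.65.236.200 and the node names are assumptions; every route comes from the running config or from Seb's fix.

```python
# Added example, not part of the original thread: longest-prefix-match walk of
# the home topology. Addresses come from the thread except 10.65.236.200, an
# assumed VLAN 1 client. "WAN" stands in for the ASUS upstream interface, where
# a packet to a private address goes nowhere.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WAN = "WAN"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None means directly connected
    distance: int = 1         # administrative distance: connected 0, static 1


@dataclass
class Node:
    name: str
    addresses: List[str]      # first entry is used as the source address
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix wins; on a tie the lower administrative distance wins."""
        ip = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if ip in r.prefix]
        return max(hits, key=lambda r: (r.prefix.prefixlen, -r.distance)) if hits else None


def connected(cidr: str) -> Route:
    return Route(ipaddress.ip_network(cidr), None, distance=0)


def static(cidr: str, via: str) -> Route:
    return Route(ipaddress.ip_network(cidr), via, distance=1)


def build(asus_has_guest_route: bool) -> Dict[str, Node]:
    """Topology from the thread; only the ASUS static route from Seb's reply is toggled."""
    switch = Node("HOME-SWITCH", ["10.65.236.26", "10.65.240.254"], [
        connected("10.65.236.0/24"),
        connected("10.65.240.0/24"),
        # 'ip route 10.65.240.0 /24 10.65.236.25' from the running config: same
        # length as the connected route, higher distance, so it never takes effect
        static("10.65.240.0/24", "10.65.236.25"),
        static("0.0.0.0/0", "10.65.236.1"),          # ip default-gateway 10.65.236.1
    ])
    asus = Node("ASUS", ["10.65.236.1"], [connected("10.65.236.0/24"), static("0.0.0.0/0", WAN)])
    if asus_has_guest_route:
        asus.routes.append(static("10.65.240.0/24", "10.65.236.26"))
    guest = Node("guest", ["10.65.240.100"], [connected("10.65.240.0/24"), static("0.0.0.0/0", "10.65.240.254")])
    lan_host = Node("lan-host", ["10.65.236.200"], [connected("10.65.236.0/24"), static("0.0.0.0/0", "10.65.236.1")])
    return {n.name: n for n in (switch, asus, guest, lan_host)}


def owner(nodes: Dict[str, Node], ip: str) -> Optional[Node]:
    return next((n for n in nodes.values() if ip in n.addresses), None)


def trace(nodes: Dict[str, Node], src: str, dst: str, max_hops: int = 8) -> Tuple[List[str], bool]:
    """Forward one packet hop by hop; returns (path, delivered)."""
    path, cur = [src], nodes[src]
    for _ in range(max_hops):
        if dst in cur.addresses:
            return path, True
        route = cur.lookup(dst)
        if route is None:
            return path, False                      # no route at all: dropped here
        if route.next_hop is None:                  # connected: hand straight to the owner
            target = owner(nodes, dst)
            if target is None:
                return path, False
            path.append(target.name)
            return path, True
        if route.next_hop == WAN:
            path.append(WAN)
            return path, False                      # private destination leaks upstream and dies
        cur = owner(nodes, route.next_hop)
        if cur is None:
            return path, False                      # next hop not in this model (e.g. the shop switch)
        path.append(cur.name)
    return path, False


def round_trip(nodes: Dict[str, Node], src: str, dst_ip: str) -> Tuple[bool, bool]:
    """(forward delivered, reply delivered): a ping needs both."""
    _, fwd_ok = trace(nodes, src, dst_ip)
    target = owner(nodes, dst_ip)
    if not fwd_ok or target is None:
        return fwd_ok, False
    _, rev_ok = trace(nodes, target.name, nodes[src].addresses[0])
    return fwd_ok, rev_ok


if __name__ == "__main__":
    for has_route in (False, True):
        net = build(has_route)
        print(f"ASUS has route to 10.65.240.0/24: {has_route}")
        for dst in ("10.65.236.26", "10.65.236.1", "10.65.236.200"):
            print(f"  guest -> {dst}: forward/reply = {round_trip(net, 'guest', dst)}")
```

Run it and the three destinations reproduce the symptom: replies from the switch's own addresses come back either way, replies from the ASUS or a VLAN 1 host only come back once the ASUS carries the static route. The model also shows that the switch's own `ip route 10.65.240.0 /24 10.65.236.25` is harmless but useless, because the connected route for the same prefix always wins.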

@Seb Rupik wrote:

Hi there,

Since you are routing VLAN4 on the SG300 you need to let the ASUS router know how to reach that subnet (10.65.240.0/24).

Configure the following on the ASUS:

!
ip route 10.65.240.0 255.255.255.0 10.65.236.26
!

cheers,

Seb.

 


Bless you Seb! That did the trick! I knew it was something easy but my head just doesn't wrap around the IP routing world very well. I also had to add the router as a DNS server in the Guest network DHCP pool which I had left blank. The test guest PC now has internet access. The guest network will ping the private network. I plan to add some ACL to block the guest network from getting to the private network. Once blocked will the DNS of the guest pool still work when pointing to the router if the router isn't pingable after implementing the ACL? 

If you are trying to block your guest network from accessing 10.65.236.0 /24 be careful how you implement the ACL as you are also using the subnet (in particular 10.65.236.1) as your transit network.

 

Perhaps if you configured the VLAN1 DHCP to use 10.65.236.128 /25 for hosts, you could then implement an ACL that would allow outbound access to the internet (and perhaps future internal servers) but block access to other VLAN1 hosts.

!
ip access ext DENY-VLAN4-VLAN1
  deny ip 10.65.240.0 255.255.255.0 10.65.236.128 255.255.255.128
  permit ip any any
!
int vlan1
  access-group DENY-VLAN4-VLAN1 in
!

cheers,

Seb.

Thanks again Seb, you are most helpful. Please bear with me, I hate to keep asking questions, but if you don't mind, a few more? If I understand you, if I set the router IP setup as normal with a netmask of 255.255.255.0 and a pool start and end of 10.65.236.75-10.65.236.127 (I have nearly all my LAN set up with reservations from 10.65.236.2-10.65.236.30 or so), starting the pool at .75 would allow me growth if needed. This would limit the router to half the addresses, I think. Then on the switch VLAN 1, I set up a DHCP pool from 10.65.236.129-10.65.236.254 (or less) with a netmask of 255.255.255.128? Will that work for the ACL you are proposing? If you could explain the ACL and what it's blocking and not blocking, I would understand this better. I understand the two networks are separate but on the same third octet, but not how having .128-.254 separated from .1-.127 helps block VLAN 4 from VLAN 1.

Thanks again! 

 

Sorry for the delay...
If I am reading your message correctly, you are proposing the router and the switch both running DHCP for VLAN1 offering different pools. Don't do this. Have a single device managing a pool. You could also configure DHCP forwarding (ip helper-address) on the SG300 to send requests to the Asus router for VLAN4, where you would configure DHCP pools for VLAN1 and VLAN4. Not sure if the Asus would support that?

So....on the Asus configure a DHCP pool with a range of 10.65.236.128 - 254 . On the SG300 leave the pool as it is currently configured.

The SG300 only supports ingress ACLs, so configure the one I specified earlier on the SG300 VLAN1 SVI. This will prevent VLAN4 clients from communicating with the VLAN1 DHCP clients, but will allow communication to devices in the lower half of the 10.65.236.0 /24 subnet. If you wanted to restrict the ACL to just Asus GW IP 10.65.236.1 then you would need something like this:

!
ip access ext DENY-VLAN4-VLAN1
  permit ip 10.65.240.0 255.255.255.0 10.65.236.1 255.255.255.255
  deny ip 10.65.240.0 255.255.255.0 10.65.236.0 255.255.255.0
  permit ip any any
!


There is also the option of tagging the VLAN4 frames all the way to the Asus router and placing the VLAN4 SVI there. This way the Asus would do all the routing and both SG300's would operate at Layer2. You would then just need a simpler ACL on the ASUS:

!
ip access ext DENY-VLAN4-VLAN1
  deny ip 10.65.240.0 255.255.255.0 10.65.236.0 255.255.255.0
  permit ip any any
!


cheers,
Seb.
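
An added example (my own code, not from the thread or from either poster) that evaluates the three ACLs Seb posted with Cisco first-match semantics and an implicit deny at the end, against the flows a guest client actually generates. Two checks a practitioner wants come out of it: the "gateway-only" ACL permits all IP to 10.65.236.1, so DNS to the ASUS keeps working even though the rest of VLAN 1 is denied (the question raised earlier in the thread), and the "whole /24" ACL, which is fine on the ASUS, would cut the guest off from its transit gateway if it were pasted onto the SG300 instead, which is the warning Seb gave above. The destinations 10.65.236.200 (a VLAN 1 DHCP client in the upper half) and 203.0.113.10 (an internet host) are assumptions. One caveat the evaluator cannot model: an ingress ACL only sees packets arriving on the interface it is bound to, so after binding it, test from a guest host rather than assuming the rules match the traffic you expect.

```python
# Added example, not part of the original thread: first-match evaluation of the
# three guest-isolation ACLs from the thread. 10.65.236.200 (assumed VLAN 1 DHCP
# client) and 203.0.113.10 (assumed internet host) are constructed test inputs.
import ipaddress
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]
GUEST = "10.65.240.100"

DESTINATIONS = {
    "ASUS gateway/DNS": "10.65.236.1",
    "switch VLAN1 SVI": "10.65.236.26",
    "VLAN1 DHCP client": "10.65.236.200",
    "internet host": "203.0.113.10",
}


def parse_ace(line: str) -> Ace:
    """'permit ip 10.65.240.0 255.255.255.0 any' -> ('permit', src_net, dst_net).
    ipaddress accepts a dotted netmask (as written in the thread) and also a
    wildcard such as 0.0.0.255, so either ACL notation parses the same way."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    nets: List[ipaddress.IPv4Network] = []
    i = 0
    while i < len(rest):
        if rest[i] == "any":
            nets.append(ANY)
            i += 1
        else:
            nets.append(ipaddress.ip_network(f"{rest[i]}/{rest[i + 1]}", strict=False))
            i += 2
    if len(nets) != 2:
        raise ValueError(f"expected a source and a destination: {line!r}")
    return action, nets[0], nets[1]


def parse_acl(text: str) -> List[Ace]:
    """Parse the ACE lines of one named ACL (header line omitted)."""
    return [parse_ace(l) for l in text.splitlines() if l.strip() and not l.strip().startswith("!")]


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry decides; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, src_net, dst_net) in enumerate(acl, 1):
        if s in src_net and d in dst_net:
            return action, n
    return "deny", None


ACLS: Dict[str, List[Ace]] = {
    "half-subnet (SG300, VLAN1 hosts in .128/25)": parse_acl("""
        deny ip 10.65.240.0 255.255.255.0 10.65.236.128 255.255.255.128
        permit ip any any"""),
    "gateway-only (SG300)": parse_acl("""
        permit ip 10.65.240.0 255.255.255.0 10.65.236.1 255.255.255.255
        deny ip 10.65.240.0 255.255.255.0 10.65.236.0 255.255.255.0
        permit ip any any"""),
    "whole /24 (meant for the ASUS)": parse_acl("""
        deny ip 10.65.240.0 255.255.255.0 10.65.236.0 255.255.255.0
        permit ip any any"""),
}


def decisions(acl: List[Ace]) -> Dict[str, str]:
    """Verdict for each test destination when the guest client is the source."""
    return {label: evaluate(acl, GUEST, ip)[0] for label, ip in DESTINATIONS.items()}


def breaks_transit(acl: List[Ace], gateway: str = "10.65.236.1") -> bool:
    """Seb's warning: on the SG300 the guest's route to the internet transits VLAN 1
    through the ASUS, so denying the guest subnet to that address kills DNS and NAT."""
    return evaluate(acl, GUEST, gateway)[0] == "deny"


if __name__ == "__main__":
    for name, acl in ACLS.items():
        print(name, "-- would break transit on the SG300:", breaks_transit(acl))
        for label, verdict in decisions(acl).items():
            print(f"  guest -> {label:18s} {verdict}")
```

The evaluator treats each line as `action ip <src> <mask> <dst> <mask>` with `any` for either side; confirm against the SG300 CLI guide whether the platform expects a subnet mask or a wildcard mask on the real device, since the parser accepts both and will not catch a notation mismatch.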

Seb, thanks again for the advice, I really appreciate you taking the time to answer my questions. This weekend I'll give all this a try, I'll set the pools as you recommend and try the ACLs. I'll report back next week how I make out with your recommendations. I'd tag all the frames back as you say as an option, but the ASUS router has no easy way to configure VLANs and only supports a single DHCP pool. It's just not a business class type router. I understand the VLAN part pretty well.

Can you recommend a cheap Cisco router that supports VLANs, multiple DHCP pools and VPN? What about the RV325, RV320, RV340 types? I've considered just buying one and selling the ASUS since I have the switches and a decent business class AP for the home, and it would be much more configurable.

To be honest I've never used an RV series router so couldn't advise on a model. For a small business deployment I would opt for a 880 series ISR. There are plenty of hardware configurations available and it uses full-fat IOS. :)

 

cheers,

Seb.

Seb, I was able to finally give this a test and ended up using your advice about the single ACL of blocking access to just the router for now. I changed the router pool to 128-254 and the test PC is not able to access the other network. I did a lot of reading and comparing my budget to different router models and ended up purchasing an RV-340 router NIB. I guess I never mentioned that this is my home network and half of it is in my shop with fiber between the home and the shop. Lots of grandkids and their friends are over and always needing a connection, which is why I decided to get serious with the guest setup. The router firmware matches the familiar look of the switch firmware and, being a Cisco, should allow me to set up two VLANs at the router and trunk them out to the switches using pools set up at the router. The ACLs you helped me with should still apply but I should be able to understand this a bit better. I plan to get another Netgear WAC-510 for the other building and with a bit of work everything should do what I want much more easily than trying to use the ASUS home-network-rated router. I chose a router without wireless as the router mounts inside a metal cabinet and before, I had to run extension cables from the router out to remote antennas, so having the AP outside the cabinet will simplify that as well. I will probably have a question or two down the road, hopefully you will see them and be willing to reply. Thanks!