Cisco SG300 Vlan Help!

jjoy8994 (Reputable), May 22, 2014
Working with an SG300 and an internet feed from a router with DHCP. I have 4 devices in a video control system that I need to restrict the network traffic to only their own communication for stability. I do not want them on a network that has internet either, to cut down on traffic. I have a computer as well as an iPad. The computer will be hardwired and the iPad will access the network via an access point. These machines do need to be on the internet as well as have the ability to send commands to the 4 control system devices. I currently have it all on one network with no internet and I am able to see the video control devices and bring up their embedded web control interfaces, ping them, and control them via TCP/IP commands.

Here is my idea but need help "bridging the gap".

2 VLANs:
One with my four control system devices on it, no internet connection.
The second with the internet feed, access point, and any hardwired computers that need to see the internet.

My issue is: how do I now send commands to and view the embedded web control pages of the video control devices on the other VLAN? Can I do that with the SG300-20?
 
Solution
This unfortunately is a web-based switch that is sort of a Cisco switch. It has a limited command line mode if you really work at it.

Still, the access lists are similar. An IOS example, assuming you are using 192.168.1.x for your LAN, would be

ip access-list extended LAN-ONLY
 permit ip any 192.168.1.0 0.0.0.255
 deny ip any any

You would apply this inbound to any port you want to restrict. This pretty much says only allow traffic with a destination address in the 192.168.1.0 subnet, so any other destination IP would be blocked.
You have 2 ways to do it with these devices. You could just leave it the way it is and put an access list on the ports that are connected to devices that should not have internet. You would only allow traffic to the subnet in the building and block all else.

The other way is somewhat dependent on your router's ability to have static routes. You would define three networks: one for the switch to the router, a second for your trusted users and a third for your non-trusted. Say you use 192.168.1.x, 192.168.2.x and 192.168.3.x. You would assign an IP on the VLAN interfaces on the switch for each network. The switch would set its default route to the router. The devices on the 2 other VLANs would use the switch as their default route. The switch by default will now work, but you will not have internet for anyone. You would need to put a static route in the router pointing, say, 192.168.2.x to 192.168.1? (switch IP). Since you did not route 192.168.3.x they would be denied access just because the router does not know about them, but the switch does, so communication would work between VLANs but not outside.

I would use the access list method; it is much simpler.

If you are really ambitious, this switch supports what is called private VLANs, which allows you to have all the devices on the same VLAN but restrict access between the machines as well as to the router/firewall.
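To make the first-match and wildcard-mask semantics of that two-line access list concrete, here is an added Python simulation. It is not code from the thread or from Cisco; it models how an IOS-style inbound ACL on the control devices' ports would treat a few constructed packets (the addresses 192.168.1.50, 192.168.1.30, 192.168.2.5 and 8.8.8.8 are assumptions). It also surfaces a caveat for the three-subnet variant described in the same answer: as written, the ACL permits only 192.168.1.0/24 destinations, so a control device could not answer a client on a second subnet such as 192.168.2.x unless that network is permitted too.

```python
"""Simulate an IOS-style inbound ACL (added example, not from the thread)."""
import ipaddress

# The two ACEs from the answer above, applied inbound on the control-device ports.
ACL_TEXT = [
    "permit ip any 192.168.1.0 0.0.0.255",
    "deny ip any any",
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    0.0.0.255 therefore matches the whole 192.168.1.0/24 block."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line: str) -> dict:
    """Parse 'permit|deny <proto> <src> [wild] <dst> [wild]'.
    'any' is shorthand for 0.0.0.0 255.255.255.255 (match everything)."""
    tokens = line.lower().split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_address() -> tuple:
        if rest[0] == "any":
            rest.pop(0)
            return ("0.0.0.0", "255.255.255.255")
        return (rest.pop(0), rest.pop(0))

    src = take_address()
    dst = take_address()
    return {"action": action, "proto": proto, "src": src, "dst": dst}


ACL = [parse_ace(line) for line in ACL_TEXT]


def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching ACE wins; an ACL with no match ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"


def demo() -> dict:
    """Constructed packets from a control device (192.168.1.50), keyed by destination."""
    control_device = "192.168.1.50"
    destinations = {
        "ipad_same_subnet": "192.168.1.30",   # reply to the iPad on the LAN
        "internet": "8.8.8.8",                # anything off-LAN is blocked
        "trusted_second_subnet": "192.168.2.5",  # blocked too: not in 192.168.1.0/24
    }
    return {name: evaluate(ACL, control_device, dst) for name, dst in destinations.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The third result is the point to check before choosing the routed design: if the iPad ends up on 192.168.2.x, the control devices' replies fall through to the deny line, so the permit would need to cover that subnet as well (for example 192.168.0.0 0.0.255.255, or one permit per local subnet).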
 


I would like to have them on separate VLANs, but how do I then communicate from one to another?
I.e.: VLAN 1 has the non-internet devices with no internet traffic; VLAN 2 has internet and all of the traffic that comes with it. My iPad is on VLAN 2 with internet access for email, web surfing, etc. An app on the iPad needs to send a command to a device on VLAN 1.

How or what will allow that to happen?
 
The switch will route between them. You need to move the default gateway for your current network to the switch and create a new network between the switch and the router. The only other way to do this would be if your router can support VLANs and you build tagged VLAN trunks between the router and the switch. Since you have a Layer 3 switch, it will be simpler to let the switch control traffic between the VLANs and let the router do just the NAT to the internet.
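What that routed design looks like on the switch, as an added configuration example that is not from the thread or from Cisco documentation. It assumes SG300 CLI syntax as I remember it (verify command names against your firmware's CLI guide), the addressing from the earlier answer (192.168.1.0/24 between router and switch, 192.168.2.0/24 trusted, 192.168.3.0/24 control devices), and assumed port numbers: gi1 uplink to the router, gi2 and gi3 for the PC and access point, gi5 to gi8 for the four control devices. Lines beginning with `!` are annotations, not commands. The ACL on the control ports permits both local subnets, so the devices can answer the iPad on the trusted VLAN but reach nothing beyond the switch.

```text
! Put the SG300 in Layer 3 mode first (privileged EXEC; the switch reboots)
set system mode router

configure
vlan database
 vlan 10,20
exit

! VLAN 1 faces the router; VLAN 10 = trusted; VLAN 20 = control devices
interface vlan 1
 ip address 192.168.1.2 255.255.255.0
exit
interface vlan 10
 ip address 192.168.2.1 255.255.255.0
exit
interface vlan 20
 ip address 192.168.3.1 255.255.255.0
exit

! Default route to the router; the router needs a static route back to
! 192.168.2.0/24 via 192.168.1.2 so trusted hosts get internet (router syntax varies)
ip route 0.0.0.0 0.0.0.0 192.168.1.1

interface gi1
 switchport mode access
 switchport access vlan 1
exit
interface range gi2-3
 switchport mode access
 switchport access vlan 10
exit

! Control devices: local subnets only, everything else dropped on ingress
ip access-list extended CONTROL-LOCAL-ONLY
 permit any any 192.168.2.0 0.0.0.255
 permit any any 192.168.3.0 0.0.0.255
 deny any any any
exit
interface range gi5-8
 switchport mode access
 switchport access vlan 20
 service-acl input CONTROL-LOCAL-ONLY
exit
end
copy running-config startup-config
```

Two things to plan for with this layout: the router's DHCP no longer reaches VLAN 10 or VLAN 20, so give the control devices static addresses (and run a DHCP pool on the switch, or relay, for the trusted VLAN), and point the PC and the access point's clients at 192.168.2.1 as their gateway rather than at the router.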
 


My apologies, I need a bit simpler explanation of the process. Whichever way you think is the best and most stable?
 