Switch – Help with VLANs, ACLs, DHCP on SG-300 Layer 3 switch

Tags: acl, cisco-small-business, layer3, switch, vlan

I have to do the following configuration on a Cisco SG-300 small business L3 switch, as in the figure.

[figure: network dig]

Since I don't have access to this switch for practice before doing this live in production, I need to clear some doubts in my head.

So here is my plan; I would really appreciate it if you could check it to see if I'm headed right.

1. Configure the VLAN 2 and 3 interfaces with .1 IPs as per the subnet, assign ports, and configure the clients to use them as the gateway.
Question: Does a tagged port simply mean an access port on just a single VLAN, and a port tagged on many different VLANs means a trunk port? What does an untagged port mean then?

2. Add a static route on the switch as 0.0.0.0/0 with 192.168.1.1 0.0.0.255 as next hop, which is the firewall. Does the L3 switch allow its interfaces to be assigned an IP address? In Packet Tracer I had to do "no switchport" before I could assign an IP to an interface on the L3 switch.

3. Add reverse routes on the firewall for both VLAN subnets with 192.168.1.2 as the next hop for the internet to work.

4. Configure firewall policies to allow traffic from the 192.168.2.0 and 3.0 subnets to the internet. Does the switch-to-firewall /30 link need trunk ports, as that is going to be on VLAN 1?

At this stage the internet should be working on both VLANs.

My next phase of config is to block the entire VLAN 3 from accessing one particular host on VLAN 2, and then allow only certain hosts on VLAN 2 (printers) to be accessible from VLAN 3.

This is proving to be confusing; I could really use some help here.

Also, the plan is to use static IPs for now, but if we decide to go with DHCP I would be configuring the switch itself as the DHCP server.

I am aware of creating the DHCP pools, but how do I assign them to the VLANs?

Do we use the ip helper command in this case?
E.g.:
Pools:

ip dhcp pool vlan2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 4.2.2.2

ip dhcp pool vlan3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 8.8.8.8

And then for the binding to VLAN 2:

interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.2.1

Also, if I am to add an access point in either of the VLANs, the AP would connect to the VLAN port on the switch; does it need to have VLAN tagging enabled as well?

Best Answer

You do not need the ip helper-address statement.

As I understand your requirement, you only want to allow printers on vl 2 to be accessed from vl 3. Nothing else on vl 2 can be accessed from vl 3.

ip access-list extended vlan3-in
 remark allow printers. Repeat this line for each printer
 permit ip any host <printer address>
 remark alternatively, you can only allow the printer port on the VLAN, for ex.
 permit tcp any 192.168.2.0 0.0.0.255 eq 9100
 remark block the rest of vlan 2
 deny ip any 192.168.2.0 0.0.0.255
 remark permit Internet
 permit ip any any

interface vlan 3
service-acl input vlan3-in

If your AP can offer multiple SSIDs, then you can have one SSID for each VLAN. You tag the VLANs and set the switch port to trunk.

If your AP can't offer multiple SSIDs, then make the switch port an access port and don't tag the VLAN.
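As an added example, not code from the question or the answer: the vlan3-in ACL above modelled as a first-match evaluator in Python, plus a check for rules that an earlier, broader rule shadows (the mistake of putting the "deny vlan 2" line before the printer permits). The printer address 192.168.2.50 is a constructed placeholder.

```python
import ipaddress

# Constructed placeholder for "<printer address>" in the answer's ACL.
PRINTER = "192.168.2.50"

def rule(action, proto, dst, port=None):
    # Cisco "host x" is a /32; "net wildcard" is parsed via the hostmask form.
    return {"action": action, "proto": proto,
            "dst": ipaddress.ip_network(dst, strict=False), "port": port}

# The answer's vlan3-in ACL as data. Rules are evaluated top down; first match wins.
VLAN3_IN = [
    rule("permit", "ip",  f"{PRINTER}/32"),                # permit ip any host <printer>
    rule("permit", "tcp", "192.168.2.0/0.0.0.255", 9100),  # permit tcp any 192.168.2.0 0.0.0.255 eq 9100
    rule("deny",   "ip",  "192.168.2.0/0.0.0.255"),        # deny ip any 192.168.2.0 0.0.0.255
    rule("permit", "ip",  "0.0.0.0/0"),                    # permit ip any any
]

# Same lines with the deny moved to the top: the printer permits can never match.
MISORDERED = [VLAN3_IN[2], VLAN3_IN[0], VLAN3_IN[1], VLAN3_IN[3]]

def evaluate(acl, proto, dst, dport=None):
    """Return 'permit' or 'deny' for a packet from VLAN 3 to dst (proto/port)."""
    dst = ipaddress.ip_address(dst)
    for r in acl:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue                      # protocol-specific rule, other protocol
        if dst not in r["dst"]:
            continue                      # destination outside this rule's range
        if r["port"] is not None and r["port"] != dport:
            continue                      # port-specific rule, other port
        return r["action"]
    return "deny"                         # every ACL ends with an implicit deny

def shadowed(acl):
    """Indexes of rules that can never match because an earlier 'ip' rule
    with no port condition already covers their whole destination range."""
    hits = []
    for i, r in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier["proto"] == "ip" and earlier["port"] is None
                    and r["dst"].subnet_of(earlier["dst"])):
                hits.append(i)
                break
    return hits
```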