06-11-2015 12:27 PM
Hello all,
We have recently installed a Small Business Series RV325 to interface properly with a new VoIP phone system, and we have an additional issue to resolve regarding PCI compliance. We have one credit card terminal in the building, and it's come to our attention in recent months that to adhere to compliance standards, said terminal needs to be isolated from the rest of the network. I'd rather not pay for a second WAN connection, so I'm curious what the best way would be to set this up.
I have some VLAN configuration experience, but nothing with this line of Cisco routers. Since there is only one private LAN in the building otherwise, it seems like setting up one VLAN for that one specific device/port and tagging it while leaving the default VLAN (1, which is not currently enabled) not operating on a VLAN would be ideal, but I'll leave this one to the experts.
Thank you in advance.
Ben
06-11-2015 01:22 PM
Hello,
Yes, isolating the PCI terminal is recommended on the LAN.
To configure the VLAN:
- Port Management - VLAN Membership - Enable VLAN - ADD
- VLAN ID 4, Name, Disabled, Disabled, Select one port to Untagged. This is the port that you will connect the PCI terminal to.
- Save
This will isolate it on the inside of your network.
PCI is also concerned about remote access to your network through the WAN port. By default, the RV325 blocks all inbound connections / ports. If you have port forwards, one-to-one NAT or VPN configured, however, this could cause the PCI test to fail. If you are using these functions, you may have to disable them for PCI compliance.
Best Regards,
Mike
06-11-2015 02:43 PM
Fabulous. Thanks, Michael. This all makes great sense.
Edit: I re-read your response and it answered my question. Thanks!
06-17-2015 10:31 AM
Hi again Michael,
Thanks for your response last week. I seem to have run into a frustrating issue that I can't resolve. It seems like it should be simpler, so I may just be doing something incorrectly.
I enabled the VLAN via checkbox and Saved. By default, all devices on VLAN 1 are set to Untagged (which it should be). Next, I created a new VLAN (you'll see 13 in the attached photos). By default, as in all VLANs other than the default, all ports are set to Tagged. When I attempt to set port 13 (which is what I want to use for the device I want to isolate), it throws the error message that a VLAN port can only be untagged to one VLAN ID. Makes sense, considering that it's already Untagged on the default (1) VLAN. When I edit that VLAN and try to set the port to either Tagged or Excluded, it throws the same error message (see 2.png). My assumption is that somewhere else in the router config I need to do something with that port because otherwise I don't seem to be able to make it operate outside of the default VLAN. That or I'm just doing something wrong.
Advance appreciation on any help!
Thanks,
Ben
06-17-2015 10:34 AM
Hi again,
Looks like I answered my own question. I wasn't aware until just now that I can select multiple VLAN IDs and edit them simultaneously. That was driving me crazy. Mommy always said I was a little slow.
Thanks again for the info!
Ben
06-17-2015 10:41 AM
Hello,
It is correct that you can only have 1 untagged Vlan / port.
However, when you edit the vlan settings on the port, select both Vlans to edit. Thus you can change Vlan to untagged and change Vlan 1 to tagged at the same time. This should allow the change.
Best Regards,
Mike
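Added example (not part of the original thread, and not Cisco firmware code): a small Python model of the membership table that shows why editing one VLAN at a time is rejected in either order, while editing both VLANs in one save is accepted. It assumes the router requires every port to be untagged in exactly one VLAN after each save, which is consistent with both errors described above; the function names and the 14-entry port list are constructed for illustration.

```python
# Added illustration: a simplified model, not the RV325's own logic.
UNTAGGED, TAGGED, EXCLUDED = "untagged", "tagged", "excluded"


def validate(table, ports):
    """Return one error string per port that lacks exactly one untagged VLAN."""
    errors = []
    for port in ports:
        untagged = sorted(vlan for vlan, members in table.items()
                          if members.get(port) == UNTAGGED)
        if len(untagged) != 1:
            errors.append(
                f"port {port}: untagged in VLANs {untagged}, need exactly one")
    return errors


def save(table, ports, edits):
    """Apply edits {(vlan, port): mode} as a single save.

    Returns (table_after, errors). If the result is invalid, the original
    table is returned unchanged, like a form that refuses the Save.
    """
    candidate = {vlan: dict(members) for vlan, members in table.items()}
    for (vlan, port), mode in edits.items():
        candidate[vlan][port] = mode
    errors = validate(candidate, ports)
    return (table, errors) if errors else (candidate, [])


def starting_table(ports, new_vlan):
    """State described in the thread: VLAN 1 untagged on every port,
    the newly added VLAN tagged on every port."""
    return {1: {p: UNTAGGED for p in ports},
            new_vlan: {p: TAGGED for p in ports}}


if __name__ == "__main__":
    ports = list(range(1, 15))  # constructed port list; includes port 13
    table = starting_table(ports, 13)
    # Editing only VLAN 13: port 13 would be untagged in two VLANs.
    print(save(table, ports, {(13, 13): UNTAGGED})[1])
    # Editing only VLAN 1: port 13 would have no untagged VLAN at all.
    print(save(table, ports, {(1, 13): TAGGED})[1])
    # Editing both VLANs in the same save: accepted.
    table, errors = save(table, ports, {(13, 13): UNTAGGED, (1, 13): TAGGED})
    print(errors, table[13][13], table[1][13])
```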