Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1844
Views
10
Helpful
5
Replies

Question regarding VLAN isolation/tagging on RV325

Go to solution
lucidr3v3ri3
Level 1
Level 1

‎06-11-2015 12:27 PM

Hello all,

We have recently installed a Small Business Series RV325 to interface properly with a new VoIP phone system, and we have an additional issue to resolve regarding PCI compliance. We have one credit card terminal in the building, and it's come to our attention in recent months that to adhere to compliance standards, said terminal needs to be isolated from the rest of the network. I'd rather not pay for a second WAN connection, so I'm curious what the best way would be to set this up.

I have some VLAN configuration experience, but nothing with this line of Cisco routers. Since there is only one private LAN in the building otherwise, it seems like setting up one VLAN for that one specific device/port and tagging it while leaving the default VLAN (1, which is not currently enabled) not operating on a VLAN would be ideal, but I'll leave this one to the experts.

Thank you in advance.

Ben

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Michael Swenson
Cisco Employee
Cisco Employee

‎06-11-2015 01:22 PM

Hello,

Yes, isolating the PCI terminal is recommended on the LAN. 

To configure the Vlan:

  - Port Managenet - Vlan Membership - Enable Vlan -  ADD

 - VLan ID 4, Name, Disabled, Disabled,  Select one port to Untagged.  This is the port that you will connect the PCI terminal

 - Save

This will isolate on the inside of you network.

PCI is ,also, concerned about the remote access to you network through the WAN port.  By default,the RV325 blocks all inbound connections / ports.  IF you have port forwards, one to one NAT or VPN configured, however, this could cause the PCI test to fail.  If you are using these function, you may have to disable for the PCI compliance.

Best Regards,

Mike

View solution in original post

5 Replies 5

Go to solution
Michael Swenson
Cisco Employee
Cisco Employee

‎06-11-2015 01:22 PM

Hello,

Yes, isolating the PCI terminal is recommended on the LAN. 

To configure the Vlan:

  - Port Managenet - Vlan Membership - Enable Vlan -  ADD

 - VLan ID 4, Name, Disabled, Disabled,  Select one port to Untagged.  This is the port that you will connect the PCI terminal

 - Save

This will isolate on the inside of you network.

PCI is ,also, concerned about the remote access to you network through the WAN port.  By default,the RV325 blocks all inbound connections / ports.  IF you have port forwards, one to one NAT or VPN configured, however, this could cause the PCI test to fail.  If you are using these function, you may have to disable for the PCI compliance.

Best Regards,

Mike

Go to solution
lucidr3v3ri3
Level 1
Level 1
In response to Michael Swenson

‎06-11-2015 02:43 PM

Fabulous.  Thanks, Michael.  This all makes great sense.

Edit: I re-read your response and it answered my question. Thanks!

0 Helpful

Go to solution
lucidr3v3ri3
Level 1
Level 1
In response to Michael Swenson

‎06-17-2015 10:31 AM

Hi again Michael,

Thanks for your response last week. I seem to have run into a frustrating issue that I can't resolve. It seems like it should be simpler, so I may just be doing something incorrectly.

I enabled the VLAN via checkbox and Saved. By default, all devices on VLAN 1 are set to Untagged (which it should be). Next, I created a new VLAN (you'll see 13 in the attached photos). By default, as in all VLANs other than the default, all ports are set to Tagged. When I attempt to set port 13 (which is what I want to use for the device I want to isolate), it throws the error message that a VLAN port can only be untagged to one VLAN ID. Makes sense, considering that it's already Untagged on the default (1) VLAN. When I edit that VLAN and try to set the port to either Tagged or Excluded, it throws the same error message (see 2.png). My assumption is that somewhere else in the router config I need to do something with that port because otherwise I don't seem to be able to make it operate outside of the default VLAN. That or I'm just doing something wrong.

Advance appreciation on any help!

Thanks,
Ben

Preview file
39 KB
Preview file
39 KB
0 Helpful

Go to solution
lucidr3v3ri3
Level 1
Level 1
In response to lucidr3v3ri3

‎06-17-2015 10:34 AM

Hi again,

Looks like I answered my own question. I wasn't aware until just now that I can select multiple VLAN IDs and edit them simultaneously. That was driving me crazy. Mommy always said I was a little slow.

Thanks again for the info!

Ben

0 Helpful

Go to solution
Michael Swenson
Cisco Employee
Cisco Employee
In response to lucidr3v3ri3

‎06-17-2015 10:41 AM

Hello,

It is correct that you can only have 1 untagged Vlan / port.

However, when you edit the vlan settings on the port, select both Vlans to edit.  Thus  you can change Vlan to untagged and change Vlan 1 to tagged at the same time.  This should allow the change.

 

Best Regards,

Mike

Customers Also Viewed These Support Documents