Assign and isolate ports on an RV160 - baffled, I am.

Mahmood01
Level 1

I'm trying to set up an RV160 so three physical ports are assigned to specific IP ranges via VLAN settings.  I've set up three VLANs named 2, 3 and 5, which correspond to the ranges 192.168.2.0/24, 192.168.3.0/24, and 192.168.5.0/24.  I've assigned VLAN 2 to port two, VLAN 3 to port 3, and VLAN 5 to port 4.  I'm sure a big problem is how I've set up the "Assign VLANs to ports" section and the Inter-VLAN Routing entries.  Ultimately, ports three and four will hit the internet and see each other, but not port 2.  Port 2 can hit the internet, but not see ports three and four.  All VLANs are DHCP’d, but eventually I plan to set port three without DHCP and static the only device that will be in that range and connected to that port.

The tagged, untagged, and excluded bits are confusing me.  I’ve been webbin’ the heck out of this, and one page said that I’d also need to do something to the Firewall/NAT settings, as well.  It’s enabled.  The Inter-VLAN Routing options were all enabled so I could do some testing, but I have since changed VLAN two's setting.  If I plug in to port one, two, three, or four, I can still ping the 1.1, 2.1, 3.1, and 5.1 gateways from each port.

At this time, the correct DHCP'd IPs pull from each port, but I cannot determine the settings to forbid the devices on ports three and four from seeing the 192.168.2.0/24 range on port two.  I don’t plan on having anything on port one of the router.

Any assistance would be appreciated.


Hello,

It is unclear from your description what the actual problem is. Do you want port 2 (VLAN 2) to communicate with the other ports/VLANs, and that is not working?

In general, all non-default VLANs should be tagged. The untagged VLAN is typically VLAN 1 (or any VLAN you want to use for just management)...

Thank you for replying.  I want port two to be isolated so no networks on other ports can see it.  Port two, 192.168.2.0/24, is the line that hooks to the work network via a VPN link.  I don't want any other VLAN or port to see the one computer on the VLAN on port two.

Hello


@Mahmood01 wrote:

The tagged, untagged, and excluded bits are confusing me. 


I interpret this as:
excluded = manually prune this specific VLAN from the trunk/port
untagged = assign this specific VLAN to the trunk/port (untagged packets)
tagged = assign this specific VLAN to the trunk/port (tagged packets)

The below would be an example of all 4 ports running as access ports assigned to a specific VLAN
Access-ports
LanPort1 untagged Vlan1  2-3-5 excluded
LanPort2 untagged Vlan2  1-3-5 excluded
LanPort3 untagged Vlan3  1-2-5 excluded
LanPort4 untagged Vlan5  1-2-3 excluded

Trunks Ports
Port 1 running as a trunk allowing all vlans
LanPort1 tagged  vlan1  2-3-5 tagged

Port 2 running as a trunk allowing vlans 1-2-3 with native vlan 5
LanPort2 tagged  vlan 1  2-3 tagged  5 untagged

Now, to exclude a port in one VLAN so that it is not able to communicate with a host in another VLAN on this router, you would need to apply some filter like an access list or isolate it in its own DMZ network. Do you have any options on this router for applying an access list or creating a DMZ?

Edited - RV160 dmz


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for replying. I am wanting to isolate one VLAN and assign it a specific router port; that one VLAN will be isolated so none of the other VLANs can see it and can't ping any device on it.  The 192.168.2.0/24 range is for work's VPN only, I don't want the PC on that range to see any other VLANs on the RV160.

Hello
After checking the RV160-admin-guide (page 81), you can indeed create a filter to isolate a specific VLAN from the other VLANs on your network, so please review it.




Kind Regards
Paul

While the "STFU and RTFM" response is normal from some folks, it doesn't really help a newbie, but thank you anyway.  "Community" at its best!  Page 81 in the Cisco manual, or Page 81 in the PDF document?  Page 81 actual, Goal: Use the source address to let the PC translate to a specific public address while the others will still translate to a WAN address, doesn't seem to help at all, so I'll go with Page 75 of the manual, Page 81 of the PDF file, Firewall Access Rules.

 

I set up a Deny action rule, the Source Interface of VLAN5, Source Address of Any, to the Destination Interface of VLAN2, Destination Address of Any.

I set up another Deny action rule, the Source Interface of VLAN2, Source Address of Any, to the Destination Interface of VLAN5, Destination Address of Any.

The gateways are pingable from each VLAN, but the PC IPs betwixt two of the VLANs are not.  Don't know if both rules are needed.  Can the gateway access between the two VLANs be disabled, as well, or is that even necessary?
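
The two Deny rules from the post above, checked against the thread's stated goal (VLAN 2 isolated from every other VLAN), as an added example that is not part of the original thread. It is a simplified model, not RV160 configuration syntax: first-match rules keyed on source/destination interface, default-allow inter-VLAN routing, and all function names are assumptions made for illustration.

```python
from itertools import permutations

# VLAN names follow the thread; VLAN1 is the router's default VLAN on port 1.
VLANS = ["VLAN1", "VLAN2", "VLAN3", "VLAN5"]
ISOLATED = "VLAN2"          # the work/VPN segment that nothing else may reach
DEFAULT_ACTION = "allow"    # assumption: inter-VLAN routing enabled everywhere


def decide(rules, src, dst):
    """Return the action for traffic initiated from src towards dst."""
    for action, rule_src, rule_dst in rules:   # assumption: first match wins
        if (rule_src, rule_dst) == (src, dst):
            return action
    return DEFAULT_ACTION


def audit(rules, isolated=ISOLATED):
    """List (src, dst, action) pairs that contradict the isolation goal."""
    gaps = []
    for src, dst in permutations(VLANS, 2):
        wanted = "deny" if isolated in (src, dst) else "allow"
        actual = decide(rules, src, dst)
        if actual != wanted:
            gaps.append((src, dst, actual))
    return gaps


def isolation_rules(isolated=ISOLATED):
    """Deny rules in both directions between `isolated` and every other VLAN."""
    rules = []
    for other in (v for v in VLANS if v != isolated):
        rules += [("deny", other, isolated), ("deny", isolated, other)]
    return rules


# The two rules described in the post: VLAN5 <-> VLAN2 only.
THREAD_RULES = [("deny", "VLAN5", "VLAN2"), ("deny", "VLAN2", "VLAN5")]

if __name__ == "__main__":
    for src, dst, action in audit(THREAD_RULES):
        print(f"gap: {src} -> {dst} is {action}")
    print("rules needed:", isolation_rules())
    print("gaps after full rule set:", audit(isolation_rules()))
```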

 
