RV110W - trying to set up 2 VLANS - are there docs / help for this?

feetsdr88
Level 1

I am trying to set up an RV110W router with 2 VLANs - 1 for guests to the office to just have internet access via wireless and another for employees to be able to access the LAN and internet wirelessly. I have not done anything with VLANs before, so please bear with me.

I thought this would be simple, but banging my head against the wall with all the terms in the docs:

http://www.cisco.com/en/US/docs/routers/csbr/rv110w/administration/guide/rv110w_admin.pdf

Port 1 is connected to a wired LAN / unmanaged switch with office PCs. So these machines / nothing on this subnet tag the packets before they get to the router. This subnet is using 10.10.1.0/24.

Port 2 is connected to an Engenius EAP 300, a wireless access point that can broadcast SSIDs and tie each SSID to a different VLAN.

SSID1 is called Private and is set to be VLAN 1. There's encryption on this SSID - only office staff would be able to log on.

SSID2 is called public and is set to be VLAN 10.  There's no encryption on this SSID.

I know - the router also does this, but where the router is vs. where the wireless is needed, we need to have the Engenius at that remote location.

I have the RV110W set to give out 10.10.1.0/24 IPs when you connect to the SSID1 / VLAN1

And it gives out 10.10.10.0/24 IPs when you connect to the public SSID / VLAN10.

Both get on the internet fine. The only issue is how to set the VLAN membership for each port / and any other settings so that the wireless devices on VLAN 1 can get to the LAN devices on Port 1 (and the public / VLAN 10 devices on the wireless network to NOT get to the devices on port 1, but I think that's working).

I played with tagged / untagged / excluded, for the port membership, but either the wireless VLAN 1 devices get blocked from even the web (when port 2 is set to untagged, since they ARE tagged VLAN1) or they can't get to port 1 when set to tagged, since the port 1 devices are all untagged and the reply packets get blocked?

The doc for this unit talks about inter-vlan routing but doesn't explain what that is. The wireless isolation should be turned on for vlan 10, right? We don't want guests to be able to access other guests' machines?

I saw on page 71 on how to set up the guest network, but that's using the wireless built into the box, not a wireless access point.

Overall, what I want is:

VLAN 1: port 2 (with tagged VLAN1 packets) and port 1 (with untagged packets) can pass data between each other and access the internet

VLAN10: port 2 with tagged VLAN10 packets can only get to the internet.

Is that doable?

How?

6 Replies

Tom Watts
VIP Alumni

Hi Mike, Yes, the wireless isolation can be enabled. This means wireless devices cannot communicate to other wireless devices.  Additionally, you would need to have inter-vlan routing disabled.

Inter-vlan routing is a layer 3 function (meaning router function). In a layer 2 (switch) network, vlans cannot communicate to one another without a layer 3 (router) device to move information across the different subnets (vlans). To achieve your goal, inter-vlan routing should be disabled so vlan 1 only talks to vlan 1 and vlan 2 only talks to vlan 2. So as long as port 1 of the router is vlan 1, anything else on vlan 1 should have no issues for access there.

-Tom
Please rate helpful posts


Thanks Tom. But all the machines on port 1 are hardwired and connected with an unmanaged switch, so their packets are untagged, right? I want them to be able to talk to the laptops (whose packets are tagged vlan1). Seems you can't have both on the same port? Untagged and tagged? 'Cause I've tried setting the port 1 membership for vlan 1 to tagged and untagged, and either the vlan1 packets from port 2 don't get through or the untagged packets from port 1 don't get back to the wireless on port 2.

thanks.

Mike, the correct configuration would be port 1 is vlan 1 untagged, port 2 is vlan 1 untagged, vlan 2 tagged.

Your access point is the question, as it should be 802.1q compliant meaning its native vlan should be vlan 1 and its management ip address should be on vlan 1 as well.

-Tom
Please rate helpful posts


Thanks. Still not working.

For the vlan membership page

when set like this:

          port 1      port 2
vlan1     untagged    untagged
vlan10    excluded    tagged

Connecting to the vlan1 wireless SSID on port 2, I can't even get an IP address from the router (the DHCP request can't even come through port 2 because it's saying vlan1 packets have to be untagged?).

Connecting to the vlan 10 wireless SSID on port 2 gets a DHCP address and can only get to the web, so that's good.

If I change the membership to:

          port 1      port 2
vlan1     untagged    tagged
vlan10    excluded    tagged

Connecting to both SSIDs on port 2 will get you a DHCP address, and vlan1 devices can get into port 1, but trying to admin the wireless access device on port 2, or even pinging it, now fails - 'cause the router gatekeeper says if you want to come through port 2, your packets have to be tagged? And the packets from port 1 to port 2 are untagged?

If I change the membership to:

          port 1      port 2
vlan1     tagged      tagged
vlan10    excluded    tagged

Connecting to both SSIDs on port 2 will get you a DHCP address, but replies from the wired PC on port 1 / vlan1 can't get back out of port 1 'cause the router gatekeeper says if you want to leave through port 1, your packets have to be tagged? And the ping reply is coming from a device with untagged packets? Although the devices on vlan1 / port 1 CAN get on the web with their untagged packets.

The wireless device says it supports 802.1q:

http://www.engeniustech.com/resources/EAP300_DataSheet_v2.1.pdf

When they say port 2 / vlan 1 tagged, is it saying packets coming in FROM devices on that port have to be tagged? Or packets going TO devices on that port have to be tagged? Or both directions?

Any advice?

Bump - anyone have advice?

Hi Mike, I'd recommend giving Engenius a telephone call. If the AP is 802.1q compliant, 802.1q states there is a native vlan (untagged member) and any additional vlans which would like to be a member of the link should be tagged. There are exceptions to every rule, however, this is generally how it works and most APs do not allow much modification for link setup.

The port 1 of your router is not in question at all. The port should be configured as 1 untagged. An unmanaged switch can't understand vlan tags and most computers can't tag vlans on their NIC so it's a moot point.

So, as long as the router port is 1u, 2t the Engenius should also be 1u, 2t.

-Tom
Please mark answered for helpful posts
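
Added example, not part of the original thread: a small Python model of the tagged/untagged agreement discussed above, run against the first two membership tables posted in the thread and using VLAN 10 for the guest network as in the original question. It assumes, from the posts, that the access point tags both SSIDs and leaves its management traffic untagged; the function names and the strict matching rule are illustrative, not RV110W or EnGenius behaviour.

```python
# Simplified model (assumption): a VLAN works across a link only when the
# router port and the attached device agree on whether that VLAN's frames
# carry an 802.1Q tag, since the setting governs both what the port sends
# and what the device expects to receive.
# "U" = untagged member, "T" = tagged member, "X" = excluded.

def link_ok(port_mode, device_mode):
    """True when frames for one VLAN pass in both directions on a link."""
    return port_mode in ("U", "T") and port_mode == device_mode

def evaluate(router, devices):
    """router: {port: {vlan: mode}}; devices: {name: (port, vlan, mode)}."""
    return {name: link_ok(router[port].get(vlan, "X"), mode)
            for name, (port, vlan, mode) in devices.items()}

def guest_confined(router, guest_vlan, allowed_ports):
    """True when the guest VLAN is a member only of the allowed ports."""
    return all(modes.get(guest_vlan, "X") == "X" or port in allowed_ports
               for port, modes in router.items())

# Membership tables as posted in the thread (ports 1 and 2 only).
FIRST = {1: {1: "U", 10: "X"}, 2: {1: "U", 10: "T"}}
SECOND = {1: {1: "U", 10: "X"}, 2: {1: "T", 10: "T"}}

# Assumed AP behaviour as described in the posts: both SSIDs tagged,
# management interface untagged.
AP_AS_POSTED = {
    "wired PCs": (1, 1, "U"),
    "AP management": (2, 1, "U"),
    "SSID Private": (2, 1, "T"),
    "SSID public": (2, 10, "T"),
}
# Assumed AP behaviour once VLAN 1 is its native (untagged) VLAN.
AP_NATIVE_VLAN1 = {**AP_AS_POSTED, "SSID Private": (2, 1, "U")}

if __name__ == "__main__":
    cases = [("first table, AP as posted", FIRST, AP_AS_POSTED),
             ("second table, AP as posted", SECOND, AP_AS_POSTED),
             ("first table, AP native VLAN 1", FIRST, AP_NATIVE_VLAN1)]
    for label, router, ap in cases:
        print(label, evaluate(router, ap),
              "guest confined:", guest_confined(router, 10, {2}))
```

Under these assumptions the model reproduces the two failures reported for the first and second tables, and only the pairing where both ends treat VLAN 1 as untagged and VLAN 10 as tagged passes every check while keeping the guest VLAN off port 1.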
