Solved: RV220W - Setting Up VLANs Help

Fireman1224 · ‎08-15-2013

Hello,

I am new to VLANs and wanted some feedback as to how I have the router set up prior to deployment. I have 5 VLANs set up as follows:

VLAN ID	Description	InterVLAN Routing	Device Management	Port 1	Port 2	Port 3	Port 4
1	Default	Enabled	Enabled	Untagged	Untagged	Untagged	Untagged
2	Office	Disabled	Enabled	Tagged	Tagged	Tagged	Tagged
3	USDA	Disabled	Enabled	Tagged	Tagged	Tagged	Tagged
4	Cameras	Disabled	Enabled	Tagged	Tagged	Tagged	Tagged
5	Guests	Disabled	Enabled	Tagged	Tagged	Tagged	Tagged

The USDA and Cameras VLAN will be on the same port with an unmanaged switch (I was planning on using MAC filtering to differentiate) and the Office VLAN will go to another unmanaged switch (using MAC/IP reservations here), the Guests VLAN was going to be used for the Guest Wifi only, keeping this completely seperate from the other networks.

Is there a better way to configure or do I need to make any further adjustments?

Any help is greatly appreciated!

Fireman1224

trgood · ‎08-19-2013

Hi Dwight,

I don't see why you would need that other router as you still have Port 4 you could use ( based on what you've written above) for the USDA VLAN. If the device on the USDA needs to be reached externally a DMZ would probably be the best bet. Otherwise this looks fine assuming those two different office ports are only connected at the RV. Yes it is a good idea to exclude any VLANs on interfaces you don't want them on.

-Trent Good

** Please rate useful posts! **

-Trent Good ** Please rate useful posts! **

View solution in original post

trgood · ‎08-15-2013

Hi Dwight,

You may want to look into VLAN Tagging. On the RV Device( and in general) you can only have 1 untagged VLAN per interface. In order to transfer multiple VLANs you would need a trunk with 1 untagged VLAN and 1 tagged VLAN which is as you have configured now. However, unmanaged switches don't recognize tagging. Therefore, all tagged traffic will probably be dropped.

You will need to have either 1 unmanaged switch for each VLAN or plug multiple interfaces from the RV into an unmanaged switch(this is a bad idea as it will cause security issues).

Also, if you have a managed switch you can use just one interface from the RV to transmit multiple VLANs.

-Trent Good

** Please rate useful posts! **

-Trent Good ** Please rate useful posts! **

Fireman1224 · ‎08-15-2013

Ok, using two unmanaged switches to support the office computers and an office wifi SSID, running a separate line for the camera system, running a separate line for the USDA computer, and associating the Guest VLAN only to the Guest wifi, how would you configure the VLANs? Or do I have it basically set up correctly?

Thanks for the help!

trgood · ‎08-16-2013

Hi Dwight,

If you only have one PC that you want on the USDA VLAN than you can run a line straight from the RV into that PC. However, if you want to be able to reach the USDA from the office I would enable inter vlan routing.

I would have the following configuration:

Port 1 as an access port has Office VLAN 2 Untagged(PVID). (this connects to an unmanaged switch for office items.)

Port 2 as an access port has USDA VLAN 3 Untagged(PVID). (connects directly to USDA Computer)

Port 3 as an access port has Camera VLAN 4 Untagged(PVID). (connects to an unmanaged switch for cameras.)

Than on the same page assign the Guest SSID for VLAN 5 Guest.

If you have an office VLAN I would assign the SSID for the Office VLAN 2.

Let me know if you have any further questions!

-Trent Good

** Please rate useful posts! **

-Trent Good ** Please rate useful posts! **

Fireman1224 · ‎08-16-2013

Thanks for the advice!

I am going to set it up as described, except I am going to eliminate USDA. There was an additional router at the location, so I am going to use this as another LAN attached to the remote switch to act as the USDA VLAN. Also, we will run another cable directly to the router, as you suggested for the cameras. Do you think I should place the second router in the DMZ on the RV220W? Just a thought, but don't want a security hole either being that it is just a Dlink DIR-615.

In order to designate the ports properly, do I need to exclude the ports not associated with the VLAN? For example:

VLAN ID - 1
Name - Office
Port 1 - Untagged (going to switch for office computers)
Port 2 - Untagged (going to remote switch for other office computers)
Port 3 - Excluded
Port 4 - Excluded

VLAN ID - 2
Name - Cameras
Port 1 - Excluded
Port 2 - Excluded
Port 3 - Untagged (New cable to be run)
Port 4 - Excluded

Thanks again!

trgood · ‎08-19-2013

Hi Dwight,

I don't see why you would need that other router as you still have Port 4 you could use ( based on what you've written above) for the USDA VLAN. If the device on the USDA needs to be reached externally a DMZ would probably be the best bet. Otherwise this looks fine assuming those two different office ports are only connected at the RV. Yes it is a good idea to exclude any VLANs on interfaces you don't want them on.

-Trent Good

** Please rate useful posts! **

-Trent Good ** Please rate useful posts! **

Fireman1224 · ‎08-19-2013

Trent,

Thanks so much for your assistance!

I only have enough cable to run one more line, that's why I used the Dlink router. I need to run the Cameras off of the router on a separate VLAN, then configure it for remote access. I don't really care about the USDA computer, so being outside the firewall (DMZ) is not of my concern, I just didn't want to create a security hole for our network.

Thanks again!

Dwight

Sent from Cisco Technical Support iPad App