Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2779
Views
0
Helpful
5
Replies

VLAN 101 basics for RV110W RV220W RV215W and others

feetsdr88
Level 1
Level 1

‎07-07-2013 09:33 AM

I've been bashing my head against the wall trying to do, what I think are, basic things with a vlan with these boxes.  I got it working once on a 110W a while ago, but not really sure how or why it is working / can't recreate it on the RV215W.

At its simplest, I have a server on port 1 of the router, with IP of 192.168.5.2. It and PCs are tied into a switch and working on the 192.168.5.0/24 subnet.

I connect a ubiquiti unifi wireless access point on port 2.  It can do 2 seperate SSIDs, each with its own vlan.  So let's call the SSIDs 5 and 10.  5 has a password. If you know that password / you connect to ssid 5 and can get on the web AND access the machines on port 1 (and would get an IP address of 192.168.5.0/24).  the public SSID of 10 would get IP of 192.168.10.0/24

So SSID / VLAN / subnet 5 is to for the office people to access the server

SSID / VLAN / Subnet 192.168.10.0 is for guests and to keep them from getting to the server.

How do you set up the RVxxxW to allow this?

For ubiqiiti unifi, there is a controller installed on the server (on the .5 subnet) that talks to the access points.  So the untagged packets on port 1 have to get to port 2 to get to the WAP.

I had to enable interVlan routing.  Doesn't that allow the .10 users (on port 2) to get to the .5 server on port 1?

In the instance I got working, I wound up having 3 VLANS - 1, 5, 10.  The 1 VLAN gave out 1.0 subnet IPs and the acecss points show they have the .1 IPs.  that is working but not sure how I came up with that and why there needs to be 3 subnets? 

And on the RV215W I am working with no, it has intervlan check boxes for each VLAN.  Which to check and which to uncheck?

I have locked myself out of / rebooted the RV215W too many times already : ). 

How can I ensure not to lock myself out?

THANKS!!

Labels:
0 Helpful
5 Replies 5

Kremena Ivanova
Cisco Employee
Cisco Employee

‎07-08-2013 03:39 AM

Hi Mike,

By default RV215W is configured for VLAN1 with IP 192.168.1.1 and DHCP server in that range.

You need to start the VLAN configuration from the router. If you are planning to use VLAN5 and VLAN10 you need to configure them in the menu VLAN membership and to assigne them to the ports.

For example port 2, where the access point is plugged, needs to be configured for VLAN5 - untagged and VLAN10 - tagged. Thus the AP will take an IP from VLAN5, you need to Exclude VLAN 1 on every port if you are not planning to use it.

Are you planning to have access from VLAN5 to 10 and vice versa. Also is there a DHCP server for both VLANs?

Regards,

Kremena

0 Helpful

feetsdr88
Level 1
Level 1
In response to Kremena Ivanova

‎07-09-2013 01:11 PM

Kremena;  Thanks for the reply.

Yes, I set up the 2 VLANs 5 and 10 in the lan configuration page.

Let's keep it simple and let the router do DHCP for both.

As for LAN membership, that's where I get confused.

Port 2 has the access point.  Packets from that will be untagged and yes, we need to talk to it from devices on port 1.  THe port 1 devices are untagged also, if I am not mistaken.

So on port 2 there are 3 types of data

untagged to / from the access point that should be able to get to port 1 devices

tagged vlan5 that should be able to get to the port 1 devices

tagged vlan10 that should NOT be able to get to port 1 devices.

Wth just 2 subnets / vlans, you can't have those  3 types of data, right? 

because based on what you say -

               port1               port 2      

vlan 1         ??               ??

vlan 5       untag            untag

vlan 10     block             tag

packets from port 2 that are tagged vlan 5 can't get out of port 2 if it's set to untagged as you mention above?!

Is thatt why I came up with 3 subnets / 3 vlans on the other network?

vlan 1 is subnet 192.168.1.0

vlan 5 is subnet 192.168.5.0

vlan 10 is subnet 192.168.10.0  for guests and kept off port 1

Then

          port1          port2

vlan1     untag          untag

vlan 5     tag               tag

vlan 10     block          tag

then the access point gets a vlan 1 IP address, people with the password through the access point get a vlan 5 / 5.0 IP address and can talk to the hardware on the port1 devices (but wait? the devices on port 1 have 5.0 IP addresses. and are untagged.  whill they get to talk to port 2's vlan 5 5.0 devices?  Or is that where interVLAN routing comes into play?

My head is spinnging!!

0 Helpful

Kremena Ivanova
Cisco Employee
Cisco Employee
In response to feetsdr88

‎07-10-2013 02:08 AM

Hi,

For the last sentence i agree :-)

Just to be sure that we are on the same page, some theory: VLAN Tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN (Virtual Local Area Network) the packet belongs to. More specifically, switches use the VLAN ID to determine which port(s), or interface(s), to send a broadcast packet to.

"packets from port 2 that are tagged vlan 5 can't get out of port 2 if it's set to untagged as you mention above?!" - whether a VLAN will be tagged or not when going out of the port is decided by the configuration of that particular port - Tagged/Untagge. The tagging is done on the outgoing port of the router, the AP and the switch and not before that. Those devices needs the tag on the incoming packets to decide to which VLAN the trafic belong and based on that where to send it. Most of the network cards of the PCs does not support tags and disregard incoming packets which are tagged.

Whether a device from one VLAN will communicate with device from another VLAN depends (in that particualr case) from the option - interVLAN routing

Then

          port1          port2

vlan1     untag          untag

vlan 5     tag               tag

vlan 10     block          tag

with that configuration the AP has an IP address from VLAN 1, because his management VLAN is 1 and the hosts, connected to the wifi, receive an IP addres from VLAN 5, because when you created the SSID you assigned it to VLAN 5.

I just assume that there is a switch connected to port 1. If it is so with that configuration the switch itself will have an IP from VLAN 1 and according to his configuration the users attached may have IP from VLAN 5 or 1

To be more clear, it will be good if you can send your topology with the IP addresses.

Regards,

Kremena

0 Helpful

feetsdr88
Level 1
Level 1
In response to Kremena Ivanova

‎07-17-2013 08:10 AM

https://www.dropbox.com/sh/6fr2nytlgshb6sn/HXnAqK-KXX please see the attached 2 pictures.  part 1 is what I am looing for here.  part 2 builds on that and asks - can a private network PC be connected to a switch which also has one of the WAPs?  That location doesn't have a spare cat 5 port.  can you configure the port the switch connects to so that it still gives out 2 different subnets depending on ssid - password protected gets to talk to the .16 subnet.  ssid with no password only gets on the web.

the switches are all UNMANAGED / do not have IP addresses

thanks!

0 Helpful

Kremena Ivanova
Cisco Employee
Cisco Employee
In response to feetsdr88

‎07-18-2013 12:16 AM

Hi,

Unmanaged switches don't have a way to define or manage VLANs nor do they support VLAN frame tagging for trunk support

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents