WRVS4400N - Can't seem to isolate VLANs

Hello.  Recommended a WRVS4400N router for a client of mine due to its multiple SSID and VLAN support, but I'm unable to make it do what I thought would be very easy.  I wonder if anyone can shed any light on the error of my ways.

Here's the story (names and IPs changed for privacy reasons):

Site has five fixed IP addresses from its Internet provider.  One of the IPs goes to a router (Cisco 800 series) and supports a local area network for the business (including VPNs to other sites, etc. - none of which is all that important to this discussion).  There is a server on the LAN and that server provides DHCP service, assigning addresses in the 192.168.200.x range.

A second fixed outside IP address is used as the WAN address on the WRVS4400N, and provides an unsecured, public WiFi service for customers on site.  The LAN side of that network is assigned addresses in the 192.168.100.x range by the DHCP server built in to the router.

So far, so good.

But now, what I want to do is create a second wireless "identity" for the router that essentially makes it an access point, giving authorized people (with the right password) access to the internal, 192.168.200.x network.  So: I enabled VLAN functionality on the router and created a second VLAN.  Now, VLAN1 is the public network, mapped through to the 192.168.100.x addresses.  VLAN2 is the private network, the idea being that it will be used for access to the private, internal network.

I created two SSIDs for the router, WiFiPublic and WiFiPrivate.  WiFiPublic (with no security) was assigned to VLAN1.  WiFiPrivate (with WPA security) was assigned to VLAN2.  In the LAN side settings for VLAN1, I specified a router address of 192.168.100.1, and turned on DHCP distribution for the IP range 192.168.100.101 through 192.168.100.199.  In the LAN side settings for VLAN2, I specified a router address of 192.168.200.250, and turned DHCP off.

Finally, I assigned all four LAN ports in the router to VLAN2. I tried a variety of ways to do this, and am pretty sure I set them so that the ports should have been associated only with VLAN2.  Then I took a patch cable and patched one of the LAN ports (now part of VLAN 2) to the internal network switch (the LAN side of the other router).

So here's what I expected this configuration to do:  If you connect a wireless device to the WiFiPublic SSID, it should be a part of VLAN1, which means it should get an IP address in the 192.168.100.101-199 range with a gateway of 192.168.100.1 (the wifi router's LAN address in VLAN1).  People connected to this SSID would not "see" the 192.168.200.x network, because that network is in VLAN2.  If you connect a wireless device to the WiFiPrivate SSID (with the correct password), it should be a part of VLAN2, which means it should see the DHCP server out on the internal LAN, which will assign it an IP address in the 192.168.200.10-192.168.200.99 range (that's what the server's DHCP service hands out) and a gateway address of 192.168.200.254 (the address of the 800 series router).  Thus, the WiFiPublic network is separate from the WiFiPrivate network, and people connecting to the private network can access internal systems but people connecting to the public network cannot.

That's what's SUPPOSED to happen.

What seems to happen instead is that the four LAN jacks are NOT isolated from VLAN1.  The DHCP service provided in the internal, private network "bleeds through" to VLAN1, so that people connecting to WiFiPublic end up getting a PRIVATE IP address in the 192.68.200.x block, and further, they can see (ping, etc.) all the machines hardwired on the local LAN.  Furthermore, after a time, the DHCP server on the private network apparently detects the presence of the Public DHCP server inside the WRVS4400N, which "bleeds through" to VPN2.  This causes the internal DHCP server to shut down, because it thinks there's a duplicate DHCP server on the network.

So.  What am I doing wrong?  This seemed like a pretty simple thing.  But it doesn't appear to work at all.

Any thoughts?

What I expect to happen under this configuration is that
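A quick way to verify the isolation the post expects, as an added example that is not from the original thread or from Cisco: it checks constructed DHCP OFFER observations per SSID against the VLAN-to-subnet plan the poster described and flags the two symptoms reported (leases from the wrong segment on an SSID, and more than one DHCP server answering on one SSID). The private DHCP server's address (192.168.200.5) and the one-line observation format are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Intended segmentation as the poster described it: SSID -> VLAN -> subnet.
VLAN_PLAN = {
    "WiFiPublic":  {"vlan": 1, "subnet": ipaddress.ip_network("192.168.100.0/24")},
    "WiFiPrivate": {"vlan": 2, "subnet": ipaddress.ip_network("192.168.200.0/24")},
}

# Assumed observation format (not a real tool's output): "<ssid> OFFER server= yiaddr= router="
OFFER_RE = re.compile(
    r"^(?P<ssid>\S+) OFFER server=(?P<server>\S+) yiaddr=(?P<yiaddr>\S+) router=(?P<router>\S+)$"
)

def parse_offer(line):
    """Parse one DHCP OFFER observation into addresses; return None if malformed."""
    m = OFFER_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ssid": d["ssid"],
            **{k: ipaddress.ip_address(d[k]) for k in ("server", "yiaddr", "router")}}

def audit_offers(lines):
    """Return (ssid, kind, detail) findings: any offer field outside the subnet planned
    for that SSID's VLAN is 'bleed-through'; an SSID that saw more than one DHCP
    server is 'duplicate-dhcp' (the condition that made the poster's server shut down)."""
    findings = []
    servers_seen = defaultdict(set)
    for line in lines:
        offer = parse_offer(line)
        if offer is None or offer["ssid"] not in VLAN_PLAN:
            continue
        plan = VLAN_PLAN[offer["ssid"]]
        servers_seen[offer["ssid"]].add(offer["server"])
        for field in ("server", "yiaddr", "router"):
            if offer[field] not in plan["subnet"]:
                findings.append((offer["ssid"], "bleed-through",
                                 f"{field}={offer[field]} outside VLAN{plan['vlan']} {plan['subnet']}"))
    for ssid, servers in servers_seen.items():
        if len(servers) > 1:
            findings.append((ssid, "duplicate-dhcp",
                             "multiple DHCP servers answered: " + ", ".join(sorted(map(str, servers)))))
    return findings

# Constructed observations: one correct and one leaked offer per SSID. 192.168.200.5 is an
# assumed address for the internal DHCP server, which the thread does not give.
SAMPLE_OFFERS = [
    "WiFiPublic OFFER server=192.168.100.1 yiaddr=192.168.100.105 router=192.168.100.1",
    "WiFiPublic OFFER server=192.168.200.5 yiaddr=192.168.200.37 router=192.168.200.254",
    "WiFiPrivate OFFER server=192.168.200.5 yiaddr=192.168.200.41 router=192.168.200.254",
    "WiFiPrivate OFFER server=192.168.100.1 yiaddr=192.168.100.120 router=192.168.100.1",
]

if __name__ == "__main__":
    for ssid, kind, detail in audit_offers(SAMPLE_OFFERS):
        print(f"{ssid}: {kind}: {detail}")
```

A clean deployment should yield no findings at all; on the setup in the post, the public SSID shows offers from the private segment and both SSIDs show two servers.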


qumartin
Level 1

Hello

I have read the information a few times and am just trying to get a complete understanding of your problem.

When setting up the second SSID, did you go and set up under "wireless" ==> "vlan and QoS" the VLAN id for each SSID?

screenshot of the location:

Also, under advanced routing, do you have the inter-VLAN routing "enable" or "disable"?  When this is enabled it will allow the two VLANs to see each other. Disabled, it will not allow them to see each other. It is enabled by default on the router. Here is another screenshot of what it looks like:

Thanks

Q

My apologies for not responding sooner; I did not have access to the router for a while and couldn't be certain of my answers to your questions.

But, unfortunately, I have confirmed that the settings are as you specified -- Inter VLAN routing was disabled, and yes, I specified VLAN 2 for the second SSID and VLAN 1 for the first.

I read something somewhere where it was suggested that the four ethernet (LAN) ports on this router were always implicitly part of VLAN 1 no matter how you configured things.  Is there any truth to this?  Would this work better if I made VLAN2 the public network and VLAN1 the private/internal one?

I have the exact same problem with my WRVS4400n.  I have just found out that these routers will bleed DHCP when DHCP is coming from anything else besides the routers themselves.  So, unless you use the WRVS4400n to provide DHCP, instead of a DHCP server on your network, this is not possible.  Cisco is not calling it a "bug", but a feature limitation and is not correctable with a firmware update.  This model is a carryover from the LinkSys purchase and I believe Cisco wants you to purchase their more expensive business class routers.

Michael,

Thanks very much for that.  The information is very disappointing, obviously, but at least I don't feel like I'm losing my mind anymore.  The lack of help from Cisco here does not bode well, either.

The thing is, whether it originated in the Linksys line or not, this is not an inexpensive, consumer grade router.  It's at least three times the price of a consumer grade router and it's advertised as a small business device.  Cisco's refusal to acknowledge this as a bug and offer a fix for it is dismaying, to say the least.

Do you have anything in writing (e-mail, etc.) from Cisco support that you could share with me so I could officially complain about this?  I am an authorized Cisco reseller and my distributor rep is always calling me on the phone asking me how I am doing with Cisco products and if there's anything he can do to help me sell more.  I do believe I might suggest to him that he could help me sell more of these by getting someone at Cisco to make them work as advertised.  I don't know if that will get me anywhere (probably not), but perhaps if enough people complain about this sort of thing, it might eventually reach somebody at Cisco who actually cares what people think.  Any info you could provide to help me in this endeavor would certainly be appreciated.

Yes, check the 4th post in this thread:

https://supportforums.cisco.com/thread/2071274
