Cisco Small Business Equipment VLAN Security Question

mschubert1990
Level 1

Hi, I have an RV220W router and a SG200-18 switch. I'm trying to configure my network to be as secure as possible...

The RV220W has the following VLAN configuration:

Port 1: Manage, DMZ, Business, Test, Diag, Home, and Nowhere (untagged)

Port 2-4: Unused (untagged) and DISABLED

All ports have been excluded from the default VLAN

The SG200-18 has the following VLAN configuration:

Port 1 (Trunk): Manage, DMZ, Business, Test, Diag, Home, and Nowhere (untagged)

Port 2-17 (Access): Unused (untagged) and DISABLED

Port 18 (Access): Manage (untagged) *being used to configure and manage the switch and router from a pc

All ports have been excluded from the default VLAN

I've set this up following the guidelines in the Cisco security best practices: http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf

My question regards hardening my network from the Double-Encapsulated 802.1Q/Nested VLAN Attack. The whitepaper suggests disabling the Native/untagged VLAN from all trunk ports... Unfortunately the RV220W seems to require an untagged VLAN on every port (it won't allow me to have only tagged VLANs)... Can anyone suggest a more secure configuration given what I'm working with?

Thank you!

P.S. the switch allows me to configure a port in "General" mode where I can configure the Frame Type to "Admit Tagged Only" to only allow tagged traffic... I'm not sure if this would increase security??


7 Replies

jeffrrod
Level 4

Dear Marc,

Thank you for reaching the Small Business Support Community.

I see no better way to prevent this Double-Encapsulated 802.1Q/Nested VLAN Attack on the SG200 than excluding ports from the native VLAN, which you already did, and changing the default VLAN to something other than VLAN ID 1. The "admit tagged only" feature definitely increases your security.

I hope this answers your question and please do not hesitate to reach me back if there is anything I may assist you with.

Kind regards,

Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer

*Please rate the Post so others will know when an answer has been found.

Hi Marc, on the RV220W you should be able to tag the vlan as you like from the drop down options.

So you should be able to tag the default/native vlan on the sg200 while running a tag packet on the router as well.

To add a new VLAN, click Add Row. Then enter these settings:

- VLAN ID—Enter a numerical VLAN ID that will be assigned to endpoints in the VLAN membership. The VLAN ID can range from 2 to 4094. VLAN ID 1 is reserved for the default VLAN, which is used for untagged frames received on the interface, and VLAN ID 4092 is reserved and cannot be used. After a new VLAN entry is saved, the VLAN ID cannot be changed.
- Description—Enter a short description to identify this VLAN.
- Inter VLAN Routing—Check the box to enable routing between this and other VLANs, or uncheck the box to disable this feature.
- Device Management—Check the box to enable this feature, or uncheck the box to disable it. This setting determines whether or not clients can access the Cisco RV220W Configuration Utility on this VLAN. To prevent access to this utility from this VLAN, disable this feature.
- Port 1-4—For each of the ports, choose one of the following options:
  - Tagged—Used when connecting to switches carrying multiple VLANs.
  - Untagged—Access ports connecting to end devices like printers and workstations.

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hi Jeff,

Thanks for getting back to me. I'm a little confused by your response... Did you mean 'excluding ports from the DEFAULT VLAN' and 'changing the NATIVE VLAN to something else'???

As well, can you explain how the "admit tagged only" feature would increase security?

Thank you.

Hi Tom,

Thank you for getting back to me on this.

I tried exactly what you suggested during the initial router configuration and the RV220W wouldn't allow me to not have an untagged VLAN on any port... When I select the native vlan for port 1 (connected to switch), which I've named: Nowhere, and select tagged and click save, it loads for a while and then says in red that there must be one untagged vlan on each port, or something like that... That's why I posted this question. I believe it is possible to set all VLANs to tagged on the switch, but I didn't try because the security best practices whitepaper said:

"In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets."

Thank you.

P.S. I'm running the latest firmware on both the router and switch. Another issue I found with the VLAN setup on the router is that I can't disable "Device Administration" on any of the VLANs. If I uncheck that option and choose save, it saves it, but then after a reboot the option is checked and enabled again... Not sure why there's an option to configure it if it can't be controlled.
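The two points raised in this thread, Jeffrey's statement that "admit tagged only" increases security and the whitepaper's rule that the native VLAN should carry no data, can be made concrete with a small model of how a switch port classifies 802.1Q frames on ingress. The following is an added example written for this page; it is not code from the thread, from Cisco, or from the SG200/RV220W firmware. The VLAN IDs (10 and 20 for data, 999 standing in for the empty "Nowhere" VLAN), the MAC addresses and the sample frames are all constructed for the example.

```python
# Added example (not from this thread or from Cisco): a model of 802.1Q ingress
# classification on a switch port, showing what "Admit Tagged Only" changes and
# why the whitepaper wants the native VLAN kept free of data traffic.
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800     # IPv4 ethertype, used here to mean "data traffic"

# Documentation MAC addresses (RFC 7042 range), constructed for the example
MAC_PC = bytes.fromhex("00005e00530a")
MAC_GW = bytes.fromhex("00005e005301")


def build_frame(dst, src, vids, ethertype, payload):
    """Build an Ethernet II frame with zero or more stacked 802.1Q tags."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [outer_vid, inner_vid, ...], ethertype, payload),
    walking every stacked 802.1Q tag rather than stopping at the first one."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != TPID_8021Q:
            break
        if offset + 2 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
    return dst, src, vids, ethertype, frame[offset:]


@dataclass(frozen=True)
class PortConfig:
    native_vid: int                  # VLAN an untagged frame is placed into
    allowed_vids: frozenset          # VLANs the port is a member of
    admit_tagged_only: bool = False  # the SG200 "General" mode frame-type setting


def classify_ingress(frame, port):
    """Model the port's ingress decision: ('drop', reason) or
    ('accept', vid, inner_vids). inner_vids is non-empty only when the frame
    carried nested tags; the switch itself only acts on the outer one."""
    vids = parse_frame(frame)[2]
    if not vids:
        if port.admit_tagged_only:
            return ("drop", "untagged frame on admit-tagged-only port")
        return ("accept", port.native_vid, [])
    outer, inner = vids[0], vids[1:]
    if outer not in port.allowed_vids:
        return ("drop", f"vlan {outer} is not allowed on this port")
    return ("accept", outer, inner)


def audit_frames(frames, port):
    """Two checks drawn from the whitepaper's advice: data traffic must not ride
    the native VLAN, and no accepted frame should carry nested 802.1Q tags."""
    alerts = []
    for i, frame in enumerate(frames):
        verdict = classify_ingress(frame, port)
        if verdict[0] != "accept":
            continue
        _, vid, inner = verdict
        ethertype = parse_frame(frame)[3]
        if inner:
            alerts.append(f"frame {i}: nested 802.1Q tags {[vid] + inner}")
        if vid == port.native_vid and ethertype == ETH_P_IP:
            alerts.append(f"frame {i}: IP data classified into native vlan {vid}")
    return alerts


# Assumed VLAN IDs: 10 and 20 are data VLANs, 999 is the empty "Nowhere" VLAN.
TRUNK_LOOSE = PortConfig(native_vid=999, allowed_vids=frozenset({10, 20, 999}))
TRUNK_STRICT = PortConfig(native_vid=999, allowed_vids=frozenset({10, 20, 999}),
                          admit_tagged_only=True)

PAYLOAD = b"\x45" + b"\x00" * 19   # constructed stand-in for an IPv4 header
SAMPLE_FRAMES = [
    build_frame(MAC_GW, MAC_PC, [], ETH_P_IP, PAYLOAD),         # untagged
    build_frame(MAC_GW, MAC_PC, [20], ETH_P_IP, PAYLOAD),       # normal tagged
    build_frame(MAC_GW, MAC_PC, [999, 20], ETH_P_IP, PAYLOAD),  # nested tags
]

if __name__ == "__main__":
    for name, port in (("admit all", TRUNK_LOOSE), ("admit tagged only", TRUNK_STRICT)):
        print(f"--- trunk port, {name} ---")
        for alert in audit_frames(SAMPLE_FRAMES, port):
            print(alert)
```

Running it shows the difference between the two port settings: with the default frame type, anything untagged that arrives on the trunk is silently classified into the native VLAN, which is exactly the traffic the whitepaper wants kept off it; with "Admit Tagged Only" that frame is dropped at ingress. The nested-tag frame is accepted in both configurations because its outer tag names a VLAN the port is a member of, which is why the audit flags nested tags separately and why the thread's choice of an empty native VLAN (no hosts in "Nowhere") matters independently of the frame-type setting.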

Hi Marc, I'd agree it should... If the router has this limitation then you'd need to move everything off the untagged vlan. So you could technically use vlan 1 native as the untagged between devices and all else on the different vlans.

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

As I have it now, the default VLAN "Default" has been excluded from all ports (on both router and switch) and I have an empty VLAN called "Nowhere" set as the untagged/native VLAN for the ports that connect the router and switch (trunk). So this is the best I can do in terms of security?

Thank you

In terms of the vlan tag/untag yes. You have to accommodate the limitation of the router.

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/