Isolate ports on SG200-8

Hello

I have 2 VDSL links that I'm sharing between 9 users. I have a RV082 connected to the two VDSL modem/routers. Some of the users are connected directly to the RV082 and some are behind a SG200 switch. I'm able to isolate the LAN ports from each other on the RV082 but not on the SG200 even though the SG200 is supposed to handle VLANs in a more sophisticated way (IEEE 802.1Q) than the RV082. Is it possible to achieve what I want with these two devices or do I need to replace one of them?

The goal is to isolate the users so that what they do on their own LAN cannot interfere with the others. One user just brought down the net by plugging the LAN side of his router towards my switch, creating a DHCP conflict.

Thanks,


Tom Watts, VIP Alumni

Hi Jone, I see several kind of interesting pieces of information. One problem is if one of those 9 users wants to use their own router, they would need that router to be on a different LAN subnet than your RV082 (double NAT). When they connected that router, they certainly used a LAN port and not the WAN port, hence causing problems.

The RV082 supports port based VLAN. 802.1q essentially specifies VLAN tagging. It is 2 different languages per se. A thing you could do is set up port security and essentially force those users to use the same devices connecting to their designated port; see Chapter 10 of the admin guide, "port security".

http://www.cisco.com/en/US/docs/switches/lan/csbss/sg200/administration_guide/78-19562.pdf

Another idea: you could make DHCP reservations for the connecting clients on the RV082, map their MACs to IP addresses to force the known clients to associate to those leases, and then constrict the DHCP scope to service your needs only.

If you're looking for new hardware, I might recommend the RV220W or RV320W to support the 802.1q VLANs and access lists if you want greater control.

-Tom
Please mark answered for helpful posts

Thank you for your answer Tom!

Sorry for asking more questions, but this does not seem crystal clear for me.

You mention double NAT as it is a problem. Is it? All users have set up a Wlan router of their own choice.

If I was to use port security, how would that help? On most (all?) routers the LAN and WAN MAC address would be the same and one of the users could still connect a router LAN port to my network.

If I add all connected devices to the Static IP list, will those devices always connect to the RV082 and ignore other DHCP servers that may be present if a user messes up again?

If I go for RV320, I will create 9 VLANs on the router, tag 4 of them to LAN1, 5 of them to LAN2, and on the two switches I will have 4 and 5 VLANs tagged to the port that goes to the router, and then one VLAN untagged to each LAN port to the 9 users. Is that correct? All users will be protected from each other and this will be a more secure solution than with the RV082?

After reading about the RV320, purchasing the RV082 seems like a mistake...

Hi Jone, double NAT is not necessarily an issue. It's simply a caveat. You (whoever) could have some common functionality hurdles. Such as port forwarding, VPN, etc.

For port security, you can essentially force a person to use only a specific device or a specific amount of devices per port by limiting either the specific MAC addresses or the specific number of MAC addresses.

The last question is kind of interesting, as there isn't a guarantee which DHCP server a host would reply to. But I do think it'd help.

The RV320 router is certainly an enticing product with a good feature set.

Here is the device emulator page

https://supportforums.cisco.com/community/netpro/small-business/onlinedemos

Here you can see a lot of the Small Business offerings and how to configure them from a mock-up GUI. It's not perfect but it's darn near close.

Edit- Another thought, unfortunately the SG200-8 doesn't support this feature but... another thing you could do is grab a 10-port SX300 switch and use "protected ports". Enable the feature on every port of the switch and none of the ports communicate with each other.

-Tom
Please mark answered for helpful posts
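The outage in the question was a second DHCP server appearing on the shared LAN, and Tom notes above that reservations alone do not guarantee which server a host will accept. The following is an added example (not from the original thread or any Cisco tool) that parses raw DHCP payloads and flags any DHCPOFFER whose server identifier (option 54) is not the one authorized server; the addresses and packets are constructed samples, and the authorized server IP is an assumed placeholder for the RV082.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that starts the options field
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END, DHCPOFFER = 53, 54, 0, 255, 2


def parse_dhcp(packet: bytes) -> dict:
    """Parse a raw BOOTP/DHCP payload (the UDP body) into header fields and options."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    yiaddr = str(ipaddress.IPv4Address(packet[16:20]))  # address the server is offering
    chaddr = packet[28:28 + hlen].hex(":")              # client MAC the offer is addressed to
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option %d" % packet[i])
        length = packet[i + 1]
        options[packet[i]] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}


def find_rogue_offers(packets: list, authorized_server: str) -> list:
    """Return (server_id, offered_ip, client_mac) for each DHCPOFFER whose
    server identifier (option 54) is not the one authorized DHCP server."""
    rogue = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        opts = msg["options"]
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]) or OPT_SERVER_ID not in opts:
            continue  # only OFFERs identify a server; ignore DISCOVER/REQUEST traffic
        server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
        if server != authorized_server:
            rogue.append((server, msg["yiaddr"], msg["chaddr"]))
    return rogue


def build_offer(xid: int, client_mac: bytes, yiaddr: str, server: str) -> bytes:
    """Build a minimal DHCPOFFER (constructed sample for the demo, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)       # op=BOOTREPLY, htype=Ethernet
    hdr += b"\0" * 4 + ipaddress.IPv4Address(yiaddr).packed    # ciaddr, yiaddr
    hdr += ipaddress.IPv4Address(server).packed + b"\0" * 4    # siaddr, giaddr
    hdr += client_mac.ljust(16, b"\0") + b"\0" * 192           # chaddr (16), sname (64), file (128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server).packed
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])
```

Feeding it the DHCP payloads from a capture on the uplink port (for example from a mirror or a `tcpdump -w` file, with the UDP bodies extracted) gives a list of every server other than the RV082 that answered a client, which is exactly the condition behind the outage described in the question.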

Thanks again Tom. I missed your "edit" but just found out through a lot of googling that "Private VLAN Edge (PVE), also known as protected ports" was the way to go. The RV320 has only 7 VLANs, so RV320 and 2 X SB 200 would not solve it for me.