Go Premium for a chance to win a PS4. Enter to Win


Cisco / netgear VLAN issue router switch: what would you recommend?

Posted on 2013-02-07
Medium Priority
Last Modified: 2013-02-18
Trying to set up what I thought was simple: a  Cisco RV110W wireless router and a Ubiquiti Unifi access point with 2 SSIDs:

1 (with password) to access wired desktops and server along wiht internet

1 without a password that would only be able to access the internet.

We were able to configure the wireless router to achieve this when you connect to the wireless in the router. But the router isn't where they want to offer the wifi. We have not been able to resolve this issue with the unifi (although I have 99.9999% confidence it is not a wireless access point issue. We tried with engenius with the same failed results.

We got a Netgear GS105E switch, connected it to the Unifi and seems to accomplish what we want, at least in our lab.

The difference in the Netgear vs. Cisco VLAN settings appears to be that the netgear will tag the untagged packets (coming from the wired desktops) for the private VLAN. The cisco appears to allow untagged packets onto 1 vlan, but that isn't working, at least for us.

We can use the switch connected to the router, but I would like to have just 1 device, a router, that allows VLAN configuration. Would anyone have a recommendation?

What we set up when testing the netgear or when it was just the Cisco:

Port 1 connects to the wired desktops with a 16 port unmanaged switch and these packets are untagged
Port 2 connects to the Unifi access point set up:
    SSID closed has a WPA password and is on vlan 10
    SSID open has no password and is on vlan 20

For the cisco, the wan port connects to the internet

For the netgear switch, port 3 connects to the cisco, with all vlan settings turned off on the cisco.  The netgear is set as follows:
    VLAN 10 is ports 1, 2, 3
    VLAN 20 is ports 2, 3
    PVID is turned on for port 1 and tags those untagged packets with VLAN 10

It seems that last step of allowing untagged and vlan 10 packets on different ports to talk back and forth is where the cisco breaks. Would anyone know what I need to do or what hardware to replace this with?
LVL 21

Accepted Solution

Rick_O_Shay earned 2000 total points
ID: 38864774
I am not sure I get what you are doing here. Can you draw this out for a better idea of how it is being configured?

I think you are trying to get the UniFi AP's VLAN traffic up to and then through the core router and out to the internet for the guests and full access for the employees.

I would say that that would require tagging of both VLANs on all ports in the path up to where the routing is being done. Once there you should be able to control access with ACLs or policies/rules for the two IP networks.

I don't know if those APs have built-in guest networking which might streamline configuring things for you.

Author Comment

ID: 38866057
Rick - your second paragraph says what I want much clearer than I did.  Thanks!

when you say 'full access', I am meaning that would be to allow people on the wireless (on port 2, vlan 10 / closed SSID) to get to the devices on port 1.

'require tagging'.  Right.  data coming from the open and closed SSIDs DO get tagged.  but then data from port 1 - all the desktops, they are untagged.  And I am realizing - what about the IP of the unifi itself?  to talk to that, those are untagged packets coming from port 1 and its replies are untagged also

Correct my thinking, please.  There's a VLAN membership page on the cisco router and it looks like this:  

VLAN ID Description           Port 1     Port 2         Port 3       Port 4  
 1             Default              Tagged   Untagged Untagged Untagged  
 10            closed             Untagged   Tagged   Tagged        Tagged  
 20              open               Excluded   Tagged  Tagged        Tagged

the router is the DHCP server
for vlan 1, it gives out addresses
               10 gives out
                20 gives out

Wireless devices coming through the wireless access point using the open SSID on port 2 are allowed through the port 2 of the router (since they are tagged 20) and get addresses

Same for wireless devices using the closed SSID - they are tagged 10, allowed to go through port 2 of the router and get addresses.

the wired devices on port 1 get a address because that membership table is saying untagged packets coming into? Through? port 1 are are on vlan 10.  

Those 3 things work fine.  But those untagged packets (treated as vlan 10) from port 1 are not allowed into port 2 / wireless devices because they are not tagged?  and vice versa, since port 2 packets are tagged vlan 10, they are not allowed into port 1, even though they should be. But they are tagged vlan 10 and that membership table doesn't allow tagged packets into port 1?

The problem is resolved witt the netgear switch because it lets you tag the untagged packets to make them true  tagged vlan 10 packets.  From the netgear docs:

A Port Default VLAN ID (PVID) is a VLAN ID tag that the switch assigns to data packets it receives that are not already addressed (tagged) for a particular VLAN group. If you have a computer on port 6 and you want it to be a part of VLAN group 2, configure port 6 to automatically add a PVID of 2 to all data received from the computer. This ensures that the data from the computer on port 6 can only be seen by other members of VLAN group 2.

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses
Course of the Month6 days, 15 hours left to enroll

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question