BeGentleWithMe-INeedHelp asked:
Cisco / netgear VLAN issue router switch: what would you recommend?

Trying to set up what I thought was simple: a Cisco RV110W wireless router and a Ubiquiti UniFi access point with 2 SSIDs:

1 (with password) to access wired desktops and server along with internet

1 without a password that would only be able to access the internet.

We were able to configure the wireless router to achieve this when you connect to the wireless in the router. But the router isn't where they want to offer the wifi. We have not been able to resolve this issue with the UniFi (although I have 99.9999% confidence it is not a wireless access point issue; we tried with an EnGenius with the same failed results).

We got a Netgear GS105E switch, connected it to the UniFi, and it seems to accomplish what we want, at least in our lab.

The difference in the Netgear vs. Cisco VLAN settings appears to be that the Netgear will tag the untagged packets (coming from the wired desktops) for the private VLAN. The Cisco appears to allow untagged packets onto 1 VLAN, but that isn't working, at least for us.

We can use the switch connected to the router, but I would like to have just 1 device, a router, that allows VLAN configuration. Would anyone have a recommendation?

What we set up when testing the Netgear or when it was just the Cisco:

Port 1 connects to the wired desktops with a 16 port unmanaged switch and these packets are untagged
Port 2 connects to the UniFi access point set up:
    SSID closed has a WPA password and is on VLAN 10
    SSID open has no password and is on VLAN 20

For the Cisco, the WAN port connects to the internet

For the Netgear switch, port 3 connects to the Cisco, with all VLAN settings turned off on the Cisco. The Netgear is set as follows:
    VLAN 10 is ports 1, 2, 3
    VLAN 20 is ports 2, 3
    PVID is turned on for port 1 and tags those untagged packets with VLAN 10

It seems that last step of allowing untagged and VLAN 10 packets on different ports to talk back and forth is where the Cisco breaks. Would anyone know what I need to do or what hardware to replace this with?
ASKER CERTIFIED SOLUTION
Rick_O_Shay
(solution text not available on this page: members only)

ASKER
Rick - your second paragraph says what I want much clearer than I did. Thanks!

When you say 'full access', I am meaning that would be to allow people on the wireless (on port 2, VLAN 10 / closed SSID) to get to the devices on port 1.

'Require tagging'. Right. Data coming from the open and closed SSIDs DO get tagged. But then data from port 1 - all the desktops - they are untagged. And I am realizing - what about the IP of the UniFi itself? To talk to that, those are untagged packets coming from port 1 and its replies are untagged also.

Correct my thinking, please. There's a VLAN membership page on the Cisco router and it looks like this:

VLAN ID   Description   Port 1     Port 2     Port 3     Port 4
1         Default       Tagged     Untagged   Untagged   Untagged
10        closed        Untagged   Tagged     Tagged     Tagged
20        open          Excluded   Tagged     Tagged     Tagged

The router is the DHCP server:
    VLAN 1  gives out 10.10.1.0/24 addresses
    VLAN 10 gives out 10.10.10.0/24
    VLAN 20 gives out 10.10.20.0/24

Wireless devices coming through the wireless access point using the open SSID on port 2 are allowed through port 2 of the router (since they are tagged 20) and get 10.10.20.0/24 addresses.

Same for wireless devices using the closed SSID - they are tagged 10, allowed to go through port 2 of the router, and get 10.10.10.0/24 addresses.

The wired devices on port 1 get a 10.10.10.0/24 address because that membership table is saying untagged packets coming into? Through? port 1 are on VLAN 10.

Those 3 things work fine. But those untagged packets (treated as VLAN 10) from port 1 are not allowed into port 2 / wireless devices because they are not tagged? And vice versa, since port 2 packets are tagged VLAN 10, they are not allowed into port 1, even though they should be. But they are tagged VLAN 10 and that membership table doesn't allow tagged packets into port 1?

The problem is resolved with the Netgear switch because it lets you tag the untagged packets to make them true tagged VLAN 10 packets. From the Netgear docs:

A Port Default VLAN ID (PVID) is a VLAN ID tag that the switch assigns to data packets it receives that are not already addressed (tagged) for a particular VLAN group. If you have a computer on port 6 and you want it to be a part of VLAN group 2, configure port 6 to automatically add a PVID of 2 to all data received from the computer. This ensures that the data from the computer on port 6 can only be seen by other members of VLAN group 2.
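The two mechanisms the thread keeps circling (the PVID that classifies untagged frames on ingress, and the Tagged/Untagged/Excluded membership that decides how a frame leaves each port) are the standard IEEE 802.1Q port-based VLAN rules, and they are easiest to reason about as a small model. The following Python is an added example written for this page; it is not code from the original post, from Cisco, from Netgear or from Ubiquiti, and it does not claim to reproduce what the RV110W firmware actually does. It feeds the membership table the asker posted (ports 1-4, VLANs 1/10/20) and the Netgear PVID rule quoted above through a generic 802.1Q model. The one assumption, marked in the code, is that a port's PVID equals the VLAN it is an Untagged member of, which is the usual convention on small managed switches but is not confirmed by the page for the Cisco.

```python
"""Generic IEEE 802.1Q port-VLAN model (added example; not vendor code).

Rules modelled:
  * Ingress: an untagged frame is classified into the port's PVID; a tagged
    frame is accepted only if the ingress port is a member of that VLAN.
  * Egress: a frame in VLAN V leaves every other member port of V, tagged on
    "T" ports and untagged on "U" ports; it never leaves an excluded port.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Port:
    name: str
    membership: Dict[int, str]  # vlan -> "T" (egress tagged) | "U" (egress untagged)
    pvid: Optional[int]         # VLAN assigned to frames that arrive untagged


@dataclass
class Frame:
    ingress_port: str
    vlan_tag: Optional[int]     # None = arrived untagged


class VlanSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress classification: VLAN the frame belongs to, or None if dropped."""
        port = self.ports[frame.ingress_port]
        if frame.vlan_tag is None:
            return port.pvid                     # PVID rule from the Netgear docs
        if frame.vlan_tag in port.membership:    # ingress filtering on tagged frames
            return frame.vlan_tag
        return None

    def forward(self, frame: Frame) -> Dict[str, Optional[int]]:
        """Egress: {port: tag on the wire} for every other port that is a member.

        A value of None means the frame leaves that port untagged.
        """
        vid = self.classify(frame)
        if vid is None:
            return {}
        out: Dict[str, Optional[int]] = {}
        for name, port in self.ports.items():
            if name == frame.ingress_port:
                continue
            mode = port.membership.get(vid)      # absent -> Excluded
            if mode == "T":
                out[name] = vid
            elif mode == "U":
                out[name] = None
        return out


def port_from_table(name: str, rows: Dict[int, str]) -> Port:
    """Build a Port from one column of a Tagged/Untagged/Excluded table.

    ASSUMPTION (not stated on the page for the RV110W): the PVID of a port is
    the VLAN in which it is an 'Untagged' member.
    """
    membership = {vid: mode[0] for vid, mode in rows.items() if mode != "Excluded"}
    untagged = [vid for vid, mode in rows.items() if mode == "Untagged"]
    return Port(name, membership, untagged[0] if untagged else None)


def cisco_table_switch() -> VlanSwitch:
    """The membership table exactly as posted in the thread (VLANs 1, 10, 20)."""
    return VlanSwitch([
        port_from_table("1", {1: "Tagged",   10: "Untagged", 20: "Excluded"}),
        port_from_table("2", {1: "Untagged", 10: "Tagged",   20: "Tagged"}),
        port_from_table("3", {1: "Untagged", 10: "Tagged",   20: "Tagged"}),
        port_from_table("4", {1: "Untagged", 10: "Tagged",   20: "Tagged"}),
    ])


if __name__ == "__main__":
    sw = cisco_table_switch()
    cases = {
        "desktop, untagged, port 1":        Frame("1", None),
        "closed SSID, tag 10, port 2":      Frame("2", 10),
        "open SSID, tag 20, port 2":        Frame("2", 20),
        "AP management, untagged, port 2":  Frame("2", None),
        "stray tag 20 on port 1":           Frame("1", 20),
    }
    for label, frame in cases.items():
        print(f"{label:34} -> VLAN {sw.classify(frame)} egress {sw.forward(frame)}")
```

Under these rules the table is internally consistent for the closed SSID: a desktop's untagged frame on port 1 is classified into VLAN 10 and leaves port 2 tagged 10, and the reply tagged 10 from the AP on port 2 leaves port 1 untagged. The model also surfaces the point the asker raised about the UniFi's own IP: an untagged frame from the AP on port 2 falls into PVID 1, and VLAN 1 is a Tagged member on port 1, so it would reach the unmanaged switch and desktops with an 802.1Q tag they do not expect. Whether the RV110W behaves exactly this way is not established by the page; the model only shows what the posted table means under the standard rules.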