Cisco / netgear VLAN issue router switch: what would you recommend?

Trying to set up what I thought was simple: a  Cisco RV110W wireless router and a Ubiquiti Unifi access point with 2 SSIDs:

1 (with password) to access wired desktops and server along wiht internet

1 without a password that would only be able to access the internet.

We were able to configure the wireless router to achieve this when you connect to the wireless in the router. But the router isn't where they want to offer the wifi. We have not been able to resolve this issue with the unifi (although I have 99.9999% confidence it is not a wireless access point issue. We tried with engenius with the same failed results.

We got a Netgear GS105E switch, connected it to the Unifi and seems to accomplish what we want, at least in our lab.

The difference in the Netgear vs. Cisco VLAN settings appears to be that the netgear will tag the untagged packets (coming from the wired desktops) for the private VLAN. The cisco appears to allow untagged packets onto 1 vlan, but that isn't working, at least for us.

We can use the switch connected to the router, but I would like to have just 1 device, a router, that allows VLAN configuration. Would anyone have a recommendation?

What we set up when testing the netgear or when it was just the Cisco:

Port 1 connects to the wired desktops with a 16 port unmanaged switch and these packets are untagged
Port 2 connects to the Unifi access point set up:
    SSID closed has a WPA password and is on vlan 10
    SSID open has no password and is on vlan 20

For the cisco, the wan port connects to the internet

For the netgear switch, port 3 connects to the cisco, with all vlan settings turned off on the cisco.  The netgear is set as follows:
    VLAN 10 is ports 1, 2, 3
    VLAN 20 is ports 2, 3
    PVID is turned on for port 1 and tags those untagged packets with VLAN 10

It seems that last step of allowing untagged and vlan 10 packets on different ports to talk back and forth is where the cisco breaks. Would anyone know what I need to do or what hardware to replace this with?
Who is Participating?
I am not sure I get what you are doing here. Can you draw this out for a better idea of how it is being configured?

I think you are trying to get the UniFi AP's VLAN traffic up to and then through the core router and out to the internet for the guests and full access for the employees.

I would say that that would require tagging of both VLANs on all ports in the path up to where the routing is being done. Once there you should be able to control access with ACLs or policies/rules for the two IP networks.

I don't know if those APs have built-in guest networking which might streamline configuring things for you.
BeGentleWithMe-INeedHelpAuthor Commented:
Rick - your second paragraph says what I want much clearer than I did.  Thanks!

when you say 'full access', I am meaning that would be to allow people on the wireless (on port 2, vlan 10 / closed SSID) to get to the devices on port 1.

'require tagging'.  Right.  data coming from the open and closed SSIDs DO get tagged.  but then data from port 1 - all the desktops, they are untagged.  And I am realizing - what about the IP of the unifi itself?  to talk to that, those are untagged packets coming from port 1 and its replies are untagged also

Correct my thinking, please.  There's a VLAN membership page on the cisco router and it looks like this:  

VLAN ID Description           Port 1     Port 2         Port 3       Port 4  
 1             Default              Tagged   Untagged Untagged Untagged  
 10            closed             Untagged   Tagged   Tagged        Tagged  
 20              open               Excluded   Tagged  Tagged        Tagged

the router is the DHCP server
for vlan 1, it gives out addresses
               10 gives out
                20 gives out

Wireless devices coming through the wireless access point using the open SSID on port 2 are allowed through the port 2 of the router (since they are tagged 20) and get addresses

Same for wireless devices using the closed SSID - they are tagged 10, allowed to go through port 2 of the router and get addresses.

the wired devices on port 1 get a address because that membership table is saying untagged packets coming into? Through? port 1 are are on vlan 10.  

Those 3 things work fine.  But those untagged packets (treated as vlan 10) from port 1 are not allowed into port 2 / wireless devices because they are not tagged?  and vice versa, since port 2 packets are tagged vlan 10, they are not allowed into port 1, even though they should be. But they are tagged vlan 10 and that membership table doesn't allow tagged packets into port 1?

The problem is resolved witt the netgear switch because it lets you tag the untagged packets to make them true  tagged vlan 10 packets.  From the netgear docs:

A Port Default VLAN ID (PVID) is a VLAN ID tag that the switch assigns to data packets it receives that are not already addressed (tagged) for a particular VLAN group. If you have a computer on port 6 and you want it to be a part of VLAN group 2, configure port 6 to automatically add a PVID of 2 to all data received from the computer. This ensures that the data from the computer on port 6 can only be seen by other members of VLAN group 2.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.