Solved: VLAN configuration

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

gurutech

Thread Starter
Joined
Apr 23, 2004
Messages
2,960
Just got myself a brand new Cisco RV110W firewall/vpn/router, and would like to configure it to use VLANs to separate my wireless network from my wired network, but still allow each VLAN to talk to each other (so to speak).

I guess I'm looking more to "segment" the network, if that's the proper term for it, as I eventually want to add a "guest" wifi network, but not allow that part of the network to talk to the rest of my network.

I currently am using the "default" VLAN for everything, but have reserved DHCP addresses based on the type of connection - wired connections are from 2-99, Wifi is from 100-199, and in the future, "guest wifi" will be 200-254.

My question is mainly as far as the "Tagged", "Untagged", and "Excluded" options for each port (1-4) - not exactly sure what these mean (although I'm assuming the "excluded" means the particular port will not be included in that particular VLAN.)

I only have two devices plugged directly into the firewall - my Vonage router, and my "other" router that connects to the rest of the network. I just don't see what "port" would be used for the wireless.

Thanks in advance!
 

gurutech

Thread Starter
Joined
Apr 23, 2004
Messages
2,960
I think I may have figured out how to do this, but it seems that the router will put each VLAN on a different subnet (which is fine, just unexpected, and kicked my kids off the internet! lol)

So for the default VLAN (1), I have 192.168.1.x, then my Wifi I have 192.168.2.x, and the guest wifi is 192.168.3.x...

I'm only wanting the .1.x and .2.x subnets to talk to each other (and access the internet), and I only want .3.x to access the internet and not any other computer on the subnet and I don't want it to be able to access the .1.x or .2.x subnets.

And I'm still not sure what the "tagged" stuff is either - the help screen on the router doesn't really explain it too well.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,482
Getting back to basics.

VLAN stands for virtual LAN. When you look at the typical network without VLANs, you have a physical component (your NIC and Ethernet cable for example) referred to as layer 1, then you have your LAN (your switch, hub, MAU--token ring, etc) which is referred to as layer 2, and finally the IP component (your router) referred to as layer 3. These components form up the foundation of how networks work. VLANs operate at layer 2. VLANs allow the ability to have layer 2 isolation/separation on the same physical switching/routing device without needing to resort to buying individual switches/routers to accomplish the same thing. From an enterprise standpoint, this is huge as businesses have requirements for isolation but also need to be able to do this in a scalable and economical fashion.

What is a VLAN? VLANs fall into two main categories: port based and tagged. Port based was the first iteration where isolation of networks was defined at the switch port level. A switch can have ports 1 through 3 assigned to VLAN 2 while ports 4 through 8 are assigned to VLAN 5. But when you extend network connectivity to other switches, the definition of the VLAN on switch 1 has no relationship to the same VLAN defined on switch 2 with port based VLANs. Tag based VLANs allow all switches connected to each other to share VLAN "awareness". VLAN 2 on switch 1 is the same as VLAN 2 on switch 2. Tagging also allows multiple VLAN traffic to be sent between switches over a link called a VLAN trunk. So now I can send traffic between switches for multiple VLANs whereas with port based, this was not possible.

Tagged VLANs follow an IEEE spec called 802.1Q. What this means is that a portion of the Ethernet header is modified to contain information defining what VLAN that Ethernet frame belongs to. Because the Ethernet header is modified, switches that do not understand 802.1Q will not be able to pass tagged Ethernet frames. This is why VLAN functionality is confined to managed switches which have this functionality and "dumb" switches cannot support it.

Because VLANs operate at layer 2, moving network traffic in and out of a VLAN requires a router. And a router's function is to move packets between subnets/networks. If the subnets of two VLANs are the same, no routing will happen as the router doesn't need to route traffic. This is why every VLAN defined has a unique subnet defined for it if network traffic needs to go in and out of that VLAN. Otherwise, if the VLANs always stay isolated, you can have all the VLANs run on the same subnet without a problem on the same physical network.

Advancements to IEEE 802.1Q include QinQ which refers to having a tagged Ethernet frame with an additional VLAN tagged wrapper around it and PVLANs (private VLANs). Private VLANs take the VLAN concept one step further where you have concepts of isolated and community secondary VLANs which all talk to a primary VLAN with a promiscuous port.
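
Added example, not part of the post above or of any Cisco tooling: a small Python parser showing where the 802.1Q tag sits in the Ethernet header and how an untagged, a tagged, and a QinQ frame differ. The sample frames, MAC addresses and VLAN IDs are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (outer tag in QinQ)

def parse_vlan_tags(frame: bytes) -> dict:
    """Return MACs, the stack of VLAN tags (outermost first) and the real EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break  # no (further) tag: this is the payload's EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        # Tag Control Information: 3-bit priority, 1-bit DEI, 12-bit VLAN ID
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4  # each tag inserts 4 bytes after the source MAC
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload_offset": offset + 2}

# Constructed sample frames: broadcast destination, locally administered source MAC.
MACS = bytes.fromhex("ffffffffffff" "020000000001")
PAYLOAD = b"\x00" * 46
UNTAGGED = MACS + bytes.fromhex("0800") + PAYLOAD
TAGGED = MACS + bytes.fromhex("8100" "000a" "0800") + PAYLOAD           # VLAN 10
QINQ = MACS + bytes.fromhex("88a8" "0064" "8100" "a00a" "0800") + PAYLOAD  # outer 100, inner 10

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED), ("qinq", QINQ)):
        info = parse_vlan_tags(frame)
        vids = [t["vid"] for t in info["tags"]] or "none"
        print(f"{name:9} vlan={vids} ethertype=0x{info['ethertype']:04x} "
              f"payload@{info['payload_offset']}")
```
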
 

gurutech

Thread Starter
Joined
Apr 23, 2004
Messages
2,960
So what I am looking for, with only a single firewall/router, I can leave this as "untagged", correct? But if I want to isolate my Vonage device (wired) from the rest of my network, I can assign that to port 4, and have ports 1-3 on VLAN1, with port 4 on VLAN 10.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,482
Yes. And based on what you've posted so far, it looks like the router can support virtual router interfaces for each VLAN.
 
