So, I've been working on computers for more years than I care to count, and some areas I've been able to avoid. Unfortunately, those areas usually pop up with minimal time to figure out how to handle them (like setting up a Linux Squid server 10 years ago... that was fun....or not). This time, I've got a little time to sort it out, but just can't seem to grasp what I need to do, so I'm looking for a little hand-holding.
I've recently discovered that "Wireless Isolation" does not mean "Isolation", despite what the folks at "www.wirelessisolation.com" say. Hey, it's on the Internet, so it's gotta be true, right? Well, my client wasn't amused either. What I have is a Cisco RVS4000 Router and a WAP200 Access Point in place (separated by a ******** brand switch, which shouldn't be an issue, as I can connect the Wireless directly to a port in the RVS). What all this post means is that I want to have 2 wireless networks: one used by the office personnel, allowing full access to the Internet and the local wired devices, and a second network available to the "guests" that come in the office, which only allows Internet access and no access to internal devices at all.
I get that I need to set up two different SSIDs (check) on the WAP, and need to disable inter-VLAN routing on the RVS, but I get part way through the discussion of VLAN port 1 and port 2, and run across something saying "Don't use VLAN 1, since it's reserved for trunk", or something to that effect, and then the difference between tagged, untagged, and trunk gets all garbled up, and before I know it, I'm climbing the tree trunk outside my window, trying to rip the tag out of my shirt.
So, I would greatly appreciate anyone's assistance pointing me to the right path, and then taking me by the hand and pointing out the sights along the way to my destination, pretty please :). Thanks for the help!
Not sure if I have to jump in, as you are reaching the end of the tunnel :-). But because James is mentioning that the RVS4000 terminology is a little confusing, I agree and will try to clarify it for him, and I did my best to make it clear for you as well.
In terms of terminology, there are 3 port modes when we are talking about VLANs: Trunk, Access, General.
Tagging is just information carried in the packet showing which VLAN this packet belongs to. And this "VLAN checking" happens on the port, for the incoming traffic as well as the outgoing.
When Trunk mode is used on the port, that means there should be one VLAN untagged; this is also the management VLAN, also called the native VLAN. All other VLANs assigned to that port should be tagged. Looking at the screenshot you provided, this corresponds to the Trunk Function.
Access mode means that only packets which do not have a tag will pass through this port. And because the allowed traffic will not have a VLAN identification, logically you can assign only one VLAN to such a port. Looking at your screenshot, this corresponds to the Untagged Function.
General mode allows all VLANs to be tagged, or all VLANs to be untagged. Let's say that you can configure whatever VLANs you want there and someone else will take care of identifying the traffic. On the screenshot this corresponds to the Tagged Function.
The second part of the RVS4000 table is about whether a tag will be put on/checked for a VLAN packet or not, or whether this VLAN will not be allowed to pass through the port at all - this is the Exclude Function.
Let's take for example port 2 on the RVS4000. Packets for VLAN100 and VLAN200 should pass (incoming/outgoing) through this port.
Let's assume that your private network is 192.168.2.X. For example, the RVS4000 IP is 192.168.2.1 and the WAP200 IP is 192.168.2.2, and you have a DHCP server range of 192.168.2.100-200. This is your VLAN100.
After that you have the Guest SSID, which will be another IP range. Let's say 192.168.3.1 will be the RVS4000 IP and the DHCP pool 192.168.3.100-200. The WAP200 does not need to have an IP from that range.
1. As the WAP200 LAN port is in Trunk mode by default, RVS4000 port 2 should be configured as Trunk (as James already mentioned). Now, as the router and the AP have an IP address from VLAN100, this will be your native/management VLAN. So VLAN100 will be untagged and VLAN200 will be tagged. So whenever a packet comes in with no tag, the router will know that this packet is for VLAN100. The same logic applies to the WAP200.
That's why your private SSID users do not even receive an IP. With this configuration the RVS4000 is tagging VLAN100 packets when they are sent to the WAP200, and because the WAP200 expects these packets to be untagged, it just drops them. The same happens the other way - when a user from the private SSID is trying to obtain an IP, the WAP200 sends an untagged packet to the RVS4000, and because the RVS4000 is configured to accept only tagged packets, it just drops it.
2. Let me first say that the port 1 configuration is correct (more or less :-) ). Now you are saying that the switch is unmanaged. Unmanaged switches (by default) do not support tagging. They pass only untagged packets. When a tagged packet arrives on a port, it just drops it. So the possible configurations on port 1, where the unmanaged switch is, are: like you did - Trunk, VLAN100 untagged and the other VLANs excluded; or Untagged, VLAN100 untagged.
Please see the attachment for how the configuration should be:
1. Create VLANs 100 and 200
2. Configure ports 1 and 2 in Trunk mode with PVID 100
3. Assign VLAN200 to port 2 as tagged
4. and 5. When you configure the IP range for each VLAN, do not forget to configure the DNS as well. If you leave it blank, it will use the router IP 192.168.1.1 as DNS, and because there is no inter-VLAN routing, the internet pages will not open - meaning no internet.
6. I would suggest assigning a static IP from VLAN100 on the WAP200; it's easy to manage. Again, be sure to put in a DNS.
7. Change the default VLAN from 1 to 100, as shown, and assign the VLANs to the SSIDs.
Waiting for your reply.
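The tagged/untagged/exclude behaviour described in the reply above can be made concrete by replaying it in code. The following is an added example for this thread, not code from the posts or from Cisco. It models a VLAN-aware port with a PVID (native VLAN), a set of VLANs carried tagged, a set carried untagged and everything else excluded, then replays the two failure modes the reply describes: the router tagging VLAN100 toward an access point that expects it untagged, and a tagged frame arriving at an unmanaged switch. Device names, MAC addresses and payload bytes are constructed for the example.

```python
"""802.1Q port-mode model: how Trunk / Untagged / Tagged / Exclude decide a frame's fate.

Added example for this thread, not code from the original posts or from Cisco.
Device names, MAC addresses and payload bytes below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
DST_MAC = bytes.fromhex("0200000000aa")   # constructed, locally administered
SRC_MAC = bytes.fromhex("0200000000bb")
PAYLOAD = b"\x45" + b"\x00" * 19          # constructed stand-in for an IPv4 header


@dataclass
class Port:
    name: str
    mode: str                        # "trunk", "access" or "general"
    pvid: int                        # VLAN assigned to frames that arrive untagged
    tagged: Set[int] = field(default_factory=set)    # VLANs carried with a tag
    untagged: Set[int] = field(default_factory=set)  # VLANs carried without a tag
    # A VLAN in neither set is "Exclude": it is not allowed through this port.


def build_frame(vlan: Optional[int], payload: bytes) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan is given."""
    header = DST_MAC + SRC_MAC
    if vlan is not None:
        # TCI = PCP(3) | DEI(1) | VID(12); priority bits left at zero here
        header += TPID_8021Q.to_bytes(2, "big") + (vlan & 0x0FFF).to_bytes(2, "big")
    return header + ETHERTYPE_IPV4.to_bytes(2, "big") + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], int]:
    """Return (vlan id or None if untagged, inner EtherType) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("802.1Q tag present but frame truncated")
    vid = int.from_bytes(frame[14:16], "big") & 0x0FFF
    return vid, int.from_bytes(frame[16:18], "big")


def egress(port: Port, vlan: int) -> Optional[bytes]:
    """Frame leaving `port` for `vlan`: untagged, tagged, or None if excluded."""
    if vlan in port.untagged:
        return build_frame(None, PAYLOAD)
    if vlan in port.tagged:
        return build_frame(vlan, PAYLOAD)
    return None


def ingress(port: Port, frame: bytes) -> Optional[int]:
    """VLAN a received frame is classified into, or None if the port drops it."""
    vid, _ = parse_frame(frame)
    if vid is None:
        # Untagged frame: accepted only when the PVID is carried untagged here
        return port.pvid if port.pvid in port.untagged else None
    if port.mode == "access":
        return None              # access ports never accept tagged frames
    return vid if vid in port.tagged else None


def forward(sender: Port, receiver: Port, vlan: int) -> Optional[int]:
    """Send one frame of `vlan` across the cable; None means it was dropped."""
    frame = egress(sender, vlan)
    return None if frame is None else ingress(receiver, frame)


def scenarios() -> Dict[str, Optional[int]]:
    """Replay the thread's configurations and return what arrives where."""
    wap_lan = Port("WAP200 LAN (trunk, native 100)", "trunk", 100, tagged={200}, untagged={100})
    # The misconfiguration: router port 2 tags VLAN100 instead of sending it untagged
    rvs_p2_wrong = Port("RVS4000 port 2 (VLAN100 tagged)", "trunk", 100, tagged={100, 200})
    # The fix from the reply: VLAN100 untagged (PVID), VLAN200 tagged
    rvs_p2_right = Port("RVS4000 port 2 (fixed)", "trunk", 100, tagged={200}, untagged={100})
    # Unmanaged switch: no VLAN awareness, so it only ever passes untagged frames
    unmanaged = Port("unmanaged switch", "access", 100, untagged={100})
    rvs_p1 = Port("RVS4000 port 1", "trunk", 100, untagged={100})     # VLAN200 excluded
    rvs_p1_tag200 = Port("RVS4000 port 1 (VLAN200 tagged)", "trunk", 100, tagged={200}, untagged={100})
    return {
        "wrong_rvs_to_wap_v100": forward(rvs_p2_wrong, wap_lan, 100),   # dropped by the WAP
        "wrong_wap_to_rvs_v100": forward(wap_lan, rvs_p2_wrong, 100),   # dropped by the RVS
        "fixed_rvs_to_wap_v100": forward(rvs_p2_right, wap_lan, 100),
        "fixed_wap_to_rvs_v100": forward(wap_lan, rvs_p2_right, 100),
        "fixed_rvs_to_wap_v200": forward(rvs_p2_right, wap_lan, 200),
        "fixed_wap_to_rvs_v200": forward(wap_lan, rvs_p2_right, 200),
        "p1_to_switch_v100": forward(rvs_p1, unmanaged, 100),
        "p1_to_switch_v200": forward(rvs_p1, unmanaged, 200),           # excluded on port 1
        "p1tag200_to_switch_v200": forward(rvs_p1_tag200, unmanaged, 200),  # switch drops the tag
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:28s} -> {'dropped' if result is None else f'VLAN{result}'}")
```

The model deliberately treats the unmanaged switch as an access port whose only untagged member is its PVID: that is all an unmanaged switch can do, which is why VLAN200 must be excluded on the port feeding it rather than tagged.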
Ok. In this case, you shouldn't have to configure anything from a VLAN perspective on the dedicated Internet port as it should be isolated from the internal switch.
So, if we were to look at it from a Layer 3 point of view, you could view it this way:
Network 1 - Internet (a.a.a.a/a)
Network 2 - Internal Users (b.b.b.b/b)
Network 3 - Guest Users (c.c.c.c/c)
For Layer 2, you could view it this way:
Network 1 - Dedicated Ethernet port on RVS only.
Network 2 - vlan100
Network 3 - vlan200
For Layer 1, you could view it this way:
Network 1 - copper
Network 2 - copper and wireless
Network 3 - wireless
Now, since network 1 is your Internet, it gets its IP info from your ISP. Network 2 then has an IP address range that you have assigned. This used to be vlan 1 but will soon become vlan100. Therefore, you need to provide an IP range for network 3. Since both of these networks will be defined at Layer 3 on the RVS, you can block network 2 from getting to network 3 and vice versa for security. Lastly, these two network ranges should default route out to the Internet. Since there will be no vlan200 on the brand x switch, the only port needing any tagging is port 2 on the RVS, where the WAP will plug in. The WAP Ethernet interface also needs to be tagged with vlan100 and vlan200 so both user and guest traffic can pass over the single port. The internal IP interfaces on the RVS will handle the routing to the Internet.
My suggestion is to take screenshots of all your config screens as well as do a config backup of each device you are making changes on. If all else fails, you can return the config to its previous state. Also, a good idea is to verify which devices you can reach on the network before you make changes. Then, afterwards, make sure those same devices can be reached.
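The Layer 3 view in the post above (two internal networks that must not reach each other but both default-route to the Internet) and the DNS caveat from the other reply (a blank DNS setting points clients at a router address on the other VLAN, so with inter-VLAN routing off nothing resolves) can be checked against a small model of the routing policy. This is an added example, not code from the thread or from Cisco. The subnets follow the addresses used in the replies; the client addresses, the DNS assignments and the public resolver are constructed, and the assumption that the router's address on the other VLAN is unreachable once inter-VLAN routing is disabled is taken from the reply rather than verified on a device.

```python
"""Layer 3 isolation check for the two-VLAN design described in this thread.

Added example, not code from the posts above or from Cisco. Subnets follow
the thread; client addresses and DNS servers below are constructed.
"""
import ipaddress
from typing import Dict, Optional

# VLAN -> subnet, as laid out in the replies above
VLANS: Dict[int, ipaddress.IPv4Network] = {
    100: ipaddress.ip_network("192.168.2.0/24"),   # internal users (RVS at .1, WAP at .2)
    200: ipaddress.ip_network("192.168.3.0/24"),   # guests (RVS at .1)
}


def vlan_of(addr: ipaddress.IPv4Address) -> Optional[int]:
    """VLAN whose subnet contains addr, or None if it is not a local subnet."""
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


def allowed(src: str, dst: str, inter_vlan_routing: bool = False) -> bool:
    """Would the router deliver a packet from src to dst under this policy?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_vlan, dst_vlan = vlan_of(s), vlan_of(d)
    if src_vlan is None:
        raise ValueError(f"{src} is not on a local VLAN")
    if dst_vlan is None:
        # Not local: follows the default route toward the ISP. Modelling
        # choice: only globally routable destinations count as "the Internet".
        return d.is_global
    if dst_vlan == src_vlan:
        return True                 # same subnet, switched within the VLAN
    # Crossing VLANs (including the router's own address on the other VLAN,
    # per the reply above) only works when inter-VLAN routing is enabled.
    return inter_vlan_routing


def dns_check(client: str, dns_server: str) -> str:
    """'ok' if the client can reach its DNS server, otherwise why it cannot."""
    if allowed(client, dns_server):
        return "ok"
    cv = vlan_of(ipaddress.ip_address(client))
    dv = vlan_of(ipaddress.ip_address(dns_server))
    where = f"VLAN{dv}" if dv is not None else "an address that is neither local nor Internet"
    return f"broken: VLAN{cv} client cannot reach DNS {dns_server} on {where}"


def audit(clients: Dict[str, str]) -> Dict[str, str]:
    """Run dns_check over a mapping of client address -> configured DNS server."""
    return {client: dns_check(client, dns) for client, dns in clients.items()}


if __name__ == "__main__":
    # Constructed sample: three DHCP clients and the DNS server each was handed
    sample = {
        "192.168.2.120": "192.168.2.1",   # internal user, DNS = its own router address
        "192.168.3.150": "192.168.2.1",   # guest handed the internal VLAN's router address
        "192.168.3.151": "192.168.3.1",   # guest pointed at its own VLAN's router
    }
    for client, verdict in audit(sample).items():
        print(f"{client:15s} {verdict}")
```

Running the sample flags only the second guest: its traffic to the Internet is allowed, but every lookup goes to an address on VLAN100 that the isolation policy blocks, which is exactly the "no internet" symptom the earlier reply describes. The same `allowed` function doubles as the before/after reachability list the post recommends: run it over the hosts you expect to reach (and the ones guests must not) and compare the results once the VLANs are in place.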