
RV016 VLANs communicate with each other

While configuring two VLANs on the RV016 I found out that both networks can communicate with each other.

Reading several messages about this issue I saw the solution would be to ban all traffic from each other by using the firewall on the router.

Although I find that solution upsetting (they needn't talk to each other .... period!), I did set up firewall rules so this wouldn't happen.

However, this still does not prevent this issue. When I receive an IP address on my computer from VLAN 1 and then change my IP address to one in the range of VLAN 2... I will be allowed into VLAN 2 doing all kinds of stuff on VLAN 2, while I wasn't even supposed to be on this VLAN.

(Another reason why using a firewall is upsetting.)

Now I've read the manual and it distinctly says:

"There is no communication between devices on separate VLANs"

(page 96 http://www.cisco.com/en/US/docs/routers/csbr/rv0xx/administration/guide/rv0xx_AG_78-19576.pdf)

So as they do talk to each other without the firewall we can say that this is a bug which needs to be fixed.

The workaround for this bug is buggy as well, since you can manually alter the IP address on your device and become a member of another VLAN.

Now I am using the latest firmware and didn't find any other way to prevent devices from VLAN 1 from entering VLAN 2.

Does anyone have any other way to overcome this problem so my VLANs are 'safe'?


RV016 VLANs communicate with each other

Hi Bart, this is only a port-based VLAN. There is no tagged VLAN in your packet header. This behavior is considered expected, hence the requirement for firewall rules.

If you need a more technical explanation, I'd recommend to read up about untagged vs tagged vlan traffic.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

RV016 VLANs communicate with each other

Hi Bart,

What does your network topology look like? It sounds like you have some sort of VLAN leakage due to plugging 2 untagged VLANs into each other. As Tom said, this is expected behavior. If you are plugging both VLANs into the same switch without segmenting them, of course you can reach both. Best method would be to plug the 2 ethernet cables into a managed switch and configure the ports you are plugging into as access ports in the appropriate VLAN.

Let me know if you have any further questions.

Tom Watts wrote:

Hi Bart, this is only a port-based VLAN. There is no tagged VLAN in your packet header. This behavior is considered expected, hence the requirement for firewall rules.

If you need a more technical explanation, I'd recommend to read up about untagged vs tagged vlan traffic.

-Trent Good ** Please rate useful posts! **

RV016 VLANs communicate with each other

Hey Trent & Tom,

Thanks for your information. We do not put the VLANs in the same switch; this would indeed create the issue.

Our network looks like this:

We have a central RV016 switch in a colocation. Then we have two locations, let's call them Location1 and Location2. The locations also have this RV016. All locations (including the central router) are connected with VPN. The central router has a network with IP range 10.10.0.*. Location1 uses IP range 10.10.1.* and Location2 uses IP range 10.10.2.*.

Now I tested it again on Location1 and I found out I cannot reach the VLAN1 of Location1, but can access VPN and reach the networks of the central router and Location2.

Here is what I did:

I use port 7 on the router for VLAN 2. This port is directly patched to the wall outlet so no switches etc.

In this wall outlet I have a wifi station which will provide internet access to customers to ensure they cannot reach our network. It delivers its own IP range (192.168.1.*).

Now I disconnect my ethernet cable to ensure I don't have a network connection in Location1. I connect to Wifi, getting a DHCP lease. I am now on VLAN 2. I go into my network settings and change my IP address to 10.10.1.150 and set my gateway/router to 10.10.1.254. This is within the IP range of VLAN 1.

When I open my console I can't ping to IP 10.10.1.2 (which is used by our local server) but I can ping to 10.10.0.2 (the server in the colocation) and I can also ping to 10.10.2.2 (the server of Location2).

And my firewall settings should prevent this since it has a deny all traffic from source 192.168.2.0 ~ 192.168.2.255 to destination 10.10.0.0 ~ 10.10.255.255

And also the other way around:

Deny all traffic from source 10.10.0.0 ~ 10.10.255.255 to destination 192.168.2.0 ~ 192.168.2.255

So I should not be able to ping to those networks. Not according to the Firewall. Not according to the (separated) VLAN. However in my humble opinion the router should take care of that even without the firewall settings.

Best,

Bart-Jan
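
An added example (not part of the original thread and not RV016 configuration): a small Python model of the two deny rules quoted above, showing why rules keyed only on source and destination address stop matching once a host on the VLAN 2 port uses a 10.10.1.x address, next to a check that also ties the source address to the port group it arrived on. The default-allow policy, the 192.168.2.0/24 subnet for VLAN 2 (taken from the quoted rule), the sample flows, and all function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# The two deny rules quoted in the post, as (source, destination) networks.
DENY_RULES = [
    (ip_network("192.168.2.0/24"), ip_network("10.10.0.0/16")),
    (ip_network("10.10.0.0/16"), ip_network("192.168.2.0/24")),
]

# Assumption: the subnet each port-based VLAN is supposed to carry.
VLAN_SUBNET = {1: ip_network("10.10.1.0/24"), 2: ip_network("192.168.2.0/24")}


def address_only(src, dst):
    """Rules match on addresses alone; anything unmatched is forwarded
    (assumed default-allow policy)."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst in DENY_RULES:
        if s in rule_src and d in rule_dst:
            return "deny"
    return "allow"


def with_ingress_check(vlan, src, dst):
    """Drop a packet whose source address does not belong to the VLAN
    (port group) it arrived on, then apply the address rules."""
    if ip_address(src) not in VLAN_SUBNET[vlan]:
        return "deny"
    return address_only(src, dst)


# Constructed flows: (arrival VLAN, source, destination)
FLOWS = [
    (2, "192.168.2.50", "10.10.0.2"),  # guest using an address from its own range
    (2, "10.10.1.150", "10.10.0.2"),   # guest port, manually set VLAN 1 address
    (2, "10.10.1.150", "10.10.2.2"),   # same host, towards Location2
    (1, "10.10.1.20", "10.10.0.2"),    # ordinary VLAN 1 host
]


def evaluate():
    """Return (address-only verdict, ingress-checked verdict) per flow."""
    return [(address_only(s, d), with_ingress_check(v, s, d)) for v, s, d in FLOWS]


if __name__ == "__main__":
    for flow, verdicts in zip(FLOWS, evaluate()):
        print(flow, "address-only=%s ingress-check=%s" % verdicts)
```
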


RV016 VLANs communicate with each other

I take it by the silence that this problem is not solvable and can be seen as a bug?
