Hi, I have an RV220W router and a SG200-18 switch. I'm trying to configure my network to be as secure as possible...
The RV220W has the following VLAN configuration:
Port 1: Manage, DMZ, Business, Test, Diag, Home, and Nowhere (untagged)
Port 2-4: Unused (untagged) and DISABLED
All ports have been excluded from the default VLAN
The SG200-18 has the following VLAN configuration:
Port 1 (Trunk): Manage, DMZ, Business, Test, Diag, Home, and Nowhere (untagged)
Port 2-17 (Access): Unused (untagged) and DISABLED
Port 18 (Access): Manage (untagged) *being used to configure and manage the switch and router from a pc
All ports have been excluded from the default VLAN
I've set this up following the guidelines in the Cisco security best practices: http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf
My questions regards hardening my network from Double-Encapsulated 802.1Q/Nested VLAN Attack. The whitepaper suggests disabling the Native/untagged VLAN from all trunk ports... Unfortunately the RV220W seems to require an untagged VLAN on every port (won't allow me to only have tagged vlans)... Can anyone suggest a more secure configuration given what I'm working with?
P.S. the switch allows me to configure a port in "General" mode where I can configure the Frame Type to "Admit Tagged Only" to only allow tagged traffic... I'm not sure if this would increase security??
Thank you for reaching the Small Business Support Community.
I see no better way to prevent this Double-Encapsulated 802.1Q/Nested VLAN Attack on the SG200 than excluding ports from the native VLAN, which you already did, and changing the default VLAN to something other than VLAN ID 1. The "admit tagged only" feature definitely increases your security.
I hope this answers your question and please do not hesitate to reach me back if there is anything I may assist you with.
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so others will know when an answer has been found.
Hi Marc, on the RV220W you should be able to tag the VLAN as you like from the drop-down options.
So you should be able to tag the default/native vlan on the sg200 while running a tag packet on the router as well.
To add a new VLAN, click
. Then enter these settings:
Enter a numerical VLAN ID that will be assigned to endpoints in the VLAN membership. The VLAN ID can range from 2 to 4094. VLAN ID 1 is reserved for the default VLAN, which is used for untagged frames received on the interface, and VLAN ID 4092 is reserved and cannot be used. After a new VLAN entry is saved, the VLAN ID cannot be changed.
Enter a short description to identify this VLAN.
Inter VLAN Routing—Check the box to enable routing between this and other VLANs, or uncheck the box to disable this feature.
Check the box to enable this feature, or uncheck the box to disable it. This setting determines whether or not clients can access the Cisco RV220W Configuration Utility on this VLAN. To prevent access to this utility from this VLAN, disable this feature.
For each of the ports, choose one of the following options:
—Used when connecting to switches carrying multiple VLANs.
—Access ports connecting to end devices like printers and
Please mark answered for helpful posts
Thanks for getting back to me. I'm a little confused by your response... Did you mean 'excluding ports from the DEFAULT VLAN' and 'changing the NATIVE VLAN to something else'???
As well, can you explain how the "admit tagged only" feature would increase security.
Thank you for getting back to me on this.
I tried exactly what you suggested during the initial router configuration and the RV220W wouldn't allow me to not have an untagged VLAN on any port... When I select the native vlan for port 1 (connected to switch), which I've named: Nowhere, and select tagged and click save, it loads for a while and then says in red that there must be one untagged vlan on each port, or something like that... That's why I posted this question. I believe it is possible to set all VLANs to tagged on the switch, but I didn't try because the security best practices whitepaper said:
"In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native
VLAN of all the trunks; don’t use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD (check out
) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any
P.S. I'm running the latest firmware on both the router and switch. Another issue I found with the VLAN setup on the router is that I can't disable "Device Administration" on any of the VLANs. If I uncheck that option and choose save, it saves it, but then after a reboot the option is checked and enabled again... Not sure why there's an option to configure it if it can't be controlled.
Hi Marc, I'd agree it should... If the router has this limitation then you'd need to move everything off the untagged vlan. So you could technically use vlan 1 native as the untagged between devices and all else on the different vlans.
As I have it now, the default VLAN "Default" has been excluded from all ports (on both router and switch) and I have an empty VLAN called "Nowhere" set as the untagged/native VLAN for the ports that connect the router and switch (trunk). So this is the best I can do in terms of security?
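A small model of the tagging rules this thread turns on (an added example, not code from the post, Cisco, or the whitepaper), showing why the "Nowhere" native VLAN helps: one access port on switch A, the trunk between the boxes, and the trunk ingress on switch B, with "Admit Tagged Only" as a flag. Port settings, MAC addresses and frames are constructed for illustration, and VLAN 999 stands in for the unused "Nowhere" VLAN.

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier; the 12-bit VID is the low bits of the TCI

def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed test frame with stacked 802.1Q tags, outermost first."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def pop_tag(frame):
    """Return (outer VID or None, frame with that single tag removed)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]

def access_ingress(frame, access_vlan):
    """Access port: admit untagged frames, or frames tagged with the port's own VLAN (tag stripped)."""
    vid, stripped = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, stripped) if vid == access_vlan else (None, frame)

def trunk_egress(vlan, frame, native):
    """Trunk egress: the native VLAN leaves untagged; any other VLAN has its tag pushed on."""
    if vlan == native:
        return frame  # whatever followed the stripped tag is now the outer header
    return frame[:12] + struct.pack("!HH", TPID, vlan) + frame[12:]

def trunk_ingress(frame, native, tagged_only):
    """Trunk ingress: classify by outer tag; untagged goes to native unless Admit Tagged Only."""
    vid, _ = pop_tag(frame)
    if vid is None:
        return None if tagged_only else native
    return vid

def deliver(frame, access_vlan, native, tagged_only=False):
    """Access port on switch A -> trunk -> trunk port on switch B.
    Returns the VLAN switch B assigns the frame to, or None if it is dropped."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(vlan, f, native), native, tagged_only)

if __name__ == "__main__":
    src, dst = b"\x02" * 6, b"\xff" * 6
    nested = build_frame(dst, src, [1, 30])  # outer tag = VLAN 1, inner tag = VLAN 30
    print("access port in native VLAN 1:   ", deliver(nested, 1, native=1))    # 30
    print("native is unused VLAN 'Nowhere':", deliver(nested, 1, native=999))  # 1
```

With the native VLAN in use on an access port, switch A strips the outer tag and sends the frame untagged, so switch B reads the inner tag and files it under VLAN 30; with an unused native VLAN the frame always leaves switch A carrying its real VLAN tag, and Admit Tagged Only additionally drops anything that reaches the trunk without a tag.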