RV016 - Achieving Segregation and VLANS

Good afternoon, our company started out very small and is now growing very large to the point where I am looking at layering hosts to obtain more segregation and security for different areas/users within the company. I've been playing around with the VLAN feature in this router along with the multiple subnets to see what the most ideal configuration situation would be.
Ideally I was thinking I would block out hosts for areas regarding security and use the VLANS built into the RV016 to isolate them from other users/areas on the network. HOWEVER it seems that the VLANS ONLY segregate within the Device IP Address (RV016) and Subnet Masks realm. So for example, if my RV016 is set up with a standard Class C net of 192.168.1.1 host with a 255.255.255.0 sub, and I add a multiple subnet of 192.168.2.0/24, and I then assign a LAN port in the RV016 to say VLAN2, and all others to VLAN1, my device on ip 192.168.1.20 VLAN2 for example, is accessible by devices on the VLAN1 with ip 192.168.2.20. It appears to me that the VLAN functions on the LAN ports are NOT being applied to devices that are added or created under multiple subnets.
This is frustrating for me because ideally this is how I would prefer to use it so I can expand my network by adding more hosts and achieving segregation and separation. Ideally this would be resolvable if I could modify the main device subnet mask to something OTHER than the 255.255.255.x settings that are preset in the device, discarding the need for multiple subnets, and allowing VLANS to function as they are built into the device. It seems the only way I can truly get the security/separation I desire between devices on the VLANs and in the multiple subnets is to create deny ACLs within the RV016 itself.
Hopefully this makes sense. I guess I am wondering if there are other devices out in the market that will achieve what I want to do but not require some substantial elite network training degree to hand code everything in console/terminal? Any other suggestions are appreciated to achieve what I explained above. Thank you for reading and your help.

This is exactly how I was hoping or assumed it should work as well but it does not seem to behave that way. HOWEVER, after posting this I did find an interesting possible solution. If you add a multiple subnet of 192.168.0.0 @ 255.255.0.0 and have the device at 192.168.1.1 @ 255.255.255.0 you THEN are able to achieve segregation under the VLAN functionality of the device. I need to look into this more, I'm sure it makes sense to someone, somewhere, but just not me at the moment. Brain is mush after troubleshooting different options and scenarios.
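
The reachability described in this thread can be reasoned about with a small model. The following is an added example, not part of either post and not RV016 firmware logic. It assumes port VLANs only stop frames that travel host to host inside one IP subnet, while the router forwards between its own configured subnets unless a deny rule matches; the host dictionaries and function names are hypothetical.

```python
import ipaddress
from itertools import permutations


def delivery(src_addr: str, dst_ip: str) -> str:
    """Return 'on-link' when dst_ip lies inside the sender's own subnet
    (the frame goes host to host at layer 2), otherwise 'routed'
    (the frame is handed to the default gateway)."""
    net = ipaddress.ip_interface(src_addr).network
    return "on-link" if ipaddress.ip_address(dst_ip) in net else "routed"


def reachable(src: dict, dst: dict, deny_acls=()) -> bool:
    """src/dst: {'addr': 'ip/prefix', 'vlan': port VLAN on the router}.

    Model assumptions (not confirmed device behaviour):
      * on-link frames cross only between ports in the same VLAN
      * routed packets pass between the router's subnets unless a
        (source network, destination network) deny rule matches
    """
    src_if = ipaddress.ip_interface(src["addr"])
    dst_if = ipaddress.ip_interface(dst["addr"])
    if delivery(src["addr"], str(dst_if.ip)) == "on-link":
        return src["vlan"] == dst["vlan"]
    for s_net, d_net in deny_acls:
        if (src_if.ip in ipaddress.ip_network(s_net)
                and dst_if.ip in ipaddress.ip_network(d_net)):
            return False
    return True


def required_denies(subnets):
    """Full separation needs one deny rule per ordered pair of subnets."""
    return list(permutations(subnets, 2))


# Hosts from the post: 192.168.1.20 on a VLAN2 port, 192.168.2.20 on VLAN1.
HOST_A = {"addr": "192.168.1.20/24", "vlan": 2}
HOST_B = {"addr": "192.168.2.20/24", "vlan": 1}
# Constructed variant: the same hosts using a 255.255.0.0 mask.
HOST_A16 = {"addr": "192.168.1.20/16", "vlan": 2}
HOST_B16 = {"addr": "192.168.2.20/16", "vlan": 1}

DENIES = required_denies(["192.168.1.0/24", "192.168.2.0/24"])

if __name__ == "__main__":
    print("B -> A, /24 masks, no ACL :", reachable(HOST_B, HOST_A))
    print("B -> A, /24 masks, ACLs   :", reachable(HOST_B, HOST_A, DENIES))
    print("B -> A, /16 masks, no ACL :", reachable(HOST_B16, HOST_A16))
```

Under this model the /24 pair is routed and therefore reachable until deny rules are added, while hosts sharing one /16 are on-link and the port VLAN boundary applies. The thread does not confirm that this is why the 255.255.0.0 subnet in the follow-up produced segregation.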

Similar Messages

  • Solution Manager Service Desk - Segregation and Customization of HR Tickets

    All -
    The Solution Manager Service Desk is a great tool for incident management in a system landscape that includes SAP, as well as other technologies.
    I wanted to find out whether tickets that contain sensitive information (HR-related) can be segregated and "hidden" from support team members that are not supporting any HR functions.
    Also, is there a way, assuming tickets can be segregated by function or support team, that the email message users receive upon the creation of the ticket can be custom tailored?
    Thank you in advance!
    Scott Watson

    Hi Scott,
    Yes it is possible and there are various ways to achieve it
    for e.g you can use the security concept below to hide from non relevant team members using
    authorization object CRM_ORD_LP
    check this link
    http://wiki.sdn.sap.com/wiki/display/SMAUTH/CRM_ORD_LP
    also this one
    http://wiki.sdn.sap.com/wiki/display/SMAUTH/UC00035
    hope this resolves issue
    Regards
    Prakhar

  • How do I transfer my data from one Game Center account to another without deleting all my achievements, scores, and friends?

    I want to get a profile picture on my gamecenter but it won't work. I now want to change it without deleting all of my achievements, scores, and friends. Please help me!

    You can't, all content is tied to the account that purchased / downloaded it and it can't be copied or transferred to a different account.

  • I want to delete my current exchange account. How can I achieve this and not lose stored information such as contacts, photos etc. please help. Thank you.

    I want to delete my current exchange account and replace it with my new one. How can I achieve this and not lose my contacts, photos, etc associated with this account? Please help..
    Thank you,

    Bad idea.
    What information do you want to share, exactly?  You can share contacts, reminders, and calendars with other iCloud users without the need for both of you to use the same iCloud account.  You can authorize both phones to use apps purchased under the same Apple ID without sharing an iCloud account.
    Sharing an iCloud account is a bad idea in general. There is too much opportunity for someone to damage or delete data that will affect both.

  • How do I add a Subnet and vlan with a catalyst 3550 and RV120

    Hello Friends.
    I have a scenario that i'm hoping i can get some help with. I'll be as detailed and descriptive as i can.
    This is for a business with 100 employees nodes and 100 camera nodes all needing IP internet through private addressing and public gateway.
    I have a business class gateway with a private range of 12 public addresses. The modem does nothing but act as a gateway since I have disabled the firewall and DHCP.
    In place of the firewall and DHCP from the modem I have installed a RV120 Firewall with VPN. When installing I replicated the IP scheme of the modem so as not to disturb and disrupt the devices assigned addresses from that scheme from the modem. I did this because the owner could not have any down time or any disruption to the business operations.
    The RV120 now acts as firewall, DHCP, and VPN. I'll address the subnet first. It's using 10.0.0.0/24 subnet range.
    DHCP is assigning 10.1.10.50 - 10.1.10.100 the rest are static and i plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
    There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
    VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.
    There are no layer 3 switches that I know of. Just a layer two that is the primary switch and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
    I want to implement subnets into the network and VLANS as well on a new Layer 3 switch from Cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
    I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
    I want to replace the 10.0.0.0/24 DHCP altogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes segmented.
    I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
    I've thought of replacing all the wireless nodes with RV120's and use VLAN. Don't know if that strategy works. Need to think it through.
    I want the 192.168.0.0/24 IP range to communicate with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
    Any advice on how to do this?
    As a side note the next step after this is to install a server domain controller as all the computers are all stand alones in their own workgroups. It's a simultaneous project that will introduce a DHCP, WINS, DNS server.

    Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs enhanced multilayer image. It may be more prudent to use a more current switch such as small business SG300 or SG500 as the feature set is more rich and it supports around 480 LAN connections.
    To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
    With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLANs will pass without issue. For a port connecting a user "switchport mode access" "native vlan xx" This will assign the port as an untagged member of the desired VLAN.
    If using a small business switch, it is slightly different, you still create the VLAN but the command issue is a bit different  "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access client it remains the same as Catalyst.

  • Logical network to physical network mapping (subnets and VLANS) in SCVMM 2012 R2

    In much of the blogs, documentation and literature on VMM, there are examples of deploying multiple logical networks onto one physical network i.e. Cluster (logical) + Storage (logical) + Backup (logical) + Live Migration (logical) + Management
    (logical) on top of Datacenter (physical).
    Does this mean it would be possible to have one (physical) flat VLAN-less network with one subnet and then have all those logical networks (with subnets and VLANs) on top of it? Even with a simple unmanaged L2 switch that doesn't support VLANs itself?
    If not, just how do you map multiple logical networks to just one physical network? How does that work in practice? Is a L3 switch needed to route traffic between logical networks for example?

    Hi. VMM Networking may be overwhelmed for the most, at first. But you really need to understand the modeling here and how things are related to each other. Especially if using NIC teaming in WS 2012 (and R2) together with this mix.
    I suggest that you read the following whitepaper where we explain how to setup networking in VMM (also to support network virtualization, but that is absolutely not mandatory): http://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
    -kn
    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

  • WLC2112 with Guest / Web-Auth and vlan

    Hi
    I'm trying to configure my WLC with guest SSID and vlan 10.
    The security is only set to Web-auth, and it is all working if the guest network is set to native vlan (1) But it seems that the http(s)://1.1.1.1/login.html is not reachable from the guest SSID/VLAN??
    Please help.
    Management IP Address 192.168.14.252
    Software Version 6.0.182.0
    Emergency Image Version
    I have tried with ver. 5.2 also -

    I think that 1.1.1.1 is only reachable from a wireless client during webauth. They should not be able to reach that address once they have passed through the web auth page.
    Don't know if that helps, or not.

  • Help with wireless controller and VLANs

    Hi I'm trying to setup a wireless controller in preparation for a large site go live later this year. I'm struggling to get the controller and the WLAN using the correct VLAN. I want the controller on VLAN 100 and the clients on the WLAN on VLAN 200.                 
    My thought is that I would need a config similar to:
    Switchport for wireless controller management port set to trunk VLAN 100 and 200 with no native VLAN set.
    The management interface on the controller set to VLAN 100.
    A dynamic interface created on VLAN 200.
    When setup like this I can get to the controller on its management address but only from VLAN100 not from another VLAN on site or from other sites over the WAN.
    I have setup a WLAN which is set to use the dynamic interface on VLAN 200.
    I have set the AP to use HREAP and set the native VLAN as 200 and added the dynamic interface into the VLAN mappings
    When I connect a client to the WLAN I get an address on VLAN 100.
    The switchport for the AP is set to native VLAN 100 and trunk 200 – this setup works for standalone APs at other sites.
    What am I missing?
    Also any idea why the management interface address is not routing? The netmask and gateway are set correctly.
    Thanks
    Paul

    Just to add to Steve's post... You only need to create a dynamic interface for vlan 200 if you have ap's also in local mode.  If your ap's are in H-REAP/FlexConnect mode, you don't need a dynamic interface for vlan 200.
    In your H-REAP/FlexConnect ap, you would set the wlan to vlan mapping there and the switchport configuration would be a trunk allowing vlan 100 (I'm assuming your native vlan for your ap) and vlan 200.  You should see something like the following:
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • VRF configuration on subinterface and VLAN subinterface

    Hi
    Can I configure VRFs on subinterface (physical and VLAN) basis in a normal BGP/MPLS VPN configuration.
    Thanks
    VK

    Hi Sultan,
    You are very welcome, I'd be more than glad to help you out with your confusion. Below is the output of one of my lab PEs, and moreover I have in production customers running with this setup. I've never faced the issue you are describing; if you can regenerate the test you are describing we can elaborate on it:
    interface FastEthernet0/0
    no ip address
    interface FastEthernet0/0.1
    encapsulation dot1Q 101
    ip vrf forwarding a
    ip address 101.101.101.1 255.255.255.252
    interface FastEthernet0/0.2
    encapsulation dot1Q 202
    ip vrf forwarding b
    ip address 202.202.202.1 255.255.255.252
    This is a 7200VXR (NPE-300) running "c7200-p-mz.122-25.S14.bin".
    BR,
    Mohammed Mahmoud.

  • IPMP and VLANs

    I would like to have two NICs in IPMP configuration and public connections tagged with VLANs.
    I know the naming convention when one VLAN tag assigned to the physical NIC but I do not quite understand how to add multiple VLAN tags to one NIC and VLAN tags to pseudo interfaces.
    Here is the configuration I have:
    /etc/hostname.e1000g8
    netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-6 netmask + broadcast + failover up
    /etc/hostname.e1000g9
    netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-7 netmask + broadcast + failover up
    netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-12 netmask + broadcast + failover up
    netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-13 netmask + broadcast + failover up
    netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-14 netmask + broadcast + failover up
    ... and here how it looks like once configured:
    e1000g8: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 13
    inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
    groupname ipmpgroup4
    ether 0:50:56:23:29:c8
    e1000g8:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 13
    inet 10.10.1.116 netmask ff000000 broadcast 10.255.255.255
    e1000g9: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 14
    inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
    groupname ipmpgroup4
    ether 0:50:56:24:f:2e
    e1000g9:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
    inet 10.10.1.117 netmask ff000000 broadcast 10.255.255.255
    e1000g9:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
    inet 10.10.1.118 netmask ff000000 broadcast 10.255.255.255
    e1000g9:3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
    inet 10.10.1.119 netmask ff000000 broadcast 10.255.255.255
    e1000g9:4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
    inet 10.10.1.120 netmask ff000000 broadcast 10.255.255.255
    Regards
    Leonid

    Is anybody familiar with setting up multiple VLAN tags on network interfaces in Solaris 10?
    Regards
    Leonid

  • AP541N cluster and VLAN

    Hi.
    Simple but not obvious question.
    I've added separated wifi for guest with VLAN ID 300. Now I have 2 more access points. They are in cluster but only one is connected to smart switch SLM2008.
    Should I need to connect all of them to smart switch? I do not understand how cluster and VLAN work.

    Hello Tomasz,
    Yes. I guess you need to connect all APs to the switch (same bridged network). Clustering only makes all your AP act as one single entity ( you don't have to connect to the second AP In a cluster separately. Same wireless configuration will do).
    Refer Clustering section under the below manual for further details:
    http://www.cisco.com/en/US/docs/wireless/access_point/csbap/AP541N/administration/guide/AP541Nadmin.pdf#page139
    Hope this helps,
    Vijay
    Please rate useful posts.
    Sent from Cisco Technical Support iPad App

  • Difference between bridge-group and VLAN

    Hi all,
    I don't understand very well the difference between bridge-group and VLAN...
    Could someone explain me or give me a site which could help me?
    Thx U by advance!

    Khay
    bridge-group is used on a router to enable bridging on an interface. In terms of functionality a bridge-group is very similar to a VLAN. For example if you create bridge-group 1 and assign it to interfaces FastEthernet 1/0 and 2/0 and you create bridge-group 2 and assign it to interfaces FastEthernet 1/1 and 2/1 it is like creating 2 VLANs. Devices in bridge-group 1 (interfaces 1/0 and 2/0) can communicate with each other but not with devices in bridge-group 2 (interfaces 1/1 and 2/1).
    HTH
    Rick

  • Aironet 1252 doesn't broadcast SSID and VLANs

    Best regards.
    I have an autonomous AP Aironet 1252 (software version: 12.4(18a)JA1)
    I configured 3 SSIDs and VLANs, but the AP doesn't broadcast the SSIDs. The VLANs are working fine because I tested by manually configuring the hidden SSIDs on laptops.
    Also the AP broadcasts the SSID when only one SSID is configured!!!
    How can I get the AP to broadcast all SSIDs?
    Thanks in advance.

    From the command line of your AP.
    Change each SSID as follows.  You want to turn off "guest-mode" and enable "mbssid" at each SSID.  Guest-mode will only broadcast one SSID, you must use mbssid  to allow all SSIDs to broadcast.
    #config t
    #dot11 ssid
    #no guest-mode
    #mbssid
    Now from each radio
    #int d0
    #mbssid
    #int d1
    #mbssid

  • 3750-x and vlan dot1q tag native command

    Hello,
    I have a 3750-X stack with the following HW & SW revisions:
    Cisco-3750-x-stack>show version
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9NPE-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Wed 26-Jun-13 01:47 by prod_rel_team
    ROM: Bootstrap program is C3750E boot loader
    BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
    Cisco-3750-x-stack uptime is 1 day, 6 hours, 56 minutes
    System returned to ROM by power-on
    System restarted at 20:27:32 UTC Tue Mar 29 2011
    System image file is "flash:/c3750e-universalk9npe-mz.150-2.SE4/c3750e-universalk9npe-mz.150-2.SE4.bin"
    License Level: lanbase
    License Type: Permanent
    Next reload license Level: lanbase
    cisco WS-C3750X-48P (PowerPC405) processor (revision A0) with 262144K bytes of memory.
    Processor board ID FDO1524K1J2
    Last reset from power-on
    2 Virtual Ethernet interfaces
    1 FastEthernet interface
    104 Gigabit Ethernet interfaces
    4 Ten Gigabit Ethernet interfaces
    The password-recovery mechanism is enabled.
    512K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address       :
    Motherboard assembly number     : 73-12553-05
    Motherboard serial number       : 
    Model revision number           : A0
    Motherboard revision number     : C0
    Model number                    : WS-C3750X-48P-L
    Daughterboard assembly number   : 800-32727-01
    Daughterboard serial number     : 
    System serial number            : 
    Top Assembly Part Number        : 800-31324-02
    Top Assembly Revision Number    : C0
    Version ID                      : V02
    CLEI Code Number                : 
    Hardware Board Revision Number  : 0x03
    Switch Ports Model              SW Version            SW Image
    *    1 54    WS-C3750X-48P      15.0(2)SE4            C3750E-UNIVERSALK9NPE-M
         2 54    WS-C3750X-48P      15.0(2)SE4            C3750E-UNIVERSALK9NPE-M
    Switch 02
    Switch Uptime                   : 1 day, 6 hours, 56 minutes
    Base ethernet MAC Address       : 
    Motherboard assembly number     : 73-12553-06
    Motherboard serial number       : 
    Model revision number           : A0
    Motherboard revision number     : A0
    Model number                    : WS-C3750X-48P-L
    Daughterboard assembly number   : 800-32727-03
    Daughterboard serial number     : 
    System serial number            : 
    Top assembly part number        : 800-31324-03
    Top assembly revision number    : B0
    Version ID                      : V03
    CLEI Code Number                : 
    License Level                   : lanbase
    License Type                    : Permanent
    Next reboot licensing Level     : lanbase
    Configuration register is 0xF
    I am trying to setup native vlan tagging using the command "vlan dot1q tag native".   I am entering this when I am in privileged exec mode, and then config mode.   When enter vlan ? it does not show dot1q as an option.   Any thoughts on what I might be missing?   What I am trying to achieve is all ingress untagged traffic (from my Meru controller) will be tagged with VLAN tag 101 as it progresses through my network, and any tagged traffic on vlan 101 which is destined for the port where my Meru controller is located will be delivered to the Meru controller untagged.   I can set this up in this manner on a SG300 Cisco switch, and I believe this is what "vlan dot1q tag native" will achieve if I am understanding correctly.
    I welcome suggestions on both why the "vlan dot1q tag native" won't work, and on what I am trying to accomplish.
    Thx
    Bryan

    Hi Aaron,
    Thank you for the quick reply.  
    The Meru controller uses untagged traffic to talk between the controller and the APs.   It also uses tagged traffic to talk between the controller and the VLANs which I have associated with each of the SSIDs.   I am trying to find a way to do what is normally done with an access port, but do that with an LACP group (802.1Q trunk).   Where the untagged traffic entering the network from the controller gets tagged as VLAN 101 as it transits the network, and then traffic which is delivered to that 802.1Q trunk on VLAN 101 has the tag removed, but all other traffic entering that port will be appropriately tagged, and the tagged traffic along with the tags will egress from that port to the Meru controller.    I have done this before on a Cisco SG300 switch, but not on the 3750-X core in my home.   If I can't make this work I can front end the Meru controller with an SG300 but now I will be introducing another potential point of failure.
    Also, do you have any idea why the "vlan dot1q tag native" would not be accepted by the IOS version on this switch stack?
    Thx
    Bryan

  • 3005 address pools and vlan

    I have two questions:
    1.Can a 3005 concentrator with a Private interface on a 10.10.10.0/24 subnet provide a pool of addresses to clients that are on a 10.10.50.0/24 subnet?
    I tried this and could not communicate with anything. I received an address, but could not ping anything on the remote network.
    All needed routes were in the concentrator.
    2. If a concentrator is providing addresses from a pool (all on the same subnet, concentrator private and clients),and I wanted to VLAN the subnet,
    Is all that is needed to make sure the concentrator Private interface is in the VLAN?

    1. Yes, you can achieve this as long as Private interface knows how to reach the 10.10.50.0/24 subnet, i.e route is known/available via router/L3 switch.
    Make sure you allow icmp on the filter on the Public interface.
    2. You can either put the Private interface to/under that Vlan, or you have a L3 device (router/L3 switch) that enable inter-vlan routing.
    HTH. Pls rate all useful post(s).
    AK
