Need help understanding Easy Smart Switch 802.1q config.
Easy Smart Switch Configuration Utility Ver. 1.0.4.3
Easy Smart Switch TL-SG1024DE 3.0 with Firmware 1.0.1 Build 20170530 Rel 39402
The "802.1q VLAN" page allows creating associations between VLANs and ports. The ports can either be marked as Tagged, Untagged, or neither (meaning "non-member" port). I have assumed these to be "Egress Rules" which apply to packets being transmitted.
My understanding of "Egress Rules": A port marked as Tagged will pass packets containing the VLID and INCLUDE that VLID unaltered in packets transmitted on the port. A port marked as Untagged will pass packets containing the VLID but will REMOVE the VLID from transmitted packets transmitted on the port (packets are transmitted without a VLID).
The "802.1q PVID Setting" page allows setting a PVID for each port. I have assumed this is the "Ingress Rule" for the port.
This is my understanding of "Ingress Rules". Any untagged packet received by the port will be tagged with the assigned VLID.
Based upon my experiments trying pings between nodes on ports using various egress and ingress rules, my assumptions and understandings do not seem to be the case.
Can someone please explain how the tagged/untagged port associations work and what purpose does the PVID assignment serve?
Thank you!
tx350z wrote
The "802.1q VLAN" page allows creating associations between VLANs and ports. The ports can either be marked as Tagged, Untagged, or neither (meaning "non-member" port). I have assumed these to be "Egress Rules" which apply to packets being transmitted.
Strictly speaking, they apply to ingress and egress traffic. If a tagged frame arrives on a tagged port, the tag is unaltered and if the port is a member of this VLAN, it is being forwarded, else it is dropped.
If an untagged frame arrives on a tagged port, the PVID is added to the frame and handled like a tagged frame (see above).
My understanding of "Egress Rules": A port marked as Tagged will pass packets containing the VLID and INCLUDE that VLID unaltered in packets transmitted on the port. A port marked as Untagged will pass packets containing the VLID but will REMOVE the VLID from transmitted packets transmitted on the port (packets are transmitted without a VLID).
Correct.
The "802.1q PVID Setting" page allows setting a PVID for each port. I have assumed this is the "Ingress Rule" for the port.
That's correct for so-called "access" ports (member of exactly one VLAN) only. On so-called "trunk" ports (member of several VLANs), a tagged frame will keep its tag if it is not equal to the primary VLAN ID (PVID). If it equals the PVID, the tag gets removed from the frame on egress on most switches, but there are also other switches on the market (even some older TP-Link ones), which keep the tag on egress. On more expensive switches such as the T series you can choose either way and probably on TL-SG108E you could do so by assigning the trunk port to the native VLAN as untagged, but I have not tested this (yet).
That's why it is important to upgrade the Easy Smart Switches to the latest firmware: after one year of feature requests R&D could be convinced to let users remove ports from the Default-VLAN.
This is my understanding of "Ingress Rules". Any untagged packet received by the port will be tagged with the assigned VLID.
Yes and no. The 802.1Q standard defines a native VLAN, which must be able to handle untagged frames: If untagged frames arrive on a trunk port, they must be tagged with the native VLAN ID. Whenever such (originally untagged) frames leave the switch on any other port (which can only be an access port assigned to this native VLAN or a trunk port), the tag must be removed.
That almost certainly was the reason for TP-Link to always keep all ports in the Default_VLAN aka native VLAN. But since this caused many troubles with existing network topologies, they changed it in the way that ports now may be removed from the Default_VLAN, which perfectly makes sense.
Based upon my experiments trying pings between nodes on ports using various egress and ingress rules, my assumptions and understandings do not seem to be the case.
Update the firmware of TL-SG108E or else you will go crazy. I did so and hardly recovered from this. :D
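A small Python model of the rules R1D2 describes above (PVID applied to untagged ingress, membership check on tagged ingress, tagged or untagged egress per VLAN), added here as an example and not part of any post or of TP-Link's firmware. The four-port layout is constructed, frames are treated as flooded to every member port (no MAC learning), and the `audit` check for untagged memberships outside the PVID is an added assumption about what is worth flagging when VLANs are used for separation.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int
    tagged: set = field(default_factory=set)    # VLANs sent with the 802.1Q tag kept
    untagged: set = field(default_factory=set)  # VLANs sent with the tag removed

    def members(self):
        return self.tagged | self.untagged

def ingress(port, frame_vid):
    """Classify a received frame; frame_vid is None for an untagged frame."""
    if frame_vid is None:
        return port.pvid                          # untagged: PVID is applied
    # tagged: forwarded only if the port is a member of that VLAN, else dropped
    return frame_vid if frame_vid in port.members() else None

def egress(port, vid):
    if vid in port.tagged:
        return "tagged"
    if vid in port.untagged:
        return "untagged"
    return None                                   # non-member: frame is not sent

def forward(ports, in_port, frame_vid):
    """Map of output port -> how the frame leaves it (flooding model)."""
    vid = ingress(ports[in_port], frame_vid)
    if vid is None:
        return {}
    out = {n: egress(p, vid) for n, p in ports.items() if n != in_port}
    return {n: mode for n, mode in out.items() if mode}

def audit(ports):
    """Flag settings that let traffic cross between VLANs in one direction."""
    findings = []
    for n, p in sorted(ports.items()):
        if p.pvid not in p.members():
            findings.append((n, f"PVID {p.pvid} is not a member VLAN"))
        for vid in sorted(p.untagged - {p.pvid}):
            findings.append((n, f"untagged member of VLAN {vid} but PVID is {p.pvid}"))
    return findings

# Constructed layout: port 1 trunk, ports 2 and 3 access, port 4 access that
# was never removed from the Default_VLAN (VLAN 1).
PORTS = {
    1: Port(pvid=1, tagged={5, 6}, untagged={1}),
    2: Port(pvid=5, untagged={5}),
    3: Port(pvid=6, untagged={6}),
    4: Port(pvid=5, untagged={1, 5}),
}
```

In this layout an untagged frame arriving on the trunk (classified into VLAN 1) also leaves on port 4, while anything port 4 sends is classified into VLAN 5; that one-way path is what `audit` reports.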
On so-called "trunk" ports (member of several VLANs), a tagged frame will keep its tag if it is not equal to the primary VLAN ID (PVID). If it equals the PVID, the tag gets removed from the frame on egress on most switches, but there are also other switches on the market (even some older TP-Link ones), which keep the tag on egress. On more expensive switches such as the T series you can choose either way and probably on TL-SG108E you could do so by assigning the trunk port to the native VLAN as untagged, but I have not tested this (yet).
Assuming the latest firmware is installed, how do the TL-SG108E and TL-SG1024DE handle tags equal to the PVID? The option switch you mention in the T series seems like a simple feature and should maybe find its way to the TL series switches?
tx350z wrote
I found my 108E's needed the firmware update. All is good there. However, my TL-SG1024DE's firmware all appear to be up to date (1.0.1 Build 20170530 Rel.39402) and there is no option to remove ports from Default_VLAN. Is there a firmware update coming for the 1024DEs?
Best would be to contact TP-Link support and ask for correction of SG1024DE firmware, too. See Rain's post here: http://forum.tp-link.com/showthread.php?96245-TL-SG-108E-V2-VLAN-1-tagging&p=227797&viewfull=1#post227797
Assuming the latest firmware is installed, how do the TL-SG108E and TL-SG1024DE handle tags equal to the PVID? The option switch you mention in the T series seems like a simple feature and should maybe find its way to the TL series switches?
See also the recent update of my post above: probably you can choose even on TL-SG108E to define the exact behavior (tagged/untagged egress) for Ethernet frames tagged with the native VLAN. I have not tested this, since in my VLAN-only environment there are no untagged frames coming in or going out over trunk ports. A native VLAN is only relevant if you have servers such as some HP models, which communicate certain protocols untagged even on trunk ports, or if a server uses QoS priorities encoded in VLAN frame headers, but does actually not use VLANs.
Also see this FAQ related to the port behavior: http://forum.tp-link.com/showthread.php?103981-(FAQ_Ethernet-Switching)How-Do-I-Decide-the-Link-Type-of-a-Port-When-Configuring-VLANs&p=229035&viewfull=1#post229035
I'm just going to do initial config of new switches with a directly connected workstation. Like you, I will have no untagged packets on trunk ports. The only snag seems to be when 802.1q is enabled on a new switch. Since there are no VLANs defined at that moment, connectivity to the switch is lost if the workstation is not directly connected or its access port is not configured for VLID 1. That's a small issue I can live with.
tx350z wrote
Since there are no VLANs defined at that moment, connectivity to the switch is lost if the workstation is not directly connected or its access port is not configured for VLID 1.
This can be tricky if the switch uses a mgmt VLAN, which is not directly accessible, but only through a trunk port. But the TL-SG108E's web UI can be reached through any VLAN if you use the static IP. So if you have at least one access port (untagged), you always can manage it. Just plug your laptop into an access port and set a static IP on your laptop, too. That's really easy (thus Easy Smart Switch ;)).
Those switches are ideal for small networks and small budgets. I use two of them for my family's home network to separate private, guest and IoT networks from each other. Together with a Linux-based router the VLAN capabilities of the switch are very useful. And bandwidth limits for guest access are helpful, too.
R1D2 wrote
Strictly speaking, they apply to ingress and egress traffic. If a tagged frame arrives on a tagged port, the tag is unaltered and if the port is a member of this VLAN, it is being forwarded, else it is dropped.
If an untagged frame arrives on a tagged port, the PVID is added to the frame and handled like a tagged frame (see above).
I just inherited responsibility for a TL-SG1016DE 2.0 that has the 802.1q configuration pictured here:
Note that every port is tagged for either one or two VLANs (5 and/or 6), and every port is untagged for VLAN 1 and either VLAN 5 or VLAN 6. The PVID table is as follows:
A couple of these ports connect to other tp-link Easy Smart Switches (pending wire-tracing, I predict ports 1 and 12), but others go to directly-connected hosts (not VLAN-aware) and a couple of VLAN-aware WiFi access points. So... can someone talk to me about something like Port 7? It is tagged for VLAN 6 but its PVID is for VLAN 5. What happens to tagged traffic coming in to that port? Does it have to be tagged for VLAN 6? If untagged traffic arrives, I see that it is given a VLAN 5 tag. But what traffic (tagged or untagged) will be allowed out on Port 7? Which frames going out will be tagged ... only VLAN 6 traffic? Does traffic for VLAN 1 and VLAN 5 go out untagged?
Thank you for helping to clarify!