VLAN Setup / connection

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2020-05-26 21:31:17
Model: TL-SG108PE  
Hardware Version: V2
Firmware Version: 1.0.1 Build 20191204 Rel.71847

Hello,

 

I have a scenario where I need 2 different networks to communicate as follows:

 

VLAN-30= Internet

VLAN-10= Network 01

VLAN-20= Network 02

 

  1. VLAN-10/20 to communicate to VLAN-30 (Internet)
  2. VLAN-20 to communicate to VLAN-10/30

 

The customer on VLAN 20 wants to be able to ping and access an IP (Access Control System) on VLAN 10, but the customer does not want VLAN 10 to be able to get into VLAN 20.

 

Network setup I have been provided

VLAN-10

10.31.127.100

255.255.255.0

10.31.127.1

 

VLAN-20

192.168.31.253

255.255.224.0

192.168.0.1

 

What I have done so far:

  • Enabled 802.1Q VLAN
  • Created VLAN 10 w/ Untagged port(s) 01
  • Created VLAN 20 w/ Untagged port(s) 01/08
  • I went into 802.1Q PVID setting and set port 1 to VLAN 10
  • I went into 802.1Q PVID setting and set port 8 to VLAN 20

 

From this point I do not know how to test or verify that I have done any of this correctly. Any assistance is greatly appreciated.

#1
Re:VLAN Setup / connection
2020-05-26 23:07:13 - last edited 2020-05-26 23:30:47

 

Reign wrote

The customer on VLAN 20 wants to be able to ping and access an IP (Access Control System) on VLAN 10, but the customer does not want VLAN 10 to be able to get into VLAN 20.

 

The TL-SG108PE does not support Inter-VLAN routing. You need to do this on a router.

 

Also, it's best to use a stateful firewall to specify Inter-VLAN / Internet access control, since it lets you define rules much more easily compared to switch ACLs.

  • A stateful firewall lets you accept a request to a certain service and will automatically accept answers from this service.
  • With ACLs you have to describe data flow (that means not only for requests, but also for replies to those requests) to achieve the same.

What you want to set up is a one-armed router (aka router on a stick):

 

  • The router already has a WAN network (Internet), thus it is not needed to feed its traffic down to the switch layer.
  • The router defines two LAN networks LAN1=10.31.127.0/24 and LAN2=192.168.0.0/19, they are assigned to VLAN 20 and 30.
  • The router has two IPs, one inside LAN1 and one inside LAN2.
  • The DHCP server running on the router manages two IP pools, one for each network LAN1 and LAN2.
  • The router's firewall controls forwarding between all three networks (to WAN/Internet or from/to VLAN).
  • Use a trunk from the router to the TL-SG108PE; both ports – of the router and the switch – need to be members of all VLANs (20, 30). This means that the router must output tagged frames already. Here starts your VLAN!
  • The TL-SG108PE has one IP, e.g. from LAN1.
  • Access ports are either in VLAN 20 or in VLAN 30, but never in both VLANs. PVID must equal VLAN ID.
  • Only the trunk to the router is a member of both VLANs 20 and 30.
  • This uses TL-SG108PE and its VLAN capabilities to isolate both networks and to save two switches, two routers and double costs for cables between them.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#2
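Added example, not part of the reply above and not TP-Link code: a Python check that applies the access-port and trunk rules from that list to a port table. `QUESTION_CONFIG` is a constructed table mirroring the ports listed in the question; `EXAMPLE_CONFIG`, its trunk on port 2, and the function name are hypothetical.

```python
# Constructed table mirroring the question: VLAN 10 untagged on port 1,
# VLAN 20 untagged on ports 1 and 8, PVID 10 on port 1 and 20 on port 8.
QUESTION_CONFIG = {
    "vlans": {10: {"untagged": {1}, "tagged": set()},
              20: {"untagged": {1, 8}, "tagged": set()}},
    "pvid": {1: 10, 8: 20},
}
# Hypothetical layout following the reply's rules; port 2 is an assumed trunk.
EXAMPLE_CONFIG = {
    "vlans": {10: {"untagged": {1}, "tagged": {2}},
              20: {"untagged": {8}, "tagged": {2}}},
    "pvid": {1: 10, 8: 20},
}

def check_ports(config, trunk_ports=frozenset()):
    """Return (port, problem) tuples for ports that break the rules above."""
    vlans, findings = config["vlans"], []
    ports = set(config["pvid"])
    for members in vlans.values():
        ports |= members["untagged"] | members["tagged"]
    for port in sorted(ports):
        untagged = sorted(v for v, m in vlans.items() if port in m["untagged"])
        tagged = sorted(v for v, m in vlans.items() if port in m["tagged"])
        if port in trunk_ports:
            # The trunk to the router must carry every VLAN as tagged frames.
            missing = sorted(set(vlans) - set(tagged))
            if missing:
                findings.append((port, f"trunk is not tagged in VLANs {missing}"))
            continue
        if tagged:
            findings.append((port, f"access port is tagged in VLANs {tagged}"))
        if len(untagged) != 1:
            # An access port belongs to exactly one VLAN.
            findings.append((port, f"access port untagged in VLANs {untagged}"))
        elif config["pvid"].get(port) != untagged[0]:
            # Untagged ingress frames are classified by PVID, so it must match.
            findings.append((port, f"PVID {config['pvid'].get(port)} != VLAN {untagged[0]}"))
    return findings

if __name__ == "__main__":
    for name, cfg, trunks in (("question", QUESTION_CONFIG, set()),
                              ("example", EXAMPLE_CONFIG, {2})):
        print(name, check_ports(cfg, trunks) or "ok")
```

Run against the question's table, the check reports port 1 because it is untagged in both VLAN 10 and VLAN 20.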
Re:VLAN Setup / connection
2020-05-26 23:14:45

@R1D2 So the small managed switch I have realistically only takes care of the VLAN allocation, so to accomplish what my customer is looking for they (I) would need to get a router as well?

#3
Re:VLAN Setup / connection
2020-05-26 23:25:42

 

Reign wrote

So the small managed switch I have realistically only takes care of the VLAN allocation, so to accomplish what my customer is looking for they (I) would need to get a router as well?

 

TL-SG108PE is an entry-level Easy Smart Switch for users starting with VLANs. It's not a Managed Switch. These are Managed Switches.

 

Inter-VLAN routing and ACLs are even supported by upper-class Smart Switches, but only Managed Switches include e.g. a DHCP server.

 

If you want to do Access Control really the hard way, I recommend using a fat Managed Switch. If you want to get it done in no time, use a one-armed router.

 

But for Internet access you will need a router somewhere anyhow.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#4
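Added example, not part of the replies above: a small Python model of the stateful firewall versus stateless ACL comparison made in the replies, applied to the one-way access asked for in the question. The subnets are the LAN1/LAN2 networks from the earlier reply and the host addresses come from the question; their roles, TCP port 443, and all class and function names are assumptions.

```python
import ipaddress

# Subnets from the reply; host addresses from the question (roles assumed).
LAN1 = ipaddress.ip_network("10.31.127.0/24")   # holds the access control system
LAN2 = ipaddress.ip_network("192.168.0.0/19")   # customer network
ACS, CLIENT = "10.31.127.100", "192.168.31.253"

def zone(ip):
    addr = ipaddress.ip_address(ip)
    return "LAN1" if addr in LAN1 else "LAN2" if addr in LAN2 else "WAN"

# Zone pairs allowed to OPEN a connection; everything else is dropped.
ALLOW_NEW = {("LAN1", "WAN"), ("LAN2", "WAN"), ("LAN2", "LAN1")}

class StatefulFirewall:
    """Hypothetical model of a router firewall with connection tracking."""
    def __init__(self):
        self.flows = set()

    def forward(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.flows:
            return True                      # reply to a tracked flow
        if (zone(src), zone(dst)) in ALLOW_NEW:
            self.flows.add((src, sport, dst, dport))
            return True                      # new flow, remembered for replies
        return False

def acl_forward(rules, src, sport, dst, dport):
    """Stateless first-match ACL: (src_zone, dst_zone, sport, dport), None = any."""
    for s_zone, d_zone, r_sport, r_dport in rules:
        if ((s_zone, d_zone) == (zone(src), zone(dst))
                and r_sport in (None, sport) and r_dport in (None, dport)):
            return True
    return False                             # implicit deny

REQUEST_ONLY = [("LAN2", "LAN1", None, 443)]
# The ACL needs a second rule for replies; it matches on header fields only.
WITH_REPLY = REQUEST_ONLY + [("LAN1", "LAN2", 443, None)]

def demo():
    fw = StatefulFirewall()
    return {
        "stateful request": fw.forward(CLIENT, 50000, ACS, 443),
        "stateful reply": fw.forward(ACS, 443, CLIENT, 50000),
        "stateful LAN1-initiated": fw.forward(ACS, 50001, CLIENT, 443),
        "acl reply, request rule only": acl_forward(REQUEST_ONLY, ACS, 443, CLIENT, 50000),
        "acl reply, reply rule added": acl_forward(WITH_REPLY, ACS, 443, CLIENT, 50000),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'forward' if allowed else 'drop'}")
```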
Re:VLAN Setup / connection
2020-05-26 23:34:13

@R1D2 Dang it, then I am in over my head on this one, I don't have the skillset for managed switches. I thought this one was a managed.

 

Thanks for the link to the managed switches.

 

So let me ask you this so I can think somewhat positive, the smart switch I am working with, what is the point of it? I know it handles VLANs, tagged and untagged. But I can find an explanation for dummies lol. All other links I have been to explain it in terms I am not yet familiar with.

 

If you know of any useful links that I may read or watch, I'm all open. 

#5
Re:VLAN Setup / connection
2020-05-27 10:31:27

 

Reign wrote

So let me ask you this so I can think somewhat positive, the smart switch I am working with, what is the point of it?

 

The Easy Smart Switches are for users who want a VLAN-aware switch with some other features such as IGMP snooping, bandwidth control and a few others, but don't need the full functionality a managed switch offers.

 

For VLAN basics, see https://www.inteltech.com/blog/how-do-vlans-work/ or other tutorials on the web.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#6