Omada SDN with Non-Omada L2 Switch

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-10-30 15:06:25
Tags: #VLAN & Multi-Networks #Switch ACL
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.2.2

I would like to segment my network such that devices plugged into an L2 switch that are on separate VLANs are unable to communicate.

 

Network Topology

Software Controller

Router ER605 v1.0

AP: EAP610 v1.0

Switch: TL-SG1024DE

 

I have not been able to get Switch ACLs working, so I have set up a Test VLAN specifically to try to segment the network. It is configured as follows:

TL-SG1024DE VLAN 110

Tagged Ports: 1

Untagged Ports: 2

Port 2 PVID: 110

 

TL-SG1024DE port 1 is plugged into port 2 of the ER605

EAP610 is plugged into port 3 of the ER605

 

Test VLAN

Purpose: Interface

LAN Interfaces: All checked

VLAN: 110

Gateway/Subnet: 192.168.110.1/24

DHCP Server: Checked

DHCP Range: 192.168.110.1-192.168.110.254

DNS Server: Auto

Lease Time: 120

Default Gateway: Auto

 

Switch ACL

Status: Enable

Policy: Deny

Protocols: All

Ethertype: Unchecked

Rule:

Source Type: Network = Test

Destination Type: Network = LAN

Binding Type: Ports

Ports: All Ports

 

EAP ACL

Status: Enable

Policy: Deny

Protocols: All

Rule:

Source Type: Network = Test

Destination Type: Network = LAN

 

I have a Test SSID that is set to be part of the Test (110) VLAN and not set as a guest. I have a Raspberry Pi I have plugged into port 2 of the TL-SG1024DE. Nothing seems to stop me from being able to ping a computer on the LAN network. If I disconnect the ethernet from the Raspberry Pi and connect to the Test SSID, everything works as expected. I am not able to connect to devices on the LAN network. In both cases, I get an IP address in the 110 subnet as expected.

 

I would like to be able to segment traffic between ports on the switch. For example, I would like port 2 to not be able to ping a device on port 3. Is this some sort of limitation where traffic is not routed through the ER605 for devices connected to the switch, or am I missing something in the ACL that is keeping this from working as desired?

 

This post seems related and indicates my suspicion that it is related to my non-Omada switch:
https://community.tp-link.com/en/business/forum/topic/275432

 

This post seems to indicate it might be possible, but it isn't clear if the non-Omada switch is part of the equation for the ACLs

https://community.tp-link.com/en/business/forum/topic/578150

#1
Re:Omada SDN with Non-Omada L2 Switch
2022-10-31 12:41:31

  @FakeApple 

 

It seems that you are doing the settings via the Omada Controller. However, the TL-SG1024DE is not an Omada switch and cannot apply settings from the controller.

 

You can try Gateway ACL.

 

Another solution is to replace the switch with an Omada switch like the TL-SG2008.

#2
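The reply above makes one point that the original configuration obscures: each Omada ACL type is pushed to, and enforced by, one class of device. Switch ACLs go to Omada switches, EAP ACLs to Omada APs, Gateway ACLs to the Omada gateway, and an unmanaged switch such as the TL-SG1024DE receives nothing from the controller. The following script is an added example, not code from the thread or from TP-Link; it models the thread's topology and reports which device on the data path actually applies a given deny rule. The host placements (the LAN PC on an ER605 LAN port), the device-to-ACL mapping, and the assumption that a Gateway ACL only sees traffic the ER605 routes between VLANs are all assumptions built from the posts, not verified device behaviour.

```python
"""Where each Omada ACL type is enforced in the thread's topology.

Added example, not code from the original post or from TP-Link. It models the
rule given in the reply: Switch ACLs are pushed to Omada switches, EAP ACLs to
Omada APs and Gateway ACLs to the Omada gateway, so an unmanaged switch such as
the TL-SG1024DE enforces none of them. Hosts, port assignments and the rule
that Gateway ACLs only see routed (inter-VLAN) traffic are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Device:
    name: str
    enforces: FrozenSet[str]  # ACL kinds the controller can push to this device


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    attached_to: Device


@dataclass(frozen=True)
class Acl:
    kind: str      # "switch", "eap" or "gateway"
    src_vlan: int  # Omada "Source Type: Network"
    dst_vlan: int  # Omada "Destination Type: Network"


# Devices from the thread (which ACL kinds each role enforces is the point).
ER605 = Device("ER605", frozenset({"gateway"}))
EAP610 = Device("EAP610", frozenset({"eap"}))
SG1024DE = Device("TL-SG1024DE", frozenset())        # unmanaged: nothing from the controller
SG2008 = Device("TL-SG2008", frozenset({"switch"}))  # Omada switch suggested in the reply

LAN, TEST = 1, 110  # VLAN ids: default LAN and the poster's Test VLAN


def path(src: Host, dst: Host, gateway: Device = ER605) -> List[Device]:
    """Devices a frame traverses from src to dst.

    Same VLAN on the same access device: switched locally, the gateway never
    sees it. Otherwise the frame goes via the gateway, which routes it into the
    destination VLAN (or just switches it on if the VLAN is the same).
    """
    if src.vlan == dst.vlan and src.attached_to == dst.attached_to:
        return [src.attached_to]
    hops: List[Device] = []
    for dev in (src.attached_to, gateway, dst.attached_to):
        if not hops or hops[-1] != dev:  # collapses a host plugged into the ER605 itself
            hops.append(dev)
    return hops


def enforced_by(acl: Acl, src: Host, dst: Host) -> List[str]:
    """Names of the devices on the path that will actually apply `acl`.

    An empty list means the deny rule is configured but nothing in the data path
    checks it, which is what the poster saw with the Switch ACL on the Pi.
    """
    if (acl.src_vlan, acl.dst_vlan) != (src.vlan, dst.vlan):
        return []
    hits: List[str] = []
    for dev in path(src, dst):
        if acl.kind not in dev.enforces:
            continue
        # Modelling assumption: a Gateway ACL is evaluated when the ER605
        # routes between networks, so same-VLAN traffic bypasses it.
        if acl.kind == "gateway" and src.vlan == dst.vlan:
            continue
        hits.append(dev.name)
    return hits


def thread_scenarios() -> dict:
    """The poster's two tests plus the two fixes the reply offers."""
    pi = Host("raspberry-pi", TEST, SG1024DE)     # SG1024DE port 2, PVID 110
    phone = Host("wifi-client", TEST, EAP610)     # Test SSID on VLAN 110
    pc = Host("lan-pc", LAN, ER605)               # assumed: on an ER605 LAN port
    pi_on_omada = Host("raspberry-pi", TEST, SG2008)

    switch_acl = Acl("switch", TEST, LAN)
    eap_acl = Acl("eap", TEST, LAN)
    gateway_acl = Acl("gateway", TEST, LAN)
    return {
        "pi->pc, switch ACL on unmanaged switch": enforced_by(switch_acl, pi, pc),
        "wifi->pc, EAP ACL": enforced_by(eap_acl, phone, pc),
        "pi->pc, gateway ACL": enforced_by(gateway_acl, pi, pc),
        "pi->pc, switch ACL after swapping in TL-SG2008": enforced_by(switch_acl, pi_on_omada, pc),
    }


if __name__ == "__main__":
    for label, devices in thread_scenarios().items():
        state = "enforced by " + ", ".join(devices) if devices else "NOT enforced"
        print(f"{label}: {state}")
```

Running it shows the poster's result (the Switch ACL is enforced by nothing between the Pi and the LAN PC, while the EAP ACL is enforced by the EAP610) and the two fixes from the reply: the Gateway ACL is applied by the ER605 because the Pi's traffic is routed out of VLAN 110, and an Omada switch in place of the TL-SG1024DE would apply the Switch ACL at the access port. The same model also makes the remaining limit visible: two hosts in the same VLAN on the unmanaged switch never reach any enforcement point at all, so port-to-port isolation inside one VLAN needs an Omada switch regardless of the gateway.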
Re:Omada SDN with Non-Omada L2 Switch
2022-11-01 00:56:01

  @Somnus 

This context was helpful. I was assuming that the Switch ACL included the switch in the ER605, but now I understand that the three different ACL groups are applied to the different Omada components. It seems that I will either need a different router/gateway or a different switch.

#4