Omada SDN - port isolation with forwarding list
Hi,
I am starting a topic very similar to this one, which was locked without resolution.
I currently operate several TL-SG2428P in standalone mode at a few sites, and would like to manage them by adopting them to an OC200.
At one site, a few ports of the switch are used to handle traffic of an untrusted network (two ports in this example). To mitigate risk, I am utilising the 'Port isolation' feature in combination with the 'Forwarding port list'. This essentially allows me to isolate the two untrusted ports from the rest of the switch, and they are only allowed to talk to each other, as only one port is selected on the 'forwarding port list' for each isolated port.
E.G.
Isolate: Port A, Forwarding Port List: Port B
Isolate: Port B, Forwarding Port List: Port A
I would like to connect all sites & switches to an OC200 (site-to-site VPN means all remote sites can be managed by one OC200) in order to simplify management.
I've adopted a switch as a test, and can see that the 'port isolation' feature operates a little differently than standalone mode; i.e. an isolated port cannot talk to any other isolated port, but can talk to ALL other ports. This is useful in the linked thread scenario, where two client devices should be isolated from each other but should be able to both talk to a NAS for example, however this does not work for my use case.
Definition of port isolation in standalone interface:
"You can configure the port isolation on this page. Port isolation is used to restrict a specific port to sending packets to only the ports in a configured forwarding port list."
Definition of port isolation in OC200 interface:
"With this feature enabled, this port becomes an isolated port and cannot communicate with any other isolated port."
Is there any way to achieve what is currently in place with the switch in standalone mode? I would rather not rely simply on VLANs due to theoretical VLAN hopping attacks.
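To make the difference between the two definitions concrete, here is an added example (not from the original post or from TP-Link) that models both isolation semantics as forwarding decisions and computes which port pairs become reachable, or stop being reachable, after adoption. The port names, the four-port switch and the two policies are constructed for illustration; the model follows the two interface definitions quoted above literally (standalone isolation only restricts what the isolated port may send to).

```python
from itertools import product

# Constructed four-port switch: A and B carry the untrusted network, C and D are trusted.
PORTS = ["A", "B", "C", "D"]


def standalone_allows(src, dst, forwarding_list):
    """Standalone semantics: an isolated port may only send to the ports in its
    configured forwarding port list; ports without an entry are unrestricted."""
    if src == dst:
        return True
    if src in forwarding_list:
        return dst in forwarding_list[src]
    return True


def controller_allows(src, dst, isolated):
    """Controller (OC200) semantics: an isolated port cannot talk to any other
    isolated port, but can talk to every non-isolated port."""
    if src == dst:
        return True
    return not (src in isolated and dst in isolated)


def reachability(allows):
    """Set of (src, dst) pairs the policy lets traffic flow between."""
    return {(s, d) for s, d in product(PORTS, repeat=2) if allows(s, d)}


# The post's standalone config: isolate A -> forward only to B, isolate B -> forward only to A.
STANDALONE = {"A": {"B"}, "B": {"A"}}
# The same two ports simply marked 'isolated' once the switch is adopted by the controller.
CONTROLLER = {"A", "B"}


def policy_diff():
    """Return (newly_allowed, newly_blocked) pairs when moving from standalone to controller."""
    before = reachability(lambda s, d: standalone_allows(s, d, STANDALONE))
    after = reachability(lambda s, d: controller_allows(s, d, CONTROLLER))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    newly_allowed, newly_blocked = policy_diff()
    print("untrusted ports gain reach to:", newly_allowed)   # A/B -> C/D opens up
    print("untrusted ports lose reach to:", newly_blocked)   # A <-> B closes
```

The output shows exactly what the post describes: after adoption the untrusted ports can reach every trusted port, and can no longer reach each other.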