Separate traffic on different VLANs
Hi,
I am struggling to separate more devices within my network. I have followed the manual on the TP-Link site to put ports in different VLANs, but when I do that like it says, the laptop connected to that port does not get an IP address, nor can it go to the internet.
What I have done is follow this link https://www.tp-link.com/nl/support/faq/788
Current port configs:
VLAN 1: all ports (all ports in PVID 1 except 5 and 7)
VLAN 2: all ports except 5 and 7
VLAN 3: ports 5 and 7 (ports 5 and 7 are in PVID 2)
The router, which is the DHCP gateway, is connected to port 24 (not VLAN aware).
When I connect a PC to a port other than ports 5 and 7 it gets an IP address and all is well; I can connect to all devices on all ports.
When connecting to port 5 or 7 the laptop does NOT get an IP address nor a network connection. Why not is the question.
How can I isolate ports 5 and 7, or even more ports, so that IoT devices connected to those ports cannot reach the devices on the other ports?
The devices on ports 5 and 7 must have access to the internet, and from my management PC I must see those devices, but not vice versa.
@surfer1 From your last words it sounds like you have it working, but I'll state it again in a different way for confirmation.
For your example VLAN2 that you show: assuming ports 2-12 are access ports (i.e. they only have one network VLAN), those ports should be PVID 2, and the untagged setting is correct (that you show in the screen grab).
For port 24, you've set the PVID to 1. Now in the VLAN setting page, VLAN 1 Untagged Port settings should have port 24 Selected, Tagged Port settings should be Unselected. On VLAN 2, Untagged Port settings should have port 24 Unselected, Tagged Port settings should be Selected. For the other VLANs (3 and 4), the setup is like VLAN 2.
I would suggest against having the switch perform DHCP. If you are doing inter-VLAN routing, you want the router to manage DHCP. Also, DHCP setup is probably easier in the router UI.
@surfer1 A couple of clarification questions.
1. Your VLAN setup on the switch, as you've written it, is in the table; is this correct?
| Port | Untagged VLAN | Tagged VLANs | PVID |
|---|---|---|---|
| 1-4,6,8-24 | 1 | 2 | 1 |
| 5,7 | 3 | none | 2 |
2. "DHCP gateway is connected to port 24 (not VLAN aware)". Are you saying the DHCP does not do VLAN assignment?
First, generally your PVID and untagged VLAN should match on a port, so ports 5&7 should have a PVID of 3. This will make them a fully isolated network since they have no link to the gateway on port 24. Said another way, currently you have a subdivision in the switch on ports 5&7 to make a small 2-port switch. For VLAN 3 to get access to the gateway, add VLAN 3 to the tagged VLANs on port 24.
Second, could you clarify the statement about the DHCP "(not VLAN aware)", as you need your gateway and DHCP both to be VLAN aware if you are doing this function outside the switch. This switch is capable of doing the DHCP job, but you still need a gateway that is VLAN capable since the switch won't do interface routing.
oo thx, so it is not possible to separate the ports without a VLAN-aware router. Maybe I will install dd-wrt on the router, which is VLAN aware.
Your statement about the ports is correct, but when I put ports 5 and 7 in PVID 3 they do not get an IP address from the router.
Now I understand it: the switch cannot tag the ports, that is, the router does not understand this. When I put ports 5 and 7 in VLAN 1 also, they will be tagged in the default VLAN according to the router.
@surfer1 I'm sorry it is difficult to understand what you have written, but I think you are saying:
"Your statement about the ports is correct, but when I put ports 5 and 7 in PVID 3 they do not get an IP address from the router."
I think you are saying that when you set port 5&7's PVID to 3 they don't get an IP address from the router. This is correct; PVID and VLAN are related. PVID is the "default" VLAN network for that port and tells the switch which DHCP to ask for a network address. Since VLAN 1 and 2 are connected to the router, only ports with a PVID of 1&2 will get an IP address.
The untagged VLAN setting tells the switch what VLAN to apply to any packets that come into the switch without a tag. So the PVID tells the switch which network is the default outgoing network on the port, and the untagged tells the switch which network is the default incoming network on that port. This is why generally the PVID and untagged VLAN on a port will match; there are very sophisticated cases when they won't, but this is not that case.
"The switch cannot tag the ports, that is, the router does not understand this. When I put ports 5 and 7 in VLAN 1 also, they will be tagged in the default VLAN according to the router."
The router needs to be able to see all three VLANs to apply the routing to the internet. When your router also provides DHCP, then the subnet will be allocated to the VLANs when they are set up in the router. If your router currently does not do VLANs, it will typically ignore the VLAN tagging and apply the single DHCP network address to all clients. This is why you get an IP address on ports 5&7 when the PVID is set to 1 or 2, but you don't get internet out because of the Untagged VLAN mismatch.
I've checked the specs of TL-SG3428 and the list of its features is quite long. It includes a DHCP server as well as IPv4 static routing so your switch can supply IP addresses in all VLANs and do inter-VLAN routing. You do not need any additional hardware or software, but it looks to me that there is quite a bit of learning ahead of you. :)
@KJK Yes the SG3428 has those abilities, but I interpreted surfer1's intent to have VLAN 3 access the internet and be isolated from the other VLANs which is not what this switch can do.
Did you check the PVID of ports 5 and 7? They should be 3.
And all ports should be untagged.
Note: VLAN1 should contain all ports, including ports 5 and 7.
"Yes the SG3428 has those abilities, but I interpreted surfer1's intent to have VLAN 3 access the internet and be isolated from the other VLANs which is not what this switch can do."
When I look at your answers it is not clear to me whether what I want is possible or not without a VLAN-capable router.
The only thing that I want is that IoT devices like cameras or a smart-home gateway cannot reach my computers in the LAN. I have a computer which monitors all devices, so it must be possible for that computer to reach ALL devices.
PC connected to SG-3428 port 1
TP-Link router connected to port 24
Laptop connected to WiFi, and the TP-Link Deco WiFi connected to port 3
Camera connected to port 5
Smart-home gateway connected to port 7.
The smart home does not need access to the LAN, so not to the PC or laptops. The other way around, it must be possible to monitor the IoT devices.
Like I have now: some IoT devices are connected to a guest WiFi and cannot connect to the devices in the other WiFi or LAN, but when I connect an IoT device to a switch port the device can reach the PC, for example, and that's not what I prefer; when something is hacked it is too easy to hack my PC, for example.
When I put ports 5 and 7 into PVID 3 it will make no difference, but I will try it in the coming days when I find the time.
I understand Cisco logic, not the PVID logic, but the question is: is the above possible without a VLAN-aware router? All devices are connected to the switch, not the router. Before the router there is also a modem/router connected, but on that first router DHCP is disabled and nothing is attached except the second router, which does DHCP for all devices.
@surfer1 Ahh, so some terms that will help. A Cisco "access port" is a TP-Link port with a single PVID and a matching untagged VLAN ID. A Cisco "trunk port" is a TP-Link port with "access port"-like settings, plus one or more tagged VLANs on the port. Use the 802.1Q VLAN configuration pages for best interaction with other devices.
To make things easy, it would be best to use a router for the VLAN-to-VLAN interface, because the router can do stateful Access Control Lists (ACLs) and firewall control. The router would also be easiest for Layer 3 routing to the internet, if the IoT network needs it.
Use of the SG3428 for VLAN-to-VLAN routing can be done with IP groups, but it is not stateful (many very explicit ACL rules are needed) and there is no firewall. Any traffic from the IoT LAN would need to transfer to the Main LAN to access the internet, and would defeat the purpose of the VLAN control.
If you choose to use a router for the VLAN interface, the IoT VLAN needs to be trunked between the router and the switch. Any port for IoT only will be set like an access port. This is to provide DHCP service.
If the IoT LAN does not need internet access, the SG3428 can be set to provide DHCP service for the IoT LAN by making a Layer 3 Interface, and ACLs will be needed in the switch to grant and block access between the IoT LAN and other LANs.
Hi, thx for your answer, this is clear to me.
That is: set the same VLANs on the router and DHCP on the router for each different VLAN. Then the uplink port, let's say this is 24 on the switch where the router is connected, must be a trunk port or a port which allows all VLANs (that is, the VLANs which are set), and the port on the switch with the IoT devices (which need internet) must be configured into the VLAN for the internet. Let's say 3 is the internet VLAN; then the port with the IoT device needs to be set on VLAN 3 and PVID 3, but also VLAN 1 because of the routing thing.
@surfer1 One small correction, IoT access ports do not need VLAN1, that would make it a trunk port. The router will provide internet to VLAN3. The router trunk port will tag VLAN3 to switch trunk port 24. The switch will connect the IoT access port to trunk port 24.
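To make the access-port/trunk-port distinction concrete, here is an added example (not from the thread or from TP-Link) that models standard 802.1Q ingress and egress rules and compares the configuration as first posted with the one recommended above. Port numbers follow the thread (1 = PC, 5/7 = IoT, 24 = router uplink); the behaviour of a real switch when PVID and membership disagree is assumed to follow the plain 802.1Q rules coded here.

```python
# Added example: a minimal 802.1Q forwarding model to check which ports an
# untagged (or tagged) frame can reach under a given port configuration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    pvid: int            # VLAN assigned to frames that arrive without a tag
    untagged: frozenset  # VLANs sent out of this port with the tag removed
    tagged: frozenset    # VLANs sent out of this port with an 802.1Q tag

class Switch:
    def __init__(self, ports: dict):
        self.ports = ports

    def classify(self, in_port: int, vid: Optional[int]) -> Optional[int]:
        """Ingress: untagged frame -> PVID; tagged frame -> its VID if the port is a member, else dropped."""
        p = self.ports[in_port]
        if vid is None:
            return p.pvid
        return vid if (vid in p.untagged or vid in p.tagged) else None

    def forward(self, in_port: int, vid: Optional[int] = None) -> dict:
        """Egress: {destination port: VID on the wire}, where None means the frame leaves untagged."""
        v = self.classify(in_port, vid)
        out = {}
        if v is None:
            return out  # ingress filtering dropped the frame
        for n, p in self.ports.items():
            if n == in_port:
                continue
            if v in p.untagged:
                out[n] = None
            elif v in p.tagged:
                out[n] = v
        return out

def access(vid: int) -> Port:
    return Port(vid, frozenset({vid}), frozenset())

def trunk(native: int, tagged) -> Port:
    return Port(native, frozenset({native}), frozenset(tagged))

# Configuration as first posted: ports 5/7 untagged in VLAN 3 but PVID 2; uplink 24 tags VLAN 2 only.
ORIGINAL = Switch({1: Port(1, frozenset({1}), frozenset({2})),
                   5: Port(2, frozenset({3}), frozenset()),
                   7: Port(2, frozenset({3}), frozenset()),
                   24: Port(1, frozenset({1}), frozenset({2}))})

# Configuration recommended in the thread: IoT ports are VLAN 3 access ports, port 24 trunks VLAN 3.
FIXED = Switch({1: access(1), 5: access(3), 7: access(3), 24: trunk(1, {2, 3})})
```

With ORIGINAL, an untagged DHCP discover from port 5 leaves port 24 tagged as VLAN 2, which a VLAN-unaware router ignores, and the router's untagged reply on port 24 lands in VLAN 1 and never reaches ports 5 or 7. With FIXED, IoT frames reach only port 7 and the trunk, the PC on port 1 reaches only the trunk, and a frame arriving on port 5 with a forged VLAN 1 tag is dropped at ingress, so cross-VLAN access has to go through the router's ACLs.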