TL-SG105E / TL-SG108E How to Block Management VLAN
2023-11-22 13:46:24 - last edited 2024-08-28 09:16:31
Model: TL-SG108E, TL-SG105E
Hardware Version: V6
Firmware Version: TL-SG108E(UN)_V6_1.0.0 Build 20230218

Business case: TL-SG108E can be used for basic QoS and Egress rate limiting.

Problem: The management interface is exposed on every VLAN, and DHCP is also taken from the first DHCP server to respond not from the specific management VLAN1.

Feature Request: Request to attach the Management Interface and DHCP to a specific VLAN, or at least isolate them to VLAN1.

Background
Aim: to pair an eero6+ with an SG108E and have the SG108E "smartness" compensate for the lack of features on the eero while still taking advantage of the eero6+ mesh wifi.
Note: the SG108E would give you 5 spare device ports, with this configuration.
The Ideal Setup:
+-----------------------------------------------------+
|              switch — SG105E / SG108E               |
+-------------------+---------------------------------+
|     VLAN 500      |            VLAN 1               |
+---------+---------+---------+----------+------------+
| port 1  | port 2  | port 3  | port 4   | port 5     |
+---------+---------+---------+----------+------------+
|  NBN    |  WAN    |  LAN    |  DEVICE 1 — n         |
+---------+---------+---------+-----------------------+
          |      ROUTER       |
          +-------------------+

I was hoping that the management page for the switch would only be accessible from VLAN1. It turns out that it is accessible from any VLAN so long as you know its IP address. This kind of setup is not great when an external network (NBN) is directly interfaced, as anyone on the other end of the cable (ISP) could potentially access the management page and, with some time, access the device.

That was the idea.
I've tried a few implementations of it, starting with variants of the basic port VLAN feature of the smart switch. That includes:

  • VLAN 1 : Ports 1,2 — VLAN 2 : Ports 3,4,5,6,7,8
  • VLAN 2 : Ports 1,2 — VLAN 1 : Ports 3,4,5,6,7,8
  • VLAN 2 : Ports 1,2 — VLAN 3 : Ports 3,4,5,6,7 — VLAN 1 : Port 8
No matter which port you plug in you may access the management interface. Do let me know if I missed something obvious.

Moving onto the more advanced 802.1Q VLAN mode. I tried the following variations:

  • VLAN 500 : untagged Ports 1,2 — VLAN 1 : untagged Ports 3,4,5,6,7,8
    Port 1-2 PVID : 500
    Port 3-8 PVID: 1
  • VLAN 500 : untagged Ports 1,2 — VLAN 600 : untagged Ports 3,4,5,6,7,8 — VLAN 1 : no members
    Port 1-2 PVID : 500
    Port 3-8 PVID: 600
  • VLAN 500 : untagged Ports 1,2 — VLAN 600 : untagged Ports 3,4,5,6,7 — VLAN 1 : untagged 8
    Port 1-2 PVID : 500
    Port 3-7 PVID: 600
    Port 8 PVID: 1


Then I read the manual, and it describes the behaviour as follows: if a port receives a tagged frame, it reads the tag and forwards to the appropriate VLAN; if a port receives an untagged frame, it adds the PVID as a tag and forwards as if it were tagged. This leads me to believe the implementation is very basic, which would also be fine, as I can force what I want by being 'clever'. The 'very basic' assumption also fits with the fact that the user interface allows you to enable more than one untagged VLAN on one port simultaneously (which should be an error).

  • VLAN 500 : untagged Port 1 — VLAN 600 : untagged Port 2 — VLAN 1 : untagged 3,4,5,6,7,8
    Port 1 PVID : 600
    Port 2 PVID: 500
    Port 3-8 PVID: 1
    Note: the swapping of PVID on Port 1 and 2.


I had hoped that on receipt of an untagged packet on Port 2 it would be forwarded to VLAN 500 and emerge untagged at Port 1, and similarly that an untagged packet received on Port 1 would be forwarded to VLAN 600 and emerge untagged at Port 2. However, this is not the case: VLAN membership is controlled by the egress rule only (tagged/untagged/not member) regardless of the PVID value set, so traffic is blocked since the port's PVID corresponds to a VLAN it is not a member of, and the description of the forwarding in the user guide is not exactly what it seems (it omits the blocking behaviour). Note: this would have worked nicely, as anyone trying to access the switch from the outside world on Port 1 would have had their response packets forwarded to Port 2, the router WAN interface, effectively dropping the data.


This finally led me to another tricky solution: making each port a tagged member of the other port's VLAN, so that each is a member of the opposite VLAN and the data would not drop.

  • VLAN 500 : untagged Port 1, tagged Port 2 — VLAN 600 : untagged Port 2, tagged Port 1
    Port 1 PVID : 600
    Port 2 PVID: 500
    VLAN 1 : untagged 3,4,5,6,7,8
    Port 3-8 PVID: 1

Expectation: a switch should not output on the input port. Thus,
- Untagged enter on Port 1, PVID 600, will exit on VLAN 600 untagged on Port 2.
- Tagged 600 enter on Port 1, will exit VLAN 600 untagged on Port 2.
- Tagged 500 enter on Port 1, will exit VLAN 500 tagged on Port 2.
- Untagged enter on Port 2, PVID 500, will exit on VLAN 500 Port 1 untagged.
- Tagged 500 enter on Port 2, will exit VLAN 500 untagged on Port 1.
- Tagged 600 enter on Port 2, will exit VLAN 600 tagged on Port 1.


Anyway, while this tricked the switch into not blocking the untagged packets, the switch still responds to requests, but tagged, on the same port, so the expectation that it would not was incorrect. This cross config also has the side effect of allowing tagged traffic to be responded to from the management interface as well.


The reason I'm making this post is that I am a bit burned out after all this testing and I can't tell whether there is another tricky solution or not. Again, I am looking for passthrough communication on ports 1 and 2 as if it were a straight cable, while also blocking the management interface on those ports. Do let me know if you think a different config would work for that.

This feature request (option to isolate the management interface to VLAN1 and take DHCP only on VLAN1) could be solved by a firmware update.
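The forwarding rules worked through above (untagged frames classified by the ingress port's PVID, egress controlled by the tagged/untagged membership table, and the observed drop when the ingress port is not itself a member of the VLAN the frame was classified into) as an added Python model; this is not code from the original post or from TP-Link. The `swapped_pvid` and `cross_tagged` builders reproduce the third and fourth 802.1Q attempts listed in the post, and the `mgmt_vlan` field is an assumption following the post's "Effective VLAN" mock-up (0 = management answers on every VLAN, 1 = isolated to VLAN 1).

```python
from dataclasses import dataclass

UNTAGGED, TAGGED = "untagged", "tagged"   # per-port egress rule in the GUI


@dataclass
class EasySmartVlan:
    """Minimal model of the 802.1Q forwarding the post describes."""
    pvid: dict                     # port -> PVID applied to untagged ingress
    members: dict                  # vlan -> {port: UNTAGGED | TAGGED}
    mgmt_vlan: int = 0             # assumed "Effective VLAN": 0 = current
                                   # firmware (management answers on every
                                   # VLAN), 1 = requested behaviour (VLAN 1)

    def forward(self, port, tag=None):
        # Ingress: a tagged frame keeps its tag; an untagged frame is
        # classified by the ingress port's PVID.
        vlan = tag if tag is not None else self.pvid[port]
        rule = self.members.get(vlan, {})
        # Observed (not in the user guide): the frame is dropped unless the
        # ingress port is itself a member of the VLAN it was classified into.
        if port not in rule:
            return {"vlan": vlan, "dropped": True, "egress": {}}
        # Egress: every other member port, tagged or untagged per its rule.
        egress = {p: r for p, r in rule.items() if p != port}
        return {"vlan": vlan, "dropped": False, "egress": egress}

    def mgmt_reachable(self, port, tag=None):
        # Would the management interface answer a frame arriving here?
        vlan = tag if tag is not None else self.pvid[port]
        return self.mgmt_vlan == 0 or vlan == self.mgmt_vlan


def swapped_pvid():
    """Third 802.1Q attempt: PVIDs swapped, no cross membership."""
    lan = {p: UNTAGGED for p in range(3, 9)}
    return EasySmartVlan(
        pvid={1: 600, 2: 500, **{p: 1 for p in range(3, 9)}},
        members={500: {1: UNTAGGED}, 600: {2: UNTAGGED}, 1: lan})


def cross_tagged(mgmt_vlan=0):
    """Fourth attempt: each WAN-side port is a tagged member of the other's VLAN."""
    lan = {p: UNTAGGED for p in range(3, 9)}
    return EasySmartVlan(
        pvid={1: 600, 2: 500, **{p: 1 for p in range(3, 9)}},
        members={500: {1: UNTAGGED, 2: TAGGED},
                 600: {2: UNTAGGED, 1: TAGGED}, 1: lan},
        mgmt_vlan=mgmt_vlan)


if __name__ == "__main__":
    print(swapped_pvid().forward(1))          # dropped: port 1 not in VLAN 600
    print(cross_tagged().forward(1))          # exits untagged on port 2
    print(cross_tagged().mgmt_reachable(1))   # True: management on VLAN 600
    print(cross_tagged(1).mgmt_reachable(1))  # False once isolated to VLAN 1
```

The model only covers the data-plane rules the post reports; it does not model the switch answering tagged on the ingress port, which the post observed but which no documented rule explains.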

#1
RE:TL-SG105E / TL-SG108E How to Block Management VLAN
2023-11-22 13:57:22 - last edited 2023-11-22 13:58:32

Management and DHCP should have the option of isolation on VLAN1 at the very least.

#2
Re:TL-SG105E / TL-SG108E How to Block Management VLAN
2023-11-23 02:22:17 - last edited 2023-11-23 02:25:14

Hi @Majibow 

Thanks for posting in our business forum.

Not sure what you are asking for.

This model does not get feature updates for a function like Management VLAN.

1. Why would you use eero as if it is AP? It is not my main concern but this leaves me with an image of an incorrect setup at least. Your choice.

2. Management VLAN is a feature on the L2+ or L3 switch. How to configure Management VLAN in Omada SDN Controller (4.4.4 or above)

Do you understand the same concept as I do?

This is a feature of the Omada series models. L2+ or L3 switch.

3. 802.1Q VLAN is capable of isolating the network. How does your network not isolate them?

How to configure 802.1Q VLAN on TP-Link Easy Smart/Unmanaged Pro Switches

Your network diagram and verification steps?


4. Continuing from 2: if you want to do a Management VLAN without the proprietary feature on SDN, you should have a router capable of creating the VLAN interfaces. Do you have one? (You also need the router in the FAQ in 2.)

How to Configure Management VLAN on TP-Link Smart and Managed Switches Using the New GUI

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#3
Re:TL-SG105E / TL-SG108E How to Block Management VLAN
2023-11-23 03:47:47

Hello  @Clive_A 

Thank you for taking the time to reply. 


The issue with the switch is that its login management interface is accessible from any port on the switch. At a minimum the switch should be able to limit its own management interface to just one port or ideally one VLAN, i.e. VLAN1.


For example, currently on the default configuration of the switch, every port can communicate with every other port and every port may log in to configure the switch. But let's say I don't want that; let's say I want just 7 switch ports and 1 management port on a segregated network such that no user would be able to access the login page. Example config:


Port 1 on VLAN1
Port 2,3,4,5,6,7,8 on VLAN2

Then none of the users connected via ports 2,3,4,5,6,7,8 should be able to change any settings on the switch. This is what I want, this is what the switch needs. At present this is not possible as the switch responds to login on every VLAN.


Port 1 would be considered a secure port as that is the way the network is physically wired, and the rest of the ports 2,3,4,5,6,7,8 have connections to wallplates which any user is able to access as is, hence, insecure.


Similarly for DHCP, the switch will take the first IP address it can get, which may be from the DHCP server on VLAN1 or from the DHCP server on VLAN2. At present this can be mitigated with static addressing; however, this will not stop a user from manually addressing their own device and communicating with the switch from any port.


Feature request: the option to enable isolation of the DHCP requests and Management Interface to VLAN1.

#4
Re:TL-SG105E / TL-SG108E How to Block Management VLAN
2023-11-23 06:00:32

Hi @Majibow 

Thanks for posting in our business forum.

Majibow wrote

Hello  @Clive_A 


Port 1 on VLAN1
Port 2,3,4,5,6,7,8 on VLAN2

Then none of the users connected via ports 2,3,4,5,6,7,8 should be able to change any settings on the switch. This is what I want, this is what the switch needs. At present this is not possible as the switch responds to login on every VLAN.

This is Port Isolation on L2+.

Same thing in the last link I offered earlier which is blocked on layer 3.

Based on the current status quo, it has a very small chance to add this feature.


For the second link I gave you, if you set all other ports into other VLANs, with a different PVID, are they still able to access the switch while they are placed in a different VLAN? I'd like to see a screenshot of your config and your test results by ping.

#5
Re:TL-SG105E / TL-SG108E How to Block Management VLAN
2023-11-23 11:34:09 - last edited 2023-11-23 11:39:20

Hi  @Clive_A 

Thanks again for responding. 

Clive_A wrote

Based on the current status quo, it has a very small chance to add this feature.

VLAN is Layer 2 and it is completely appropriate for a configurable switch to be selective about which VLAN it allows itself to communicate over.


I understand the TL-SG105E and TL-SG108E are very basic devices, but as is they can NOT be used in an untrusted customer-facing environment. They can only be used in a fully trusted environment since the management interface is exposed on every port for ANY configuration. If you have access to a device, please feel free to try any and every configuration and you will see the logon page is always accessible.


To be clear, unlike some of the L2+ switches shown in the links you provide, this device does not need to provide multiple configuration options; it is sufficient for the device to take as input the single integer VLAN number as the only place it should be allowed to communicate with DHCP and the Management Interface (both the web page and the management protocol of Easy Smart switches).

I have drawn a mock-up (red) of how I would implement this feature:
Please note that the Effective VLAN = 0 is the current switch behaviour. 
The desired switch behaviour would be Effective VLAN = 1.


I hope you can relay this request to the development team. Thank you.

#6
Re:TL-SG105E / TL-SG108E How to Block Management VLAN
2023-12-19 16:03:57

  @Majibow 

This is how I blocked the management site from my Son's VLAN.

Go to ACL, Switch ACL,


Choose your source, then under destination select IP-Port Group.

This port group has the IP subnet of the IP address of your Omada controller /32 and the ports that your controller uses, e.g. 8044, 8043, 8034 etc.


Add this with all protocols, ACL binding ports and all ports.


#7
Re:TL-SG105E / TL-SG108E How to Block Management VLAN
2023-12-20 02:05:03

Hi @Exhausted 

Thanks for posting in our business forum.

Exhausted wrote

  @Majibow 

This is how I blocked the management site from my Son's VLAN.

Go to ACL, Switch ACL,


Choose your source, then under destination select IP-Port Group.

This port group has the IP subnet of the IP address of your Omada controller /32 and the ports that your controller uses, e.g. 8044, 8043, 8034 etc.


Add this with all protocols, ACL binding ports and all ports.

Great post! But he's not using an Omada switch though. So, SW ACL is not really an option for him.

#8
Re:TL-SG105E / TL-SG108E How to Block Management VLAN
2024-01-09 07:42:47

@Exhausted Thanks for the comment, but as Clive mentioned it's not an Omada switch, it's a TL-SG108E Smart Switch which doesn't currently have the option.

@Clive_A I am following up to see if you submitted the request to the development team with the mock-up implementation as outlined in my previous post. Wondering if it's on the road map at all, no specific timeframe, just wondering if it was accepted as a reasonable feature enhancement... for security reasons.

#9
Re:TL-SG105E / TL-SG108E How to Block Management VLAN
2024-03-11 16:11:23 - last edited 2024-03-11 17:33:51

  @Majibow 

I got the same requirements regarding a distinct management VLAN. There have been other users out there for 6+ years complaining about the very weird way TP-Link implemented the management interface (no SSL/TLS, DHCP-client on every interface, accessible from any port/VLAN): https://www.reddit.com/r/HomeNetworking/comments/7yiu55/issues_with_management_vlan_on_tplink_tlsg108e/

Unfortunately, TP-Link does not seem to bother. The given answers are either inappropriate or ignorant. The feature should be fairly simple to be implemented as you pointed out in your mockup.


I've given up on waiting for TP-Link to fix the issue. There are other entry-level smart managed switches available like DGS-1100-08V2 (Management VLAN) or GS1900-8-EU0102F (Management VLAN + SSL/TLS) with a proper implementation of the management interface.

#10
Re:TL-SG105E / TL-SG108E How to Block Management VLAN
2024-03-12 02:39:51

Hi @imoula 

Thanks for posting in our business forum.

imoula wrote

  @Majibow 

I got the same requirements regarding a distinct management VLAN. There have been other users out there for 6+ years complaining about the very weird way TP-Link implemented the management interface (no SSL/TLS, DHCP-client on every interface, accessible from any port/VLAN): https://www.reddit.com/r/HomeNetworking/comments/7yiu55/issues_with_management_vlan_on_tplink_tlsg108e/

Unfortunately, TP-Link does not seem to bother. The given answers are either inappropriate or ignorant. The feature should be fairly simple to be implemented as you pointed out in your mockup.


I've given up on waiting for TP-Link to fix the issue. There are other entry-level smart managed switches available like DGS-1100-08V2 (Management VLAN) or GS1900-8-EU0102F (Management VLAN + SSL/TLS) with a proper implementation of the management interface.

Both series you listed are smart-managed, which equals the SG200X models. They support full L2 and are capable of certain L3-related stuff.

(TL-)SG108E or any SG10(0)XE are considered as easy smart.

Unmanaged > Easy Smart > Smart Managed > Managed.

I have pointed out that Management VLAN exists on Omada SG200X series or above.

If you find this absurd to understand, please kindly consider a different solution for your network.


@Majibow

I have received zero acknowledgment from the switch team on it. I think currently the situation stays the same. Based on the market and what competitors do, the team keeps the status quo.

I have explained how the products are classified and what they should do in each tier.
