ER605 switching capabilities
Hi,
I have an ER605, an OC200 controller, 3 SG2008 switches (one with PoE), and an unmanaged switch.
1 of the managed switches is brand new and I was wondering about the optimal way to add it to my network.
I just bought it because I have been running out of ports...
My physical setup is entirely driven by my house wiring (everything that can be wired is wired) that converges to a single "structured media center" enclosure (Leviton terminology).
On the LAN side, I have the ER605 connected to my main SG2008 switch.
That switch fans out traffic to the entire house (plus OC and AP).
One room has many clients so I have another managed switch there.
Ditto in yet another room but all clients belong to the same VLAN so an unmanaged switch is sufficient there).
The main switch has 3 ports used for network infrastucture (up-link, OC, AP), leaving only 5 rooms to be serviced...
It was cheaper to add another 8 port switch so that's what I got.
Also of note, I have 5 VLANs to isolate clients along purpose boundaries (LAN, business, fun, media, IOT) with proper gateway ACLs.
Now I'm left with 2 options:
#1: plug the new switch directly in the router (still have 2 free ports there)
#2: reuse a port of the main switch
As I see it, I have the following considerations to take into account:
C1: option 1 pushes some "switching" traffic to the router if I have a VLAN spanning the 2 switches connected to the router (I might be able to avoid that for now but it may become difficult later).
C2: per previous point, since the router could be acting partially as a switch, beyond load, there are things like enforcing switch ACLs that come to mind (I don't really want to test this now, and I'm not even sure it's really a concern as long as I don't plug clients directly in the router (which I do now as a workaround)).
As I understand it, all inter-VLAN traffic (not much) reaches the router today and will continue to do so with either option.
As of now, I'm leaning towards attempting to assign VLANs to one switch or the other and plug both switches into the router.
That leads to optimal usage of ports.
Am I missing something?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @EricPerl
Thanks for posting in our business forum.
1. Read this: Data Center Network Switch Design - Switch Layer Hierarchy
2. Unless you run a problem with switching problem on the router. Okay to connect the devices on the router.
Ports on the router as LAN, they are switching ports in essence.
- Copy Link
- Report Inappropriate Content
Hi @EricPerl
Thanks for posting in our business forum.
1. Read this: Data Center Network Switch Design - Switch Layer Hierarchy
2. Unless you run a problem with switching problem on the router. Okay to connect the devices on the router.
Ports on the router as LAN, they are switching ports in essence.
- Copy Link
- Report Inappropriate Content
Hi @Clive_A , thanks for the reply.
I had not looked at that article. My humble network did not seem to require a proper data center network architecture 😊
I'll keep my remarks to things I've experimented with (I still don't know much about networking):
The article mentions implementing ACLs at the aggregation layer. I'm not aware of a way to indicate which switches should bother with "switch ACLs". It seems they apply to all switches at the site...
In fact, per my understanding (please correct me if I'm wrong), all switch ACLs could be enforced once at the edge, with the major major caveat that a switch probably does not know whether it is at the edge or not... so the ACLs are checked at all switches (tho denied packet don't make it past the first enforcement layer).
Also, I don't believe one has full native/tagged/untagged network assignment capabilities on the router LAN ports. In any case, the UX is not the same for these ports (no profile).
Which brings me back to an unanswered question: since the LAN ports of the router are switching ports, are switch ACLs evaluated there?
That would almost be easier to test in an environment without tp-link switches... Would traffic going through the router LAN ports be subjected to switch ACLs?
This said, the article had me question whether I should have plugged my "cave" switch directly in the router (the router would behave as aggregation layer).
All of my switches are essentially access switches but I've made my main switch (by the router) a hybrid aggregation+access.
I actually had done this specifically to not bother the router with LAN traffic...
I assume an ER605 does not need the additional burden and would make a poor aggregation layer even in a modest network (I and others failed to find actual switching bandwidth specs separate from routing bandwidth specs).
Yet another option (possibly the cleanest) would be to now make the main switch a pure aggregation switch (no clients connected, apart from OC). That would work in theory although I'm going to run out of ports again soon (up-link, OC, AP, 2 access switches => 3 ports left unused).
[ "acct" with one c goes against community rules??? replaced by behave...]
- Copy Link
- Report Inappropriate Content
Hi @EricPerl
Thanks for posting in our business forum.
EricPerl wrote
Hi @Clive_A , thanks for the reply.
I had not looked at that article. My humble network did not seem to require a proper data center network architecture 😊
I'll keep my remarks to things I've experimented with (I still don't know much about networking):
The article mentions implementing ACLs at the aggregation layer. I'm not aware of a way to indicate which switches should bother with "switch ACLs". It seems they apply to all switches at the site...
In fact, per my understanding (please correct me if I'm wrong), all switch ACLs could be enforced once at the edge, with the major major caveat that a switch probably does not know whether it is at the edge or not... so the ACLs are checked at all switches (tho denied packet don't make it past the first enforcement layer).
Also, I don't believe one has full native/tagged/untagged network assignment capabilities on the router LAN ports. In any case, the UX is not the same for these ports (no profile).
Which brings me back to an unanswered question: since the LAN ports of the router are switching ports, are switch ACLs evaluated there?
That would almost be easier to test in an environment without tp-link switches... Would traffic going through the router LAN ports be subjected to switch ACLs?
This said, the article had me question whether I should have plugged my "cave" switch directly in the router (the router would behave as aggregation layer).
All of my switches are essentially access switches but I've made my main switch (by the router) a hybrid aggregation+access.
I actually had done this specifically to not bother the router with LAN traffic...
I assume an ER605 does not need the additional burden and would make a poor aggregation layer even in a modest network (I and others failed to find actual switching bandwidth specs separate from routing bandwidth specs).
Yet another option (possibly the cleanest) would be to now make the main switch a pure aggregation switch (no clients connected, apart from OC). That would work in theory although I'm going to run out of ports again soon (up-link, OC, AP, 2 access switches => 3 ports left unused).
[ "acct" with one c goes against community rules??? replaced by behave...]
Technically all ports that are not marked as WAN are switching ports. I am only referring you to this knowledge but not meaning it will be classified into the SW ACL.
Do they all belong to the switch? Nope.
In the Omada Controller, the system still distinguishes the product by class. Not technically, theoretically, or terminologically.
Please do not try to be too literal and twist the meaning. Please make sure you understand the term and that we are on the same page so as to discuss this further.
Switch is a switch, a separate product with a different design ideology. Switching port means it is used for data switching but does not literally belong to the switch ACL which is a different concept of a product.
A switch contains switching ports but a router is not a switch but with switching ports because they are used for data switching.
Most concepts I bring up can be found with a Google search. It would be concise and easy to understand with several articles.
Regardless of what you have, if you follow the basic network hierarchy, you will have an uplink switch that populates other layers. The overall throughput will be no more than 1Gbps.
Concurrent speed of the router should be enough for local switching. If NAT, that NAT throughput.
TBH, I find it hard to understand and follow some of your expressions. It's too personal. Not a general term which I think I can correctly grasp your meaning.
Follow the article and it will basically answer all of your questions. Regardless of whatsoever network you have, large or small, you basically still follow this principle of hierarchy because it is a universal principle and will not go haywire ever. All the problems with the switch are all coming from incorrect connections, poor network design and carelessness.
It would not waste my time explaining this further as the guide has done that.
You can connect the switch and ports based on your preference as long as it works but if there is a problem, you should at least do a self-examine over asking because everyone would first point out your network design failure. You don't listen, then it is your job to fix it. Sometimes it is a problem with the design or hierarchy.
Just point out why it is important to follow the principle.
- Copy Link
- Report Inappropriate Content
@Clive_A ,
Before expansion:
I was running out of ports, hence the client plugged directly in the router. Also, the main switch had a hybrid role (some aggregation, some access).
After network expansion:
The map would be more useful to me if the labels fully expanded (one of the sides is clipped).
There is no client connected directly to the main switch so ignore that glitch.
Otherwise, the hierarchy is properly maintained. The main switch just does aggregation. The other switches do access only.
With this design, I believe I keep all LAN traffic away from the router (apart from the small inter VLAN traffic).
Adding more wired clients would require a hierarchical compromise (I only have free ports on the main switch. Not all clients were active when the snapshot was taken).
But that would not be a compromise on functionality.
The only other option is to connect all the switches directly to the router, and that's why I started this thread in the first place.
I believe it would work functionally, but I'm not so sure about the less obvious ramifications.
I care because I want to learn and to avoid unintended consequences down the line.
There is at least one consequence: more LAN traffic going through the router, in particular streaming (up to 4k video) traffic from my media center.
The less obvious one I care about is VLAN isolation.
I'm having trouble wrapping my head around the consequences of what you're writing in your reply. I'll follow up on that after I do more research/learning.
There might be other consequences I don't even know about...
FWIW, I'm doing what I can to express myself clearly. English is not my primary language and I'm not an expert at networking.
My primary area of expertise is software. Plenty of precise nomenclature there too...
If there are specific statements that are not clear, feel free to point them out going forward. I'm not going to rephrase an entire post.
- Copy Link
- Report Inappropriate Content
Hi @Clive_A,
By now, I've reread your last reply multiple times and did some additional research.
Switching port has yielded nothing beyond port of a switch.
Your statement "A switch contains switching ports but a router is not a switch but with switching ports because they are used for data switching."
does not really feel that clear and concise.
On a router, a port connected to a switch on the LAN side is also used for traffic to and from the WAN.
It can also be used for LAN to LAN traffic, and even that is not also data switching (eg inter VLAN routing).
During inter VLAN routing, the same LAN port can even be used in both direction. That doesn't really make it a routing port as well, right?
Doesn't this mean that a port is just a port (sending/receiving packets) and that switching or routing happens in another "layer", typically involving another port?
In any case, you also state the ACLs apply to the physical devices (by type) rather than to a behavior (routing or switching).
When a router performs some switching, it leads to a situation where exceptions exist depending on the location of the clients on the network.
I tested it (an edge case where 2 clients are connected to the router directly) and the switch ACLs indeed don't apply.
I'll grant you that this use case is indeed an edge case, and as long as it's the only consequence (I don't know enough to come up with another example), it's probably not a big deal.
As is, it certainly is less dangerous than the other ACL exception I know about (EAP ACLs that don't apply to devices connected to the same AP & antenna).
Personally, at this point, I might resort to connecting my 3 managed switches directly into the router.
I'll monitor resource usage for a while to make sure I'm not going to get a surprise down the line.
- Copy Link
- Report Inappropriate Content
Update: I'm experimenting with OPNsense in transparent filtering bridge mode inserted between the router and main switch.
For this to be effective, the main switch has to be used for aggregation...
For future reference, I found this thread informative too:
ER605 access control not working - Business Community (tp-link.com)
In standalone mode, the ER605 seems to have features intended to control switching behavior occurring at the router.
Or maybe not, since the OP can't get them to work...
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 474
Replies: 6
Voters 0
No one has voted for it yet.