TL-SG108PE - System IP Setting and VLAN
Hi, I've happily configured my switch with several VLANs. Some ports are set as client to connect devices on their own VLAN: DHCP works as expected. Other ports are left tagged, trunk ports, where I attach other things (like a wifi ap which supports tagged vlan): DHCP works as expected.
What I don't understand is how to configure the switch's own VLAN. I'd like it to be on a VLAN of my choice, but it seems like it chooses the VLAN it likes. I'm not sure what logic is behind that. If I look at the switch settings (System > IP Setting) I can only set DHCP enabled/disabled and then the IP with subnet mask and gateway, but no VLAN setting. How am I supposed to choose which VLAN to use with the switch itself?
Let me know if I make myself clear. Thank you.
You mean a management VLAN, right? The TL-SG108PE has no management VLAN setting as it's an Easy Smart Switch (now becoming relabeled as »Unmanaged Pro«). As long as you use the switch's IP you can reach it from any VLAN configured on the switch.
TL-SG2008 aka T1500G-8T as well as T1500G-10PS (the PoE version) have a management VLAN setting.
@R1D2 thanks for your confirmation.
I saw that the switch basically gets an IP from DHCP from a "random" VLAN allowed on the trunk port to the router. I'm wondering if I could disable ICMP for the switch MAC address on the DHCP server, so that eventually it will be assigned an IP from the only VLAN I will allow. Do you think this makes sense? Do you think it is doable? Thanks.
I always recommend to use a static (fixed) IP for stationary devices such as routers (hehe) and switches. AFAIK you cannot disable ICMP in the switch (didn't ever check this), but what you probably could do is to map a static IP in the DHCP server and force this server as the authoritative server.
However, I always set a static IP in the switch itself, since when the network is growing, you someday want to do inter-VLAN routing etc.
And then you will need static IPs which do not depend on a static mapping in DHCP.
DHCP for a switch might be useful if a friend visiting you will always take the switch into his home when leaving and wants it to come up without configuration until he brings it back every other day.
Whoever designed this didn't think very far ahead.
There should be a screen (perhaps on the screen with PVID settings) that allows you to specify which ports the internal "CPU" is connected to. It could default to all for ease of use, but as it is, if you have multiple vlans defined, and each vlan has a dhcp server, which one the TL-SG108E will obtain its ip address from is random (or more likely whichever dhcp server responds the fastest).
Also, there is no way to limit what vlans have access to the Web interface.
This should be solvable with proper firmware.
If they can't figure out how to do it, then they should at least allow limiting what ports have access, but in general that is not as useful as being able to specify the management vlan.
There were hints that limiting access to vlan 1 would prevent access, but that is not true (at least with TP-Link TL-SG108E v4 with firmware 1.0.0 Build 20181120 Rel.40749).
I think I will be returning two switches to Amazon. I thought they were a bargain, but now I see why they are so inexpensive. They can't be used in a business environment. (no access control to management interface, no https)
If you need mgmt VLAN, HTTPS web UI, CLI, ACLs etc. you should be able to choose the appropriate switch by looking at the datasheet. For example, your requirements are met by a T1500G-10MPS smart switch.
Easy Smart switches are for newcomers/beginners to the world of managed switches who don't need advanced features of a fully manageable switch. See the product website for TL-SG108PE:
»It is designed specifically for small businesses that require simple network management and PoE function.«
In my opinion the interface of an Easy Smart switch is intentionally connected to all VLANs b/c newcomers often lose access to the web UI when trying to set up a VLAN on a smart switch (the forum is full of questions about why access has been lost after creating a VLAN).
If there is something I would criticize on TL-SG108PE if I would be a TP-Link PM or QC then it's definitely the setting which lets users choose DHCP for IP assignment to the switch. No professional admin would use DHCP to assign a switch an IP.
BTW: a switch's internal CPU needs to be connected to all VLANs in every managed switch; what you mean is the Ethernet interface of the switch's mgmt layer (web server, console) visible to the outside.
Given your nickname you should be familiar with this statement: you either implement vlan or you don't. There is no "try".
What I mean is if you implement VLAN you should also implement VLAN for the switch "ethernet interface" IP. It's not a matter of DHCP vs static. What Bongo said is correct: whichever DHCP replies first wins. And you are wrong when you say that a static IP will do, because a static IP itself is meaningless if you don't know if VLAN tagging is on or off and what tag is used for the "ethernet interface". If I set a static IP to the switch but it is sent with the wrong tag (or no tag at all) the packet will not be routed where I need.
That said, the switch is cheap and some of us can deal with it, but the implementation is wrong and for sure it could be fixed with a firmware update. If you don't it's because you don't want to. Also customers can decide to accept this limitation or return the switch as faulty. In any case, please, accept the critics from your customers because this switch from this point of view is faulty indeed.
g00dman wrote
In any case, please, accept the critics from your customers because this switch from this point of view is faulty indeed.
See, that's the problem. You don't even recognize that I'm just a user like you, I'm not from TP-Link. You are not my »customer«.
And for the switch's Ethernet interface of an Easy Smart switch: you can reach it through any VLAN. Believe it or not (or just test it). Since VLANs are implemented in layer 2, there is no such thing as »routing« in this layer. What's more, the 802.1Q standard does not dictate the implementation. It even doesn't define a »management VLAN« nor does it define how the switch's interface must behave. It just defines minimum requirements; any vendor is free how to implement the details. That's why the TL-SG108PE has »Port VLAN« and »MTU VLAN« in addition to »802.1Q VLAN«, the former two being a special preset of 802.1Q VLAN just created for ease of use (and much appreciated by my customers, whom I recommend to choose this priceworthy Easy Smart switch). Being a software developer with 35 years of experience in networking since early ARPAnet, please don't try to teach me what 802.1Q VLAN is and what not.
R1D2 wrote
You don't even recognize that I'm just a user like you, I'm not from TP-Link. You are not my »customer«.
And for the switch's Ethernet interface of an Easy Smart switch: you can reach it through any VLAN. Believe it or not (or just test it). Since VLANs are implemented in layer 2, there is no such thing as »routing« in this layer. What's more, the 802.1Q standard does not dictate the implementation. It even doesn't define a »management VLAN« nor does it define how the switch's interface must behave. It just defines minimum requirements; any vendor is free how to implement the details. That's why the TL-SG108PE has »Port VLAN« and »MTU VLAN« in addition to »802.1Q VLAN«, the former two being a special preset of 802.1Q VLAN just created for ease of use (and much appreciated by my customers, whom I recommend to choose this priceworthy Easy Smart switch). Being a software developer with 35 years of experience in networking since early ARPAnet, please don't try to teach me what 802.1Q VLAN is and what not.
We appreciate that you volunteer your time to help new users.
I can confirm you can reach the management interface through any vlan. That's the problem, there is no way to limit access.
There is a lot of untested speculation in reviews of the product on Amazon and youtube, including that the reason that access was allowed was because vlan 1 was not removed from the port that you wanted to restrict. But I have confirmed that even if every port is on its own vlan, you can access the management from every port. For example using this config:
You can plug into any port and have access, but there is no access between any two ports (no, I didn't test every one of the 28 possible 8 choose 2 port combinations).
I can also understand TP-Link's decision to try to make the switch as idiot proof as possible, because when selling at this pricepoint, there will be a lot of buyers that have never used a fully managed switch, and TP-Link probably does not want to deal with people "locking themselves out" and having to listen to the moaning when a user has to press the reset button and lose their config they never took the time to backup.
And I can understand why the default for the factory config is to obtain an IP address via dhcp, especially since they chose 192.168.0.1 as the default ip address, which is likely to conflict with many home devices (including TP-Link's home routers).
And I agree that the only way to avoid having problems with the current TL-SG108E firmware if multiple vlans are used and there are multiple DHCP servers, is to configure a static ip address and disable the dhcp client.
I don't have the PoE version of the switch, I have the TL-SG108E v4, which I bought specifically for the vlan support. I have a Ubiquiti EdgeRouter X that has a vlan-aware switch with all 5 user accessible ports connected via the switch, the router is essentially a router on a stick.
The way the EdgeRouter X presents individual switch-ports as if they were interfaces directly connected to the CPU is by using high vlan numbers 4088-4094 for ports and switch0. The "CPU" has an internal connection to the switch (implemented in the same SoC) and the CPU is a member of all those vlans.
I speculated that the TL-SG108E was doing something similar to allow access to the CPU management interface from any defined vlan. And if that is the case, it should be relatively easy to remove specific ports from that hidden vlan. But since the TL-SG108E allows creating vlans from 2-4094, and vlan 1 is predefined (and I couldn't figure out any way to delete it), if they are using vlans to allow access to the CPU, they must be using one of the reserved (0,4095) vlans. Or they are using some other feature I am not aware of.
I just wish I could find third party firmware that would remove some of the limits on this switch. It could be much better.
Oh, and the firmware also has confirmed bugs. Google "Not So Smart TL-SG105E". The second curl example will lobotomize the TL-SG108E 8051 CPU while still allowing the switching function to work. I reproduced the effect with a TL-SG108E 4.0 with latest firmware updates 1.0.0 Build 20181120 Rel.40749.
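Added example (not part of any post in this thread): one way to check from a trunk-port capture on which VLANs the switch's own MAC address transmits, by reading the 802.1Q tag of each frame. The MAC addresses, VLAN IDs, sample frames and function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes):
    """Return (src_mac, vid, ethertype); vid is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return src, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF  # low 12 bits; the top 4 are PCP (3 bits) + DEI (1 bit)
    if vid == 0:        # priority tag only: the frame carries no VLAN ID
        vid = None
    return src, vid, inner

def vlans_seen_from(frames, source_mac: str):
    """VLAN IDs (None = untagged) on which source_mac transmitted."""
    return {vid for src, vid, _ in map(parse_frame, frames)
            if src == source_mac.lower()}

def audit(frames, switch_mac: str, mgmt_vid: int):
    """Tagged VLANs other than the intended one where the switch's MAC talks."""
    return sorted(v for v in vlans_seen_from(frames, switch_mac)
                  if v is not None and v != mgmt_vid)

def build(src: str, vid, ethertype=0x0800) -> bytes:
    """Construct a minimal test frame (broadcast destination, no payload)."""
    hdr = b"\xff" * 6 + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid)  # PCP and DEI left at 0
    return hdr + struct.pack("!H", ethertype)

# Constructed sample standing in for a capture taken on the trunk port.
SWITCH_MAC = "02:00:00:00:00:08"
CAPTURE = [
    build(SWITCH_MAC, 10), build(SWITCH_MAC, 20), build(SWITCH_MAC, 30),
    build("02:00:00:00:00:aa", 20), build("02:00:00:00:00:bb", None),
]

if __name__ == "__main__":
    print("switch MAC also active on VLANs:", audit(CAPTURE, SWITCH_MAC, 10))
```

An empty result from `audit` means the switch's MAC was only seen on the VLAN you intended for management; any other VLAN ID in the list is a segment from which the management interface is talking.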
Hello @Bongo,
Yes, the ER-X has individual Ethernet ports which can be combined to a switch (I use several ER-X and EP-R6, too). They use pure software VLANs implemented in the Linux kernel. For example, eth0 is the physical interface; using this interface doesn't tag traffic sent over the IF. To make it a tagged port, one has to create a virtual interface (e.g. eth0.2 to force tagging with VLAN ID 2). Creating a switch interface on ER-X is done by bridging physical or virtual ports in a software bridge. An IP can (and needs) to be defined to either the phy interface or the virtual interface or the bridge interface. This means that you can reach the router's web UI through all VLANs, too, like in TL-SG108E/PE – the router doesn't support a management VLAN either. However, since it's a router you can easily deny access to the router's IP and its web UI for a given VLAN; it's done by firewall rules.
A switch such as TL-SG108E/PE has no individual Ethernet interfaces, it uses a chip which implements the switch in hardware. VLAN handling is done by the switch chip, not by the software. One of the differences between a switch in hardware vs. a switch in software is assigning a trunk port to a Primary VLAN by setting a port's PVID to force tagging of untagged traffic on ingress. Having a trunk interface on ER-X (say, eth1.4, eth1.5, eth1.6) still allows untagged traffic on eth1, it can't be forced to go into a VLAN. Setting a PVID P on such an interface X creates a VIF named ethX.P. All ethX interfaces are always connected with the CPU, all ethX.P are always connected (bridged) with its physical base interface ethX and/or with a virtual interface such as switchX or switchX.P.
Most annoying problem with TL-SG108E V2 was the fact that ports couldn't be removed from the Default VLAN 1, but the community could eventually convince TP-Link's R&D to change this with firmware for switch V3 released in January 2018. This firmware can be installed also on V2 hardware. The hardwired membership in Default-VLAN 1 before this fix was causing packet leaks between VLANs. You can still find the forum thread discussing the VLAN 1 problem here, it's pinned in this subforum.
To summarize: a TL-SG108E/PE doesn't allow to assign the switch's interface to a certain (mgmt) VLAN, while on ER-X you can do so by blocking access to the router's mgmt layer using firewall rules.
You could try to convince TP-Link to change the TL-SG108E/PE firmware to include a mgmt VLAN setting, but I think it's not a technical matter, but rather product policy. If Easy Smart switches would offer all those functions of a Smart switch, the Easy Smart switch would compete with somewhat more expensive models such as T1500G-10PS/MPS.
But keep in mind that in early days of networking managed switches had been really expensive (15,000 to 20,000 bucks was no uncommon price back then), so nowadays we can be happy to get managed switches for affordable prices; the cheap ones with only some VLAN functionality, the more expensive ones with more VLAN functionality.
If you find real bugs, just send them to TP-Link's support, I'm sure R&D will fix bugs.
As for OSS software: you can easily install OpenWRT on ER-X, but I don't know an easy way to install OSS software on a switch such as TL-SG108E/PE. Given today's prices for switches it isn't even worth the effort – porting own firmware is a very time-consuming task not to speak of the efforts needed to support such a firmware then.
Hello @R1D2,
Thanks for the detailed reply, I have read some of your other posts in this forum, and you are a real asset to the forum.
What you are describing is the method that must be used on routers without dedicated switch chips, like the ER-8 or ER-4, that have individual ethernet controllers on every routed port. And using the bridge interface just makes them an expensive, low performance switch, which is not what they were designed for.
Since you have an ER-X and the EP-R6 (which is essentially an outdoor version of the ER-X SFP), you can try this on either one, since they are both based on the MediaTek MT7621A SoC, which has a 32bit MIPS CPU and a dedicated portion that is a switch chip. I use fw v1.10.10 because v2.0.6 has problems on the MediaTek SoC based routers.
You can configure the ER-X switch in vlan-aware mode, and put vlans (with up to one pvid for untagged, or one or more vids for tagged frames). These vlans don't require an associated vif, and if the vif doesn't exist, the router is unaware of them. However, these vlans will still be switched without the assistance of the CPU. The only involvement of the CPU is in configuring the switching registers in the switch chip, the switch chip does the heavy lifting in dedicated silicon circuitry.
Log into the CLI and enter the following commands:
/sbin/switch
/sbin/switch dump
/sbin/switch vlan dump
/sbin/switch pvid dump