t1600g-28ts multiple vlans per port schema
I am quite new to VLAN setup and I'm not sure if what I am trying to do is not possible or if I am doing something wrong.
I have a T1600G-28TS configured as this:
VLAN100 (STUDENTS): 1-18,24 (untagged)
VLAN101 (TEACHER): 1-24 (untagged)
VLAN102 (INTERNET): 1-24 (untagged)
PVIDs:
1-18: VLAN100
19-23: VLAN101
24: VLAN102
I'd like that teachers could access to resources in VLAN100 (students).
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Carles wrote
I am quite new to VLAN setup and I'm not sure if what I am trying to do is not possible or if I am doing something wrong.
I have a T1600G-28TS configured as this:
VLAN100 (STUDENTS): 1-18,24 (untagged)
VLAN101 (TEACHER): 1-24 (untagged)
VLAN102 (INTERNET): 1-24 (untagged)
PVIDs:
1-18: VLAN100
19-23: VLAN101
24: VLAN102
I'd like that teachers could access to resources in VLAN100 (students).
VLANs are a mechanism to isolate networks from each other, which use common resources (switches, cables) for transmission.
To achieve a strict isolation between three logical subnets, you would have to assign ports 1-18 as members of VLAN 100 only, 19-23 as members of VLAN 101 only and port 24 as a member of VLAN 102 only. To route traffic from one of those isolated subnets into another, you would have to use inter-VLAN routing. To control permissions to use certain routes you would have to use access control lists (ACLs).
That's pretty heavy stuff for a beginner.
Rule 1: In general, it makes not much sense to assign an untagged port to more than one VLAN at a time. With your config, if a teacher's system sends a packet to a student's system, it gets assigned VLAN 101 and will be forwarded to those student's system. If this system then sends data back, it gets assigned to VLAN 100, so the teacher's system never will see this reply.
Rule 2: Always use the appropriate mechanism for a given task. If you need isolated networks, use VLANs. If you need interconnectivity, use either a common network or a router (or inter-VLAN routing in the switch). If you need access control, use a firewall (or ACLs in the switch).
- Copy Link
- Report Inappropriate Content
First of all, thanks a lot for your answer, because it confirms what I was suspecting and it will save me hours trying to achieve something through the wrong way.
I understand the suggested configuration in order to isolate the three subnets. Nevertheless, with this configuration the ports 1-23 should not have internet access. I suppose that, in that case, all ports would be members of VLAN102 (based on https://tp-link.com/us/faq-328.html example)
Another question is that if I would need to add a trunk port (to connect a second switch), I don't find the way to specify the link type of the port. Is automatically recognized as a trunk when a port belongs to several VLANs?
(the hardware version is 2, if necessary)
- Copy Link
- Report Inappropriate Content
Hi Carles
As for the Trunk port, in TP-Link Switch, it can be achieved by General with Tagged setting.
In another words, if you want to config port 1 as a Trunk port, all you need to do is change the port type to General and set the Egress rules of the port to TAG.
Hope this can help you.
- Copy Link
- Report Inappropriate Content
Carles wrote
I am quite new to VLAN setup and I'm not sure if what I am trying to do is not possible or if I am doing something wrong.
I have a T1600G-28TS configured as this:
VLAN100 (STUDENTS): 1-18,24 (untagged)
VLAN101 (TEACHER): 1-24 (untagged)
VLAN102 (INTERNET): 1-24 (untagged)
PVIDs:
1-18: VLAN100
19-23: VLAN101
24: VLAN102
I'd like that teachers could access to resources in VLAN100 (students).
Hi,
You do not need to use VLANs. Just use Port-Isolation.
- Copy Link
- Report Inappropriate Content
Tried to configure port 1 as a trunk port, changing it to TAG in the VLANs and it works like a charm. Thanks!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3601
Replies: 5
Voters 0
No one has voted for it yet.