Discard ingress tagged traffic on the T1500G-8T V2 switch
I have a T1500G-8T V2 switch, using firmware 2.0.5 Build 20200109.
I define 3 VLANs as follows:
- VLAN 1 = System = All ports untagged
- VLAN 2 = Only LAN = Ports 2-6 untagged
- VLAN 3 = Only Internet = Ports 1, 7-8 untagged
Then I configure the PVID like this:
- PVID (from port 1 to 8) = 1, 1, 1, 1, 2, 2, 3, 3
All ports are configured to Ingress Checking = Enabled, and Acceptable Frame Types = Admit All.
I connect devices which should access both the Internet and other LAN devices to ports 1-4, including my router that is connected to port 1. This works because all ports are members of VLAN 1, so anything connected to ports 1-4 gets a PVID of 1, and it can reach any other port.
I connect devices which should access only to other LAN devices (but NOT the Internet) to ports 5 or 6. This works because devices connected to these ports get a PVID of 2, so they can only talk to any other member of VLAN 2, but my router is connected to port 1 which is not a member of VLAN 2, so it is not reacheable by ports 5 and 6.
I connect devices which should access only the Internet (but NOT other LAN devices) to ports 7 and 8. This works because devices connected to these ports get a PVID of 3, so they can only talk to any other member of VLAN 3, including my router which is connected to port 1. The rest of LAN devices are not members of VLAN 3, so these two ports cannot talk to them.
Let's say a device is connected to port 2, so it shouldn't reach the Internet. However, if this device tags (by itself) its outgoing traffic with VLAN 1, this traffic will ingress the switch with VLAN 1 (because, as I said at the beginning) all ports are configured to Acceptable Frame Types = Admit All, so it will be abble to talk to any other port, including port 1.
Similarly, if a device is connected to port 7 it shouldn't reach the devices connected to ports 2-6. However, if this device tags (by itself) its outgoing traffic with VLAN 1, it will be abble to talk to any other device on the LAN.
As you can guess, this behavior defeats VLAN isolation because any device can make itself a member of VLAN 1 just by tagging its outgoing traffic, so the security of my LAN gets compromised.
I've tried to remove ports 5-8 from VLAN 1, but then everything gets ruined because devices connected to ports 1-4 cannot see devices connected to port 5-8, so VLAN 2 members cannot talk to LAN devices connected to ports 2-4 (and vice versa), and VLAN 3 devices cannot talk to the router.
If I could configure the switch to accept only untagged traffic in some ports, those ports would be protected from this kind of attack, because the port would discard any rogue tagged traffic automatically, but I cannot find how to do it on my TP-Link switch.
Does anybody know how can I configure the switch to make a port to accept only untagged traffic, so a rogue device cannot spoof the VLAN?