Inter-VLAN routing with sdn switch only
Hi,
In addition to the TL-SG2428P I use a software Omada controler. My Internet rouer is a Fritz-Box.
I want to set up something similar to this TP-Link video: https://www.youtube.com/watch?v=-mkU3rI9coE
Summary:
3 Vlans:
* 1: infrastructure (controller, eap, switch, router)
* 10: marketing department
* 20: R&D department
each of these set up with an own ip-range.
Once this is set up in the video, it states that all vlans can communicate with each other and have internet access. But No routes or whatever were configured.
This does not work in my setup. I tried static routes and switch acl's. But nothing enables my vlans to talk to each other.
As I am lacking the router, I question myself: is this a router feature? And if so - does all routed traffic need to go through the router cable (video: Port 13 on the switch)?
Also: isn't that a huge security flaw, to enable inter-vlan communication by default?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@wuppi When the switches are managed by the controller I don't think they are doing layer 3 routing.
However, the Omada gateways allow traffic across LAN segments by default. This can be restricted by applying ACLs to the switches.
So what you are seeing in the video is probably a result of the Omada gateway allowing LAN traffic by default and automatically applying NAT to all LAN subnets so no further configuration is needed.
In your case, you have a different firewall so that firewall is either blocking the inter-vlan traffic or not configured to have networks on that vlan.
- Copy Link
- Report Inappropriate Content
@wuppi Hi
You can still make 3 VLANs communicate with each other, however if you still want Internet access, your Router must support multi-nets NAT(can do NAT for different subnets).
I find an example for you, although it is using standalone mode but you may refer to:
How to build up a multi-nets network via Multi-Nets NAT feature on TP-Link router with L2+/L3 switches
- Copy Link
- Report Inappropriate Content
@Somnus thank you for the example. But maybe you picked the wrong one? Yours requires a router too ...
- Copy Link
- Report Inappropriate Content
@wuppi Are you saying your firewall doesn't have the ability to inter-VLAN routing?
I am not sure what the capabilities of that particular switch are but to get the full layer 3 functionality of the Omada switches, you need to disconnect it from the controller. The controller is very limiting as it relates to L3 switch functionality.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
wuppi wrote
Is there a list / overview available, which L3 features are not available in controller mode?
That would be "Almost all of the L3 features"
There isn't much L3 switch functionality surfaced via the controller.
The only L3 switch functionality I have seen in the controllers is limited support for ACLs and the ability to add simple static routes.
- Copy Link
- Report Inappropriate Content
Hi,
I finally found this https://www.tp-link.com/us/support/faq/2936/
This looks like a lot is possible.
And also: I believe it got everything working!!
I need some more testing and playing with ACL - but it is promising. NO ROUTER used!
2 subnets:
Fritzbox: 192.168.0.1/24 (Internet) (VLAN 10)
.1 = Fritzbox (Internet Gateway, DHCP server for this net assinging gateway and dns to itself:192.168.0.1)
.2 = TL-SG2428P v4.0 (which is far too loud)
.x other clients
Guest: 10.10.12.1/24 (VLAN 20)
.1 = TL-SG2428P v4.0 (as DHCP server. Assigning Gateway = self 10.10.12.1 and DNS = 192.168.0.1)
.2 = client
Fritzbox static route:
IPv4-Netzwerk: 10.10.12.0
Subnetzmaske: 255.255.255.0
Gateway 192.168.0.2
That device is not VLAN aware, I believe it just forwards the packets.
The ports on the switch have the correct vlan's assigned.
Results:
I can ping from Fritzbox clients to "Guest" members (switch 10.10.12.1 and 10.10.12.2 and others)
Guests can ping the fritz box and other members in its network. They can also access internet.
So do I understand it correctly:
With Gateways and static routes, everything is wired together. Afterwards it can be restricted with ACL?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1737
Replies: 7
Voters 0
No one has voted for it yet.