Vlan isolation setup

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-11-30 01:54:40 - last edited 2022-11-30 01:58:48
Model: TL-SG108E  
Hardware Version: V6
Firmware Version:

Hello,

 

I've been using unmanaged switches from TP-Link for a long time and they have been great so far, but the time has come to move to a managed solution. Unfortunately there aren't any good videos on YouTube explaining how to set up VLANs and dedicate ports and devices to them. So I really need the forum's help. I just ordered my switch and expect it to arrive in a couple of days. Until then I need to get ready for the setup.

 

Note: my drawing skills on paper aren't great. Please don't mind the visual "blueprints" I am posting. They are just there to make things easier to understand.

 

Let me tell you what I have at the moment.

 

 

ROOM 1:
ISP MODEM 192.168.1.1
AN UNMANAGED SWITCH
DECO 1 @192.168.68.1
NAS BACKUP 192.168.68.4

ROOM 2:
AN UNMANAGED SWITCH AND ON IT
NAS (MAIN) 192.168.68.3
PC 192.168.1.254
NVR 192.168.68.100

ROOM 3:
DECO 2 @192.168.68.something
ALARM HUB @192.168.68.101

 

The goal is to...

 

Isolate my PC and my NASes in VLAN 1
Isolate my NVR in VLAN 2 (for security reasons)
Isolate my Decos in VLAN 3 for IoT smart devices and mobiles (security reasons)
Isolate my Alarm Hub in VLAN 4 for the same security reasons

 

The big questions are:
Q1. Is it possible for me to see and manage devices in VLANs 2, 3 and 4 without the devices in VLANs 2, 3 and 4 being able to access VLAN 1?
Q2. Is it possible for the PC and NAS 1 to be connected to an unmanaged hub and still work? (I can't deploy another line! I am too old for that. Lol)
Q3. How can I do all this? I don't really understand the menus.

 

Thank you.

 

#1
Re:Vlan isolation setup
2022-11-30 11:34:18

  @BDKs 

 

1. The ER605 currently does not support unidirectional ACLs; the ER7206 does. You can use the ER7206 for the related settings, see this:

How to implement VLAN unidirectional access through ACL configuration

 

2. Your current requirement means you have to set up multiple VLAN interfaces on the ER7206, and then set up the corresponding VLANs on the SG108E.

After setting this up, you can connect an unmanaged switch behind the SG108E, and the unmanaged switch is able to filter the tagged data.

 

How to create multi networks and manage network behavior with ACL

How to configure 802.1Q VLAN

Just striving to develop myself while helping others.
#2
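The "unidirectional access" mentioned in the post above (#2) is worth seeing in miniature, because it is exactly what the original question Q1 asks for and exactly what a switch alone cannot deliver. The following is an added example, not configuration for the ER7206 or the thread's own setup: a toy router between three VLAN interfaces, once with a static, per-packet ACL and once with connection tracking. The VLAN IDs (50 for the PC/NAS network, 100 for the NVR), the addresses and the traffic are constructed assumptions chosen to match the thread's draft plan.

```python
"""Toy model of 'unidirectional' inter-VLAN access on a router.

Added example, not ER7206 configuration or the thread's own setup. VLAN IDs,
addresses and the sample traffic are assumptions chosen to match the thread.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_vlan: int
    dst_vlan: int
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True only for the first packet of a connection


def flow_key(p: Packet) -> FrozenSet[Tuple[str, int]]:
    """Direction-independent identity of a connection (endpoint pair)."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class StatelessRouter:
    """Static ACL: every packet is judged on its own headers.

    'Accept only packets originating in the trusted VLAN' sounds right, but it
    also drops the NVR's replies, so nothing from the PC ever works."""

    def __init__(self, trusted_vlan: int) -> None:
        self.trusted = trusted_vlan

    def decide(self, p: Packet) -> str:
        return "accept" if p.src_vlan == self.trusted else "drop"


class StatefulRouter:
    """Connection tracking: only the trusted VLAN may open a flow, and any
    packet that belongs to an already-open flow passes in either direction.
    That is the one-way access the thread asks for."""

    def __init__(self, trusted_vlan: int) -> None:
        self.trusted = trusted_vlan
        self.flows: Set[FrozenSet[Tuple[str, int]]] = set()

    def decide(self, p: Packet) -> str:
        key = flow_key(p)
        if key in self.flows:
            return "accept"                     # reply or continuation
        if p.src_vlan == self.trusted and p.syn:
            self.flows.add(key)                 # trusted side opens the flow
            return "accept"
        return "drop"                           # unsolicited from an isolated VLAN


def run(router, packets: List[Packet]) -> List[str]:
    return [router.decide(p) for p in packets]


# Constructed traffic: the PC (VLAN 50) opens a session to the NVR (VLAN 100),
# the NVR answers, then the NVR tries to reach the NAS (VLAN 50) on its own.
PC, NVR, NAS = "192.168.50.10", "192.168.100.10", "192.168.50.3"
TRAFFIC = [
    Packet(50, 100, PC, NVR, 50000, 443, syn=True),   # PC -> NVR, new session
    Packet(100, 50, NVR, PC, 443, 50000),             # NVR -> PC, the reply
    Packet(100, 50, NVR, NAS, 40000, 445, syn=True),  # NVR -> NAS, unsolicited
]

if __name__ == "__main__":
    print("stateless:", run(StatelessRouter(50), TRAFFIC))  # accept, drop, drop
    print("stateful: ", run(StatefulRouter(50), TRAFFIC))   # accept, accept, drop
```

The stateless version shows why a plain "deny VLAN 100 to VLAN 50" rule is not enough: it blocks the reply as well as the attack. The classic stateless workaround, permitting packets whose TCP ACK flag is set as "established", is weak, because a host in the isolated VLAN can simply set that flag itself; real connection tracking, as in the stateful version, is what makes the access genuinely one-way.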
Re:Vlan isolation setup
2022-11-30 11:48:50 - last edited 2022-11-30 11:49:12

  @Virgo Thank you for replying and for the links. I will check them out. (I already am, actually.)

 

I can now say with certainty, "That's Greek to me". I have neither an ER605 nor an ER7206. Those are routers, right?

 

Did you mention them because of the unmanaged switch I said I need to have in my setup? If so, what if, just to avoid having another router in my setup, I run another cable and have each device (PC and NAS 1) on its own port? Will this make things easier?

 

My biggest issue is that I am not sure how the 802.1Q VLANs should be set up so I can both isolate and manage my devices.

 

So complicated for a newbie.

#3
Re:Vlan isolation setup
2022-12-01 10:19:54

Sorry for double posting, but the switch will arrive in a few hours and I have to find out about tagged and untagged.

 

So let's say I create these Vlans.

 

192.168.50.xx for my PC and NASes

192.168.100.xx for my security systems

192.168.200.xx for my Decos

 

Will it be like that?

 

 

Port     VLAN       Egress Rule   PVID
Port 1   VLAN 50    Untagged      1
Port 2   VLAN 100   Untagged      2
Port 3   VLAN 200   Untagged      3

 

But will I be able to access VLAN 100 and VLAN 200 from VLAN 50? I don't want VLANs 100 and 200 to access VLAN 50 though.

#4
Re:Vlan isolation setup
2022-12-01 13:38:38

  @BDKs 

 

Although the TL-SG108E makes it possible to set up VLANs, it does not provide inter-VLAN routing or a DHCP server. Your ISP modem, which really must be a modem-router combo, is not VLAN-aware, so it will not help you with inter-VLAN routing or DHCP addressing for all VLANs.

 

Instead of the TL-SG108E, you should've bought a routing switch that comes with a DHCP server. Alternatively, you may use a VLAN-aware router like the ER605, or better the ER7206, and disable NAT in the ISP modem-router if possible.

 

Kris K
#5
Re:Vlan isolation setup
2022-12-01 13:43:30 - last edited 2022-12-01 13:45:09

  @KJK 

 

Are the TP-Link Decos able to do that?

 

I mean, it would be like Internet > ISP router > Deco (to use its DHCP server) > managed switch.

 

That's the original goal

#6
Re:Vlan isolation setup
2022-12-01 14:57:31

  @BDKs 

 

I'm not familiar with them, but I don't think so. There are very few Internet WiFi routers that can do that.

 

Kris K
#7
Re:Vlan isolation setup
2022-12-01 15:07:44

  @KJK 

 

I keep confusing VLANs with ports right now. I am trying to set it up, but it's so confusing.

 

Both "tagged" and "not member" feel like they cut the connection to the device, but I still don't know.

 

I thought that VLANs were something like another subnet, for example.

 

I wanted my PC to be 192.168.68.254 and my NVR to be 192.168.100.1, but this is not the case.

I can see now that we need a DHCP server, but since there are no "subnets", how the hell does it know what it should stop?

 

For example, below. Trying to understand, I keep the VLAN IDs the same as the port numbers. So port 3 is CCTV and port 8 is my PC, and I am trying not to let my PC access port 3, but it doesn't work. I don't get it. I feel so stupid.

 

#8
Re:Vlan isolation setup
2022-12-02 03:55:26

  @BDKs 

 

Think about VLANs as virtual switches. Switches have ports, and so do VLANs. You make a port part of a VLAN by marking it as Untagged or Tagged in that VLAN. However, calling ports Untagged or Tagged is rather misleading. What these terms really describe is the type of Ethernet frames passing through that port, not the port itself. A tagged frame is one that contains a tag carrying the VLAN ID. An untagged frame does not contain such a tag.

 

Also, making a port a member of a certain VLAN is not enough for the frame tagging process. For that, a PVID is used, which needs to be set for each port individually. This is very important, since if you do not set those PVIDs correctly, your VLANs will not work.

 

You have ports to which you connect endpoint devices, like PCs and printers. Those ports should be marked as Untagged, since those devices do not send or need tagged frames. The PVIDs of such ports should be set to the ID of the VLAN they belong to. Also, those ports should be members of one and only one VLAN, unless you use some other special ways of VLAN assignment.

 

You can also have ports that connect VLAN-aware switches or routers together. Those ports will be members of multiple VLANs and should be marked as Tagged in those VLANs, since they deal with tagged frames. A special case is the default VLAN, where it is better to always mark its ports as Untagged and set their PVID to that VLAN ID.

 

That's not really that complicated, is it?

Kris K
#9