
Author Topic: TP-LINK Smart Switches anyone?  (Read 79848 times)


Offline stephenw10

Re: TP-LINK Smart Switches anyone?
« Reply #15 on: April 27, 2014, 02:20:52 pm »
I disagree for a couple of reasons.

There is no need for an uplink port such as you describe on a Gigabit switch since all ports are auto-MDX. Unless the switch has a single fibre or 10Gig port for that purpose, these don't.

I have never seen a switch that had VLAN capability that couldn't do a VLAN 'trunk'. Even those really cheap Netgear switches that require a Windows utility to control them. (Edit: These are quite a bit cheaper though)

What would be the purpose of a switch that recognised VLAN tags but was unable to use a trunk port?
1. You could divide the switch into separate groups of ports that formed, in effect, separate switches.
2. You could possibly pass VLAN tagged traffic without stripping the tags.
Neither of those seem particularly useful in common applications.

The 'uplink' port referred to in the instructions is specifically for VLANs.

Just to define it: by 'VLAN trunk' I mean a connection carrying traffic with multiple different VLAN tags such that when connected to a pfSense box each of those VLANs can appear as a separate interface.

Of course I still haven't used one so I stand to be corrected. ;)

Steve
« Last Edit: April 27, 2014, 02:27:19 pm by stephenw10 »

Offline Harvy66

Re: TP-LINK Smart Switches anyone?
« Reply #16 on: April 28, 2014, 07:44:44 am »
> This HP model costs twice as much as the TP-Link, in my area. Also, is the HP fanless?
>
> Guys, an "uplink" port on these cheap switches means only that it can be connected to another switch using straight cables, meaning the port is autosensing. These days, all the ports can be "uplinks"... Tagging of the traffic has nothing to do with this feature.

It is fanless. The TP-Link looks fine, feature wise. I only went with HP because my last job used HP and I had nothing but good experiences, plus I've read nothing but good reviews with customer support and warranty support.

Offline robi

Re: TP-LINK Smart Switches anyone?
« Reply #17 on: April 28, 2014, 09:11:15 am »
Stephen, we're in the same boat. What I just wrote is that there's no "dedicated" uplink port these days anymore. Back in the old times (15 years ago) some switches and hubs had an additional dedicated uplink port (regardless of tagging features) where port connection was crossed internally, so that people could use straight cables to connect switches to each other or to routers. That port was nothing more than just the first or the last port on the switch duplicated to a cross-connected RJ-45 socket on the board, nothing more, and it was literally printed below it, the word "uplink". Pretty much like the SFP ports double ports 15 and 16 on the TL-SG2216. Maybe we could call these as uplinks dedicated - but only when using fibre optics.

Apart from that, you can use any port as "uplink" today, on these cheaper switches. Not on Ciscos, the Ciscos still require cross-cables to connect to each other.

There are two types of TP-Links we're discussing in this topic:
Easy Smart Switches: http://www.tp-link.com/en/products/?categoryid=2878
Smart Switches: http://www.tp-link.com/en/products/?categoryid=223

I've looked into the manual of the TL-SG1016DE Easy Smart Switch, and the manual of the TL-SG2216 Smart Switch, and noticed quite a lot of differences. Perhaps I misunderstood, but it seemed to me that the Easy Smart model is not capable of transferring multiple VLANs through a port. What's the point of having such a switch I don't know, and I don't really care.
What I opened this topic for is to be sure which one to buy, to be as sure as possible that it will work with pfSense and tagged VLANs.

I ordered a TL-SG2216 yesterday btw. I'll test, and if it's OK, I'll order a second one later. And of course will post back here my experiences. This will not answer whether the TL-SG1016DE Easy model can or can't do this, however.

« Last Edit: April 28, 2014, 09:14:12 am by robi »

gonzopancho

  • Guest
Re: TP-LINK Smart Switches anyone?
« Reply #18 on: April 29, 2014, 01:20:36 am »
Yes, a lot of the HP switches are fanless.   I have one.  :-)

I saw one of the TP-Link switches at the local Fry's.  Seemed interesting.


Offline stephenw10

Re: TP-LINK Smart Switches anyone?
« Reply #19 on: April 29, 2014, 06:43:20 am »
I'm sure the TL-SG2216 will be fine for what you need.
I think I'll probably get a TL-SG108E when they become generally available in the UK. They're so cheap that they are comparable to an unmanaged switch from other manufacturers. Looking at the manuals for the TL-SG108E and the TL-SG1016DE (both Easy Smart type) the 16 port appears to have some sort of web interface but I fear the 8 port may be Windows utility only. With the demise of XP I no longer have a Windows box readily available.  :-\
Anyway if I get one I'll let you know for sure what it can and can't do.  ;)

Steve


Offline verigoth

Re: TP-LINK Smart Switches anyone?
« Reply #20 on: April 29, 2014, 07:00:20 am »
> Apart from that, you can use any port as "uplink" today, on these cheaper switches. Not on Ciscos, the Ciscos still require cross-cables to connect to each other.

I'm not sure which Cisco switches you're using but every one I've used that was made in the last decade has worked just fine using straight-through cables on "trunk" links.

Let me know how you like the TP-Link - I've been eyeing the TL-SG3216.

Offline robi

Re: TP-LINK Smart Switches anyone?
« Reply #21 on: April 30, 2014, 03:23:57 pm »
OK trying to figure it out, seems to be able to do what I need but it's a bit cumbersome:
TP-LINK: How to configure 802.1q VLAN on Smart Switches?

Offline Harvy66

Re: TP-LINK Smart Switches anyone?
« Reply #22 on: April 30, 2014, 08:01:55 pm »
> > Apart from that, you can use any port as "uplink" today, on these cheaper switches. Not on Ciscos, the Ciscos still require cross-cables to connect to each other.
>
> I'm not sure which Cisco switches you're using but every one I've used that was made in the last decade has worked just fine using straight-through cables on "trunk" links.
>
> Let me know how you like the TP-Link - I've been eyeing the TL-SG3216.

I agree. I cannot remember the last time I saw a non-auto MDI-X port on a 1gb switch. Even the cheapest of the cheap can detect. My integrated NIC even supports detecting and adjusting for wrong polarities. You can actually mix up the solid and striped wires on the crimp and it'll still work, just get the colors correct.

Offline robi

Re: TP-LINK Smart Switches anyone?
« Reply #23 on: May 01, 2014, 04:10:11 pm »
Tested TL-SG2216 with a pfSense box, it works handling multiple VLANs on a port.

TP-Link has a substantially different approach to implementation of the 802.1Q VLAN standard seen from the user's perspective, but the results seem to be the same as the other switches.

The main idea is (as can be probably seen in the article I linked in the post above) that you have to consider the VLANs as the "owners" of the ports, and not the other way around, as Cisco thinks of it. Because of this, you can't simply define a port as a "trunk" (cisco-like, containing all VLANs) or an access port. You have to add the ports to the various VLANs, and the way you add it to them causes traffic to pass through accordingly.

You can add a port to a VLAN in three ways, from the outgoing (egress) perspective of the port:
- "Untagged": traffic coming in, which has no VLAN tag, will go into VLAN specified at PVID option. Traffic going out will have no VLAN tag
- "Tagged": traffic coming in, which has the VLAN tag set, will go into that VLAN. Traffic going out will have the VLAN tag set accordingly.
- "Not member": port does not handle traffic with tag number of the selected VLAN.

It's like multidimensional matrix where you have to tick the corresponding rows and columns between the VLAN and the ports.

As you see this approach makes it a bit more difficult to have an overview of how to set it up but it's possible.

Here's an example where you'd set up port 16 as a Cisco-like trunk (port containing multiple VLANs, 10 and 20) and ports 2 and 3 as access ports for VLANs 10 and 20 respectively.

1. First you define all your existing VLANs in the network. In the web interface go to menu VLAN→802.1Q VLAN→VLAN Config and create VLAN 10 and VLAN 20.

2. Select in the list VLAN 10. In the table below (VLAN Membership) select "Untagged" for port 2 and set PVID to 10. This will make port 2 catch all the traffic and push it into VLAN 10. Also select "Tagged" for port 16. This will make port 16 push out VLAN 10's traffic with vlan tag set in the headers.

3. Select in the list VLAN 20. In the table select "Untagged" for port 3 and set PVID to 20. This will make port 3 catch all the traffic and push it into VLAN 20. Also select "Tagged" for port 16. This will make port 16 push out also VLAN 20's traffic with vlan tag set in the headers.

That's it! You have now both VLANs tagged traffic present on port 16.
I tested this by creating these VLANs on a pfSense box's nic, added some static IP addresses to these new interfaces in pfSense, connected that nic to port 16, and I was able to ping them separately from PCs connected to ports 2 and 3.

One thing to consider though.

Port 16 is also a member of VLAN 1, which is the default VLAN of the switch, factory preset. It passes the traffic of VLAN 1 untagged, together with the tagged VLANs 10 and 20. This allowed me to ping pfSense's box nic directly from any other port than 2 or 3 (because these all belong to VLAN 1 by default). I tried to avoid that by removing port 16 from VLAN 1 (setting it to "NotMember"), but it wouldn't let me do that, because port 16's PVID is set to VLAN 1. Changing the PVID first to any other VLAN allowed me to remove it from VLAN 1, but unfortunately broke the functionality, as it only forwarded traffic belonging to that other VLAN.
So it seems that you have to keep a dummy VLAN (can remain VLAN 1) where your cisco-like "trunk" ports have to be untagged - in this case it's probably advisable to remember not to put any sensitive traffic on that VLAN which can be accessed on the port untagged.

The TL-SG2216/TL-SG2424/TL-SG2424P/TL-SG2452 switches also have a CLI interface (both Telnet and SSH). I looked into the CLI Reference Guide and quickly noticed that the majority of the commands are similar to Cisco's! Moreover, the security approach is very similar, it's got User EXEC Mode, Privileged EXEC Mode, Configuration Modes just like the Cisco Catalyst series. Very funny, here's how I re-created the above example from CLI interface:

Quote
login as: admin
Further authentication required
admin@x.x.x.x's password:

TL-SG2216>
TL-SG2216>enable
TL-SG2216#
TL-SG2216#conf
TL-SG2216(config)#
TL-SG2216(config)#vlan 10
TL-SG2216(config-vlan)#exit
TL-SG2216(config)#interface gigabitEthernet 1/0/2
TL-SG2216(config-if)#switchport general allowed vlan 10 untagged
TL-SG2216(config-if)#switchport pvid 10
TL-SG2216(config-if)#exit
TL-SG2216(config)#vlan 20
TL-SG2216(config-vlan)#exit
TL-SG2216(config)#interface gigabitEthernet 1/0/3
TL-SG2216(config-if)#switchport general allowed vlan 20 untagged
TL-SG2216(config-if)#switchport pvid 20
TL-SG2216(config-if)#exit
TL-SG2216(config)#interface gigabitEthernet 1/0/16
TL-SG2216(config-if)#switchport general allowed vlan 10 tagged
TL-SG2216(config-if)#switchport general allowed vlan 20 tagged
TL-SG2216(config-if)#exit
TL-SG2216(config)#exit
TL-SG2216#copy running-config startup-config
 Start to save user config......
 Saving user config OK!

TL-SG2216#

I was looking at the web interface too after entering the commands, refreshing the page in the browser showed all the steps just like I would have done them there. Very nice.

I think this switch suits my needs so I'm definitely considering purchasing a second one.
Further investigations I need to do are related to multicasting, I have high hopes there related to multimedia content, because I see there's quite a lot of configuration possibilities.

Another very positive aspect of TL-SG2216 is that it runs really cool. At living room temperature you can hardly notice any heating on the top/surface with your hand.

Edit: my switch shipped with the very first firmware version, v1.0_20120528. The first thing I did was to upgrade to versions v1_130925 and v1_131031. Reason was that config file of the first version is not compatible with further versions (as stated on the manufacturer's website and read in a review too), + a good couple of new features are present in the updates.
« Last Edit: May 01, 2014, 04:35:31 pm by robi »
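
The membership matrix from reply #23, modelled as an added example (not part of the original post and not TP-Link code): it replays the three configuration steps, shows which tag a frame carries on each egress port, and flags the untagged VLAN 1 path on port 16 that the post warns about. The function names are hypothetical, and two assumptions are labelled in the comments: ingress filtering is on, and ports 2 and 3 left VLAN 1 when their PVID changed.

```python
UNTAGGED, TAGGED = "untagged", "tagged"

def build_config():
    """Switch state after the three steps in the post (16 ports)."""
    vlans = {
        # Assumption: ports 2 and 3 are no longer in VLAN 1, as the ping test implies.
        1: {p: UNTAGGED for p in range(1, 17) if p not in (2, 3)},
        10: {2: UNTAGGED, 16: TAGGED},
        20: {3: UNTAGGED, 16: TAGGED},
    }
    pvid = {p: 1 for p in range(1, 17)}
    pvid.update({2: 10, 3: 20})
    return vlans, pvid

def classify(vlans, pvid, port, tag=None):
    """VLAN an incoming frame lands in, or None if it is dropped."""
    vid = pvid[port] if tag is None else tag
    # Assumption: ingress filtering drops frames for VLANs the port is not in.
    return vid if port in vlans.get(vid, {}) else None

def forward(vlans, pvid, in_port, tag=None):
    """Egress port -> tag on the wire (None = untagged) for a flooded frame."""
    vid = classify(vlans, pvid, in_port, tag)
    if vid is None:
        return {}
    return {p: (vid if mode == TAGGED else None)
            for p, mode in vlans[vid].items() if p != in_port}

def audit_trunks(vlans, pvid):
    """Report ports that carry tagged VLANs and also pass a VLAN untagged."""
    findings = []
    for port in pvid:
        tagged = sorted(v for v, m in vlans.items() if m.get(port) == TAGGED)
        native = sorted(v for v, m in vlans.items() if m.get(port) == UNTAGGED)
        if tagged and native:
            peers = sorted(p for v in native for p in vlans[v] if p != port)
            findings.append({"port": port, "tagged": tagged,
                             "untagged": native, "reachable_from": peers})
    return findings

if __name__ == "__main__":
    vlans, pvid = build_config()
    print(forward(vlans, pvid, 2))   # PC on access port 2
    print(forward(vlans, pvid, 5))   # PC on a default VLAN 1 port
    for finding in audit_trunks(vlans, pvid):
        print(finding)
```
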

Offline stephenw10

Re: TP-LINK Smart Switches anyone?
« Reply #24 on: May 01, 2014, 05:27:32 pm »
Thanks for the write up.  :)
The VLAN config looks almost identical to that of most other small managed switches (in my very limited experience). All except Cisco perhaps.  ::)

Steve

Offline mikeisfly

Re: TP-LINK Smart Switches anyone?
« Reply #25 on: May 01, 2014, 08:52:36 pm »
Looks pretty good to me. Has most of the features that you would want and the back plane is fast enough to support all the ports transmitting at full bandwidth. Has support of VLAN tagging and LAG as well as rapid spanning tree. I think you will be good. The only thing I didn't see which is a show stopper is RADIUS support. If I could offer some suggestions.

When you connect two switches together via a tagged port (Cisco call it trunk port, but more proper to call it a tagged port) you should not put untagged traffic on the same port. If you have untagged traffic on a tagged port then make sure that both switches have the same pvid on both sides otherwise you will have traffic from one vlan getting onto another.

P.S.

Modern Cisco switches will automatically cross over the connection, just make sure you have the command: mdix auto under the interface

Offline robi

Re: TP-LINK Smart Switches anyone?
« Reply #26 on: May 02, 2014, 04:54:31 am »
I agree that my view may be distorted, as my (not so wide) experience on VLANs was almost exclusively based on Cisco Catalyst series. That's still what they teach nowadays on CCNA training... And, to be honest, Cisco's implementation is indeed very comfortable and easy to maintain.

What I'm missing from this TP-Link VLAN implementation, is something like Cisco's VTP (VLAN Trunking Protocol), where you can set master/slave relationship between switches, and if you add a VLAN to the master switches, it will automatically be created on the slaves too. This makes it easy and fast to maintain if you have dozens of switches connected to each other, plus minimizes mistakes.

I can of course live without VTP in my lab, but I think it's trivial to have it in a corporate environment.
« Last Edit: May 02, 2014, 04:56:14 am by robi »

Offline robi

Re: TP-LINK Smart Switches anyone?
« Reply #27 on: May 02, 2014, 05:03:38 am »
> When you connect two switches together via a tagged port (Cisco call it trunk port, but more proper to call it a tagged port) you should not put untagged traffic on the same port. If you have untagged traffic on a tagged port then make sure that both switches have the same pvid on both sides otherwise you will have traffic from one vlan getting onto another.

I didn't find a way to avoid that. As I wrote, it seems you can't have a port with tagged-only traffic, a PVID must be set. That means you'd have to sacrifice a (dummy) VLAN number to catch the untagged traffic. Not a big problem as you can have up to 512 VLANs simultaneously (on the Smart series).

Offline stephenw10

Re: TP-LINK Smart Switches anyone?
« Reply #28 on: May 02, 2014, 06:34:17 am »
They can't use VTP since that's a proprietary Cisco protocol. Wikipedia suggests the standards based equivalent is GVRP or MVRP. Neither appear to be supported.  :(

Steve
« Last Edit: May 02, 2014, 06:39:22 am by stephenw10 »

Offline charliem

Re: TP-LINK Smart Switches anyone?
« Reply #29 on: May 02, 2014, 08:58:08 am »
> They can't use VTP since that's a proprietary Cisco protocol. Wikipedia suggests the standards based equivalent is GVRP or MVRP. Neither appear to be supported.  :(
>
> Steve

The next model up, i.e. a full layer 2 managed switch like the TL-3216, does appear to support GVRP.  Haven't read deep enough to see what else you get with those over their 'smart switch' line.  Seems like the TL-SG2216 is pretty capable.