Can a VLAN be configured to function correctly even if there are unmanaged switches in the network?

Is it possible to configure individual ports on a managed switch to block specific VLAN traffic?

I've been trying to read up on this but I haven't found a definitive answer yet. Our home network is based around an Edgerouter Lite and Ubiquiti access points, connected with some Netgear GS108T and GS724T managed switches (courtesy of good pricing on Craigslist). I'd like to set up some VLANs for guest Wi-Fi and IoT devices, but until I can overhaul and rearrange the physical wiring the network will still need to use two unmanaged switches. I understand that this can negatively impact the VLAN operation. The primary goal (for now) with the VLANs is to allow traffic from specific SSIDs (eg Guest and IoT) to access the Internet, but not reach the rest of the network. Any unmanaged switches can be assigned to locations where no guest or IoT access is needed.

(The purpose of this project is to increase network security, so that guests can't access the NAS and other personal devices, as well as to isolate IoT devices. It is almost certainly overkill for our location and the actual network use - primarily family - but a big part of this is also for my own fun and education.)

2 Answers

The short answer is yes.

Is it possible to configure individual ports on a managed switch to block specific VLAN traffic?

It's rather the inverse: on a typical managed switch, only explicitly whitelisted VLANs will be passed through a port. So you get that behaviour more or less by default.

still need to use two unmanaged switches

While many (most?) unmanaged switches will pass VLAN-tagged packets along, there will be no isolation between ports on that switch. Rather, since you don't need isolation in the unmanaged portion of the network, you're better off treating them as "untagged"/"access" ports, like you would any other machine directly connected to that port.


Here's a brief (and maybe inaccurate, but good enough for home use) primer on VLANs.

  • A port can be set as "tagged" for any number of VLANs. This port will then pass packets for those VLANs with an 802.1Q tag. They are generally used for communication between VLAN-aware devices, such as routers, managed switches, and your UniFi access points. e.g. if port 3 is set for tagged VLANs 1, 10 and 100, it'll pass packets for only those VLANs and with the 802.1Q tag both incoming and outgoing.

  • A port can be set as "untagged" for a VLAN. These pass outgoing packets with the 802.1Q tag removed. Generally a port is only "untagged" for one VLAN. e.g. if you have port 4 set for untagged VLAN 10, it'll pass packets from VLAN 10 out that port with the tag removed -- appearing as a non-VLAN network for any devices on the other side.

  • You have a "PVID" on each port. This is the VLAN tag assigned to untagged incoming packets. Generally this should be set to the same value as the "untagged" VLAN for that port, so you have both outgoing and incoming traffic on that port handled on the same VLAN. Some switch management software will do that automatically.


Following that, the unmanaged switches should be connected to an untagged/PVID'd port on the managed switch for whichever VLAN you want the unmanaged switches to be on.

Is it possible to configure individual ports on a managed switch to block specific VLAN traffic?

Yes, and that's literally how VLANs are used most of the time. You're talking specifically about 802.1Q VLAN tagging, and every switch with 802.1Q support will show you a table where you can configure which port belongs to which VLAN IDs.

(This is why managed switches are necessary for VLANs, generally.)

until I can overhaul and rearrange the physical wiring the network will still need to use two unmanaged switches. I understand that this can negatively impact the VLAN operation

If the switch's upstream port belongs to a single untagged VLAN only (doesn't have any tagged VLANs), then it will not have any negative impact at all. Then all other ports of the switch will just automatically be on the same VLAN.

On the other hand, if the port has tagged VLANs then it's more complex. Unmanaged switches are able to carry even VLAN-tagged traffic, even if they don't understand it, but doing so can have negative impact.

In particular, Windows is really bad at receiving VLAN-tagged packets, although Linux and BSDs are fine with it. Other problems which can occur are reduced security (VLAN-hopping) and the switch's inability to keep separate MAC tables for each VLAN, but they aren't critical most of the time.

This can also work "good enough" when every single device connected to that unmanaged switch is itself VLAN-aware. For example, it's not a problem to connect three VLAN-capable Wi-Fi access points through an unmanaged switch, even if tagged VLANs are involved – because all those APs understand VLAN tags and they all would have the same VLAN membership anyway.


Hopefully-irrelevant note: VLAN tags add extra 8 bytes to the packet size, and all switches along the way must be able to carry the larger packets. All modern switches – managed or not – will do this just fine. However, if you have an unmanaged switch dating back to 20 years ago, it could be limited to exactly 1500 bytes and chop off the rest (or discard the entire packet).
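To make the tagged/untagged/PVID rules from the first answer's primer and the unmanaged-switch cases from the second answer concrete, here is a small Python model of how frames move through a managed switch and a pass-through unmanaged switch. It is an added illustration, not code from either answer or from any real switch firmware; the topology (port numbers, VLAN 1 for the LAN, 10 for IoT, 100 for guest) and the host names are constructed for the example, and the switch floods instead of doing MAC learning to keep the model short.

```python
"""Toy model of 802.1Q port handling on a managed switch plus a pass-through
unmanaged switch. Added illustration; not a real switch's code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None  # None = no 802.1Q tag on the wire


@dataclass
class Port:
    tagged: FrozenSet[int] = frozenset()  # VLANs carried out with an 802.1Q tag
    untagged: Optional[int] = None        # VLAN sent out with the tag stripped
    pvid: int = 1                         # VLAN assigned to untagged ingress


class ManagedSwitch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def ingress(self, port_no: int, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into an internal VLAN, or None if dropped."""
        port = self.ports[port_no]
        if frame.vlan is None:
            return port.pvid          # untagged arrival -> PVID
        if frame.vlan in port.tagged:
            return frame.vlan         # tagged and on this port's whitelist
        return None                   # tagged for a VLAN this port does not carry

    def egress(self, port_no: int, vlan: int, frame: Frame) -> Optional[Frame]:
        """Re-tag or strip for the outgoing port, or None if the port is not a member."""
        port = self.ports[port_no]
        if vlan in port.tagged:
            return Frame(frame.src, frame.dst, vlan)
        if vlan == port.untagged:
            return Frame(frame.src, frame.dst, None)
        return None

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Flood to every other member port (no MAC learning, to keep the model small)."""
        vlan = self.ingress(in_port, frame)
        out: Dict[int, Frame] = {}
        if vlan is None:
            return out
        for n in self.ports:
            if n == in_port:
                continue
            copy = self.egress(n, vlan, frame)
            if copy is not None:
                out[n] = copy
        return out


class UnmanagedSwitch:
    """Copies every frame, tag and all, to every other port: no isolation at all."""
    def __init__(self, n_ports: int):
        self.n_ports = n_ports

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        return {p: frame for p in range(1, self.n_ports + 1) if p != in_port}


def host_accepts(frame: Frame, vlan_aware: bool) -> bool:
    """A plain NIC only understands untagged frames; a VLAN-aware device (AP, router) takes both."""
    return vlan_aware or frame.vlan is None


# Constructed topology: 3 = trunk to the router, 4 = IoT access port, 5 = LAN access port,
# 6 = IoT access port feeding an unmanaged switch, 7 = AP port (untagged LAN, tagged IoT/guest).
SWITCH = ManagedSwitch({
    3: Port(tagged=frozenset({1, 10, 100})),
    4: Port(untagged=10, pvid=10),
    5: Port(untagged=1, pvid=1),
    6: Port(untagged=10, pvid=10),
    7: Port(tagged=frozenset({10, 100}), untagged=1, pvid=1),
})


def scenario_trunk_whitelist() -> Dict[int, Frame]:
    """A frame tagged VLAN 20 is not on port 3's list, so it goes nowhere."""
    return SWITCH.forward(3, Frame("router", "ff:ff", vlan=20))


def scenario_trunk_to_access() -> Dict[int, Frame]:
    """VLAN 10 from the trunk reaches only VLAN 10 ports; access ports get it untagged."""
    return SWITCH.forward(3, Frame("router", "ff:ff", vlan=10))


def scenario_unmanaged_behind_access_port() -> Dict[int, Frame]:
    """Unmanaged switch on port 6: a plain host's untagged frame lands on VLAN 10 via the PVID."""
    unmanaged = UnmanagedSwitch(5)
    uplink = unmanaged.forward(2, Frame("iot-bulb", "ff:ff"))[1]  # port 1 uplinks to managed port 6
    return SWITCH.forward(6, uplink)


def scenario_unmanaged_behind_trunk() -> Dict[str, bool]:
    """Unmanaged switch on a tagged port: plain hosts see tagged frames they cannot read, APs are fine."""
    on_port7 = SWITCH.forward(3, Frame("router", "ff:ff", vlan=100))[7]  # arrives tagged 100
    copies = UnmanagedSwitch(4).forward(1, on_port7)                      # tag left intact
    return {"laptop_accepts": host_accepts(copies[2], vlan_aware=False),
            "ap_accepts": host_accepts(copies[3], vlan_aware=True)}


if __name__ == "__main__":
    print("trunk whitelist:", scenario_trunk_whitelist())
    print("trunk -> access:", scenario_trunk_to_access())
    print("unmanaged behind access port:", scenario_unmanaged_behind_access_port())
    print("unmanaged behind trunk:", scenario_unmanaged_behind_trunk())
```

Running it shows the two points the answers make: a frame for an unlisted VLAN is simply not passed, and a frame entering an access port (directly or via an unmanaged switch) is confined to its VLAN, so the IoT bulb's broadcast never appears on port 5 even though nothing on the unmanaged switch knows VLANs exist.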
