
VLAN configuration example one – TL-SG108E

In document Mastering pfSense - David Zientara.pdf (Page 110-114)

The TL-SG108E comes with a resource CD, which contains a utility (the Easy Smart Configuration Utility) that you will need to install in order to configure the switch (there is no web-based interface available for this switch). Unfortunately, the utility only runs under Windows (it does not seem to work with Linux even with the WINE emulator), so a Windows computer running XP Service Pack 3, or later, is required. For the rest of the configuration, you will need to have this computer connected to the switch via an Ethernet cable.

Note

Note that switch configuration differs from pfSense configuration (and for that matter, configuration of any router) in one significant way: whereas you can configure pfSense from anywhere on the network, to configure a switch, you must be on the same subnet as the switch.

When you run the TP-LINK Easy Smart Configuration Utility for the first time, the utility will display a table called Discovered Switches, which will show any switches the utility was able to find. This will include any switches to which the computer is connected, as well as any switches which were uplinked to those switches. If you click on the entry for the switch you want to configure, you will be prompted for the login credentials of the switch. We enter the admin username and password and click on the Login button.

Once you are logged in to the switch, the configuration screen will have several tabs. We click on the Switching tab, which initially displays a table showing the status of each of the switch's eight ports. We first need to configure a trunk for the switch, so we click on Port Trunk on the left sidebar menu.

Note

Note that link aggregation is employed, with trunks assigned in pairs.

The Trunk Config page.

On the Port Trunk page, we can configure up to two trunks, each having a minimum of two ports and a maximum of four ports.

Mirroring and mirrored ports cannot be added to a trunk group. We only need one trunk, so we select Trunk1 in the Trunk ID drop-down box. Then we click on ports 1 and 2 in the graphic below the drop-down box (you can select whichever ports you want for the trunk, as long as they don't conflict with any other port assignments) and then click on the Apply button. A confirmation dialog will appear, and we click on the Yes button in this dialog box. Trunk configuration is now complete.

Now we can begin VLAN configuration, while being mindful of the fact that two of the eight ports have already been allocated for the trunk. We click on the VLAN tab at the top of the page. The three VLAN options offered on the sidebar menu are: MTU VLAN, Port Based VLAN, and 802.1Q VLAN.

MTU VLAN is an option that allows us to have a single uplink port instead of having trunk ports, giving us an additional access port to which we can connect nodes. It is suitable if you want each port to be on its own VLAN. Since this is not what we want, we will not use this mode.

Port Based VLAN is a VLAN configuration option in which Ethernet frames entering and leaving the port are not tagged. The VLAN to which a port is assigned in the switch configuration determines the VLAN to which its traffic is sent. Since this is not the mode supported by pfSense, we will not use it.

802.1Q, however, is the official IEEE standard for tagging VLAN traffic and is supported by pfSense. Therefore, we will utilize this method and we click on the 802.1Q VLAN option on the sidebar menu.

Note

Note that we have assigned three ports to each of the two VLANs.

The 802.1Q VLAN configuration page.

The 802.1Q configuration page has two sections: Global Config, where the only option is to enable or disable 802.1Q VLANs, and the 802.1Q VLAN Setting section, where we can enter information about our VLANs. Since we want to enable 802.1Q VLANs, we select Enable from the drop-down box and click on the Apply button, once again pressing the Yes button in the confirmation dialog box.

In the 802.1Q VLAN Setting section, we enter several parameters. They are:

VLAN (1-4094): This should match the VLAN ID(s) of the VLANs you created during the pfSense portion of the configuration.

VLAN Name: These can be any arbitrary names, but administration will be easier if the names match the names assigned to the VLANs in pfSense.

Tagged Ports: These ports are the ports on which outbound traffic will have 802.1Q tags attached. Therefore, they should match the trunk ports assigned during the previous step. We select 1 and 2 as the tagged ports.

Untagged Ports: These are the ports on which outbound traffic will have any 802.1Q tags removed. They should match the inbound ports for the VLANs. We are going to allocate three ports for each of our two VLANs, so we set ports 3 to 5 as the untagged ports for VLAN 2 (the DEVELOPERS VLAN), and we set ports 6 to 8 as the untagged ports for VLAN 3 (the ENGINEERING VLAN).

We enter VLAN ID, VLAN Name, Tagged Ports, and Untagged Ports for each of the VLANs, pressing the Apply button after the information for each VLAN is entered and clicking on Yes in the confirmation dialog box.

The next step is to click on 802.1Q PVID Setting on the left sidebar, which sets the PVID, or Port VLAN ID, of the port. This ensures that when the switch receives a packet without a VLAN tag, it adds a VLAN tag for the VLAN matching the PVID before sending the packet to the trunk ports. On the TL-SG108E, setting the PVID is necessary for 802.1Q tagging to work, and setting the PVID also determines the broadcast domain for a port – broadcast packets received by a port will be sent to all ports with a matching PVID.

The PVID Setting page.

Since ports 3 to 5 are being used by VLAN 2 (DEVELOPERS) and ports 6 to 8 are being used by VLAN 3 (ENGINEERING), we want to set the PVID of ports 3 to 5 to 2 and the PVID of ports 6 to 8 to 3. To do this, we check the checkboxes for the ports we want to set, enter the PVID in the edit box at the top of the PVID column in the table, and click on the Apply button, once again clicking on Yes in the confirmation dialog box.

Now that switch configuration is complete, we click on the Save button in the upper right of the page and click on Yes in the confirmation dialog.
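The tagged/untagged membership and PVID settings above are easier to reason about as a small model. The following Python is an added example, not code from the book or from TP-LINK: it encodes the port assignments from this walkthrough (ports 1 and 2 trunk, 3 to 5 DEVELOPERS, 6 to 8 ENGINEERING), checks the configuration for the inconsistencies that typically put a port in the wrong broadcast domain (a PVID pointing at a VLAN the port is not an untagged member of, a port untagged in two VLANs, a trunk port missing from a VLAN's tagged set), and then traces how a frame entering a given port is classified and which ports it leaves with or without an 802.1Q tag. The frame samples are constructed for the illustration, and the forwarding model is a simplification of what a real switch ASIC does.

```python
# Added example (not from the book): model of 802.1Q ingress classification
# and egress tagging for the TL-SG108E configuration described in the text.
from dataclasses import dataclass, field


@dataclass
class Vlan:
    vid: int
    name: str
    tagged: set = field(default_factory=set)    # ports that emit frames with the 802.1Q tag kept
    untagged: set = field(default_factory=set)  # ports that emit frames with the tag stripped

    def members(self):
        return self.tagged | self.untagged


# Configuration from the walkthrough
TRUNK_PORTS = {1, 2}
VLANS = {
    2: Vlan(2, "DEVELOPERS", tagged={1, 2}, untagged={3, 4, 5}),
    3: Vlan(3, "ENGINEERING", tagged={1, 2}, untagged={6, 7, 8}),
}
# 802.1Q PVID Setting page: VLAN assigned to untagged frames arriving on each port
PVID = {3: 2, 4: 2, 5: 2, 6: 3, 7: 3, 8: 3}


def validate(vlans, pvid, trunk_ports):
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    for port, vid in pvid.items():
        if vid not in vlans:
            problems.append(f"port {port}: PVID {vid} is not a configured VLAN")
        elif port not in vlans[vid].untagged:
            problems.append(f"port {port}: PVID {vid} but not an untagged member of VLAN {vid}")
    seen_untagged = {}
    for vlan in vlans.values():
        overlap = vlan.tagged & vlan.untagged
        if overlap:
            problems.append(f"VLAN {vlan.vid}: ports {sorted(overlap)} are both tagged and untagged")
        missing = trunk_ports - vlan.tagged
        if missing:
            problems.append(f"VLAN {vlan.vid}: trunk ports {sorted(missing)} are not tagged members")
        for port in vlan.untagged:
            # a port untagged in two VLANs would hand frames from one VLAN to the other
            if port in seen_untagged:
                problems.append(f"port {port}: untagged in VLAN {seen_untagged[port]} and VLAN {vlan.vid}")
            seen_untagged[port] = vlan.vid
    return problems


def forward(ingress_port, tag, vlans, pvid):
    """Trace one broadcast frame through the switch.

    tag is the 802.1Q VID carried by the incoming frame, or None if it is untagged.
    Returns {egress_port: vid_or_None}: the VID the frame leaves with on tagged
    ports, None on untagged ports. An empty dict means the frame is dropped.
    """
    if tag is None:
        vid = pvid.get(ingress_port)   # untagged frame: classify by the port's PVID
        if vid is None:
            return {}                  # no PVID configured (e.g. a trunk port): drop
    else:
        vid = tag                      # tagged frame keeps its VID
    vlan = vlans.get(vid)
    if vlan is None or ingress_port not in vlan.members():
        return {}                      # unknown VLAN, or port is not a member: drop
    return {port: (vid if port in vlan.tagged else None)
            for port in vlan.members() - {ingress_port}}


if __name__ == "__main__":
    print("problems:", validate(VLANS, PVID, TRUNK_PORTS))
    print("untagged frame in on port 3:", forward(3, None, VLANS, PVID))
    print("VID 3 frame in on trunk port 1:", forward(1, 3, VLANS, PVID))
```

Running `forward(3, None, ...)` shows a DEVELOPERS frame reaching ports 4 and 5 untagged and the trunk ports 1 and 2 with VID 2, and never reaching ports 6 to 8; running `forward(1, 3, ...)` shows a frame arriving from pfSense with VID 3 being delivered untagged to the ENGINEERING ports only. Deliberately moving port 6's PVID to 2 in the `PVID` dict makes `validate()` report it, which is the kind of check worth running against a switch export before trusting the VLAN separation.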

At this point, both pfSense and the switch are configured, and the VLANs should be functioning. We now have two VLANs, DEVELOPERS and ENGINEERING, with the following attributes:

Both VLANs have access to the Internet

Both VLANs can access all other subnets, including each other

DHCP is enabled on both interfaces

This may not match your VLAN requirements, but you can make adjustments if necessary. In particular, you can alter the firewall rules to block access to other subnets if necessary.
