Port isolation for VLAN switches

Sunset

Enterprise managed switches have commands to physically isolate ports that sit in the same VLAN. A home managed switch can usually only work in either port mode or VLAN mode. After a bit of Googling, I used VLANs to achieve the same isolation between ports that would otherwise share a VLAN.

Background

The JD Cloud wireless router is a CDN router that JD launched in December 2019. It uses your home network as a CDN node to upload resources, and you earn points in return. Points can be exchanged for Jingdou at a ratio of 1:1.

The JD Cloud router uses an MTK processor; the wireless chip is a cut-down 7621. The 2.4G WiFi has an external LNA and PA, which gives better signal coverage. The 5G side uses a built-in iPA and iLNA, but its signal quality is also good.

Problem

The latest version, 2.3.6.r1888, released on January 9, 2020, officially opened the CDN function. But because of its closed and buggy firmware, I was very disappointed.

Bug: the guest network is only a separate network segment; the main network and the guest network can still ping each other and communicate normally.

DNS hijacking: it forcibly blocks all DNS (UDP port 53) requests to the public network and answers them itself. That is, whether you send a DNS query to 114, Ali, or Tencent's DNS server, the result is returned by the JD Cloud router. For detailed testing, see my post on Enshan.

Because of its closed-source firmware, I'm not sure whether it is safe, so I isolated it from the private network with VLANs.

Settings of Network Management Switch

Port Function

VLAN Settings

  • A port can receive packets of every VLAN it belongs to.
  • The PVID of a port is the VLAN to which it sends untagged packets.
  • A port can forward tagged packets to any VLAN it belongs to.
  1. Port 1: belongs to VLAN1 and VLAN99.
    • Receive: can receive packets of VLAN1 and VLAN99.
    • Send: because its PVID is 1, it can only forward untagged packets to VLAN1.
    • Send: because it belongs to VLAN99, it can forward tagged VLAN99 packets.
  2. Port 2: belongs to VLAN99 only, so it can only receive and forward packets of VLAN99.
  3. Port 3: belongs to VLAN1 and VLAN20.
    • Receive: can receive packets of VLAN1 and VLAN20.
    • Send: because its PVID is 1, it forwards untagged packets to VLAN1.
  4. Port 4/5: belong to VLAN1 only, so they can only receive and forward packets of VLAN1.
  5. Port 6: belongs to VLAN1 and VLAN20.
    • Receive: can receive packets of VLAN1 and VLAN20.
    • Send: because its PVID is 20, it forwards untagged packets to VLAN20.

According to the picture above (VLAN Settings), JD Cloud (port 6) can receive packets from VLAN1, but its own untagged packets go to VLAN20, so it can only send data to the router (port 3). It therefore cannot communicate with ports 1/4/5.

Therefore, JD Cloud (port 6) is isolated from other port devices but can still access the Internet normally.

In this way, we use VLAN to realize the isolation of JD Cloud.
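As an added example (not code from this post), the following Python script models the three port rules from the VLAN Settings section and runs them over the post's port table, so you can check which ports a device on port 6 can actually reach before trusting the layout. The device names on ports 1/2/4/5 and the PVID of port 2 are assumptions; the post only states their VLAN membership.

```python
"""Model of the switch port rules from the post, applied to its port table."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    device: str        # what is plugged in (only ports 3 and 6 are named in the post)
    vlans: frozenset   # VLANs the port belongs to
    pvid: int          # VLAN assigned to untagged frames the device sends


# Port table from the post's "VLAN Settings" section. Port 2's PVID of 99 is an
# assumption (the post only says it belongs to VLAN99); "unspecified" devices
# are placeholders for ports the post does not describe.
SWITCH = {
    1: Port("unspecified", frozenset({1, 99}), 1),
    2: Port("unspecified", frozenset({99}), 99),   # PVID assumed
    3: Port("router", frozenset({1, 20}), 1),
    4: Port("unspecified", frozenset({1}), 1),
    5: Port("unspecified", frozenset({1}), 1),
    6: Port("JD Cloud", frozenset({1, 20}), 20),
}


def ingress_vlan(port: int, tag: Optional[int]) -> Optional[int]:
    """VLAN in which a frame from the device on `port` enters the switch.

    Untagged frames take the port's PVID; tagged frames are accepted only if
    the port belongs to that VLAN, otherwise the frame is dropped (None).
    """
    p = SWITCH[port]
    if tag is None:
        return p.pvid
    return tag if tag in p.vlans else None


def reach(port: int, tag: Optional[int] = None) -> set:
    """Ports that receive a frame sent from `port` (untagged unless `tag` is given)."""
    vlan = ingress_vlan(port, tag)
    if vlan is None:
        return set()
    return {q for q, p in SWITCH.items() if q != port and vlan in p.vlans}


def can_talk(a: int, b: int) -> bool:
    """Two-way communication using the ordinary untagged frames of end devices."""
    return b in reach(a) and a in reach(b)


def isolated_from(port: int) -> set:
    """Other ports with which `port` has no two-way untagged path."""
    return {q for q in SWITCH if q != port and not can_talk(port, q)}


if __name__ == "__main__":
    for port, p in SWITCH.items():
        print(f"port {port} ({p.device}) untagged -> ports {sorted(reach(port))}")
    print("JD Cloud (port 6) has no two-way path to ports:", sorted(isolated_from(6)))
    # Port 6 still belongs to VLAN1, so a VLAN1-tagged frame from it would be
    # delivered to every VLAN1 port; this is the check to run before relying on
    # the layout for isolation.
    print("VLAN1-tagged frame from port 6 reaches:", sorted(reach(6, tag=1)))
```

Running it reproduces the post's conclusion: port 6's untagged frames land only on port 3, while ports 1/4/5 can deliver VLAN1 frames to port 6 without ever getting a reply, so there is no two-way path between JD Cloud and the rest of the LAN. The last line also shows the limit of this layout: because port 6 is a member of VLAN1, a VLAN1-tagged frame from that port would still reach ports 1/3/4/5. If the JD Cloud router has no need to receive VLAN1 traffic, removing port 6 from VLAN1 makes the isolation depend only on the switch and not on the device never tagging its frames.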

References:
VLAN Tutorial
Enshan