Port Isolation Question

alexfort93

I've got three DGS-1210-10P switches that are being leveraged for Dante Audio. However, I'd like to isolate port 8 on each switch to be on a separate VLAN so as not to disturb the traffic by Dante.

Now, I believe I'll need stackable switches if I really want to do this easily, but is there another way to have the three switches connected and configure the same VLAN on port 8 of each switch? My networking knowledge is very basic, so please feel free to explain/clarify if I'm not making sense, or if you're suggesting for me to do something another way.

Thanks!
 
I believe I'll need stackable switches if I really want to do this easily,

This isn't true at all. If you had a *bunch* of switches to handle this on, or a bunch of VLANs to configure, then sure a stack would be better so that you could just program them from a single interface. But you're only setting up two VLANs on each switch, and you've only got three switches, so that's not a lot of work. Defining a specific VLAN to explicitly operate on a port is called placing it in access mode.

You'll want to end up with two VLANs on each switch:
  • VLAN 1 - the native VLAN. This is likely the default access mode VLAN for all ports.
  • VLAN #### (you define the number, I'd go with something like 33 or equally oddball) - the isolated VLAN
However, you'll end up with a bunch more ports than just port 8 on each switch in the isolated VLAN. First off, you've got three switches, and there's no way to connect three switches together using only 1 port on each switch; some switch is going to have to have two ports so that both other switches can connect to it.

Additionally, if you've got just port 8 on two switches, and ports 7 and 8 on one of them, well that's all your switches connected together but doesn't leave you any connectivity to get data in and out of the VLAN; it'll just be switches connected together with no computers connected. So you'll need to define additional ports on the switches to also be in access mode so you can connect your computers to them. It would look something like this crude drawing:
[Image: rUcHhZ7.png]


In the drawing, ports 6-8 on all switches are in the isolated VLAN in access mode, and you've got jumpers between 8-8 and 7-8 connecting all the switches together. You could then plug workstations or whatever you want into the green ports.

However, you've got a bit more work ahead of you. VLANs only deal with what's called layer 2 networking; IP address networking takes place a layer above that at layer 3. What that means in practical terms is that you would create an isolated network on ports 6-8 on each switch, and you would give those devices an IP address scheme that is on a different IP network from the native VLAN (ports 1-5), but without some kind of layer 3 gateway between the two networks, they won't be allowed to talk to each other. An easy point to do this would presumably be your firewall, which may be your only layer 3 device on the network. I can go into details on this part if you need.

Now, with all of that said, my guess is that this is all mostly unnecessary. Your DGS-1210-10P devices have internal switching capacity of 20 Gbps, and they've only got 10 1 Gbps ports (2 Gbps full duplex). In other words, even if you don't isolate the traffic with VLANs, each device connected to each port will receive the full benefit of a 1 Gbps (2 Gbps full duplex) port with no real ability to interfere with the other ports. The only possible point of contention is likely to be on the jumpers between the switches; if you isolate things with the VLANs like you're planning, then each VLAN could get its own jumper so that the intra-switch traffic for each VLAN remains segregated and doesn't interfere with each other. You could set up the 8-8 and 7-8 jumpers with a trunked port that allows both VLAN 1 and VLAN 33 traffic to traverse it, but if you do that then what was the damn point anyways because you're back to having a shared resource in the 1 Gbps jumper between each switch.

I do networking as part of my job, feel free to send me a PM if you have any specific questions!
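
Added example, not part of either post: a small Python model of the layout described in the reply above (ports 1-5 in VLAN 1, ports 6-8 as VLAN 33 access ports, jumpers 8-8 and 7-8) that computes the resulting layer 2 broadcast domains and flags a jumper that would bridge the two VLANs. The switch names, the choice of which switch carries two jumpers, and the ports used for the separate VLAN 1 jumpers are assumptions.

```python
from collections import defaultdict

SWITCHES = ("sw1", "sw2", "sw3")  # hypothetical names for the three switches
# Ports 1-5 stay in VLAN 1; ports 6-8 are access ports in VLAN 33 (as in the post).
ACCESS_VLAN = {(sw, p): (33 if p >= 6 else 1) for sw in SWITCHES for p in range(1, 9)}
# Jumpers 8-8 and 7-8. Assumption: sw2 is the switch that uses two ports.
VLAN33_JUMPERS = [(("sw1", 8), ("sw2", 8)), (("sw2", 7), ("sw3", 8))]
# Assumption: a second pair of jumpers on ports 5 and 4 for VLAN 1.
VLAN1_JUMPERS = [(("sw1", 5), ("sw2", 5)), (("sw2", 4), ("sw3", 5))]


def mismatched_jumpers(access_vlan, jumpers):
    """Jumpers whose ends are access ports in different VLANs.

    Access ports send untagged frames, so such a cable bridges the two VLANs.
    """
    return [(a, b) for a, b in jumpers if access_vlan[a] != access_vlan[b]]


def broadcast_domains(access_vlan, jumpers):
    """Group every (switch, port) into its layer 2 broadcast domain."""
    parent = {port: port for port in access_vlan}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    anchor = {}
    for (sw, port), vlan in access_vlan.items():
        # Ports on one switch with the same access VLAN are switched together.
        root = anchor.setdefault((sw, vlan), (sw, port))
        parent[find((sw, port))] = find(root)
    for a, b in jumpers:
        # A cable joins whatever sits behind each of its two ends.
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for port in access_vlan:
        groups[find(port)].add(port)
    return list(groups.values())


def same_domain(domains, a, b):
    return any(a in d and b in d for d in domains)


if __name__ == "__main__":
    for jumpers in (VLAN33_JUMPERS, VLAN33_JUMPERS + VLAN1_JUMPERS):
        print(len(broadcast_domains(ACCESS_VLAN, jumpers)), "broadcast domains")
```
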
 