I have done some data forwarding integrity tests through a TSW202 with the latest firmware “TSW2_R_00.01.04_WEBUI.bin” and found bad behaviours of the switch.
The basic functional switching rule is to forward only VLAN traffic registered in the VLAN table, when the uplink is a non-isolated tagged port. Traffic outside of the VLAN table or with a different ethertype has to be dropped. But in reality the switch is forwarding everything to all ports when traffic does not conform to the VLAN table, while VLANs specified in the VLAN table are forwarded fine. The port isolation feature can help isolate untagged ports from each other, but can't help filter invalid traffic with a VLAN id not specified in the VLAN table or a different ethertype. Is it possible to do some modification in the firmware to meet this basic expectation?
How about QinQ support? Is it possible to get a user-modified ethertype for accepted tagged frames? Basically 802.1Q says outer TPID 0x8100. But 802.1ad says 0x88a8 for outer provider tags when QinQ is used. Depending on the rest of the network, it can be case-sensitive whether to use 0x8100 or 0x88a8, etc.
In reply to William Brewster:
I am mainly a Cisco/Juniper/Ericsson switching platform user and Teltonika is new for me. My test case uses a TSW202 with a single tagged non-isolated trunk uplink LAN port, and the rest of the LAN ports have an untagged isolated role. We are isolating clients, not uplinks. While port isolation solves general forwarding between two or more isolated ports, all of them can still forward to the non-isolated port. And also everything coming from the non-isolated port can be forwarded to all isolated ports. That's why the uplink port has to have a non-isolated tagged role. Only tagged traffic can be expected there, because it is an uplink. And in my point of view, based on standard Cisco/Juniper/Ericsson forwarding behaviour, it is not possible to forward through the uplink port anything that does not conform to the VLAN table and a valid ethertype, meaning TPID 0x8100 or 0x88a8 depending on chipset and firmware capability, because the uplink port is configured to handle only VLAN tagged traffic and a valid VLAN id is specified in the VLAN table.
So, there is no problem with the untagged port role, because it corresponds. Untagged = access port in my understanding. It means everything coming to an untagged port is labelled with a VLAN tag based on the VLAN table and then the traffic is forwarded through with this VLAN id. A tagged port expects traffic with a VLAN id and only forwards this, also based on the VLAN table. When traffic with a different VLAN id appears on the tagged port, or the TPID does not conform to the general chipset specification (= different than 0x8100), this traffic has to be dropped. Example in the Ericsson implementation: there all this invalid traffic is forwarded to a specific factory-defined VLAN id, for example id 4095, and then discarded.
The problem with the TSW202 is that all traffic not conforming to the VLAN table is still forwarded to all ports. And it's mainly a security problem. Port isolation can't solve this, because tagged ports = trunk ports = uplink ports have to be non-isolated in principle. The question is whether there exists a chance to modify the TSW202 behaviour leading to more secure forwarding rules for handling tagged traffic through the switch, which could fully correspond to the standard forwarding behaviour of the worldwide used switching platforms like Cisco/Juniper etc.
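The forwarding rule described in both posts above (a tagged uplink accepts only frames whose TPID is accepted and whose VID is in the VLAN table, an untagged access port assigns ingress its own VLAN, and isolated ports never reach each other), as an added Python model that is not the poster's code nor Teltonika's firmware; the port layout, VLAN table and frames are constructed assumptions, and the `accepted_tpids` parameter stands in for the requested user-selectable TPID.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q tag
TPID_8021AD = 0x88A8  # 802.1ad service tag (outer tag in QinQ)

# Constructed port layout (assumption): port 1 is the tagged, non-isolated uplink;
# ports 2-4 are untagged, isolated access ports with their VLAN ("pvid").
PORTS = {
    1: {"role": "tagged", "isolated": False},
    2: {"role": "untagged", "isolated": True, "pvid": 10},
    3: {"role": "untagged", "isolated": True, "pvid": 10},
    4: {"role": "untagged", "isolated": True, "pvid": 20},
}
# Constructed VLAN table: VID -> member ports.
VLAN_TABLE = {10: {1, 2, 3}, 20: {1, 4}}


def make_frame(tpid=None, vid=None, ethertype=0x0800):
    """Build a constructed minimal Ethernet frame, optionally with one VLAN tag."""
    hdr = bytes.fromhex("0011223344550066778899aa")  # dst MAC, src MAC (constructed)
    tag = struct.pack("!HH", tpid, vid) if tpid is not None else b""
    return hdr + tag + struct.pack("!H", ethertype) + b"\x00" * 46


def parse_tag(frame):
    """Return (tpid, vid) of the outer VLAN tag, or (None, None) if the frame is untagged."""
    if len(frame) < 16:
        return None, None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid in (TPID_8021Q, TPID_8021AD):
        return tpid, tci & 0x0FFF  # low 12 bits of the TCI carry the VID
    return None, None


def forward(frame, ingress, ports=PORTS, vlan_table=VLAN_TABLE, accepted_tpids=(TPID_8021Q,)):
    """Return (vid, egress_ports); an empty egress set means the frame is dropped."""
    cfg = ports[ingress]
    tpid, vid = parse_tag(frame)
    if cfg["role"] == "untagged":
        vid = cfg["pvid"]  # access port: ingress is assigned the port's VLAN from the table
    elif tpid not in accepted_tpids or vid not in vlan_table or ingress not in vlan_table[vid]:
        return vid, set()  # trunk: wrong TPID, unknown VID, or port not a member -> drop
    egress = set()
    for port in vlan_table.get(vid, set()) - {ingress}:
        if cfg["isolated"] and ports[port]["isolated"]:
            continue  # isolated ports only reach non-isolated ports
        egress.add(port)
    return vid, egress
```

A frame tagged with an unknown VID or an unaccepted TPID on port 1 yields an empty egress set, which is the drop the posts expect and report the TSW202 does not perform.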