Can't separate VLANs on a switch

Posted on 2010-11-09
Last Modified: 2012-06-27
hello, i need to create few separate VLANs on a network. so nobody will be able to share in other's VLAN computer. the switch is TP-LINK TL-SL2452WEB. Activated VALN mode: Port VLAN (Port-based VLAN), in Port VLAN Setting: VLAN 1 Group contains all user except of them from VLAN2, and VLAN2 contains 5 members that are not in VLAN1. so now i login from another computer that is in VLAN1, to a computer that is in VLAN2 but it must not.. maybe some additional settings are required?
Question by:SiliconeSoul
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
LVL 57

Expert Comment

ID: 34101120
I took a quick look at the switches doc and it appears that it does NOT do any L3 (IP) functions.  Which means you must have a router someplace else within your network that is routing traffic between VLAN 1 and VLAN 2.

So the simple solution is to code a ACL on the router that prevent traffic from being routed between those two IP subnets.

Expert Comment

ID: 34101192
You Just Have to put the PVID on the Port to Vlan configuration, That's it.


Accepted Solution

joseleonardo earned 250 total points
ID: 34101194
This is an Example
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

LVL 57

Assisted Solution

giltjr earned 250 total points
ID: 34101252
I don't think that is what he is asking.

So, to make sure I understand the question.

You have VLAN 1, say IP subnet, and VLAN 2, say IP  subnet

You want to prevent computers in VLAN 2 from accessing computers in VLAN 1.  Is that right?

If that is true, then someplace you have a router that routes traffic between the two IP subnets and you need create a ACL on that router that blocks traffic.

Now, if you are just asking how to assign a VLAN to a specific port, then joseleonardo post does show you how to do that.

Author Comment

ID: 34101615
By default all ports are asigned to VLAN1... i unchecked ports that i want to belong to VLAN2.. and Under VLAN2 checked them back... i still can acces to their shared computer.. also all computers belongs to one subnet if i move all port to VLAN3, and few that i want to separate to VLAN2..... i can't access computers from VLAN2, BUT me and they don't have internet... that comes from a router to GB Port. cause i can't asign one port to different VLANs. Also to configure a VLAN on a router is more difficult for me. router is MikroTik RB-450G.
LVL 57

Expert Comment

ID: 34101673
Each VLAN needs to be a unique IP subnet.  So the computers on VLAN2 need to be in a different IP subnet.

If the computers on VLAN2 only need to access other computers on VLAN 2, then just don't give them a default route.  However, remember this means they can only access other computers on VLAN 2, this means NO Internet access for them.

Author Comment

ID: 34101834
ok, if i will config computers that are on VLAN2 to subnet so i will need to connect internet to that subnet? that means i need to connect another port from router to a port on switch and make that port also to belong to VLAN2?
LVL 57

Expert Comment

ID: 34102139
I've glanced at your router and although it may be a bit difficult, it looks like it can do what you need.

You will need to use two of the interfaces on the router.

One you can leave configured as is and use for VLAN1.

The other one you will need to configure it with an IP address on VLAN 2.  See:

Then connect it to a port on  your switch that is configured with VLAN 2.

Then on the filter you will need to configure a ip filter that blocks/denys traffic between the IP subnet for VLAN 2 and the all IP addresses on VLAN 1.  See:


Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Wildcard Certificate means all of your sub-domains will resolve to the same location, regardless of the non-SSL Document-Root specification. A user will need to purchase a wildcard SSL from a vendor or a reseller that supplies them. Similar to ha…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question