I started down this path because I wanted to isolate 2 problem IoT devices that, if attacked and compromised, may grant access in some way to the rest of my network.
This started me thinking about my network needs. I use Dropbox a lot, and OneDrive; both solve the issue of networking among computers on my network.
So in my case I started to think about isolation and what would need to be isolated from each other.
I used guest networks for the Wi-Fi devices. This works for my 2 Google Home devices and a Chromecast Ultra. They have to be on the same guest network to work.
My principal internet use is video streaming. I tweak and tune for best streaming dependability. I want to isolate both of my Android media boxes. They can easily be hacked or hit with malware, according to the reading about Kodi and MobDro.
So setting up VLANs with a graphical user interface is easy. TP-Link has web access or a Windows configuration utility for configuring VLANs. (Just a side note: I do everything on Ubuntu using Chromium as a browser.)
Here is the system information page of the webui for a TL-SG108E smart switch from Amazon.
View attachment 17677
As you can see it gets an IP address from the router. When you initially plug in the switch it grabs an IP from the router via DHCP. The address of the switch can be set to static and any address used.
Let's jump to VLANs. Here is the 802.1Q VLAN page where you can set up what you need. My configuration should point out a few obvious things.
View attachment 17678
For basic VLANning to work, the switch needs a default VLAN so that without any configuration it will work as a plug-and-play switch. Each newly created VLAN needs port1 (the up-link port in my case) added to it to give the device internet access. The access is granted by the gateway address. In the above configuration each newly created VLAN is separate from the others, which means those devices cannot communicate with each other, only with the router.
The next page designates the VLAN ID needed for the VLAN to communicate outward. Kind of like a gateway. Each VLAN has its assigned port. PVID stands for Port VLAN ID; you are assigning the port to a VLAN ID.
View attachment 17679
Just these settings and it will work. Consider that this is the North switch in my case. I also have a South switch. These two switches are in different areas of my house, with a single Ethernet line connecting them to each other through a switch directly connected to my router (AX88U).
So my topology is like this: Fiber to the home>>>>ONT (optical network terminal or where light becomes Ethernet)>>>>TL-SG105E-Smart Switch>>>>Router>>>>North and South Switches (Both TL-SG108E)>>>>client devices.
Next, and I'm sorry to say there are no screenshots, but I think by now you should have a sort of grasp of what I was doing. Next I needed to set up a VLAN ahead of my router so it could get a DHCP address from my ISP. With Fibre to Ethernet taken care of, you don't require a modem, only the VLANned switch to link up with my ISP's DHCP network. So for me it was to create a VLAN with an ID of 1000 and tag the port (in my case port1, as it is my up-link port) that faces the ONT as its next-hop device. The switch itself can have an IP but must not have a defined IPv4 IP address (it doesn't need it and it could cause problems). You set the switch up by assigning it a static IP and subnet mask. I used 172.16.1.3 and 255.255.0.0 and left the gateway blank. You access it by manually configuring your computer's network adapter with something like 172.16.1.2 and 255.255.0.0, again with no gateway, and connecting directly to the switch with your cable. The ISP's network allows the switch and passes the IP to the router. And it all works.
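The VLAN membership and PVID steps described above can be checked on paper before trusting the isolation. The following is an added example, not part of the original post: it models untagged ports only and reports which ports can hold a two-way conversation. The VLAN IDs, port assignments and the default VLAN containing every port are assumptions, since the screenshots are not available.

```python
# Added example: constructed config, not the author's actual switch settings.
UPLINK = 1
VLANS = {  # VLAN ID -> untagged member ports (assumed layout)
    1: {1, 2, 3, 4, 5, 6, 7, 8},  # default VLAN, every port
    10: {1, 2},                   # media box A + uplink
    20: {1, 3},                   # media box B + uplink
}
PVID = {1: 1, 2: 10, 3: 20, 4: 1, 5: 1, 6: 1, 7: 1, 8: 1}


def can_send(src, dst, vlans, pvid):
    """An untagged frame entering on src is classified into VLAN pvid[src]
    and may only leave through other member ports of that VLAN."""
    return src != dst and dst in vlans.get(pvid[src], set())


def two_way_peers(port, vlans, pvid):
    """Ports that can hold a conversation with `port` (frames pass both ways)."""
    return {p for p in pvid
            if can_send(port, p, vlans, pvid) and can_send(p, port, vlans, pvid)}


def audit(isolated, vlans, pvid, uplink=UPLINK):
    """Return findings for ports meant to talk to the uplink and nothing else."""
    findings = []
    for port in sorted(isolated):
        if port not in vlans.get(pvid[port], set()):
            findings.append(f"port {port}: PVID {pvid[port]} is a VLAN it is not a member of")
        peers = two_way_peers(port, vlans, pvid)
        if uplink not in peers:
            findings.append(f"port {port}: no two-way path to uplink port {uplink}")
        extra = sorted(peers - {uplink})
        if extra:
            findings.append(f"port {port}: not isolated, two-way with ports {extra}")
    return findings


if __name__ == "__main__":
    print(audit({2, 3}, VLANS, PVID))             # intended setup
    print(audit({2, 3}, VLANS, {**PVID, 3: 1}))   # VLAN 20 created, PVID step skipped
```

The second call shows why the PVID page matters: a port added to its own VLAN but left on PVID 1 still converses with every port on the default VLAN.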