I’m cheap. Most of my switches aren’t manageable. I know that they are cheap now. My switches are still cheaper.

On the other hand, I recently required a device on a separate network. Having just one NIC on my linux machine, I naturally wanted to use VLANs for that; all it needs is a switch in VLAN mode, where each of the ports (except for one, the “master” port) is on a separate VLAN. All packets coming from one of these ports will get tagged with the port number as the VLAN ID, leave the master port tagged. Packets in the other direction (from the master port) must be already tagged, and will leave on the designated port, after being stripped from their VLAN tag.

This is pretty much the mode that most routers use - they only have a single CPU port (the “master” port), and a number of “WAN” and “LAN” ports. Depending on the switch configuration, switching between the individual ports might or might not be possible. For example, usually you don’t want your ISP (which is attached to the WAN port) being able to control your LAN. So in that case, you want to have two VLAN groups, with all LAN ports being on one group, the WAN port(s) being on the other group, and the master port being on both groups. In my case, I wanted to have 7 groups (one for each port), so all of the ports could talk only to the CPU, but not with each other.

I’ve ripped open the next best switch I’ve had - a Netgear FS-108 (WARNING: My switch is an older model. I don’t know if they might have cost-reduced their hardware, and are using a different hardware now.). It uses an RTL8309SB 10/100Mbit 8+1 port switch IC, for which I’ve luckily found a datasheet. Reading trough the datasheet, there are three possible modes:

• A stand-alone mode without eeprom, configured by a lot of strapping pins.
• A host-managed configuration, where you can configure the IC over a SPI-like interface
• An eeprom-configured mode, where an attached eeprom holds the (static) configuration

Out of the box, the switch doesn’t use VLANs at all - which was to be expected, since it’s a SoHo switch. However, the switch does support VLANs, in all of the 3 modes. In stand-alone mode, where the configuration is made by strapping the LED pins to either high or low, a VLAN mode can be enabled, which puts the “MII”-Port (the 9th, unused port, that doesn’t have a Phy) into master mode, and all other ports into separate subnets. This is almost the mode that I need - expect that I don’t want the 9th port as master, but the 8th. Unfortunately, this configuration cannot be changed in stand-alone mode.

The host-based mode would be interesting, too, but I went for the easier route of the eeprom mode. I’ve added an EEPROM (24WC04, which I’ve ripped from a Dreambox remote) to pins 54 (SCL) and 55 (SDA). But I couldn’t see any I2C traffic. I’ve checked the datasheet, and in fact, I had to pull the “EnEEPROM” pin (113) high, which was pull-down (with a 4k7 resistor) by default. Just removing the resistor was enough to make the pin sampled as high. I saw I2C traffic. The switch didn’t work anymore, since the eeprom content was just bogus.

I’ve programmed the eeprom with the proper values - fortunately, the datasheet covers the eeprom content just fine, and list default values. I’ve modified the VLAN settings, used a Dreambox’s I2C port to program the eeprom (in fact, any Linux device with i2c-dev should do, or just use your favorite microcontroller - I recently fell in love with the mbed). See this tool. You have to specify the i2c bus number (and probably have to modify the path to not use devfs. oops.)

With the integrated configuration, each port uses the VLAN ID 0..6. This might be a bit unfortunate, so you might want to change that - it’s byte address 14, 31 etc.

I’ve figured out that the eeprom would read all-zero, while the command would write ok. It turned out that I was missing the required pullup resistor for SDA. I’ve added it (4k7 Ohm), and it worked fine. Note that the whole switch digitally operates at 1.8V levels. There is a 3.3V regulator, which I’ve tapped to get the supply for the eeprom. But the eeprom still has to work with 1.8V logic levels - which worked fine for me.

I was a bit constrained on headers and wires, that’s why it looks a bit ugly. Yes, that was the only reason, it can’t ever be related to my l33t soldering skills. No way.

After finishing, I’ve tried it. I attached the switch to my network - and it didn’t work. It looked like my other network switch filtered VLAN tags. But I’ve nailed it down to my Apple Time Capsule, which in fact uses a similar configuration (switch IC in “router” mode to have separate LAN and WAN networks). Since it’s not possible to have two tags, the switch replaced the existing tag, and stripped it when outputting the frame. I’ve changed the network topology so that the Time Capsule wasn’t anymore in the path, and it worked fine - my other switch wasn’t a problem at all, and didn’t touch the VLAN tag. See screenshot. I now have 7 virtual networks at my desktop.

If you want to replicate this hack:

1. Find a switch that uses the same IC than mine. There should be hundreds.
2. Grab an eeprom, and use my linux tool to program eeprom using i2c-dev to program the eeprom. Or just extract the static configuration and use your favorite eeprom programmer.
3. configure your network to make use of the VLANs.