TP-Link TL-SG3210, 8-Port, Managed Switch

Product Name: JetStream™ 8-Port Gigabit L2 Lite Managed Switch with 2 SFP Slots
Product Code: TL-SG3210

This is a cheap 8-port Gigabit switch if you consider its capabilities. It can be configured in many ways via the web interface or (in an automated way) via a CLI interface (Telnet / SSH like). It comes in a sturdy metal case and has a 5 years limited warranty.


As shown on the product web site:


The PDF manual states a couple of specifications that you can read here. Alternatively check the more detailed specifications found on the product web page.

SFP Modules

SFP stands for Small form-factor pluggable transceiver. These modules allow connecting the switch to other switches or network interfaces via optical fibers. The following modules are available from TP-Link:

  • TL-SM311LS
    Gigabit SFP module, Single-mode, LC interface, Up to 10km distance
  • TL-SM311LM
    Gigabit SFP module, Multi-mode, LC interface, Up to 550m distance
  • TL-SM321A
    Gigabit WDM Bi-Directional SFP Module, single-mode, LC connector, TX:1550nm/RX:1310nm, 10km
  • TL-SM321B
    Gigabit WDM Bi-Directional SFP Module, single-mode, LC connector, TX:1310nm/RX:1550nm, 10km

The most interesting SFP module for me is the TL-SM311LM for multi-mode fibers. According to Geizhals (German) it costs 33 EUR.

TP-Link TL-SM311LM SFP Module

The TL-SM311LM is a 1000Base-SX SFP module with an LC ("Lucent") Connector.

I found the specifications of the TL-SM311LM on its product page (same page in German).

Buying optical fibers:
  • In Germany:
    • Search for lwl lc 20m for example.
    • Search for LWL 4XLC50-1.

Serial Port

These are the settings for the RS232 serial terminal:

Bits per second Data bits Parity Stop bits Flow control
38400 8 None 1 None

You can use the screen command to connect: screen /dev/tty.usbserial 38400

How I'm using it

Map of my network topology with the switch: VLANS etc.


  • Don't enable the Blat Attack DoS Protection when you want SIP VoIP packages to be forwarded by the switch. I enabled all the DoS protection methods and wasn't ably to make any calls anymore. It took me some time to debug the problem and find out that this was due to the fact that the switch silently discarded all my UDP SIP packages. (I saw them on my local network but I used two ports of the switch to filter my uplink uplink internet connection where the packages got lost). The description of the Blat Attack protection says: "The attacker sends the illegal packet with its source port and destination port on Layer 4 the same and its URG field set to 1. Similar to the Land Attack, the system performance of the attacked Host is reduced since the Host circularly attempts to build a connection with the attacker." In my case the source and destination ports were the same (5060 / SIP) but not the src and dest IPs. Anyway... Now it works.

Missing IPv6 support

The switch doesn't really know about IPv6. It forwards IPv6 packets and respects the configured VLANs but other than that it is pretty dumb.

The feature I'm missing most on the TL-SG3210 (and the whole product line) is IPv6 management (such as ACLs). One of the most important features is rogue router advertisements prevention via ACL. Only a few very expensive (>1000 USD) switches have these features as of now. And then it's still not very save. Here is a thread about configuring router advertisement blocking with a custom ACL on D-Link switches.


The linux kernel module bonding implements LACP when loaded with the parameter mode=4 (or mode=802.3ad).

Resources on LACP:


To enable SNMPv1 with read-only access without password for the 'community' public:

snmp-server community public read-only viewDefault
show snmp-server

To deactivate:

no snmp-server community public


snmpwalk -v 1 -c public -O e IP.OF.SWITCH
# or
snmpwalk -v 2c -c public -O n -O e IP.OF.SWITCH