Instant On - Wired

Expand all | Collapse all

Newbe need help to get access to several Vlans on Instant on 1930 24G

  • 1.  Newbe need help to get access to several Vlans on Instant on 1930 24G

    Posted 09-17-2021 10:37 AM
    Hi,

    The setup looks like:

    Vlan
    1 Router 1 Wan 1 192.168.0.x DHCP
    10 Router 2 Wan 2 192.168.2.x DHCP
    20 Camera 192.168.0.x Static
    30 Servers 192.168.0.x Static
    40 Storage 192.168.0.x Static

    I want to accomplish below:

    From one of the ports in the switch e.g port 10 I should be able to reach all Vlans. Also want to be able to let Vlan 20-40 to get IP from DHCP from Router 1.
    Can this be fixed without ACL? Also how to make this happen?

    ------------------------------
    Thomas Holmberg
    ------------------------------


  • 2.  RE: Newbe need help to get access to several Vlans on Instant on 1930 24G

    Posted 27 days ago
    Your servers and cameras should be on the LAN side of your network not the WAN.

    ------------------------------
    TerrenceT Tibbs
    ------------------------------



  • 3.  RE: Newbe need help to get access to several Vlans on Instant on 1930 24G

    Posted 27 days ago
    They are.

    Skickat från min iPhone




  • 4.  RE: Newbe need help to get access to several Vlans on Instant on 1930 24G

    Posted 27 days ago
    they are all on 192.168.0 according to your post

    Your router should be intervlan routing, so you would setup your  vlans and firewall rules for your vlans on your router to pass or block vlans/devices.

    You have all your vlans on the same subnet which won't work.
    create seperate subnets for each vlan. 
    vlan10 192.168.10.1
    vlan 20 192.168.20.1
    etc etc

    Leave WAN 2 alone and then keep your LANS for your vlans, your router will pass traffic from your WAN in to the vlans when you allow your firewall rules for WAN to all LANS etc.


    If you route on the switch with static routes you will only be routing at around 800mbps if lucky which would be slower than routing through your router, as this switch won't route at 10 gig. You would be better running pfsense etc then you will router on a stick at 5-10Gbps depending on model hardware. If you want 10gig routing on the switch you need to go full layer 3 and thousands of dollars.


    ------------------------------
    TerrenceT Tibbs
    ------------------------------



  • 5.  RE: Newbe need help to get access to several Vlans on Instant on 1930 24G

    Posted 27 days ago
    Tnx for the info.

    Ok so I have to setup same vlan on the router as well,  got it.
    And also check on I have to change IP range on each vlan.
    Guess that mean I have to setup a dhcp for each vlan then on the router IF Im not going to use static IP?
    Also mean I can turn off routing on the switch?
    So I need a router that can manage 10Gbe throughput and I Will get that all the way?




    ------------------------------
    Thomas Holmberg
    ------------------------------



  • 6.  RE: Newbe need help to get access to several Vlans on Instant on 1930 24G

    Posted 26 days ago

    Hi,

    ok let me help you setup from what I understand you are trying to achieve.

    Forget 2 routers you don't need 2.

    example

    Plug your PC into a LAN port on your router

    set your router ip and admin login  to 192.168.1.1


    Your WAN will be the internet ISP cable  coming in, leave that alone as the ISP will give you a static or dynamic IP at their end.
    Your LAN on your router will default to 192.168.1.1
    Plug your 1930 in from port 23, into your router on any LAN port

    Now plug your PC into port 24 on your switch, Use port 24 as good practice to keep your dedicated management port  well away from your other ports(i am presuming its a 24 port switch)
    If you have DHCP set on your Router it will give your switch an IP in the subnet range, if not then you need to assign an IP to the switch (highly recommended).
    Login into your HP switch and set the IP of the switch to "static" 192.168.1.2 use the same subnet as the default router subnet.
    Forget the HP cloud management, it's shite and will restrict what you can do, just use local management as you arnt running 100 switches.

    Reboot your router and Switch.

    Your router is now 192.168.1.1

    Your switch is 192.168.1.2

    Now login into your router and do the following
    This will vary depending on model etc.

    By default your LAN will be 192.168.1.x
    Your VLAN will be 1 by default even though its not assigned, this is standard practice.

    Create a VLAN 10, 20,30 on your router
    Assign an interface (can be all on the same port for now) to each VLAN and an IP range

    VLAN 1= default LAN and will be used for management (this isn't great practice) but your risk won't be high for home use so don't worry, just read about changing over to a dedicated VLAN for management when you are more confident or you will lock yourself out from your network.

    VLAN 10 = 192.168.10.1 camera
    VLAN 20 = 192.168.20.1 servers
    VLAN 30 = 192.168.30.1 storage

    If you want DHCP on each VLAN then setup the DHCP for each VLAN on your router, if you don't do this you will need to assign each device its own IP or it won't know which subnet to be attached to. Personally if you are new to all this I would leave DHCP switched on for all your VLANS/Subnets on your router and let the router hand out the IP. Then you can set static IP on your router for each device by MAC address later to allocate dedicated IP's.
    Let your router do the routing and the switch do the switching.

    e.g.
    it's good practice to keep your vlans in sync with your subnets, just to help you in 3 months when you forget everything.

    server ip 192.168.20.10
    camera ip 192.168.10.10
    storage server 192.168.30.10

    Setup your firewall rules for now, just allow any to any, this well let your router speak to all VLANS on the interface , when you understand firewall rules more you can start to lock down your network by restricting what devices can talk to each other across your VLANS.


    Once you have done this then login into your switch at 192.168.1.2

    Create VLANS 10,20,30 on your switch


    assign the ports for example


    port 1 - vlan 10 untagged

    port 2 - vlan 20 untagged

    port 3 - vlan 30 untagged

    Now create your trunk port to pass all the vlans from the router to the switch down 1 port (cable)

    assign vlan 10,20,30 to port 23 on your switch as tagged (important if you don't do this you wont pass any vlans apart from VLAN 1)


    plug camera into port 1
    plug server into port 2
    plug storage nas into port 3

    From your PC  if you are on windows type cmd into the search bar

    open terminal

    type 

    ping 192.168.1.1
    this should give you your router

    ping 192.168.1.2

    give you your switch

    ping 192.168.10.10 

    give you your camera

    ping 192.168.20.10

    give you your server

    ping 192.168.1.30.10

    give you your nas storage

    now that everything is talking you can check your ping from your router using the same method. you should be able to  ping your switch, router, and all devices from your pc. 

    Assign as many ports as you need to each vlan on your switch.


    If you want 10gig on your nas then just use one of the 10gig ports on your switch and just change the port number assigned for the VLAN.

    Same for your PC just connect up to the 10 gig port on the same vlan as your NAS then you will have full wire speed from your nas to pc.


    Ta





















    ------------------------------
    TerrenceT Tibbs
    ------------------------------



  • 7.  RE: Newbe need help to get access to several Vlans on Instant on 1930 24G

    Posted 26 days ago
    Routing at 10gig is going to cost you 5k plus to do reliably without have a Powerstation and sounding like Heathrow T5 in your garden, you can buy old 10gig L3 switches but they are power hogs and will deafen you and send you mental if they are in your house.

    Pfsense on a xeon box with some mellanox 10 gig cards will get you 5gbps after that its big bucks so try and connect your nas to the same vlan as your pc etc for full wire speed then it won't need to hit your router.

    cheers

    ------------------------------
    TerrenceT Tibbs
    ------------------------------



  • 8.  RE: Newbe need help to get access to several Vlans on Instant on 1930 24G

    Posted 26 days ago
    Hi,

    Wow and wow. This was exately what I wanted even though Im not that new to network so first part was not new to me.

    Totaly agree about the HP cloud managment but plan was to config everything in local and then switch it over to cloud to have an Nice overwview in an app. 

    Its everything about Vlans. I think I got it all except a few things. I guess I need to config the trunkport on both the router and switch?

    Do I need to connect an aditional cable for the trunkport e.g port 22 or will port 23 be used according to your guide?

    To understand: so if I use same Vlan it Will not need to intervlan routing on the router only do the switching on the switch and therefore I dont need any router with 10Gbe as long as I dont need to jump between different Vlans?

    Port 24 Will be my managment port because I tagged the Vlanson this port? 

    I already locked myself out trying to get away from Vlan 1 once so will do this later as you said. :)

    I saw you could setup dhcp on the 1930 when is this used then?

    Not home before later next week so just waiting to try it all out.

    Tnx a lot for all help so far!


    ------------------------------
    Thomas Holmberg
    ------------------------------



  • 9.  RE: Newbe need help to get access to several Vlans on Instant on 1930 24G

    Posted 26 days ago
    Hi,

    Wow and wow. This was exately what I wanted even though Im not that new to network so first part was not new to me.

    Totaly agree about the HP cloud managment but plan was to config everything in local and then switch it over to cloud to have an Nice overwview in an app. 

    This wont work as the config will be deleted when you go over to cloud and you will lose many functions.

    Its everything about Vlans. I think I got it all except a few things. I guess I need to config the trunkport on both the router and switch?

    No need for a trunk port on router just add the vlans to the interface(port) they will be dealt with as a trunk unless your router as a certain trunk function.

    Do I need to connect an aditional cable for the trunkport e.g port 22 or will port 23 be used according to your guide?

    Port 23 will be fine but if you want LACP you can add a second port using LACP and the TRUNK function on the 1930 but remember TRUNK on HP means link aggregation of ports NOT TRUNK as VLAN TRUNK CISCO. 
    You would create a trunk1 under the trunk function on 1930, then add port 22 and 23 to the trunk1.
    Then you would assign all your vlans to that trunk as LACP. ~This will then load balance the 2 ports for you to achieve a maximum bandwidth of 2Gbps, but it would depend on the hashing algo the switch uses, in the real world it won't always give you 2 gig, but will act as a failover if1 cable or port goes down. 
    Personally I would just build a pfsense box from an old desktop or dell r220/r210 and add a cheap HP SFP+ plus card and just connect up to your router with 10 gig fibre straight to your switch, then you have 10gig bandwidth with super low latency and can router across vlans at 5gbps+..



    To understand: so if I use same Vlan it Will not need to intervlan routing on the router only do the switching on the switch and therefore I dont need any router with 10Gbe as long as I dont need to jump between different Vlans? - CORRECT

    Port 24 Will be my management port because I tagged the Vlanson this port? no port 23 should have been tagged with all your vlans
    Use port 24 as good practice to stay away from accidentally unplugging your management port for something else and locking yourself out of the switch. Its a physical thing more than anything. Also then you can start with port 1 for your devices which makes things easier to track from a human perspective. Same with link agg, always use the end set of ports just to keeps you ports 1 and up free. Its not a set rule but as your network grows and your cables increase its easier to remember. The main things is, is to stick to a protocol and keep it the same. I always use the end SFP ports on a switch in order for e.g. 25 is line in from switch 28 is line out to next hop. I just do it like this so when it goes wrong at 2am and your half asleep you have a protocol you stick with. nothing special but helps when it goes wrong.





    I already locked myself out trying to get away from Vlan 1 once so will do this later as you said. :) Unless you are scared about someone breaking into your house and plugging their laptop into a port on your switch I wouldn't worry too much. If you use vlans it will make it harder for them to find stuff but if they really know what they are doing they will batter your firewall with some clever shite and get in anyway, so keep your private valuable files on LAN only with no physical link to the WAN if you are really bothered. Management on a bespoke VLAN is more about say a network in a university where some little turd comes along with his laptop and plugs into a default vlan port and gets access to your router and switch admin, again keep strong passwords.

    I saw you could setup dhcp on the 1930 when is this used then? It can be used to serve DHCP from the switch but I can't see why you would need that if you need your WAN connected to LANs and home use kind of thing, you could use it for a load of ip phones or an scenario where you have a dedicated room full of equipment and you want to manage it just from the switch, but its easier for what you are doing to manage it all from the router as its all in one place. Its more of an L3 thing which your 1930 isn't so don't worry too much about it.

    Not home before later next week so just waiting to try it all out.

    Tnx a lot for all help so far!


    ------------------------------
    Thomas Holmberg
    ------------------------------

    ------------------------------
    TerrenceT Tibbs
    ------------------------------