VLAN Setup Help



Hey guys,

 

I'm trying to create a VLAN so that I can separate the home network from my lab network, but I'm having issues getting it set up properly.

 

I'm able to ping the switch IP via VLAN 1 (192.168.1.221) and VLAN 10 (10.1.10.221), but I can't ping any computers across VLANs or reach the internet on VLAN 10. The PC on VLAN 10 has a static address (10.1.10.25/24) with the switch's IP (10.1.10.221) as the gateway.

 

ASUS RT-AC66U Router w/ ASUS-Merlin Config:

 

IP Address: 192.168.1.1/24

DHCP (VLAN 1): 192.168.1.100-200 -- 192.168.1.221 (Gateway)

Static Route: 10.1.10.0/24 - 10.1.10.221 (Gateway)

 

HP v1910 Switch Config:

 

[Three screenshots of the switch configuration were attached here.]

 

I'm not sure what I'm doing wrong at this point.


Can you draw a diagram for the layout? Is the switch managed? If the router is aware of both VLANs (and so both IP networks) does it have routing turned on (you need a router configured to move data between different IP networks).


The native VLAN needs to be untagged and the secondary VLAN needs to be tagged. Some APs require that.

Then on the AP the native VLAN SSID (the main one) gets untagged and the guest or lab SSID gets tagged for the 2nd VLAN.

Adjust firewall rules accordingly.


Can you draw a diagram for the layout? Is the switch managed? If the router is aware of both VLANs (and so both IP networks) does it have routing turned on (you need a router configured to move data between different IP networks).

 

Here is a quick diagram I made:

[Network diagram image attached here.]

VLAN ID   Subnet           GW/VLAN Interface IP   DNS
1         192.168.1.0/24   192.168.1.221          192.168.1.1
10        10.1.10.0/24     10.1.10.221            Unknown

The switch is an HP 1910-24G Layer 3 lite managed switch. I have created a static route on the ASUS to the new subnet (10.1.10.0/24). I'm perfectly fine with starting from scratch if that helps.

 

I've been using this guide to configure the network: http://www.smallnetbuilder.com/lanwan/lanwan-howto/32098-how-to-use-a-layer-3-switch-in-a-small-network

 

The native VLAN needs to be untagged and the secondary VLAN needs to be tagged. Some APs require that.

Then on the AP the native VLAN SSID (the main one) gets untagged and the guest or lab SSID gets tagged for the 2nd VLAN.

Adjust firewall rules accordingly.

I'm fine with the wireless being on the default VLAN as it's for home use only.


I don't think that switch is layer 3; does it do inter-VLAN routing? If not, then you would have to have a trunk port between it and the router, and the router would need an IP in that other VLAN, and the router is your layer 3.


But if he wants the switch to do the routing, you would have to add the routes to the router as well, and add firewall rules to allow that other subnet. And you would have to set up NAT for it as well, etc. Much easier to just use that switch as layer 2 and have the router do the routing.


I don't think that switch is layer 3; does it do inter-VLAN routing? If not, then you would have to have a trunk port between it and the router, and the router would need an IP in that other VLAN, and the router is your layer 3.

Yes, it does do inter-VLAN routing. If I create 2 VLANs on the switch (VLAN 10 and 20) and have devices on both VLANs, I'm able to ping each of them but still not able to ping anything on VLAN 1.

 

Looks like that 1910 does inter-VLAN routing... it is probably like the SG300 where you have to enable layer 3/router mode, but it seems to me that it may be a manual process.

 

http://h17007.www1.hp.com/us/en/networking/products/switches/HP_1910_Switch_Series/index.aspx#tab=TAB2

"Static IPv4/IPv6 routing


OK, what I would do is use the switch as your gateway, not the router. 

 

192.168.1.221 would be the gateway for all of your devices on the 1.x network. 

 

The switch should also have an ip on vlan 10.  That would be the gateway for the 10.1.10.x network (10.1.10.221)

 

The switch should be able to tell traffic where to go.  There should be a default gateway on the switch and that would be your router, 192.168.1.1


But that switch is not doing NAT, so that ASUS router is not going to have a clue about 10.1.10 and would send traffic out its default (internet) to get to it. So if you want to use the switch as a downstream router, then the ASUS has to know about it, and also NAT it for internet access.

While downstream routers might make sense in a large network, for a home with 2 segments it's way over-complicating it. The ASUS should be the only layer 3 device.

Also, if you let the router do the layer 3, you gain the ability of a full firewall between segments. While that switch might do some inter-VLAN routing, I doubt it has full layer 4 ACL support.

So your switch can set up an untagged port on 10 and a trunk connection to the router; the router has the SVI for VLAN 10 and would be the gateway. It would then also know to NAT that network, etc. But I am not sure on the full feature set of that Merlin software?

 

Use it as an AP and run pfsense on one of your esxi/hyperV boxes now you have full control ;)


The switch doesn't have to do NAT.  On a basic setup like this, what would be the point?  The nat device is the asus (192.168.1.1)....hell I would have the switch on 3 vlans...one for the outside network equip, one for the computer side and one for the vmware. 

 

 

Something like 192.168.1.x outside network equipment, 10.1.0.x vmware, 172.16.1.x computer

 

Router has ip 192.168.1.1

Switch has 192.168.1.10 with a default route to 192.168.1.1

Switch also has 10.1.0.1 and 172.16.1.1 on the proper vlans. 

 

The ASUS would have to have a static route for 10.1.0.x and 172.16.1.x and point to 192.168.1.10 for both of those routes. Should be easy enough to do.

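To see why the replies above insist the ASUS must have a route for the lab subnet, here is an added example (not the thread's own config) that models the thread's addresses as per-device routing tables and follows a packet hop by hop with longest-prefix matching. The device names, the home PC at 192.168.1.150, and the home PC's gateway parameter (the OP's DHCP hands out the switch, while the later replies assume the ASUS) are assumptions.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not the forum's own config).
# ASUS 192.168.1.1 NATs to the internet; HP switch has 192.168.1.221 on VLAN 1 and
# 10.1.10.221 on VLAN 10; lab PC 10.1.10.25 is on VLAN 10; home PC 192.168.1.150 is assumed.
DEVICE_OF = {"192.168.1.1": "asus", "192.168.1.221": "switch", "10.1.10.221": "switch",
             "10.1.10.25": "pc10", "192.168.1.150": "pc1"}

def make_tables(asus_has_static_route, pc1_gateway="192.168.1.1"):
    """Each device's routing table as (prefix, next hop): an IP, 'direct' or 'internet'."""
    asus = [("0.0.0.0/0", "internet"), ("192.168.1.0/24", "direct")]
    if asus_has_static_route:  # the OP's "Static Route: 10.1.10.0/24 - 10.1.10.221 (Gateway)"
        asus.append(("10.1.10.0/24", "192.168.1.221"))
    return {
        "asus": asus,
        "switch": [("0.0.0.0/0", "192.168.1.1"),  # switch's default route points at the ASUS
                   ("192.168.1.0/24", "direct"), ("10.1.10.0/24", "direct")],
        "pc10": [("0.0.0.0/0", "10.1.10.221"), ("10.1.10.0/24", "direct")],
        "pc1": [("0.0.0.0/0", pc1_gateway), ("192.168.1.0/24", "direct")],
    }

def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda m: m[0].prefixlen)[1] if hits else None

def trace(tables, src, dst):
    """Follow next hops from device src toward dst; returns the devices the packet visits."""
    path, hop = [src], src
    while True:
        nh = lookup(tables[hop], dst)
        if nh is None:
            return path + ["unroutable"]
        if nh in ("direct", "internet"):  # delivered on-link, or handed to the ISP
            return path + [DEVICE_OF.get(dst, dst) if nh == "direct" else "internet"]
        hop = DEVICE_OF[nh]
        if hop in path:  # guard against a routing loop between devices
            return path + ["loop"]
        path.append(hop)

def round_trip(tables, a, b):
    """Forward path a->b and reply path b->a; a ping only works if both end at a device."""
    return trace(tables, DEVICE_OF[a], b), trace(tables, DEVICE_OF[b], a)

if __name__ == "__main__":
    for has_route in (False, True):
        t = make_tables(has_route)
        print("ASUS static route:", has_route, round_trip(t, "10.1.10.25", "192.168.1.150"))
```

Without the static route the reply from the home PC leaves the ASUS toward the internet and the ping fails one way; with it (or with the switch as the home PC's gateway) both directions are delivered. NAT for 10.1.10.0/24 on the ASUS is deliberately not modelled here.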

"The switch doesn't have to do NAT."

 

Agreed..  Which was just backstory to why it needs a route ;)  If it did do nat, then you wouldn't need to route.

 

But I still think that a downstream router is useless..  Just have the asus do all the layer 3.


The switch doesn't have to do NAT.  On a basic setup like this, what would be the point?  The nat device is the asus (192.168.1.1)....hell I would have the switch on 3 vlans...one for the outside network equip, one for the computer side and one for the vmware. 

 

 

Something like 192.168.1.x outside network equipment, 10.1.0.x vmware, 172.16.1.x computer

 

Router has ip 192.168.1.1

Switch has 192.168.1.10 with a default route to 192.168.1.1

Switch also has 10.1.0.1 and 172.16.1.1 on the proper vlans. 

 

The ASUS would have to have a static route for 10.1.0.x and 172.16.1.x and point to 192.168.1.10 for both of those routes. Should be easy enough to do.

 

This is exactly what I would want to do. I do want more VLANs for things like iSCSI, VMware, etc., but for now I want to make sure that it works with one VLAN.

 

"The switch doesn't have to do NAT."

 

Agreed..  Which was just backstory to why it needs a route ;)  If it did do nat, then you wouldn't need to route.

 

But I still think that a downstream router is useless..  Just have the asus do all the layer 3.

 

When you say that the asus needs to do all layer 3 what exactly do you mean? 

 

I would love to do pfSense, but at this point I can't guarantee the uptime of the Hyper-V/VMware servers as they are my test machines. I have a Dell C6100 that I got on the cheap and have 4 nodes for it. While I can dedicate a node to pfSense (run on USB w/o hard drive), it seems like a waste of power.


When you say that the asus needs to do all layer 3 what exactly do you mean? 

I mean that your vlans are on that asus and it does the routing between the segments/vlans/internet.  The switch would be just layer 2.


No, the ASUS Merlin firmware is not able to do VLANs. I think I would need to load Tomato or DD-WRT on there for that.
