In January I had a problem due to having filled my core network switch. Since then I have deployed a very old Cisco switch into my air-gapped home lab, which is also less than ideal as I have very different networking hardware on my main network and the lab. To make it easier to do meaningful testing, and to solve the capacity problem, I have bought a used TP-Link T1600G-52PS switch to replace my existing T1600G-28PS. This post is concerned with configuring the new switch to be the same as the old, then swapping it and the old one over.

As both switches are the same base, the CLI and feature-set are pretty much identical, which will make development in the lab for the home network easier. Both switches are supported in the TP-Link Omada software-defined-networking (SDN) management tool already deployed for our wireless networks, although this is an example of something I want to play with in the lab rather than risk breaking the live home network.

Initial setup

After a factory reset (hold the reset button for >5s while powered on), I plugged a laptop into the switch on port 48 and statically configured it with an IP address of 192.168.0.2/24. Windows insisted I give it a default gateway (unnecessary on a network with no external routes), so I put the switch's default IP of 192.168.0.1 in.

After logging into the switch via a web-browser (http://192.168.0.1 and username/password of admin/admin), I upgraded the firmware to the latest version (4.0.6), which I had already downloaded to my laptop from the TP-Link website. After reboot, I set the admin password (it prompts automatically on initial login with the new firmware).

Global settings

To do the rest of the configuration, I connected to the switch via Telnet. I left port 48 alone while I did the configuration so it was on the default VLAN (VLAN 1) and could be used to get onto the switch via its default IP (192.168.0.1) until swapped out.

The first step, as always, was to enter configure mode:

T1600G-52PS>enable
T1600G-52PS#configure
T1600G-52PS(config)#

The first thing I set was the time, then I configured NTP (only the timezone, UTC, is not default). This will fail to get the NTP date but will leave the switch configured for NTP when it is swapped with the existing switch:

T1600G-52PS(config)#system-time manual 04/13/2022-17:34:50
T1600G-52PS(config)#system-time ntp UTC 133.100.9.2 139.78.100.163 12
T1600G-52PS(config)#system-time dst predefined Europe

Next, I set the location (entirely cosmetic):

T1600G-52PS(config)#location "Birmingham UK"

Finally, I set the hostname:

T1600G-52PS(config)#hostname core-switch
core-switch(config)#

VLAN creation

Next, I created all of the VLANs:

core-switch(config)#vlan 10
core-switch(config-vlan)#name Management
core-switch(config-vlan)#exit
core-switch(config)#vlan 20
core-switch(config-vlan)#name Main-Network
core-switch(config-vlan)#exit
core-switch(config)#vlan 30
core-switch(config-vlan)#name IoT
core-switch(config-vlan)#exit
core-switch(config)#vlan 31
core-switch(config-vlan)#name IoT-CCTV
core-switch(config-vlan)#exit
core-switch(config)#vlan 40
core-switch(config-vlan)#name Guest
core-switch(config-vlan)#exit

Switch management interface

Enable the switch to get its address via DHCP on the management VLAN:

core-switch(config)#interface vlan 10
core-switch(config-if)#ip address-alloc dhcp
core-switch(config-if)#exit

Router port

Configure port 1 for router:

core-switch(config)#interface gigabitEthernet 1/0/1
core-switch(config-if)#description router-ds9
core-switch(config-if)#switchport acceptable frame tagged
core-switch(config-if)#switchport general allowed vlan 10 tagged
core-switch(config-if)#switchport general allowed vlan 20 tagged
core-switch(config-if)#switchport general allowed vlan 30 tagged
core-switch(config-if)#switchport general allowed vlan 31 tagged
core-switch(config-if)#switchport general allowed vlan 40 tagged
core-switch(config-if)#exit

N.B. description will appear in show interface configuration. With this new switch I am setting them to match the labels on the cable plugged in.

Main network ports

Most of the switch’s ports (anything left empty) will be pre-configured as access ports for the main network. In the future I may revisit this decision (maybe they should be on the guest VLAN by default?).

To do the bulk of the configuration in one go (N.B. will come back and do port 48 once the switch has been swapped and can be accessed via the management VLAN):

core-switch(config)#interface range gigabitEthernet 1/0/2-16,1/0/21-24,1/0/26-40,1/0/47
core-switch(config-if-range)#switchport pvid 20
core-switch(config-if-range)#switchport general allowed vlan 20 untagged
core-switch(config-if-range)#no switchport general allowed vlan 1
core-switch(config-if-range)#exit

Label up occupied ports for main network:

core-switch(config)#interface gigabitEthernet 1/0/2
core-switch(config-if)#description raspberry-pi
core-switch(config-if)#exit
core-switch(config)#interface gigabitEthernet 1/0/13
core-switch(config-if)#description hp-laser-printer
core-switch(config-if)#exit
core-switch(config)#interface gigabitEthernet 1/0/36
core-switch(config-if)#description lobby-1
core-switch(config-if)#exit
core-switch(config)#interface gigabitEthernet 1/0/37
core-switch(config-if)#description master-bed-1
core-switch(config-if)#exit
core-switch(config)#interface gigabitEthernet 1/0/38
core-switch(config-if)#description lounge-1
core-switch(config-if)#exit
core-switch(config)#interface gigabitEthernet 1/0/39
core-switch(config-if)#description dining-1
core-switch(config-if)#exit
core-switch(config)#interface gigabitEthernet 1/0/40
core-switch(config-if)#description reserved-lobby-2
core-switch(config-if)#exit

N.B. I am going from a nearly full 24-port switch (it was full until one of my servers died, and four ports were freed by removing it and migrating my lab to a separate air-gapped network) to a 48-port one, so it is expected that approximately 1/2 of the ports will be empty.

Central heating wireless-access point (WAP)

For some reason our Honeywell EvoHome will not connect to my newer wireless access point, so I have one of my old pair of ASUS RT-AC66Us set up to provide a wireless network just for that. This ASUS device is just configured as a straight-through access-point (with an appropriate SSID and WPA setup) onto the internet-of-things (IoT) network which, in part, exists for untrustworthy embedded devices.

Configuring the port for the WAP:

core-switch(config)#interface gigabitEthernet 1/0/45
core-switch(config-if)#description heating-wap
core-switch(config-if)#switchport general allowed vlan 30 untagged
core-switch(config-if)#switchport pvid 30
core-switch(config-if)#no switchport general allowed vlan 1
core-switch(config-if)#exit

Desk switch port

On my desk, I have a NETGEAR GS105PE semi-managed power-over-ethernet (PoE) powered switch, into which I plug my machines and work laptop (the latter of which is on the guest network). It is configured with its management interface (sort of) on the management network so its port needs the guest, management and main networks configured:

core-switch(config)#interface gigabitEthernet 1/0/46
core-switch(config-if)#description laurences-switch
core-switch(config-if)#switchport acceptable frame tagged
core-switch(config-if)#switchport general allowed vlan 10 tagged
core-switch(config-if)#switchport general allowed vlan 20 tagged
core-switch(config-if)#switchport general allowed vlan 40 tagged
core-switch(config-if)#exit

Microserver iLO port

This is the only port currently that is untagged onto the management network, for my remaining HP Microserver’s out-of-band management interface (which HP brands “integrated lights-out” or “iLO”):

core-switch(config)#interface gigabitEthernet 1/0/25
core-switch(config-if)#description hp-microserv-ilo
core-switch(config-if)#switchport general allowed vlan 10 untagged
core-switch(config-if)#switchport pvid 10
core-switch(config-if)#no switchport general allowed vlan 1
core-switch(config-if)#exit

PoE WAPs

The majority of our wireless is provided by four TP-Link EAP225s which are powered via PoE from the core switch. The core switch and router (as well as some other critical hardware I would not like to go down hard) are UPS protected, so this arrangement gives us continuity of internet access for around 20-30 minutes during a power outage.

Like the main network ports, the ports these are plugged into are configured identically so can be done together:

core-switch(config)#interface range gigabitEthernet 1/0/41-44
core-switch(config-if-range)#switchport acceptable frame tagged
core-switch(config-if-range)#switchport general allowed vlan 10 tagged
core-switch(config-if-range)#switchport general allowed vlan 20 tagged
core-switch(config-if-range)#switchport general allowed vlan 30 tagged
core-switch(config-if-range)#switchport general allowed vlan 31 tagged
core-switch(config-if-range)#switchport general allowed vlan 40 tagged
core-switch(config-if-range)#exit

Then the individual ports just need naming:

core-switch(config)#interface gigabitEthernet 1/0/41
core-switch(config-if)#description master-bed-2-wap
core-switch(config-if)#exit
core-switch(config)#interface gigabitEthernet 1/0/42
core-switch(config-if)#description lounge-2-wap
core-switch(config-if)#exit
core-switch(config)#interface gigabitEthernet 1/0/43
core-switch(config-if)#description dining-2-wap
core-switch(config-if)#exit
core-switch(config)#interface gigabitEthernet 1/0/44
core-switch(config-if)#description office-wap
core-switch(config-if)#exit

There are two link aggregation groups (LAGs) on the network, one for the HP Microserver (which, amongst other tasks, is the main backup server) and one for the NAS. The LAGs allow two network ports to serve these devices in tandem: although a single connection cannot span ports, connections from multiple hosts can be spread over them to increase the total aggregate bandwidth available (in this case, this is my goal).

core-switch(config)#interface range gigabitEthernet 1/0/17-18
core-switch(config-if-range)#channel-group 1 mode active
core-switch(config-if-range)#description lag-1
core-switch(config-if-range)#exit
core-switch(config)#interface range gigabitEthernet 1/0/19-20
core-switch(config-if-range)#channel-group 2 mode active
core-switch(config-if-range)#description lag-2
core-switch(config-if-range)#exit

As some hosts span VLANs, it seemed sensible to base load-balancing on IP rather than the default MAC address, so I also made that change:

core-switch(config)#port-channel load-balance src-dst-ip

Now the LAGs are created, there are two new interfaces to configure - one for the server and one for the NAS (although they are identical apart from the descriptions):

core-switch(config)#interface range port-channel 1-2
core-switch(config-if-range)#switchport general allowed vlan 20 untagged
core-switch(config-if-range)#switchport pvid 20
core-switch(config-if-range)#no switchport general allowed vlan 1
core-switch(config-if-range)#exit
core-switch(config)#interface port-channel 1
core-switch(config-if)#description hp-microserver
core-switch(config-if)#exit
core-switch(config)#interface port-channel 2
core-switch(config-if)#description readynas-214
core-switch(config-if)#exit

Saving configuration

Once configured, come out of configure mode and save the configuration ready to swap the switch over:

core-switch(config)#exit
core-switch#copy running-config startup-config

Swap the switch over

Next I swapped the switch over - although before I did this I did update my DHCP server with the new switch’s MAC for the core-switch IP address (to pre-empt the management headache of it getting a random IP on the management network).

Final configuration

Once swapped over and I was happy the switch was configured correctly, including being able to log in via the management network, I configured the final port (48) onto the main network and copied the final configuration to both the startup and backup configuration (so the backup is now the baseline I have configured here).

core-switch>enable
core-switch#configure
core-switch(config)#interface gigabitEthernet 1/0/48
core-switch(config-if)#switchport general allowed vlan 20 untagged
core-switch(config-if)#switchport pvid 20
core-switch(config-if)#no switchport general allowed vlan 1
core-switch(config-if)#exit
core-switch(config)#exit
core-switch#copy running-config startup-config
core-switch#copy running-config backup-config
core-switch#exit
core-switch>exit
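
A way to double-check a session like the one above before swapping hardware, as an added example that is not part of the original post: it replays the typed port commands (with or without the prompt) and lists ports that are still members of VLAN 1, or whose PVID is not one of their untagged VLANs. The function names and the sample session are constructed for illustration; it assumes each port starts as an untagged member of VLAN 1 with PVID 1, and it only understands the command forms used in this post.

```python
import re
PROMPT = re.compile(r"^\S+[>#]\s*")  # strips a leading "core-switch(config-if)#"

def expand(kind, spec):  # '1/0/2-16,1/0/47' or '1-2' -> individual interface names
    names = []
    for part in spec.split(","):
        prefix, sep, last = part.rpartition("/")
        lo, _, hi = last.partition("-")
        names += [f"{kind} {prefix}{sep}{n}" for n in range(int(lo), int(hi or lo) + 1)]
    return names

def parse(text):
    """Replay the typed commands into per-port state: PVID and VLAN -> tagged/untagged."""
    ports, current = {}, []
    for raw in text.splitlines():
        w = PROMPT.sub("", raw.strip()).split()
        if w[:1] == ["interface"] and len(w) >= 3:
            kind, spec = (w[2], w[3]) if w[1] == "range" else (w[1], w[2])
            current = [] if kind == "vlan" else expand(kind, spec)
        for p in current:
            st = ports.setdefault(p, {"pvid": 1, "vlans": {1: "untagged"}})  # assumed default
            if w[:2] == ["switchport", "pvid"]:
                st["pvid"] = int(w[2])
            elif w[:4] == ["switchport", "general", "allowed", "vlan"]:
                st["vlans"].update((int(v), w[5]) for v in w[4].split(","))
            elif w[:5] == ["no", "switchport", "general", "allowed", "vlan"]:
                st["vlans"].pop(int(w[5]), None)
    return ports

def audit(ports):
    """Return sorted (port, finding) pairs for ports that need a second look."""
    findings = []
    for name, st in ports.items():
        if 1 in st["vlans"]:
            findings.append((name, "still a member of default VLAN 1"))
        if "untagged" in st["vlans"].values() and st["vlans"].get(st["pvid"]) != "untagged":
            findings.append((name, f"PVID {st['pvid']} is not an untagged VLAN here"))
    return sorted(findings)

CONSTRUCTED_SAMPLE = """\
core-switch(config)#interface range gigabitEthernet 1/0/2-3,1/0/47
core-switch(config-if-range)#switchport pvid 20
core-switch(config-if-range)#switchport general allowed vlan 20 untagged
core-switch(config-if-range)#no switchport general allowed vlan 1
core-switch(config)#interface gigabitEthernet 1/0/1
core-switch(config-if)#switchport general allowed vlan 10 tagged
core-switch(config)#interface gigabitEthernet 1/0/45
core-switch(config-if)#switchport general allowed vlan 30 untagged
core-switch(config-if)#no switchport general allowed vlan 1"""
```

Calling `audit(parse(session_text))` on a saved copy of the Telnet session returns an empty list when every configured port has left VLAN 1 and has a PVID matching an untagged VLAN.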