Continuing from yesterday’s work on my new network kit, today I’m starting with configuring the new switch.

Setting user passwords

As already mentioned, this switch uses different commands to the old one. A user's password is set with the command: user name <user> password <new password>

Saving the configuration

The old switch used save to do this; the new one uses copy running-config startup-config.

Create the VLANs

See yesterday’s post for the planned list, let’s create them now:

T1600G-28PS(config)#vlan 10,20,30-31,40

And now set their names:

T1600G-28PS(config)#vlan 10

T1600G-28PS(config-vlan)#name Switch-Mgmt

T1600G-28PS(config-vlan)#vlan 20

T1600G-28PS(config-vlan)#name Main-Network

T1600G-28PS(config-vlan)#vlan 30

T1600G-28PS(config-vlan)#name IoT

T1600G-28PS(config-vlan)#vlan 31

T1600G-28PS(config-vlan)#name IoT-CCTV

T1600G-28PS(config-vlan)#vlan 40

T1600G-28PS(config-vlan)#name Guest

And check the configuration:

T1600G-28PS#show vlan
VLAN  Name                 Status    Ports
----- -------------------- --------- ----------------------------------------
1     System-VLAN          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4,
                                     Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8,
                                     Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12,
                                     Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16,
                                     Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20,
                                     Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/24,
                                     Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28
10    Switch-Mgmt          active
20    Main-Network         active
30    IoT                  active
31    IoT-CCTV             active
40    Guest                active

Configure management VLAN

Tell the switch to obtain its IP via DHCP on the management VLAN:

T1600G-28PS(config)#interface vlan 10

T1600G-28PS(config-if)#ip address-alloc dhcp

Configure trunk ports

Port 1 will connect to the router, and ports 21, 22, 23, 24 (the last 4) will be connected to the wireless access points - so these will all be trunk ports. This version of TP-Link’s switch, again in contrast to their more expensive models, only supports ‘general’ port modes rather than being able to configure ‘trunk’ and ‘access’ ports - this just means a little more effort is required to get the configuration right.

T1600G-28PS(config)#interface range gigabitEthernet 1/0/1,1/0/21-24

T1600G-28PS(config-if)#switchport general allowed vlan 10,20,30-31,40 tagged

T1600G-28PS(config-if)#switchport check ingress

T1600G-28PS(config-if)#switchport acceptable frame tagged

Configure access ports

For now, I’m putting the rest of the ports onto the main network VLAN:

T1600G-28PS(config)#interface range gigabitEthernet 1/0/2-20

T1600G-28PS(config-if-range)#switchport general allowed vlan 20 untagged

T1600G-28PS(config-if-range)#no switchport general allowed vlan 1

T1600G-28PS(config-if-range)#switchport pvid 20
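With 'general' mode ports it is easy to leave a port in VLAN 1 by accident, so the following added example (not part of the original post) parses `show vlan` output in the layout shown earlier and compares membership against the port plan above. The function names are hypothetical and the sample output is constructed, with Gi1/0/7 deliberately left in VLAN 1.

```python
import re

# Constructed sample (not captured from the switch); Gi1/0/7 is left in VLAN 1.
SAMPLE = """\
VLAN  Name                 Status    Ports
----- -------------------- --------- ----------------------------------------
1     System-VLAN          active    Gi1/0/1, Gi1/0/7, Gi1/0/21, Gi1/0/22,
                                     Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26,
                                     Gi1/0/27, Gi1/0/28
10    Switch-Mgmt          active    Gi1/0/1, Gi1/0/21, Gi1/0/22, Gi1/0/23,
                                     Gi1/0/24
20    Main-Network         active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4,
                                     Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8,
                                     Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12,
                                     Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16,
                                     Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20,
                                     Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/24
30    IoT                  active    Gi1/0/1, Gi1/0/21, Gi1/0/22, Gi1/0/23,
                                     Gi1/0/24
31    IoT-CCTV             active    Gi1/0/1, Gi1/0/21, Gi1/0/22, Gi1/0/23,
                                     Gi1/0/24
40    Guest                active    Gi1/0/1, Gi1/0/21, Gi1/0/22, Gi1/0/23,
                                     Gi1/0/24
"""

ACCESS = set(range(2, 21))       # ports 2-20: untagged in VLAN 20 only
TRUNK = {1, 21, 22, 23, 24}      # router uplink and the four access points
PLANNED = {10, 20, 30, 31, 40}   # VLANs every trunk port must carry

def parse_show_vlan(text):
    """Return {vlan_id: set of port numbers}, folding continuation lines."""
    vlans, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"(\d+)\s+\S+\s+\S+", line):   # a new VLAN row starts
            current = int(m.group(1))
        if current is not None:
            vlans.setdefault(current, set()).update(map(int, re.findall(r"Gi1/0/(\d+)", line)))
    return vlans

def audit(vlans):  # list deviations from the port plan described in the post
    findings = []
    for port in sorted(ACCESS | TRUNK):
        member_of = {v for v, ports in vlans.items() if port in ports}
        if port in ACCESS and member_of != {20}:
            findings.append(f"Gi1/0/{port}: access port in VLANs {sorted(member_of)}")
        if port in TRUNK and not PLANNED <= member_of:
            findings.append(f"Gi1/0/{port}: trunk missing VLANs {sorted(PLANNED - member_of)}")
    return findings

print(audit(parse_show_vlan(SAMPLE)))
```

The table shows membership only, not whether a port is tagged or untagged in a VLAN, so the PVID and tagging still need checking in the per-port configuration.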

Configure the router

Fortunately I left all the logic for configuring VLAN interfaces in my Salt configuration when removing the old ones, so this was just a case of re-adding the interfaces in the host’s pillar file (note I also changed the router’s IP from x.1 to x.250 at this point too - too many things come preconfigured out-of-the-box for x.1):


networking:
  interfaces:
    - name: enp3s0.10
      mode: static
      auto: True
      router: True
      options:
        address: 192.168.10.250
        netmask: 255.255.255.0
    - name: enp3s0.20
      mode: static
      auto: True
      router: True
      options:
        address: 192.168.0.250
        netmask: 255.255.255.0
    # ...etc...

And add the subnet and new host to the home network configuration pillar:

networks:
  home.entek.org.uk:
    dhcp:
      subnets:
        - ip4-network: 192.168.0.0
          ip4-netmask: 255.255.255.0
          gateway: router
          options:
            domain-search: '"home.entek.org.uk"'
            domain-name-servers: 'router.home.entek.org.uk, 8.8.8.8'
          ranges:
            - [192.168.0.100, 192.168.0.160]
        - ip4-network: 192.168.10.0
          ip4-netmask: 255.255.255.0
          gateway: router-mgmt
          options:
            domain-search: '"home.entek.org.uk"'
            domain-name-servers: 'router-mgmt.home.entek.org.uk, 8.8.8.8'
          ranges:
            - [192.168.10.100, 192.168.10.120]
        # ...etc...
    hosts:
{{ host('ds9', '192.168.0.250', aliases=['router', 'salt']) | indent(6) }}
{{ host('ds9-mgmt', '192.168.10.250', aliases=['router-mgmt']) | indent(6) }}
# ...etc...

(N.B. ‘host’ is a macro that generates host information in the pillar file.)

And finally update the firewall rules with the new main network interface and rules for the management network.

Then apply the new configuration with salt as normal:

salt ds9.home.entek.org.uk state.highstate

De-configure VLAN 1 IP

In order for the switch’s management to be accessible from the main network, which has the same subnet as the default on the switch, the IP on VLAN 1 needs to be removed:

T1600G-28PS(config)#interface vlan 1

T1600G-28PS(config-if)#no ip address

Thought: Was continuing to use 192.168.0/24 on the main network a mistake?

Tomorrow, hopefully, I’ll be setting up the new access points in “Return of the WAPs” (the Star Wars theme was unintentional yesterday but seems a shame not to follow through now)…