We are getting solar panels installed and the system comes with an inverter that uses a WiFi module to connect to a cloud service. Having looked into published information online, I have concluded that the WiFi module is going nowhere near anything else on my network so I am creating a separate VLAN for it.

Switch configuration

At the time of writing, I still manually configure my switch. I hope to change this as part of my migration from SaltStack to Ansible but have not yet.

Firstly I add the new VLAN:

core-switch(config)#vlan 32
core-switch(config-vlan)#name IoT-Solar
core-switch(config-vlan)#exit

and enable it on the wireless access point ports as well as the router’s port:

core-switch(config)#interface range gigabitEthernet 1/0/41-44
core-switch(config-if-range)#switchport general allowed vlan 32 tagged
core-switch(config-if-range)#exit
core-switch(config)#interface gigabitEthernet 1/0/1
core-switch(config-if)#switchport general allowed vlan 32 tagged
core-switch(config-if)#exit

Finally, save the changes so they will remain after reboot:

core-switch#copy running-config startup-config

Router configuration

The router is still managed by SaltStack, so the changes required were all done through that. What I needed to do was:

  1. Configure and bring up an interface on the new VLAN (192.168.32.250/24)
  2. Enable DHCP server to serve IP addresses on the new VLAN
  3. Configure the firewall to permit required ports from the new VLAN to the internet
  4. Add the inverter’s WiFi device to my RADIUS server and set it up to be placed onto the new VLAN

Although this will only have 1 device, and I did consider using a /29 (in case something else needs to be added to this subnet in the future), I opted to keep the consistent “class C” /24 subnet size with the router at x.250, as per my other subnets. I chose this address for the router as an annoying number of consumer devices come with a static configuration for either .1 or .254, although usually in the 192.168.0.0/24 or 192.168.1.0/24 networks, presumably for the same reason I would prefer either for the router (first and last host address in the subnet). This is an architecture decision I am becoming increasingly unhappy with and will need to revisit; however, changing the size of my subnets will mean changing the router’s IP address if it is to remain consistent across different-sized subnets. My networks, however, are not too numerous, so I am not short of IP addresses: smaller subnets will be for neatness rather than necessity.

Firewall configuration

After doing this configuration, I set up the firewall to allow access for the DLS-W (per the details on the order, this is what I will be getting), according to Solis’ documentation. This consisted of allowing access to port 10000 at 47.88.8.200 and 115.29.186.234; however, the documentation did not specify whether this port is UDP or TCP, so I allowed both for now.
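
One way to settle the UDP-or-TCP question and then close the unused protocol is to audit the router's firewall log for the solar VLAN. This is an added example, not part of the original post: it assumes the router is Linux and logs forwarded packets in the netfilter LOG key=value format, and the log lines, the `solar-fwd` prefix and the interface names are constructed.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the post: the IoT-Solar subnet, the two Solis endpoints, the port.
SOLAR_NET = ipaddress.ip_network("192.168.32.0/24")
ALLOWED_DST = {ipaddress.ip_address("47.88.8.200"), ipaddress.ip_address("115.29.186.234")}
ALLOWED_PORT = 10000

# key=value fields as written by the Linux netfilter LOG target (assumed log source).
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines; they say nothing about what a real data logger sends.
SAMPLE_LOG = """\
kernel: solar-fwd IN=vlan32 OUT=wan SRC=192.168.32.10 DST=47.88.8.200 LEN=60 PROTO=TCP SPT=49152 DPT=10000 SYN
kernel: solar-fwd IN=vlan32 OUT=wan SRC=192.168.32.10 DST=115.29.186.234 LEN=60 PROTO=TCP SPT=49153 DPT=10000 SYN
kernel: solar-fwd IN=vlan32 OUT=wan SRC=192.168.32.10 DST=203.0.113.7 LEN=76 PROTO=UDP SPT=123 DPT=123
kernel: solar-fwd IN=vlan32 OUT=lan SRC=192.168.32.10 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=49154 DPT=445 SYN
kernel: other IN=lan OUT=wan SRC=192.168.1.20 DST=47.88.8.200 LEN=60 PROTO=TCP SPT=50000 DPT=10000 SYN
kernel: solar-fwd IN=vlan32 OUT=wan SRC=192.168.32.10 DST=198.51.100.9 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

def audit(log_text):
    """Return (protocols seen on the allowed flows, flows outside the allow-list)."""
    used, unexpected = Counter(), Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO"} <= f.keys():
            continue  # not a packet log line
        try:
            src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        except ValueError:
            continue  # malformed address field
        if src not in SOLAR_NET:
            continue  # only traffic originating on the solar VLAN is of interest
        proto = f["PROTO"].lower()
        port = int(f["DPT"]) if f.get("DPT", "").isdigit() else None  # ICMP has no DPT
        if dst in ALLOWED_DST and port == ALLOWED_PORT and proto in ("tcp", "udp"):
            used[proto] += 1
        else:
            unexpected[(str(dst), proto, port)] += 1
    return used, unexpected

def removable_protocols(used):
    """Protocols allowed 'for now' that never appeared and are candidates to close."""
    return sorted({"tcp", "udp"} - set(used))

if __name__ == "__main__":
    used, unexpected = audit(SAMPLE_LOG)
    print("in use:", dict(used), "| candidates to close:", removable_protocols(used))
    for flow, count in sorted(unexpected.items(), key=str):
        print("outside allow-list:", flow, count)
```

Entries in the second result are attempts from the solar VLAN to reach anything other than the two documented endpoints on port 10000, which is the traffic the separate VLAN exists to contain.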