
setting up vlan on2930F

  • 1.  setting up vlan on2930F

    Posted Mar 01, 2021 12:03 PM
    Hi 

    I am about to split my network to give better security across companies,

    each has a separate network IP range: 219.1.0.0, 219.1.1.0, 219.1.2.0, 219.1.3.0, etc.

    my router is also my phone system (Draytek) on a 173.189.4.7 address

    my Question is;

    if I set up VLANs for each of the address ranges, how do I then route from the 2930F to the router? I can't change the router address as it still supports the old servers and existing network until such time as I am ready to switch to the new server installation. I will also at some point install an Aruba 720 as wireless controller, between the 2930F and the router.


    thanks in advance

    ------------------------------
    adrian dunbar
    ------------------------------


  • 2.  RE: setting up vlan on2930F

    MVP GURU
    Posted Mar 01, 2021 01:06 PM
    Hello Adrian, first of all consider that 219.1.0.0/16 (seen as the /16 network owning - as example - 256 /24 subnets: 219.1.0.0/24, 219.1.1.0/24, 219.1.2.0/24, ... up to 219.1.255.0/24) represents a public IP range. Are you really the owner of the 219.1.0.0/16 network?

    About your question about the routing...what is the device that is currently performing IP routing between your "internal" network(s) and any other "external" networks (Internet, to simplify)?

    Probably that device is your Router (Router that is acting as the Gateway for your internal network to let it reach external ones, and vice-versa)...you can follow two possible approaches:

    (1) Let your Router route your internal VLAN IDs (your Switch will continue to act as a simple Layer 2 device, its uplink to the Router's LAN interface shall necessarily carry all required VLAN IDs...routing is going to happen at Router).

    (2) Let your Switch route your internal VLAN IDs (each VLAN ID shall have an IP Address - e.g. 219.1.0.254, 219.1.1.254, and so on... - that IP address will be used by your VLAN's clients): generally you will need (as a Best Practice) a Transit VLAN (a /31 or /30 is enough) dedicated to point-to-point routing between your Layer 3 Switch and your Router. Uplink between Switch and Router will be tagged (or untagged) on this Transit VLAN. A Route of Last Resort is required on the Switch to route any non local (direct) traffic to the Router and various Static Routes are required too on the Router to properly route back traffic with internal nets as destinations.

    More or less this.







  • 3.  RE: setting up vlan on2930F

    Posted Mar 01, 2021 02:42 PM

     

    Good evening Davide

     

    Thanks for your response

     

    Firstly I am using the 219 addresses as local internal networks and not for public access so I guess any others will do. The intention is to run companies 1-4 on their own separate 219 ranges for separation but to use the 219.1.0.0 range for management and shared resources (printers, backup devices etc.). Having spoken to Draytek, who are the router manufacturer, they thought using the internal switch to create 4 VLANs that each have the router IP as gateway should be the simplest way to solve the problem. I am also intending to set an Aruba 7010 as a WiFi controller and firewall. We have several 2930F switches that carry our network throughout the building that will need to setup either spanning on or simply set the ports to VLANs, whichever is the more secure; physical access is not so much of a security problem as most are locked away.

    For now though it's more an issue of is this the best route to take and then correctly setting up the VLANs themselves

     

    Regards Adrian

     

     






  • 4.  RE: setting up vlan on2930F

    EMPLOYEE
    Posted Mar 02, 2021 05:14 AM
    Hi, you should not use 219.1.x.x IP addresses internally, these are in use on the internet and assigned to a Japanese bank. Using them internally will prevent you from going to that bank on the internet. Not sure what made you pick these IP addresses. For internal, privately used IP, pick an IP subnet from RFC1918:
    10.0.0.0        -   10.255.255.255  (10/8 prefix)
    172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
    192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
    While somewhat old, this video series 'Let's build a network' may help you understand switching, VLAN, routing. You can do your routing on the switches, on the controller, or possibly on your router, which all have pros and cons and the choice depends on the amount of segmentation required between the different subnets. This basically is what is mentioned above by Davide. It is hard to tell 'the best route' without a proper understanding of the use case. Without understanding, I would add a firewall between your subnets if these are different organizations or customers to prevent traffic between different VLANs, and a firewall as well allows you to selectively permit traffic. Do you have an IT/Networking partner that you can discuss this with? I don't think a forum is the best place to discuss a fundamental design like this.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: setting up vlan on2930F

    MVP GURU
    Posted Mar 03, 2021 04:46 AM
    Hi! I totally support what Herman Robers wrote, it's exactly what I would have written (but Herman, as usual, wrote it nicely, far more nicely than me!). There are some strange things - the usage of Public IP Addressing in corporate LAN is the very first I would say - that one, legitimately, will start to think that not all the basic networking concepts/practices were already understood (or, if understood, the OP failed to explain some important facts of its design).

    ------------------------------
    Davide Poletto
    ------------------------------



  • 6.  RE: setting up vlan on2930F

    Posted Mar 04, 2021 10:58 AM
    Hi 

    Thanks for your help so far, I will go back and change IP addresses first and then come back hopefully better informed :)

    regards Adrian

    ------------------------------
    adrian dunbar
    ------------------------------



  • 7.  RE: setting up vlan on2930F

    Posted Mar 14, 2021 05:25 PM
    Hi and thank you for your advice,

    I have now reconfigured all switches and am now using 172 address ranges on all of our new servers and domains. Looking at other posts here, am I right in thinking that it may be easier to connect my 4x 2930F and my 3810M as a VSF, to make life easier setting up the VLANs and routing between them, as their ports will all show as one stack and so it should simply be a case of assigning each port to its associated VLAN(s)? All are connected as a 10GbE chain using SFP+ (multimode) ports 51 and 52 on each switch (52-51, 52-51, etc.). There is a fibre cable to complete the loop but as I went to connect it the network crashed so I removed it; I will look into the cause of this tomorrow. A couple of things concern me:

    Firstly this is our live network of switches that have simply been got working and have no structure and so I am trying to keep disruption to a minimum although we are aware that it is time to sort this while we can, mostly done remotely after hours as I have full access.

    Secondly would be the routing, as currently the new servers can't as yet see the world; no mad rush as the network management is my main priority.

    Thirdly it was my intention to use an Aruba 7010 as an AP controller and firewall and may need help with that.

    regards Adrian





    ------------------------------
    adrian dunbar
    ------------------------------



  • 8.  RE: setting up vlan on2930F

    MVP GURU
    Posted Mar 14, 2021 07:37 PM
    Yes, with VSF (on Aruba 2930F) Network Administrator's life is going to be easier (for the reasons you already highlighted -> there is a good VSF Best Practice here explaining both Frontplane Stacking - VSF - and the Backplane Stacking - the Hardware way - in case of Aruba 3810M). With that guide you will solve the Ring approach (no loop if you properly set and connect involved VSF Links).

    For the routing part I copy and paste what I wrote you initially (with some adaptations since you changed your internal VLAN range):

    Probably that device is your Router (Router that is acting as the Gateway for your internal network to let it reach external ones, and vice-versa) you can follow two potential approaches, provided that you planned your VLANs and segmented Subnets:
    (1) Let your Router route your internal VLAN IDs (your Switch will continue to act as a simple Layer 2 device, its uplink to the Router's LAN interface shall necessarily carry all required VLAN IDs - this means that you need to tag that interface on various required VLANs - routing is going to happen at Router).
    (2) Let your Switch route your internal VLAN IDs (each VLAN ID shall have an IP Address - e.g. 172.16.0.254 - VLAN 1000, 172.16.1.254 - VLAN 1001, 172.16.2.0/24 - VLAN 1002 and so on... - that IP address will be used by your VLAN's clients): generally you will need (as a Best Practice) a Transit VLAN (a /31 or /30 is enough) dedicated to point-to-point routing between your Layer 3 Switch and your Router. Uplink between your routing Switch and your Router (the Firewall) will be tagged (or untagged) on this "special" VLAN dedicated to the point-to-point "transit of traffic". A Route of Last Resort is required on the routing Switch to route any non local (directly connected) VLAN's traffic to your Router - like destination 0.0.0.0 mask 0.0.0.0 via Transit VLAN IP Address of your Router - and various Static Routes are required too on your Router to properly route back traffic with internal nets as destinations - like 172.16.0.0 mask 255.255.255.0 via Transit VLAN IP Address of your routing Switch.
    More or less this.


    ------------------------------
    Davide Poletto
    ------------------------------



  • 9.  RE: setting up vlan on2930F

    Posted Mar 15, 2021 05:17 AM
    Hi Davide 

    If I stick to Frontplane Stacking (VSF) using the 10G SFP+ ports will I be getting specific problems with the 3810M connections, or just cable up the same as I would the 2930F's?

    regards Adrian

    ------------------------------
    adrian dunbar
    ------------------------------



  • 10.  RE: setting up vlan on2930F

    MVP GURU
    Posted Mar 15, 2021 02:04 PM
    Hello Adrian, I'm not totally sure I have exactly understood your actual and/or desired network topology: by reading what you wrote in your last post I only understood that you're trying to work with 4 Aruba 2930F (and you want to deploy them as a four-member VSF stack) and a standalone Aruba 3810M, this latter one is going to be connected to this VSF. No idea about what your routing plans over this network topology are. Am I correct with those assumptions?

    ------------------------------
    Davide Poletto
    ------------------------------



  • 11.  RE: setting up vlan on2930F

    Posted Mar 15, 2021 04:03 PM
    Hi parnassus

    Sorry to be so confusing, I am a newbie at this. In the past we just bunged a switch in and away we went; owing to my attempt at setting up the network correctly I am learning that we have a lot more to do than I thought. Where I thought that routing was the answer I have since found that I needed to sort out a lot more. The network currently has no management whatsoever; I soon realised that I would need to set up several VLANs and then replicate them to each switch installed in various locations within the building. I recently re-cabled all as a chain with the final multimode cable set as the leg in the loop (as was instructed by Aruba), which inevitably caused a loop as they failed to tell me about VSF.

    anyhow here we are now, ready to setup a group of 2950F's and the one 3810M which I think would be set as Commander and the next switch to be the standby, all of the switches have the latest f/w, so according to the post by Matthew_Fern and yourself, I believe that the next step would be

    using telnet and starting with the commander run this command;

    switch(config)# vsf enable domain <1>
    This will save the current configuration and reboot the switch.
    Continue (y/n)? y

    Then to assign the ports. Question: I was going to simply use ports 51 as "IN" and 52 as "OUT" on each switch, if that makes sense, so I am not sure if the next would be right;

    vsf member 1 link 1 1/51,1/52
    vsf member 2 link 1 1/51,1/52
    vsf member 3 link 1 1/51,1/52
    vsf member 4 link 1 1/51,1/52
    vsf member 5 link 1 1/51,1/52

    which I think would only be using two SFP+ ports

    Would this be correct?

    regards Adrian

    ------------------------------
    adrian dunbar
    ------------------------------



  • 12.  RE: setting up vlan on2930F

    MVP GURU
    Posted Mar 16, 2021 03:28 AM
    Hello Adrian,

    With:

    vsf member 1 link 1 1/51,1/52
    vsf member 2 link 1 1/51,1/52
    vsf member 3 link 1 1/51,1/52
    vsf member 4 link 1 1/51,1/52
    vsf member 5 link 1 1/51,1/52

    you're creating a chain between VSF Member id 1 to VSF Member id 5 but the link numbering (VSF Link id) and its interface composition (VSF Link's members) are wrong.

    Better for you to read Chapter 20 "Virtual Switching Framework (VSF)" starting at page 650 of this guide. At page 691 there is an 8 member VSF Chain setup (you can reduce the number of VSF Members/Links to fit your case, the principle is the same). Supposing you're going to assign just one physical interface per each logical VSF Link then a schema could be:

    vsf member 1 link 1 1/51
    vsf member 1 link 2 1/52
    vsf member 2 link 1 1/51
    vsf member 2 link 2 1/52
    vsf member 3 link 1 1/51
    vsf member 3 link 2 1/52
    vsf member 4 link 1 1/51
    vsf member 4 link 2 1/52

    If I'm not mistaken (examples tend to vary about that) you then could interconnect cables this way:

    VSF Member 1 VSF Link 2 (1/52) to VSF Member 2 VSF Link 1 (1/51) <-- here the VSF Chain start
    VSF Member 2 VSF Link 2 (1/52) to VSF Member 3 VSF Link 1 (1/51)
    VSF Member 3 VSF Link 2 (1/52) to VSF Member 4 VSF Link 1 (1/51)
    VSF Member 4 VSF Link 2 (1/52) to VSF Member 1 VSF Link 1 (1/51) <-- here the VSF Chain end, closing back to 1st VSF Member and forming a VSF Ring.

    Better would be to aggregate multiple physical interfaces per each VSF Link id (to add resiliency and throughput) but I fear that doing so your VSF Members will be left with no free SFP+ ports to be used for uplinks/downlinks to other peers (Servers or Switches).

    Aruba 3810M doesn't support VSF (you can eventually form a Hardware Stack with two or more Aruba 3810M connected together). You can uplink the Aruba 3810M to your VSF via a LACP Port Trunk (Port Trunks' members need to be distributed to all VSF Members...so you should play with a 4 Links Port Trunk to stay on the safe side). On VSF side do the same with a LACP Port Trunk to your Aruba 3810M. That's for the basic connectivity. Then you should also care about VSF MAD.

    ------------------------------
    Davide Poletto
    ------------------------------



  • 13.  RE: setting up vlan on2930F

    Posted Mar 16, 2021 05:13 PM
    Hi Parnassus

    Many thanks for your time on this, the cabling is as current so that's good (with the exception of the final connection waiting to be plugged in).

    Looks to me as if the best way then would be to connect the 4 x 2930F as a VSF stack and for now, for the 3810M (as it's the server cab switch), to simply join it with two 10GbE trunks, one to member 1 1/49 and one to member 2 2/49 as they are both close by.

    Which would be best practice?

    A/      Running vsf enable Domain 1 on the first switch  and type Y reboots the switch which boots up as Commander then add the command;
    vsf member 1 link 1 1/51, then
    vsf member 1 link 2 1/52.

    reset the other 2930F's to factory settings then start them in turn, waiting for each to reboot, and then add the link command;
    vsf member 2 link 1 1/51
    vsf member 2 link 2 1/52

    etc. until complete then make final connection to complete the loop.

    B/    Or do I enter the following suggestion from you at the start on the commander prior to adding each Member in turn

    vsf member 1 link 1 1/51
    vsf member 1 link 2 1/52
    vsf member 2 link 1 1/51
    vsf member 2 link 2 1/52
    vsf member 3 link 1 1/51
    vsf member 3 link 2 1/52
    vsf member 4 link 1 1/51
    vsf member 4 link 2 1/52

    Will this allow the live network to run as before (unmanaged) once I have completed the VSF stack process whilst I set up the VLANs and routing, which is where I came in :)




    ------------------------------
    adrian dunbar
    ------------------------------



  • 14.  RE: setting up vlan on2930F

    MVP GURU
    Posted Mar 17, 2021 04:01 AM
    Hello Adrian, I'm not you...so I can't exactly suggest you what is best VSF provisioning method in your particular scenario. Probably I would go with the "A" way: I will configure the first Aruba 2930F (defaulted and already fully updated to latest 16.10.0012) and, as per Best Practices, I will decide to proceed with a "Semi-Automatic provisioning" (see page 5 of Best Practice I linked). Best if all involved Aruba 2930F are defaulted and already updated. Clearly your mileage may vary (significantly) but I can't help you further since deciding the best method depends on many other variables (first of all: are you dealing and working with a production network or are you just setting up a totally new network from scratch?).

    ------------------------------
    Davide Poletto
    ------------------------------



  • 15.  RE: setting up vlan on2930F

    Posted Mar 17, 2021 04:30 AM
    Hi Parnassus

    All firmware is 16,10,0012

    Will default each switch prior to commencing,

    Network connections are all fairly close so that should not create an issue,

    I am currently about to replace the entire system (servers, PCs, printers etc.), hence my need to sort the infrastructure first. There are only a couple of important PCs on the network that are crucial to us and as these are relatively close to each other I can if need be temporarily move them on to the 3810M as I won't need to touch that at the moment, possibly set up "Vlan old" until the changeover is complete or so. Going to leave attempting the changes until the weekend to avoid any loss of production, will let you know.

    many thanks for your help

    ------------------------------
    adrian dunbar
    ------------------------------



  • 16.  RE: setting up vlan on2930F

    MVP GURU
    Posted Mar 17, 2021 01:15 PM
    Hello Adrian Dunbar, pay attention that the Aruba 3810M should be connected to all VSF Members, if possible (so a 4x10G LACP Port Trunk from Aruba 3810M to a 4x10G LACP Port Trunk on VSF, with links distributed on all VSF Members <- this for maximum protection, throughput and resiliency): if you deploy the Aruba 3810M that way (connected to all VSF Members by means of a LACP Port Trunk) you can use the very same Aruba 3810M also as a "MAD Device". To do so you need to connect it with other four single 1G dedicated Links (here no Port Trunk for this scope) untagged on a particular selected VLAN (the MAD VLAN -> see Best Practices).

    ------------------------------
    Davide Poletto
    ------------------------------



  • 17.  RE: setting up vlan on2930F

    Posted Mar 17, 2021 01:57 PM
    Hi

    That's sort of what I thought, as VSF members 1 and 2 will have ports 51 and 52 as VSF links, port 50 will be for server connections (failover, as both servers are connected to ports 49, 50 on the 3810M) and port 49 will then be the trunk for the 3810M, all at 10GbE, nice :),

    regards Adrian

    ------------------------------
    adrian dunbar
    ------------------------------



  • 18.  RE: setting up vlan on2930F

    MVP
    Posted Mar 17, 2021 08:23 AM
    Adrian,
    I'm not in any way an expert, but I have recently made a similar config. 
    Re the uplink, a LACP to ports 49 on switches 1, 2 seems like a good plan. 
    For config of the bad, there are posts here on the forums with context that you can likely find by searching vsf. 

    I can give you a quick reference here, though. 

    To set up VSF, option a would be best. Grab a copy of the config that you have from each switch, then after doing the first switch as you indicated, (set it up with each member config (don't forget the type - pull it from the other members - probably all are the same)

    member 1
    link 1 1/51
    link 2 1/52
    member 2
    link 1 2/51
    link 2 2/52
    member 3……. Etc

    then,  go to the second switch and clear the config. 

    Then you can set up the ports - but remember that by default each switch is member 1. 
    config t
    vsf member 1
    link 1 51
    link 2 52
    end
    vsf domain 1
    vsf renumber to 2


    each switch gets configured as member 1, set the links, then renumber. Complete this for all 3 additional switches. 
    connect them to the stack as you reboot them with the renumber command. Don't want any loops. And if you don't connect them when you reboot them, they won't boot fully. They will look for member 1 on the link ports that you set. 

    it is also good to set a secondary before you add the members. Do this from switch 1. If switch 1 goes down, what switch will take over, mine are all member 2, so something like
    vsf secondary member 2

    Hope this helps. 


    ------------------------------
    Phillip Horn
    ------------------------------



  • 19.  RE: setting up vlan on2930F

    Posted Mar 24, 2021 03:59 PM
    Hi

    Firstly many thanks for all of your help so far, have now got the stack up and running and in a ring configuration as well. Going back to the original question regarding setting up VLANs and using the switches to route from them to the routers: fixed IP all are on 172 addresses, VLANs are on 172.26.217.1,2,3,4,5, and the router is on 172.14.178.1. I'm now happy with the VLAN setting up (I think :)), so the first issue will be the routing, and the next will be setting up the trunk between the stack and the 3810M. There are two 10GbE SFP+ ports available on the 3810M for the stack trunk connections as the other two are connections to the two servers in the cab (Dell R710's each with 2 10GbE SFP+ ports; each has one connection to the stack, and the other to the 3810M). On the commander there are 2 10GbE SFP+ spare, as there are on the adjacent standby, one on each for each of the servers' direct connection to the stack and the other would be for the trunk. I did see something on here about using L4 for the trunk would give me better speed but not sure how to set that up.

    ------------------------------
    adrian dunbar
    ------------------------------



  • 20.  RE: setting up vlan on2930F

    MVP GURU
    Posted Mar 24, 2021 07:06 PM
    Hello Adrian,

    "fixed ip all are on 172 addresses, vlans are on 172.26.217.1,2,3,4,5, and the router is on 172.14.178.1"

    well...what does it mean VLANs are on 172.26.217.1, 2, 3, 4 and 5? What does it mean the router is on 172.14.178.1 (which is not a local connected address giving the subnets of your VLANs)?

    For VLAN's SVI I would have expected something like (example):

    VLAN a -> Net: 172.26.217.0/24 -> SVI: 172.26.217.254
    VLAN b -> Net: 172.26.218.0/24 -> SVI: 172.26.218.254
    VLAN c -> Net: 172.26.219.0/24 -> SVI: 172.26.219.254
    VLAN d -> Net: 172.26.220.0/24 -> SVI: 172.26.220.254

    and so on...the third octet (217, 218, 219, 220, ...) discriminates the /24 nets.

    Saying you have VLANs with SVI IP Addresses such as 172.26.217.1, 172.26.217.2, 172.26.217.3, 172.26.217.4, 172.26.217.5 is a little bit difficult to imagine.

    Then having the IP address of your Next Hop Gateway to the RoW (your Router) equal to 172.14.178.1 is totally possible BUT you need a way to reach that IP Address (if directly connected to your Switch/Stack it means that your Switch/Stack needs to have an IP within its very one subnet OR that is possible to use a Transport VLAN to that IP Address, in both cases - giving the VLAN SVI Addresses you wrote above - I see really nothing of both).

    I believe you need to better clarify your internal IP Addressing space.


    ------------------------------
    Davide Poletto
    ------------------------------
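
The addressing checks raised in posts 4, 8 and 20 (RFC 1918 space, one non-overlapping subnet per VLAN with its SVI inside it, a next hop that sits in a directly connected or transit subnet, and the return routes the router then needs), as an added example that is not part of any poster's message. The /24 mask applied to the post 19 addresses, the transit subnet 172.26.255.0/30 and the VLAN names are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges, as quoted in post 4.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(value):
    """True if an address or network lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(value, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def check_plan(vlans, next_hop, transit=None):
    """Return a list of problems in a routed-VLAN plan (empty list = consistent).

    vlans:    {name: (subnet, svi_address)} for each VLAN routed on the switch
    next_hop: router address used by the switch's route of last resort
    transit:  optional (subnet, switch_address) of a point-to-point transit VLAN
    """
    entries = dict(vlans)
    if transit:
        entries["transit"] = transit
    problems, connected = [], {}
    for name, (subnet, svi) in entries.items():
        net = ipaddress.ip_network(subnet)
        if not is_rfc1918(subnet):
            problems.append(f"{name}: {net} is not RFC 1918 space")
        if ipaddress.ip_address(svi) not in net:
            problems.append(f"{name}: SVI {svi} is outside {net}")
        # Report only the first clash per VLAN to keep the output readable.
        clash = next((o for o, n in connected.items() if net.overlaps(n)), None)
        if clash:
            problems.append(f"{name}: {net} overlaps {clash}")
        connected[name] = net
    hop = ipaddress.ip_address(next_hop)
    if not is_rfc1918(next_hop):
        problems.append(f"next hop {hop} is not RFC 1918 space")
    if not any(hop in n for n in connected.values()):
        problems.append(f"next hop {hop} is not in any directly connected subnet")
    return problems


def router_return_routes(vlans, switch_transit_ip):
    """Static routes the router needs for the subnets behind the routing switch."""
    nets = (ipaddress.ip_network(subnet) for subnet, _ in vlans.values())
    return [(str(n.network_address), str(n.netmask), switch_transit_ip) for n in nets]


# Constructed from post 19: five SVIs 172.26.217.1-5 and router 172.14.178.1.
# The /24 mask is an assumption; the post gives no masks.
AS_POSTED = {f"vlan{i}": ("172.26.217.0/24", f"172.26.217.{i}") for i in range(1, 6)}

# Constructed from the example in post 20: one /24 per VLAN, SVI on .254.
CORRECTED = {f"vlan{o}": (f"172.26.{o}.0/24", f"172.26.{o}.254")
             for o in (217, 218, 219, 220)}
TRANSIT = ("172.26.255.0/30", "172.26.255.1")   # assumed transit VLAN, switch side
ROUTER_TRANSIT_IP = "172.26.255.2"              # assumed transit VLAN, router side

if __name__ == "__main__":
    for line in check_plan(AS_POSTED, "172.14.178.1"):
        print("as posted:", line)
    print("corrected:", check_plan(CORRECTED, ROUTER_TRANSIT_IP, TRANSIT) or "no problems")
    for route in router_return_routes(CORRECTED, TRANSIT[1]):
        print("router needs: %s mask %s via %s" % route)
```

Routing between the company VLANs on the switch makes them mutually reachable by default, so the firewall or ACL placement mentioned in post 4 still has to be decided separately from the addressing.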



  • 21.  RE: setting up vlan on2930F

    Posted Mar 25, 2021 06:01 PM
    Hi davide

    Like a plonker I messed that right up Ha!

    yes you are right it is the third Octet: 172.26.211.1, 212.1, 213.1 etc

    ------------------------------
    adrian dunbar
    ------------------------------



  • 22.  RE: setting up vlan on2930F

    Posted Apr 03, 2021 09:33 AM
    Hi

    I have now set up the 2930f stack and I also have a Stack of two 3810Ms all using front SFP's.
    Question: I understand that they wouldn't form a single stack, but can I have both (independent) stacks running on the same ring or not?

    Regards Adrian

    ------------------------------
    adrian dunbar
    ------------------------------



  • 23.  RE: setting up vlan on2930F

    MVP GURU
    Posted Apr 03, 2021 09:52 AM
    Hi, this thread is becoming a little bit long in my opinion and we're going off-topic.

    What you could (should) do is to interconnect both independent stacks together by means of (not less than) a four ports' Port Trunk (also known as Link Aggregation, LAG or BAGG) by using LACP as control protocol...and - physically speaking - you should "cross terminating" Port Trunks' links against each member of corresponding Stack, example:

    Stack 1 Member 1 Port 1 to Port 1 Member 1 Stack 2
    Stack 1 Member 1 Port 2 to Port 2 Member 2 Stack 2
    Stack 1 Member 2 Port 1 to Port 1 Member 2 Stack 2
    Stack 1 Member 2 Port 2 to Port 2 Member 1 Stack 2



  • 24.  RE: setting up vlan on2930F

    Posted Mar 15, 2021 05:23 AM
    sorry was meant for parnassus

    ------------------------------
    adrian dunbar
    ------------------------------