Wired Intelligent Edge


1930 SFP WAN and static IP

  • 1.  1930 SFP WAN and static IP

    Posted Jan 25, 2023 09:10 AM

    We have a fiber connection arriving in the office and we want to use a 1930 8p switch to distribute it.
    The ISP gave us static IP and gateway addresses to use, but I don't seem to be able to get them to work or to make the SFP port used for WAN access.
    I need some help with configuring and understanding this setup.

    Thank you very much.

  • 2.  RE: 1930 SFP WAN and static IP

    Posted Jan 25, 2023 02:42 PM
    Hi, if an ISP gave you a Static IP address (and here I'm implying it is a Public IP address) and a Gateway IP address (and here I'm implying it is a Private IP address)...that ISP should have given you also a device interfacing (literally NATting <- see NAT) those two IP sides, Public versus Private.

    Generally, such a device is (and it acts as) a Router or a Firewall (imagine both devices with, at least, a WAN interface facing your ISP network to the public Internet and a LAN interface facing your internal private network).

    WAN and LAN interface types vary and, given the WAN side throughput provided by ISPs, it's not too infrequent these days to see a Firewall or a Router with a Fiber Optic LAN interface working at 1 Gbps full duplex (provided that it is equipped with a short range SFP Transceiver).

    Did your ISP give you a Router or a Firewall to NAT the Public IP address and to face your Private network with a Private IP address (Gateway IP address)?

    A switch generally is not engineered to offer NAT functionality/feature but it works at L2 level (switching) and eventually at L3 (routing) level too...that's to say that a Switch could be used in L2 mode to use the NATting device as its gateway to Internet (and all your devices will use that gateway) or, if it is L3 capable, it could be used to act as gateway for your internal networks (when you have many of them and all your devices will use the routing switch as their gateway) and then route to the NATting device all requests for external destinations, the NATting device is the gateway to all other networks (Internet) in any case.

    That is to simplify.

    The way you physically are going to connect a port of your specific switch to a port of your Router/Firewall/ISP Gateway is another matter and, clearly, it needs to be fixed before (or concurrently with) worrying about the logical connectivity (IP addressing, etc.).

  • 3.  RE: 1930 SFP WAN and static IP

    Posted Jan 25, 2023 04:50 PM
    Hello, and thank you for the detailed answer.

    We do not have ISP-provided devices, just the cables, and we have our own router with access points for our LAN, so our main issue is connecting to their network, I would have thought in the way you mentioned as the second case, where the NATting device being the gateway to all other networks would be the address they gave me as the gateway: would that make sense?
    Would that mean, essentially, performing "manual NATting" by creating manual routes from our internal network into theirs?

    Thank you so much

  • 4.  RE: 1930 SFP WAN and static IP

    Posted Jan 25, 2023 05:13 PM

    Let us suppose the ISP gave you a Private IP Address that you should use as the Next Hop Gateway (NHG) for your internal private networks in order for them to reach "the outer world" (the Internet or any other accessible non directly connected network the ISP is capable of accessing): with that scenario you just need to connect the ISP cable (either Ethernet Copper or Fiber Optic) to your Switch and configure a Host by setting the Default Gateway IP address = Private IP address of the NHG...this means that the ISP is ruling your internal private IP addressing (if your Switch acts just as a Layer 2 device). So the ISP should also give you the Private Subnet and its Subnet Mask (example: Subnet Subnet Mask and Gateway BUT I doubt your ISP is giving you just "the cable" (and a Private IP address on it) without having, on its remote end, a NATting device (Router/Firewall) which is the real gateway.

    If you already have a Router why not eventually use it?

    P.S. Are you Italian?

  • 5.  RE: 1930 SFP WAN and static IP

    Posted Jan 26, 2023 08:15 AM

    All that you wrote is correct (including the post scriptum :P ): it turned out we do have a (very basic) router by the ISP that is indeed acting as the gateway, and I had misunderstood the configuration they gave me and thought it was really on the other side of the cable.
    I did get the switch online by putting our router in between them, and the router's DHCP server is working fine enough for our current needs.
    Thank you for the patience and the clarity!

    I do have an additional, more appropriate question: we will need to be sharing our connection with the neighbouring office, and of course I'd like the networks to be isolated. Is this something that the switch can handle?

    Thanks :)

  • 6.  RE: 1930 SFP WAN and static IP

    Posted Jan 26, 2023 10:17 AM

    "we will need to be sharing our connection with the neighbouring office, and of course I'd like the networks to be isolated. Is this something that the switch can handle?"

    To answer your question we should first agree about this initial assumption: your Router is acting as the Gateway for your current hosts located on a particular network segment defined by your Aruba 1930 Switch (another assumption I made is this one: you have just one network segment propagated to your Aruba 1930 Switch from the Router and the Switch is acting as a simple Layer 2 device, the Layer 3 features are provided specifically by your Router which provides, as you report, DHCP functionality).

    Given that, both the segmentation (with another non overlapping network segment) and the desired segregation (between network segments) can be fulfilled only by the device which is performing the routing (for sure it has Routing and ACL capabilities and, moreover, you can eventually provide physical segmentation).

    I will try to explain it better: supposing you have a decent Router then it could generate two virtual interfaces on the same physical LAN (Ethernet) interface...say Network Segment "A" - your current office - (say VLAN 100) with VLAN Interface IP Address set to and a /24 Net (that IP will be the Gateway IP address used by hosts that will be placed on that specific /24 Network Segment on VLAN 100 on the Switch) and a Network Segment "B" - your neighbour office - (say VLAN 200) with VLAN Interface IP Address set to and a /24 Net (that IP will be the Gateway IP address used by hosts that will be placed on that specific /24 Network Segment on VLAN 200 on the Switch)...the Switch will uplink to the Router's LAN interface by tagging both VLAN 100 and VLAN 200...but some of its ports will be VLAN 100 untagged (for connecting Hosts on your office) and some others will be VLAN 200 untagged (for connecting Hosts from your neighbour office). This is a way...the Switch (operating at Layer 2 level) just splits its access ports to serve VLAN 100 and to serve VLAN 200 (they are two different segments), the uplink port will have tagged these two VLAN IDs up to the Router's LAN interface and the Router, as written, will do the Routing/NAT magic to outside networks - the Internet - for both VLAN 100's users and VLAN 200's users concurrently keeping them isolated (if it isn't configured to route VLAN 100 into VLAN 200 and vice-versa).

    The above is a way of doing things (you probably have VLAN 1 on the Switch and no VLAN interfaces associated with the Router's LAN interface other than the one serving your VLAN 1 users...but here I'm just speculating).

    Another way could be: use a second LAN interface (if available) on the Router - but you need to set a VLAN ID with an IP interface as above, say a VLAN 2 - and do another downlink from this LAN2 interface to the Aruba 1930 where a new port will be dedicated as a second uplink to the router and it will be tagged on VLAN 2 keeping some other free ports untagged on VLAN 2 for Hosts connectivity, exactly as above.

    In both scenarios the Router has the duty of not routing VLAN 100 and VLAN 200 (or VLAN 1 and VLAN 2) keeping them separated but letting them separately reach the Internet by means of the single connection you already have.

    Unfortunately you haven't a setup where ACL can be deployed at Switch level...at least given the scenario you explained to us...and that is because a similar approach will require first (a) that the Switch acts as the Router for your networks (A and B) and (b) that the Switch is Layer 3 capable with ACL support, while the latter is fulfilled (your Aruba 1930 is capable, see example here)...the former condition looks not deployed in your scenario (because your Router does all the routing)...then to follow this path you will also need to set up a Transit VLAN (a VLAN with just two IP addresses dedicated to let Switch and Router to speak to each other) with another free ID (say 300), this just to set up the communication between your Routing Switch and the existing Router (and the latter needs to be reconfigured accordingly with respect to any running configuration it has now).

    Forgot to write that for specific questions about Aruba 1930 (Instant-On) configuration better for you to post here (I write this because I'm not an expert about Aruba 1930 even if the "network basics" are pretty much the same everywhere, no matter the switch).
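
Added example, not part of the thread and not Aruba or router configuration: a small Python audit of the VLAN 100 / VLAN 200 design from the last reply, showing why the router's forward policy, not the switch, decides whether the two offices are isolated. The subnets, port numbers and rule format are constructed assumptions (the thread's IP values are missing from the page), and return traffic is assumed to be handled by stateful NAT, which is not modeled.

```python
import ipaddress

# Constructed addressing: the thread's actual IP values are not on the page.
SEGMENTS = {100: ipaddress.ip_network("10.0.100.0/24"),   # office A
            200: ipaddress.ip_network("10.0.200.0/24")}   # neighbouring office B

# Hypothetical switch port plan: access ports untagged in one VLAN, uplink tagged in both.
PORTS = {1: {"untagged": 100}, 2: {"untagged": 100},
         3: {"untagged": 200}, 4: {"untagged": 200},
         8: {"tagged": {100, 200}}}                       # uplink to the router
UPLINK = 8

def egress_interface(dst):
    """Router lookup: a connected VLAN subnet, otherwise the default route (WAN)."""
    addr = ipaddress.ip_address(dst)
    for vid, net in SEGMENTS.items():
        if addr in net:
            return f"vlan{vid}"
    return "wan"

def forwards(rules, default, in_if, dst):
    """First-match forward policy over (in_if, out_if) pairs; '*' is a wildcard."""
    out_if = egress_interface(dst)
    for rule_in, rule_out, action in rules:
        if rule_in in ("*", in_if) and rule_out in ("*", out_if):
            return action == "accept"
    return default == "accept"

def audit(rules, default):
    """Return a list of findings; an empty list means the plan isolates the offices."""
    findings = []
    nets = list(SEGMENTS.items())
    for i, (va, na) in enumerate(nets):
        for vb, nb in nets[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"VLAN {va} and VLAN {vb} subnets overlap")
    used = {p["untagged"] for p in PORTS.values() if "untagged" in p}
    missing = used - PORTS[UPLINK]["tagged"]
    if missing:
        findings.append(f"uplink does not tag VLANs {sorted(missing)}")
    for src in SEGMENTS:
        for dst, net in SEGMENTS.items():
            if src != dst and forwards(rules, default, f"vlan{src}", str(net[10])):
                findings.append(f"VLAN {src} can reach VLAN {dst}")
        if not forwards(rules, default, f"vlan{src}", "203.0.113.7"):
            findings.append(f"VLAN {src} cannot reach the Internet")
    return findings

PLAIN_ROUTING = ([], "accept")                       # router forwards between all interfaces
ISOLATED = ([("vlan100", "wan", "accept"),
             ("vlan200", "wan", "accept")], "drop")  # only LAN-to-WAN is allowed
```

`audit(*PLAIN_ROUTING)` reports that each VLAN can reach the other, because both subnets are directly connected routes on the router; `audit(*ISOLATED)` returns no findings.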