Hi parnassus
sorry to be so confusing, I am a newbie at this, in the past we just bunged a switch in and away we went, owing to my attempt at setting up the network correctly I am learning that we have a lot more to do than I thought, where I thought that routing was the answer I have since found that I needed to sort out a lot more, the network currently has no management whatsoever, I soon realised that I would need to set up several VLANs and then replicate them to each switch installed in various locations within the building, I recently re-cabled all as a chain with the final multimode cable set as the leg in the loop (as was instructed by Aruba) which inevitably caused a loop as they failed to tell me about VSF.
anyhow here we are now, ready to setup a group of 2950F's and the one 3810M which I think would be set as Commander and the next switch to be the standby, all of the switches have the latest f/w, so according to the post by Matthew_Fern and yourself, I believe that the next step would be
using telnet and starting with the commander run this command;
switch(config)# vsf enable domain <1>
This will save the current configuration and reboot the switch.
Continue (y/n)? y
then to assign the ports. Question: I was going to simply use ports 51 as "IN" and 52 as "OUT" on each switch, if that makes sense, so I am not sure if the next would be right;
vsf member 1 link 1 1/51,1/52
vsf member 2 link 1 1/51,1/52
vsf member 3 link 1 1/51,1/52
vsf member 4 link 1 1/51,1/52
vsf member 5 link 1 1/51,1/52
which I think would only be using two SFP+ ports
would this be correct?
regards Adrian
------------------------------
adrian dunbar
------------------------------
Original Message:
Sent: Mar 15, 2021 02:03 PM
From: Davide Poletto
Subject: setting up vlan on2930F
Hello Adrian, I'm not totally sure to have exactly understood your actual and/or desired network topology: by writing your last post I only understood that you're trying to work with 4 Aruba 2930F (and you want to deploy them as a four members VSF stack) and a standalone Aruba 3810M, this latter one is going to be connected to this VSF. No idea about what are your routing plans over this network topology. Am I correct with those assumptions?
------------------------------
Davide Poletto
Original Message:
Sent: Mar 15, 2021 05:17 AM
From: adrian dunbar
Subject: setting up vlan on2930F
Hi Davide
If i stick to Frontplane Stacking (VSF) using the 10G SFP+ ports will I be getting specific problems with the 3810M connections, or just cable up the same as I would the 2930F's?
regards Adrian
------------------------------
adrian dunbar
Original Message:
Sent: Mar 14, 2021 07:37 PM
From: Davide Poletto
Subject: setting up vlan on2930F
Yes, with VSF (on Aruba 2930F) Network Administrator's life is going to be easier (for the reasons you already highlighted -> there is a good VSF Best Practice here explaining both Frontplane Stacking - VSF - and the Backplane Stacking - the Hardware way - in case of Aruba 3810M). With that guide you will solve the Ring approach (no loop if you properly set and connect involved VSF Links).
For the routing part I copy and paste what I wrote you initially (with some adaptations since you changed your internal VLAN range):
Probably that device is your Router (Router that is acting as the Gateway for your internal network to let it to reach external ones, and vice-versa) you can follow two potential approaches, provided that you planned your VLANs and segmented Subnets:
(1) Let your Router to route your internal VLAN IDs (your Switch will continue to act as a simple Layer 2 device, its uplink to the Router's LAN interface shall necessarily carry all required VLAN IDs - this means that you need to tag that interface on various required VLANs - routing is going to happen at Router).
(2) Let your Switch to route your internal VLAN IDs (each VLAN ID shall have an IP Address - e.g. 172.16.0.254 - VLAN 1000, 172.16.1.254 - VLAN 1001, 172.16.2.0/24 - VLAN 1002 and so on... - that IP address will be used by your VLAN's clients): generally you will need (as a Best Practice) a Transit VLAN (it's enough a /31 or /30) dedicated to point-to-point routing between your Layer 3 Switch and your Router. Uplink between your routing Switch and your Router (the Firewall) will be tagged (or untagged) on this "special" VLAN dedicated to the point-to-point "transit of traffic". A Route of Last Resort is required on the routing Switch to route any non local (directly connected) VLAN's traffic to your Router - like destination 0.0.0.0 mask 0.0.0.0 via Transit VLAN IP Address of your Router - and various Static Routes are required too on your Router to properly route back traffic with internal nets as destinations - like 172.16.0.0 mask 255.255.255.0 via Transit VLAN IP Address of your routing Switch.
More or less this.
------------------------------
Davide Poletto
Original Message:
Sent: Mar 14, 2021 05:24 PM
From: adrian dunbar
Subject: setting up vlan on2930F
Hi and thank you for your advice,
I have now reconfigured all switches and am now using 172 address ranges on all of our new servers and domains, looking at other posts here, am I right in thinking that it may be easier to connect my 4x 2930F and my 3810M as a VSF, to make life easier setting up the VLANs and routing between them as their ports will all show as one stack and so it should simply be a case of assigning each port to its associated VLAN(s), all are connected as a 10GbE chain using SFP+ (multimode) ports 51 and 52 on each switch (52-51, 52-51) etc, there is a fibre cable to complete the loop but as I went to connect it the network crashed so I removed it, I will look into the cause of this tomorrow. A couple of things concern me,
Firstly this is our live network of switches that have simply been got working and have no structure and so I am trying to keep disruption to a minimum although we are aware that it is time to sort this while we can, mostly done remotely after hours as I have full access.
Secondly would be the routing, as currently the new servers can't as yet see the world, no mad rush as the network management is my main priority
Thirdly it was my intention to use an Aruba 7010 as an AP controller and firewall and may need help with that.
regards Adrian
------------------------------
adrian dunbar
Original Message:
Sent: Mar 04, 2021 10:57 AM
From: adrian dunbar
Subject: setting up vlan on2930F
Hi
Thanks for your help so far, I will go back and change IP addresses first and then come back hopefully better informed :)
regards Adrian
------------------------------
adrian dunbar
Original Message:
Sent: Mar 03, 2021 04:46 AM
From: Davide Poletto
Subject: setting up vlan on2930F
Hi! I totally support what Herman Robers wrote, it's exactly what I would have written (but Herman, as usual, wrote it nicely, far more nicely than me!). There are some strange things - the usage of Public IP Addressing in corporate LAN is the very first I would say - that one, legitimately, will start to think that not all the basic networking concepts/practices were already understood (or, if understood, the OP failed to explain some important facts of its design).
------------------------------
Davide Poletto
Original Message:
Sent: Mar 02, 2021 05:14 AM
From: Herman Robers
Subject: setting up vlan on2930F
Hi, you should not use 219.1.x.x IP addresses internally, these are in use on the internet and assigned to a Japanese bank. Using them internally will prevent you from going to that bank on the internet. Not sure what made you pick these IP addresses. For internal, privately used IP, pick an IP subnet from RFC1918:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
While somewhat old, this video series 'Let's build a network' may help you understanding switching, VLAN, routing. You can do your routing on the switches, on the controller, or possibly on your router, which all have pros and cons and the choice depends on the required amount of segmentation required between the different subnets. This basically is what is mentioned above by Davide. It is hard to tell 'the best route' without a proper understanding of the use case. Without understanding, I would add a firewall between your subnets if these are different organizations or customers to prevent traffic between different VLANs, and a firewall as well allows you to selectively permit traffic. Do you have an IT/Networking partner that you can discuss this with? I don't think a forum is the best place to discuss a fundamental design like this.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
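An added example, not part of the thread: a small Python check that audits an addressing plan against the three RFC 1918 blocks listed in the post above and reports overlapping subnets. The plan names, the /24 and /32 masks on the original ranges, and the transit subnet 172.16.255.0/30 are assumptions made for illustration.

```python
import ipaddress

# The three private blocks from RFC 1918, as listed in the post above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_plan(plan):
    """Return (name, problem) findings for a {name: cidr} addressing plan."""
    findings, nets = [], {}
    for name, cidr in plan.items():
        try:
            # strict=True rejects host bits set in a network, e.g. 172.16.0.254/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append((name, f"invalid network: {exc}"))
            continue
        nets[name] = net
        # ipaddress' is_private also covers non-RFC 1918 ranges such as
        # 198.18.0.0/15, so compare against the three blocks explicitly.
        if not any(net.version == b.version and net.subnet_of(b) for b in RFC1918):
            findings.append((name, f"{net} is not inside RFC 1918 space"))
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append((a, f"{nets[a]} overlaps {b} ({nets[b]})"))
    return findings

# Constructed from the addresses mentioned in the thread (masks assumed).
ORIGINAL_PLAN = {
    "company1": "219.1.0.0/24", "company2": "219.1.1.0/24",
    "company3": "219.1.2.0/24", "company4": "219.1.3.0/24",
    "router": "173.189.4.7/32",
}
# Revised plan using the 172.16.x.x VLANs; the transit subnet is hypothetical.
REVISED_PLAN = {
    "vlan1000": "172.16.0.0/24", "vlan1001": "172.16.1.0/24",
    "vlan1002": "172.16.2.0/24", "transit": "172.16.255.0/30",
}

if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("revised", REVISED_PLAN)):
        problems = audit_plan(plan)
        print(label, "OK" if not problems else problems)
```
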
Original Message:
Sent: Mar 01, 2021 02:41 PM
From: adrian dunbar
Subject: setting up vlan on2930F
Good evening Davide
Thanks for your response
Firstly I am using the 219 addresses as local internal networks and not for public access so I guess any others will do, the intention is to run companies 1-4 on their own separate 219 ranges for separation but to use 219.1.0.0 range for management and shared resources, printers, backup devices etc, having spoken to Draytek who are the router manufacturer, they thought using the internal switch to create 4 VLANs that each have the router IP as gateway should be the simplest way to solve the problem, I am also intending to set an Aruba 7010 as a WiFi controller and firewall, we have several 2930F switches that carry our network throughout the building that will need to setup either spanning on or simply set the ports to VLANs, whichever is the more secure, physical access is not so much of a security problem as most are locked away.
For now though it's more an issue of is this the best route to take and then correctly setting up the VLANs themselves
Regards Adrian
Original Message:
Sent: 3/1/2021 1:06:00 PM
From: parnassus
Subject: RE: setting up vlan on2930F
Hello Adrian, first of all consider that 219.1.0.0/16 (seen as the /16 network owning - as example - 256 /24 subnets: 219.1.0.0/24, 219.1.1.0/24, 219.1.2.0/24, ... up to 219.1.255.0/24) represents a public IP range. Are you really the owner of the 219.1.0.0/16 network?
About your question about the routing...what is the device that is currently performing IP routing between your "internal" network(s) and any other "external" networks (Internet, to simplify)?
Probably that device is your Router (Router that is acting as the Gateway for your internal network to let it to reach external ones, and vice-versa)...you can follow two possible approaches:
(1) Let your Router to route your internal VLAN IDs (your Switch will continue to act as a simple Layer 2 device, its uplink to the Router's LAN interface shall necessarily carry all required VLAN IDs...routing is going to happen at Router).
(2) Let your Switch to route your internal VLAN IDs (each VLAN ID shall have an IP Address - e.g. 219.1.0.254, 219.1.1.254, and so on... - that IP address will be used by your VLAN's clients): generally you will need (as a Best Practice) a Transit VLAN (it's enough a /31 or /30) dedicated to point-to-point routing between your Layer 3 Switch and your Router. Uplink between Switch and Router will be tagged (or untagged) on this Transit VLAN. A Route of Last Resort is required on the Switch to route any non local (direct) traffic to the Router and various Static Routes are required too on the Router to properly route back traffic with internal nets as destinations.
More or less this.
Original Message:
Sent: 2/27/2021 5:28:00 AM
From: ad51
Subject: setting up vlan on2930F
Hi
I am about to split my network to give better security across companies,
each has a separate network IP range 219.1.0.0, 219.1.1.0, 219.1.2.0, 219.1.3.0, etc.
my router is also my phone system (Draytek) on a 173.189.4.7 address
my Question is;
if I set up VLANs for each of the address ranges, how do I then route from the 2930F to the router, I can't change the router address as it still supports the old servers and existing network until such time as I am ready to switch to the new server installation, I will also at some point install an Aruba 720 as wireless controller, between the 2930F and the router
thanks in advance
------------------------------
adrian dunbar
------------------------------