All Alone

I found myself all alone on Friday night, which was actually good, because it gave me a chance to turn my new network design into reality. So after scarfing down a takeaway curry and grabbing a few beers it was time to begin! Exciting...

In my previous post about the re-design and what I wanted to achieve I incorporated a technicolour Visio diagram. I knew in reality something would need to change and that I'd be modifying the drawing again, so here it is.

New Network Diagram v2 - Jan 2016

It didn't have to change too much. I added an extra VLAN for lab VMs, I renumbered the Media network from VLAN 100 to VLAN 99 and added a separate subnet for guest WiFi. The Media VLAN change was really down to my borderline OCD. I like having the third octet in IP ranges correspond to the VLAN ID, e.g. 192.168.10.0 is VLAN10, 192.168.20.0 is VLAN20 and so on.

One of the first things I had to do was put my Virgin Media Super Hub into modem-mode and this automatically changes the management IP on the device to 192.168.100.1, which in my mind would have been on VLAN 100, except it's not, and that makes my teeth itch.

So, easier I thought to just change the VLAN ID being used by the media network. In actuality I've also created VLANs 70, 80 and 90 which aren't shown in the diagram, but they are just spares in case I decide I need them for some reason.

The guest WiFi I will cover in more detail in a future post. There's already a lot of stuff about how to set this up out there on the web, but I was nonetheless impressed with it, and so will share my own experiences.

SETUP FROM SCRATCH

I'd already messed about with the network a bit while I tried to decide what I wanted, so it was time to wipe the slate clean and start over. This also enabled me to capture the steps I went through for inclusion in this article. A word of warning: This is quite specifically centred around the kit I have. So, while this may be really useful for people who own a DD-WRT router and a HP 1920g switch, it may not be so useful for others. Having said that, the principles should largely stay the same.

First thing to do was to re-initialise the switch. To make this easy, it requires that you have a serial console cable. As most PCs/laptops these days do not have a serial port you're relying on a USB-to-DB9 adapter and the inherently flaky drivers they come with.

When you attach one of these devices and install the drivers, it should create a new COM port, which you'll be able to find under Windows Device Manager.

Image

Mine showed up as COM5. Don't know why; the number seems to be random and changes every time you plug it in, but it works so who cares? Next thing to do is fire up PuTTY and configure it thusly:

Image

The default settings for the serial port are printed on the front of the HP 1920 switch range: 38400 baud, 8 data bits, 1 stop bit, no parity. PuTTY's default serial settings work, except the speed will need to be changed from the 9600 default to 38400. Once that's set up, click Open and hit Enter a couple of times in the PuTTY window to bring the connection to life.

Image

Typing ? provides you with a list of available commands. Initialize is the one we want, so type that in and then Y and Enter. The switch will begin a re-initialisation sequence, essentially putting it back to factory defaults (hence the need for the serial cable, since the management IP goes with everything else).

Image

Time for a coffee...

Image

Some time later the switch will have re-initialised and be ready...

Image

Hit Enter and login. Obviously we'll be back to default credentials, which are admin and a blank password. First thing to do is set an IP address on the switch's management interface using the command:

ipsetup ip-address x.x.x.x nm

Where x.x.x.x is the IP you want and nm is the netmask in CIDR format, e.g. 24, 16 etc. You can also put it in old skool, like 255.255.255.0. This address lands on the switch's VLAN 1 interface, which is worth remembering later when counting layer 3 interfaces.

Image

You're going to want to access the switch Web GUI now, so you'll need to make sure you've got a PC/laptop connected to the switch that's configured with a static IP on the same subnet that was set for the management interface. Type the URL http://switch-ip into a browser.

Image

Login as admin, leaving a blank password and putting in the annoying Verification Code. The first thing we need to do in the Web GUI is create a static default route for Internet traffic that points to our Internet router, in my case the Netgear R7000. Go to Network > IPv4 Routing.

Image

Input the destination IP and mask as 0.0.0.0 and the next hop as the IP of the Internet router, which in my case will be 192.168.0.1. Once that's done and saved, the Summary screen which effectively shows the routing table should look like this:

Image

There is more to do on the HP switch, but now we need to work on the Internet router, which from this point on I'll just refer to as the gateway.

A word on the gateway; I purchased a Netgear AC1900 Nighthawk (R7000) to replace the routing and WiFi functionality of the Super Hub and give me some more flexibility. While the stock firmware is fine, I'm quite comfortable with DD-WRT having used it on previous devices, and the amount of extra features it gives you access to is impressive, so no sooner had I unboxed the R7000 than it was time to flash the firmware to the latest DD-WRT "Kong Mod" release which came out a couple of weeks ago. For more information, check out this link: http://www.myopenrouter.com/download/dd-wrt-kong-mod-netgear-r7000-k3-jan-2015

I won't cover upgrading to DD-WRT because, frankly it's been done a million times, suffice to say it's pretty easy, especially if you're doing it straight out of the box. One word of warning though; I would make sure you download both the DD-WRT firmware and the latest official Netgear firmware before you start. Assuming the device is required for you to get access to the Internet, if something goes wrong, you are going to have a hard time downloading the official firmware after your Internet connection has gone.

After flashing the R7000 the IP defaults back to 192.168.1.1, so set your PC/laptop to an IP on that range and then point a browser at it. The first thing you'll get post firmware update is this...

Image

Set a nice secure password and I also suggest changing the username to something less obvious than ‘admin' or ‘root'. Once you've done that, don't forget to keep a record of the login details in a secure password store like KeePass and then click Change Password. Once that's done you'll get the welcome, or ‘Info' screen.

Image

Yes, that's right. I don't want some 1337 h4X0rZ getting hold of my precious MAC addresses or WAN IP. Click on Setup and you'll be prompted to login using the new credentials you just set. On the initial setup page we need to configure all the basic stuff, most of which is pretty self-explanatory. For WAN Connection Type, if you're on cable, like Virgin Media, then use DHCP. For DSL it'll probably be PPPoE. I won't cover the rest of the settings as these are all really well documented on the DD-WRT wiki.

Image

Click Save and Apply Settings. The IP of the gateway will change, so if your PC/laptop is on a different subnet to the IP you've just set, you'll lose connection. Not to worry for now, as we have more configuration to do on the HP 1920g.

VLAN CREATION

After logging into the HP switch go to Network > VLAN > Create and input the VLAN IDs you want to create, which in my case is 10,20,30,40,50,60,70,80,90,99 and then click Create.

Image

You should end up with something like the screenshot above. I've created VLANs to segregate based on traffic and device type. VLAN 10, the Management VLAN, is where my main PC, laptop, ESXi management interface and everything else that's kind of important will live. VLAN 20 will be used for NFS and/or iSCSI storage, primarily for vSphere. VLAN 30 is for vMotion traffic between ESXi hosts. VLANs 40, 50 and 60 are reserved for lab virtual machines. VLANs 70, 80 and 90 will also probably get used for future lab virtual machines, but for now are just spares. Finally VLAN 99 is for multi-media traffic, which will essentially be streaming between my Plex server and network connected TVs.

Storage and vMotion traffic is self-contained and so doesn't need to be routed (no layer 3 interface means nothing on another VLAN can reach it through the switch, which is exactly what you want for storage), but everything else pretty much does. So I will need to create layer 3 VLAN interfaces on VLANs 10, 40, 50, 60 and 99. I won't bother with 70, 80 and 90 just yet. The HP 1920g switches are only capable of having a maximum of 8 layer 3 VLAN interfaces, and the VLAN 1 interface created by ipsetup already uses one of them, so I need to use them wisely.

To create the interfaces go to Network > VLAN Interface and input the information for each like so...

Image

All of my interfaces will be on 192.168.<vlan-id>.254 and I'm not bothering with IPv6 so the "Configure IPv6 Link Local Address" check box can be deselected. Once all of the interfaces are complete the Summary screen should show something like this:

Image

The HP switch configuration has to be periodically saved by clicking on the Save link at the top right of the Web GUI. Get into the habit of doing this regularly, otherwise you stand to lose all of your config.

VLAN PORT ASSIGNMENT AND PORT DESCRIPTIONS

Now we need to assign VLANs to the various switch ports. To do that we need to know what is hanging off each port. If you didn't make careful note of what you plugged into each port this can be a painstaking process of hunting down MAC addresses and matching them up to devices. Depending on how many devices you have this could be a horrible task. Luckily for me, I'd made a note of what went into each port, and so to make my life easier down the line I'm going to apply port descriptions to each port. This in itself is a pretty mind-numbing task, but it only needs doing once and will be worth it in the long run.

To do this, go to Device > Port Management > Setup. You'll need to select each port in turn, enter something meaningful in the ‘Description' field and click Apply.

Image

Once you're done, your Port Management Summary by Description will show you a lovely list of all the devices connected to each physical port:

GE1/0/1        Netgear R7000
GE1/0/2        Main PC
GE1/0/3        Raspberry Pi
GE1/0/4        Work Laptop
GE1/0/5        Samsung 40UHD TV
GE1/0/6-12     (unused, default description)
GE1/0/13-16    Second Bedroom 1-4
GE1/0/17-20    Master Bedroom 1-4
GE1/0/21-24    Living Room 1-4
GE1/0/25-29    ESXi 03 vmnic0-vmnic4
GE1/0/30-34    ESXi 02 vmnic0-vmnic4
GE1/0/35-39    ESXi 01 vmnic0-vmnic4
GE1/0/40-47    (unused, default description)
GE1/0/48       Test Port
GE1/0/49-52    (unused, default description)

Once that's done we can get on with assigning VLANs to ports. Go to Network > VLAN > Modify Port. The PC from which I'm accessing the switch is connected via port GE1/0/2 so I will deal with that one last. The Raspberry Pi and Laptop on ports 3 and 4 need to be on the management VLAN (10), but as they are VLAN unaware (in their current configuration) these will need to be untagged.

Image

Ports 5 and 13 to 24 are all multi-media devices around the house: TVs, streaming boxes, TiVos etc. So these all need to go onto VLAN 99, again untagged because these devices are not VLAN aware.

Image

The ESXi hosts, which live on ports 25 to 39, are VLAN aware and will trunk all available VLANs up into ESXi to be sorted out by a virtual switch further down the line, so those ports will be set to tagged for all VLANs and their link type set to trunk. One caveat worth knowing: on these switches a trunk port keeps VLAN 1 as its untagged PVID by default, so anything still sitting on VLAN 1 (unused ports at their defaults, for instance) remains reachable over the trunk unless you take VLAN 1 off it.
First set the link type to trunk...
Image

Then set each port to be tagged for VLAN traffic for VLANs 10,20,30,40,50,60,70,80,90 and 99...

Image

Again, don't forget to SAVE the switch config. The last port to change is the one my PC is connected to, but before I do that I'm going to create some static routes on the Netgear R7000 so that traffic from the gateway's 192.168.0.0/24 network can be routed back to the VLAN subnets behind the switch.

On the Netgear R7000 go to Setup > Advanced Routing and fill in the details like this:

Image

This is basically telling the gateway how to get traffic over to the 192.168.10.0/24 network. The gateway IP has to be set to a Layer 3 Interface on the switch which is on the same network as the R7000, so this will be 192.168.0.254 as the R7000's IP is 192.168.0.1. Save and Apply Settings.

Now to modify the switch port  VLAN assignment on the HP 1920g. The port to which my PC is connected needs to be put on VLAN 10 untagged, because once again, my PC is VLAN unaware in its current configuration.

Image

The progress box will just sit there not completing. Give it a minute, then change the PC's IP address to one on the 192.168.10.0/24 subnet and reload your browser. You should still be able to access the switch via its 192.168.0.254 management interface so long as you set your default gateway to 192.168.10.254, since the switch itself routes between its VLAN interfaces.

Any other networks which need to be able to access the Internet via the gateway R7000 on 192.168.0.1 will also require static routes setting up in DD-WRT. The only other VLAN I have which needs direct Internet access is VLAN 99. For example, I want TVs to be able to run Netflix or Amazon Instant Video apps directly and most of these devices aren't sophisticated enough to allow you to configure a proxy server.

Image

NAT MODIFICATIONS

At this point, although we can still ping the gateway at 192.168.0.1 from the PC on VLAN 10 (192.168.10.x), we can't get to the Internet. This is because, by default, DD-WRT's masquerade rule only NATs traffic sourced from its own LAN subnet and not from other subnets routed through it. It took me ages to find out how to fix this, but thanks to this article I was able to get it working.

In the DD-WRT Web GUI, go to Administration > Commands and run the following:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

Click the Save Firewall button. You should now find that you can ping Internet IPs from devices on VLANs/IP ranges other than the one the gateway itself is on. Try pinging 8.8.8.8 (Google's public DNS server). Bear in mind that, as written, this rule source-NATs everything leaving the WAN interface regardless of which subnet it came from, so any network that can route through the gateway gets Internet access; if you want to keep a VLAN off the Internet, that has to be done in the firewall rules, not by leaving out its static route.
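As an added example (not from the original post, and not HP's or DD-WRT's own tooling), the POSIX shell script below turns the "third octet = VLAN ID" convention and the two gateway-side steps above (static routes in Setup > Advanced Routing, the NAT rule in Administration > Commands) into checked, repeatable commands. It assumes what the post describes but never writes down as code: the gateway's LAN IP is 192.168.0.1, the switch's VLAN 1 interface on that subnet is 192.168.0.254 and counts as one of the 1920's eight layer 3 interfaces, every routed VLAN gets a switch interface at 192.168.<vlan>.254/24, and the DD-WRT build has busybox route and iptables. The function and variable names are mine. It also tightens the NAT rule with -s so only the routed subnets are source-NATed, rather than everything leaving the WAN.

```shell
#!/bin/sh
# Added example, not code from the original post. It turns the post's
# "third octet = VLAN ID" convention into a checked addressing plan and emits
# the DD-WRT commands that the Web GUI steps set by hand.
# Assumptions (labelled here and in the lead-in): gateway LAN IP 192.168.0.1,
# switch VLAN 1 interface 192.168.0.254 on that subnet, routed VLANs at
# 192.168.<vlan>.254/24, VLAN 1 already using one of the HP 1920's 8
# layer-3 interface slots, busybox route and iptables present on DD-WRT.

SWITCH_GW_SIDE="192.168.0.254"   # the switch's interface on the gateway's subnet
MAX_L3_IFACES=8                  # HP 1920 limit on layer-3 VLAN interfaces

# vlan_network <vlan-id>: prints 192.168.<vlan>.0, or fails if the ID cannot
# double as a third octet (1..254). 100 would be valid, but the Super Hub in
# modem mode squats on 192.168.100.1, which is why the post moved media to 99.
vlan_network() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 254 ] || return 1
    echo "192.168.$1.0"
}

# vlan_interface <vlan-id>: the switch's layer-3 address on that VLAN.
vlan_interface() {
    vlan_network "$1" >/dev/null || return 1
    echo "192.168.$1.254"
}

# check_l3_budget <vlan-id>...: fail if the routed VLANs plus VLAN 1 would
# need more layer-3 interfaces than the switch can provide.
check_l3_budget() {
    count=1
    for v in "$@"; do
        vlan_network "$v" >/dev/null || return 1
        count=$((count + 1))
    done
    [ "$count" -le "$MAX_L3_IFACES" ]
}

# ddwrt_routes <vlan-id>...: one static route per routed VLAN, next hop the
# switch's interface on the gateway's subnet (what Setup > Advanced Routing does).
ddwrt_routes() {
    for v in "$@"; do
        echo "route add -net $(vlan_network "$v") netmask 255.255.255.0 gw $SWITCH_GW_SIDE"
    done
}

# ddwrt_snat <vlan-id>...: the NAT fix from the post, tightened with -s so only
# the routed subnets are source-NATed instead of everything leaving the WAN.
ddwrt_snat() {
    for v in "$@"; do
        echo "iptables -t nat -I POSTROUTING -s $(vlan_network "$v")/24 -o \`get_wanface\` -j SNAT --to \`nvram get wan_ipaddr\`"
    done
}

# ddwrt_plan <vlan-id>...: validate the plan, then print the commands.
# Routes belong in Save Startup, the iptables lines in Save Firewall.
ddwrt_plan() {
    check_l3_budget "$@" || { echo "bad VLAN ID or too many routed VLANs" >&2; return 1; }
    ddwrt_routes "$@"
    ddwrt_snat "$@"
}

# The post routes VLAN 10 (management) and VLAN 99 (media) to the Internet.
ddwrt_plan 10 99
```

Run it with the VLAN IDs you actually route and paste the output into Administration > Commands on the gateway (route lines saved as Startup, iptables lines as Firewall). The budget check is the bit that bites: five routed VLANs plus VLAN 1 fits the 1920's eight slots, but routing all nine lab and spare VLANs as well would not, which is the reason 70, 80 and 90 stay without interfaces in the post.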

CONCLUSION

That's the basic network configuration done. The next articles will cover the issues I had setting up DHCP, and how to configure a restricted wireless guest network and apply QoS policies to limit bandwidth usage for the various VLANs.