Help Configuring Cisco switch

[sam988]

I have a Cisco 2960S POE 24 port switch. The idea is to use it for home security cameras with POE.

It is my first time using Cisco CLI so need a bit of help.

The current wire path is:

Internet Service Provider => Asus Router (192.168.29.1) => 2960S ==> 2pcs , one desktop and one dedicated BI + cameras


I plugged the console cable in and used SSH over the serial port to connect and was able to login to the switch (i was told not to use vlan 1, so used vlan2 instead??)


I followed these commands:

Switch>enable Switch#configure terminal Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname CiscoSwitch
CiscoSwitch(config)#ip default-gateway 192.168.29.1
CiscoSwitch(config)#interface vlan 2
CiscoSwitch(config-if)#ip address 192.168.1.200 255.255.255.0
CiscoSwitch(config-if)#no shutdown
CiscoSwitch(config-if)#end
CiscoSwitch# *Mar  1 00:03:44.261: %SYS-5-CONFIG_I: Configured from console by console
CiscoSwitch#copy running-config startup-config Destination filename [startup-config]?
Building configuration... [OK] 0 bytes copied in 1.141 secs (0 bytes/sec)

Next I added username/password and gave level 15 privilege

CiscoSwitch(config)#username sam988 secret **
CiscoSwitch(config)#username sam988 privilege 15
CiscoSwitch(config)#end 
CiscoSwitch#copy running-config startup-config

And then I setup SSH

CiscoSwitch>enable
CiscoSwitch#configure terminal Enter configuration commands, one per line.  End with CNTL/Z.
CiscoSwitch(config)#ip domain-name myhome.local
CiscoSwitch(config)#crypto key generate rsa The name for the keys will be: CiscoSwitch.myhome.local
Choose the size of the key modulus in the range of 360 to 2048 for your  General Purpose Keys. Choosing a key modulus greater than 512 may take  a few minutes. How many bits in the modulus [512]: 2048 % Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
CiscoSwitch(config)#ip ssh version 2
CiscoSwitch(config)#line vty 0 15
CiscoSwitch(config-line)#transport input ssh
CiscoSwitch(config-line)#login local
CiscoSwitch(config-line)#end
CiscoSwitch#copy running-config startup-config
Destination filename [startup-config]? Building configuration... [OK]
0 bytes copied in 1.158 secs (0 bytes/sec)

Now for some reason I am unable to connect to the ssh server from any PC on the switch. I am wondering if it has something to do with vlan 1, vlan 2 etc?

My plan eventually (is this the correct ideas?) will be to have a vlan with the security cameras and the BI pc (which will be recording the camera output) and a second vlan for other computers on the network/internet
I do want to be able to access the BI from the other PC as well as remotely from smart phones and be able to get alerts


I tried creating some other vlans (1, 2, 4)... I tried to give vlan 1 and ip of 10.0.0.2 - still no luck on ssh or pinging

Here is my version output:

Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
Technical Support: Support - Cisco Support - Software Downloads, Product Documentation, Tools, and Cases
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 09-Apr-14 03:09 by prod_rel_team

ROM: Bootstrap program is C2960S board boot loader
BOOTLDR: C2960S Boot Loader (C2960S-HBOOT-M) Version 12.2(55r)SE, RELEASE SOFTWARE (fc1)

CiscoSwitch uptime is 19 hours, 1 minute
System returned to ROM by power-on
System restarted at 01:27:24 UTC Wed Mar 30 2011
System image file is "flash:/c2960s-universalk9-mz.150-2.SE6.bin"

And running-config:

CiscoSwitch#show running-config
Building configuration...

Current configuration : 2024 bytes
!
! Last configuration change at 19:56:41 UTC Wed Mar 30 2011
! NVRAM config last updated at 19:57:07 UTC Wed Mar 30 2011
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoSwitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$KxKO$nRqHc7xEI9h8Mb2AjOCYs/
!
username sam988 privilege 15 secret 5 ****
no aaa new-model
switch 1 provision ws-c2960s-24ps-l
!
!
ip domain-name myhome.local
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 10.0.0.2 255.255.255.0
!
interface Vlan2
ip address 192.168.1.200 255.255.255.0
!
ip default-gateway 192.168.29.1
ip http server
ip http secure-server
!
!
!
!
line con 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
end

***

I'm not sure why I picked 10.0.0.2 for vlan1 and 192.168.1.200 for vlan2.


So in summary trying to get SSH to work (currently can't even ping the switch) and would need some help setting up my planned VLAN

Thanks for your help!

 

[sam988]

In case anyone was in the same boat, it seems the key to get it working is to add the ports you want to the vlan and set a static ip address for the computers on the vlan you want to access the switch

! create VLAN 2 in vlan database
#configure terminal
vlan 2
name VLAN_2
end
 
! ensure VLAN 2 is created
#show vlan
 
 
! assign  GE ports as access ports to VLAN2
#configure terminal
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 2
no shut
!
Interface VLAN2
no shut
end
 
! connect a PC to one of these 2 ports and double check if interface VLAN2 is up/up
#Show interface vlan2
! Line protocol status should be UP
 
2 PC hosts should be connected to GE 1/0/1 and 1/0/2 with manually assigned IPs from subnet 192.168.1.0 255.255.255.0 (excluding already used .200) and manually assigned default-gateway 192.168.1.200. Then a PCs should be able to ping 192.168.1.200 and each other and establish ssh session to 192.168.1.200.

Again the key was to manually assign the IPs for the computers


Now the question is...

Planned design

BI PC + Cams on one VLAN
Rest of home network on another VLAN

How to get BI PC to be viewable from other PCS + mobile devices without exposing the cameras to the internet?

 

[Hammerhead786]

Since you're setting up vlans anyway, put the BI machine on it's own vlan and set up an access list on the cameras vlan to drop all traffic not destined for the BI machine. You will need to set up some static routes on your router to enable communications between the various vlans since you are using a layer 2 switch. As you've already figured out, the appropriate switch ports need to be assigned to the appropriate vlans. Since you're using an Asus router, setup OpenVPN server on it and when not at home, you can connect your mobile devices to the vpn and access the cameras. Do NOT use port forwarding.

 

[reflection]

Are you looking to do a dual NIC BI design with one switch. If so, you have the right parts. Your switch config might look like this. And yes, as a "best practice", don't use VLAN 1.

VLAN 2 is for your cameras. VLAN 10 is for your home network. Ports 1-12 are for home network. Ports 13-24 are for your cameras. Plug your router in to port 1/0/1. Plug one NIC from BI (home network side) to port 12 and the other NIC (camera side) to port 13. This will put BI in two different VLANs. Think of ports 1-12 as being one switch and ports 13-24 as another switch. Your home network will be on 192.168.29.X. Your cameras on 192.168.1.X. You will have to set static IPs for your cameras. You can still use DHCP from your router on subnet 192.168.29.X. You don't really need interface VLAN2 if you don't want to. You will just point your cameras to the BI interface on VLAN2 (which should be a static IP).

If you only have one NIC on your BI machine, you can set your BI NIC up as a trunk with two IP addresses (one on VLAN 10 and one on VLAN 2). You will then configure your switches interface that connects to BI with "switchport mode trunk".

Do a search on some of my other posts if you want to add ACLs.

interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/3
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/4
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/5
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/6
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/7
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/8
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/9
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/10
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/11
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/12
switchport mode access
switchport access vlan 10
no shut
!
interface GigabitEthernet1/0/13
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/14
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/15
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/16
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/17
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/18
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/19
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/20
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/21
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/22
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/23
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/24
switchport mode access
switchport access vlan 2
no shut
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan10
ip address 192.168.29.2 255.255.255.0
!
interface Vlan2
ip address 192.168.1.1 255.255.255.0
!
ip default-gateway 192.168.29.1
ip http secure-server

 

[sam988]

Thanks @reflection

Plan for ports 1-12 to be home_network and 13-24 cam_network

I added interfaces 1-12 to one vlan (vlan 2) and 13-24 to another (vlan 4)
By setting ip of the home_network vlan to 192.168.29.2 and the cam_network to 192.168.1.1 I'm able to access internet from vlan 2. I can also access the switch web interface page from

http://192.168.29.2

My BI PC has only one NIC.
I have router plugged into port 1, BI PC into port 2
I tried the following:

config t
interface GigabitEthernet1/0/2 
switchport mode trunk
switchport trunk allowed vlan 2,4
end

When I run show vlan, I get

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28
2    HOMENET                          active    Gi1/0/1, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7
                                                Gi1/0/8, Gi1/0/9, Gi1/0/10
                                                Gi1/0/11, Gi1/0/12
4    CAMS                             active    Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24

and show interface trunk:

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/2     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/2     2,4

Port        Vlans allowed and active in management domain
Gi1/0/2     2,4

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/2     2,4

So seems like it worked?

However the BI PC is not able to get to the internet now? Is there something special I need to set on the BI PC? (running win 10)

 

[reflection]

You need to enable 802.1q VLAN tagging on your Windows machine.

Do a google search on how to do that. You will have two IP addresses on your BI machine. One IP address on VLAN 2 and one on VLAN 4. The IP address on VLAN 4 will be static. The IP address on VLAN 2 can be DHCP or static (if static, make sure you set your default gateway to 192.168.29.1).

 

[sam988]

Thanks, that seemed to do it.

The BI PC has a realtek NIC, it was rather tricky to figure out VLAN as it wasn't an option in the adapter settings -> properties -> advanced

Found this: Note: Multiple VLAN Operation on Realtek RTL8111D NIC (& Others)

Turns out you need to download Realtek Diagnostic Utility to set up vlan on Realtek NIC

so I added two VLANs (ID 2 and 4) and now I have multiple NIC adapters in the network adapter options in windows

so for the home_network (vlan 2) I can use DHCP (IP auto-assigned was 192.168.29.223)
and for the cam_network (vlan 4) I set static IP - 192.168.1.3

And then each cam will be set a static IP of 192.168.1.XX

I am still waiting to install the cams, but tested and it seems to be working
If I plug PC into port 1-12 I can ping the 192.168.29.223 and I can't ping 192.168.1.3
If I plug PC into port 13-24 I can ping the 192.168.1.3 and I can't ping 192.168.29.223

So I think it's all working

 

[reflection]

Great sam988. Glad it worked out for you. Yes, the VLAN setup can be specific to the driver. I had to install the Intel tools to do VLANs on my Windows 10 box (not my BI machine).

You are now the only person I know that does the Dual IP design for BI with one NIC instead of two NICs .

 

[sam988]

For anyone trying to configure the same, here are some screenshots

After you download the realtek diagnostic utility, create two corresponding VLANS (click add, give same VLAN ID, wait a few sec for it to connect, it will auto-generate MAC address)


You will see two "virtual" network adapters - You can Rename them to make it more clear


Right click and press properties


Set home network to DHCP/Auto Address (click internet protocol version 4 -> properties)

and for cam network set manual IP


Under Advanced make sure the correct VLANID is selected

Confirm its all working by running ipconfig in command prompt (start->run->cmd)


You can confirm that ports 1-12 cant see 13-24 by pinging two devices (pc to cam or pc to pc for example), but don't forget that the windows firewall by default will block pinging so you may need to make exception or turn it off for testing purposes

 

[sam988]

Noticed an issue with PC coming back from sleep mode taking a while to get IP
Fixed thanks to @reflection

On the switch port connected to your PC, add "spanning-tree portfast". If it's a trunk port, do "spanning-tree portfast trunk"

NOTE: do not do this for any ports connecting switch to switch if your setup includes multiple switches as this protects against loops.