07-21-2020 06:48 PM
Hey all,
I'm at my end on this one, please someone help me! I'm working on a data-center-type of installation.
I drew the current set-up, please see attached.
In words here is what I'm trying to accomplish:
1) Multiple cameras go to a Cisco 3650 in a nearby field headend via CAT6.
2) Those field 3650 switches are then sent back to the MDF over fiber.
3) Combine 3x Cisco 3850 switches together to create a "core" switch stack using Stackwise Data Cables.
4) Field switches will plug into any of the 3x 3850 switches to create a balanced load.
All Cameras are using IP in the ranges of: 192.168.130.***, 192.168.131.***, 192.168.132.***, and 192.168.133.***.
All Cameras use 255.255.254.0 as their subnet.
All Cameras use no gateway. This was the direction given by the customer... so they must know something I don't.
Switches have a VLAN titled vlan102, description CAMERAS, and use 192.168.130.1 255.255.254.0 as the IP for it.
When doing a ping from one of the stacked switches, using the all above information, I am able to ping cameras/devices in the 192.168.130...and 131... ranges, however, I cannot talk to any 132 and 133 ranges.
I have too many thoughts in my head to write down, and try, so hopefully someone on here can help me as soon as they can.
I have tried changing the vlan102 to a bigger subnet, but it doesn't change anything, and then I was reading about vlan groups. Maybe I should plan on making 4 separate vlans and then tying them into 1 group and apply to all ports on the three core switches in stack? I'm so lost at this point... enough to be dangerous, but enough to know when to stop and consult this community.
Thank you very much in advance for any and all help.
I hope we can get this going!
07-21-2020 11:56 PM - edited 07-21-2020 11:58 PM
Hello
Your addressing scheme is incorrect, and for inter-vlan communication hosts in these vlans WILL require default-gateways.
At present those subnets will create two /23 networks (see below):
192.168.130.0 - 192.168.131.254 < vlan X
192.168.132.0 - 192.168.133.254 < vlan Y
So if you wish to have separate vlans for your cameras then you need to make these into smaller networks.
Please post the existing running configuration of the core switch stack (attach it in a file) include the following commands:
sh run
sh switch
sh ip int brief
07-22-2020 03:19 PM
Paul,
Thank you for taking this under your wing. I apologize for the delay, I was waiting to get access. I now have full time access, anytime. I attached the three command reports to this reply. I understand you believe I need to create 2 separate vlans. Do I need to make that change on every switch in the field or just the core? How would you recommend I proceed or program? Thanks for all the help!
07-22-2020 04:22 PM
Hello
The reason why you can only reach cameras in the ip range 192.168.130.x and 192.168.131.x is because your vlan 102 addressing only accommodates hosts assigned within this address range.
Now you can either create an additional 23 bit vlan for the 192.168.132.x and 192.168.133.x or create 3 new vlans and change the existing one to accommodate 4 separate subnets which would be a more viable option as it would help cut down on large broadcast or unknown unicast traffic saturating hosts that currently reside in the larger vlan.
However, to do this all your hosts would require the correct subnet mask and default-gateway applied so they’d be able to communicate to other hosts in the other vlans.
Example:
! Remove the single /23 SVI
no interface vlan 102
!
! One /24 SVI per camera range
interface Vlan130
 description CAMERA_V130
 ip address 192.168.130.1 255.255.255.0
!
interface Vlan131
 description CAMERA_V131
 ip address 192.168.131.1 255.255.255.0
!
interface Vlan132
 description CAMERA_V132
 ip address 192.168.132.1 255.255.255.0
!
interface Vlan133
 description CAMERA_V133
 ip address 192.168.133.1 255.255.255.0
!
! Create the matching layer 2 VLANs
vlan 130-133
 exit
I also notice you have a version mismatch in your stacking for switch3. This would be down to that switch not running the same feature set as all the other switches in that stack, so you need to remove this switch 3 and upgrade its software before re-adding it to the stack.
Lastly, why are all your interfaces set as trunks? I am assuming these are for the cameras, correct? Is this required? What make are the cameras?
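The reachability reasoning in the reply above, as an added example that is not part of the original thread: it checks which cameras a switch SVI can ping when the cameras have no gateway, for the original vlan102 and for both options the reply offers. The camera addresses are constructed samples, and the second /23 SVI (name `Vlan132`, address 192.168.132.1) is an assumption.

```python
import ipaddress

# Constructed sample cameras: (address, mask). No gateway is configured on them.
CAMERAS = [
    ("192.168.130.25", "255.255.254.0"),
    ("192.168.131.40", "255.255.254.0"),
    ("192.168.132.25", "255.255.254.0"),
    ("192.168.133.200", "255.255.254.0"),
]

# SVI from the original post.
ORIGINAL = {"Vlan102": "192.168.130.1/255.255.254.0"}
# Option 1 in the reply: add a second /23. Name and .1 address are assumed.
TWO_23 = {**ORIGINAL, "Vlan132": "192.168.132.1/255.255.254.0"}
# Option 2 in the reply: four /24 SVIs, as in its example configuration.
FOUR_24 = {f"Vlan{n}": f"192.168.{n}.1/255.255.255.0" for n in range(130, 134)}


def audit(cameras, svis):
    """Map each camera to (svi_name, masks_agree), or None if unreachable.

    Without a gateway, a ping only works when the camera is inside the SVI's
    subnet AND the SVI address is inside the camera's own subnet.
    """
    result = {}
    for cam_ip, cam_mask in cameras:
        cam = ipaddress.ip_interface(f"{cam_ip}/{cam_mask}")
        result[cam_ip] = None
        for name, addr in svis.items():
            svi = ipaddress.ip_interface(addr)
            if cam.ip in svi.network and svi.ip in cam.network:
                result[cam_ip] = (name, cam.network == svi.network)
                break
    return result


if __name__ == "__main__":
    plans = (("original", ORIGINAL), ("two /23", TWO_23), ("four /24", FOUR_24))
    for label, plan in plans:
        print(label)
        for ip, hit in audit(CAMERAS, plan).items():
            print(f"  {ip:16} {hit}")
```

A `False` in the second field marks a camera whose own mask no longer matches its VLAN, which is the case the reply raises for the four-VLAN option.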
07-22-2020 04:38 PM
Paul,
I owe you big time! I like the idea of a vlan for each address range, however, the customer is requesting the following... Is this doable? If so, what would I do to get it going?
This is from the customer:
"
Please use the below IP@ Range for the VMS network:
Please ensure that all network switches (POE) have a management VLAN configured with an IP@ range of 192.168.1.10/24 through 192.168.1.254/24 and Subnet of 255.255.255.0 and no Gateway is needed since the VMS network is not routed. Please use the default VLAN for management. We will also need you to enable SSH on all switches.
Please create one camera VLAN for all cameras connected to the Video network and are located on Exterior Buildings and 1st Floor with IP range of 192.168.130.20/23 through 192.168.131.254/23 with a Subnet of 255.255.254.0 and a Gateway of 0.0.0.0. This VLAN should be TAGGED on all Uplink ports and UNTAGGED on any camera ports.
Please create one camera VLAN for all cameras connected to the Video network and are located on the Perimeter and 2nd Floor with IP range of 192.168.132.20/23 through 192.168.133.254/23 with a Subnet of 255.255.254.0 and a Gateway of 0.0.0.0. This VLAN should be TAGGED on all Uplink ports and UNTAGGED on any camera ports.
Please ensure that all 3 VLANs above are configured with the same VLAN ID on each and every switch on the network.
"
Let me know your thoughts, Paul. Thank you again.
07-23-2020 01:27 AM - edited 07-23-2020 01:28 AM
Hello
TBH I would definitely challenge this directive; however, sticking with it, you were almost there with your original configuration, albeit apart from SSH.
See attached file for enabling basic user authentication and ssh on a switch and having two non-routed vlans for your cameras and a mgt vlan for your switches.
As it states, your hosts in different vlans WILL NOT be able to communicate with each other as they will have no default-gateway. This also applies to accessing your switch via ssh: you will only be able to reach the switches if you are on the same subnet as the switch mgt vlan.
07-23-2020 07:02 AM - edited 07-23-2020 05:35 PM
Paul,
If I would like to separate all 4, each onto its own vlan, I will use the above commands you gave me to create vlan 130, 131, 132, and 133.
If I default the configurations on the ports, what do I need to tag onto each port?
Also, on the other side of the connection, is a Cisco 3650 field switch. What commands do I need to apply to that side (gi1/1/1 is the uplink to the core switch stack 3850 as modified above) for the cameras on ports 1-24 and the uplink of 1/1/1?
Thank you for providing help.
Thank you,