01-15-2021 03:23 AM
Hello,
Completely new to Cisco and their switches. I have taken on a property that uses a Catalyst 3750 series PoE-24.
On the switch currently are a few computers and devices on Ethernet.
I would like to add a few IP CCTV cameras (on ports 16-24 for example) but have them on a separate VLAN. The rest of the network can quite happily sit on VLAN1 (default) as there isn't much need in segregating those devices.
I have made a map below:
I have been playing around with CNA and the CLI to do this but haven't had much luck.
Essentially would like the cameras (connected to Ports 16-24) to be isolated from the rest of the network - but allow the NVR to be connected to the internet? VLAN1 on 192.168.1.XXX and VLAN10 on 192.168.2.XXX with the NVR allowed to see the internet.
If anyone can give me some help with this - I would be very happy to even pay for help if needed to get this set up.
Thank you in advance!
01-15-2021 03:53 AM
Post the configuration of the 3750. If you have created a separate VLAN SVI for the camera VLAN, it should be able to communicate with VLAN1.
If the camera needs to connect to the internet, then you are required to add NAT for that IP address on the uplink router where NAT takes place (the BT Home Hub; a static route entry towards the switch is also required), if you want a static route.
01-15-2021 04:08 AM
01-15-2021 04:51 AM - edited 01-15-2021 04:51 AM
Hello,
Make the changes/additions marked in bold. The access list keeps Vlan 1 and Vlan 10 from communicating. As Balaji mentioned, make sure the BT Home router NATs the 192.168.10.0/24 subnet.
!
! Last configuration change at 11:38:41 UTC Fri Jan 15 2021
! NVRAM config last updated at 11:56:25 UTC Fri Jan 15 2021
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YHNN$T/PzNjDC/EfPGNKgaycgZ0
!
username admin privilege 15 secret 5 $1$R93u$on2patAWh60BQf1ILctAp1
!
no aaa new-model
switch 1 provision ws-c3750-24p
system mtu routing 1500
vtp mode transparent
ip routing
!
crypto pki trustpoint TP-self-signed-1363833088
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1363833088
revocation-check none
rsakeypair TP-self-signed-1363833088
!
crypto pki certificate chain TP-self-signed-1363833088
certificate self-signed 01 nvram:IOS-Self-Sig#3838.cer
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
switchport trunk allowed vlan 1
!
interface FastEthernet1/0/5
switchport access vlan 10
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
--> description CCTV Port
--> switchport mode access
--> switchport access vlan 10
--> spanning-tree portfast
!
interface FastEthernet1/0/17
--> description CCTV Port
--> switchport mode access
--> switchport access vlan 10
--> spanning-tree portfast
!
interface FastEthernet1/0/18
--> description CCTV Port
--> switchport mode access
--> switchport access vlan 10
--> spanning-tree portfast
!
interface FastEthernet1/0/19
--> description CCTV Port
--> switchport mode access
--> switchport access vlan 10
--> spanning-tree portfast
!
interface FastEthernet1/0/20
--> description CCTV Port
--> switchport mode access
--> switchport access vlan 10
--> spanning-tree portfast
!
interface FastEthernet1/0/21
--> description CCTV Port
--> switchport mode access
--> switchport access vlan 10
--> spanning-tree portfast
!
interface FastEthernet1/0/22
--> description CCTV Port
--> switchport mode access
--> switchport access vlan 10
--> spanning-tree portfast
!
interface FastEthernet1/0/23
--> description CCTV Port
--> switchport mode access
--> switchport access vlan 10
--> spanning-tree portfast
!
interface FastEthernet1/0/24
--> description CCTV Port
--> switchport mode access
--> switchport access vlan 10
--> spanning-tree portfast
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
ip address 192.168.1.251 255.255.255.0
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
--> ip access-group 101 in
!
--> no ip default-gateway 192.168.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip http server
ip http secure-server
!
--> access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
--> access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
line con 0
line vty 5 15
!
end
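An added example, not part of the original post: a small Python evaluator for extended ACL entries of the kind used in access-list 101, showing how IOS wildcard masks select addresses and why a subnet mask written in the wildcard position silently fails to match the camera subnet. The host addresses (192.168.10.20, 192.168.1.50, 203.0.113.10) are constructed samples, and the parser covers only the `ip SRC WILDCARD DST WILDCARD`, `host` and `any` forms.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' (also 'any'/'host')."""
    tok = line.split()
    action, rest, fields = tok[2], tok[4:], []
    while rest:
        if rest[0] == "any":
            fields.append((0, 0xFFFFFFFF)); rest = rest[1:]
        elif rest[0] == "host":
            fields.append((ip(rest[1]), 0)); rest = rest[2:]
        else:
            fields.append((ip(rest[0]), ip(rest[1]))); rest = rest[2:]
    return action, fields[0], fields[1]

def matches(addr, base, wild):
    # Wildcard bit 1 = "don't care", bit 0 = "must equal the base address".
    care = ~wild & 0xFFFFFFFF
    return (ip(addr) & care) == (base & care)

def evaluate(acl_lines, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl_lines:
        action, (sbase, swild), (dbase, dwild) = parse_ace(line)
        if matches(src, sbase, swild) and matches(dst, dbase, dwild):
            return action
    return "deny"

# Source written with a wildcard mask (0.0.0.255 = any host in the /24).
ACL_WILDCARD = [
    "access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 192.168.10.0 0.0.0.255 any",
]
# Same ACL with a subnet mask typed where the source wildcard belongs.
ACL_SUBNET_MASK = [
    "access-list 101 deny ip 192.168.10.0 255.255.255.0 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 192.168.10.0 0.0.0.255 any",
]

if __name__ == "__main__":
    camera, pc, internet = "192.168.10.20", "192.168.1.50", "203.0.113.10"
    for name, acl in (("wildcard", ACL_WILDCARD), ("subnet mask", ACL_SUBNET_MASK)):
        print(name, "camera->VLAN1:", evaluate(acl, camera, pc),
              "| camera->internet:", evaluate(acl, camera, internet))
```

On the switch itself, `show access-lists 101` displays the entries as stored along with per-entry match counters, which is the quickest way to confirm the deny line is actually being hit.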
01-15-2021 04:38 AM - edited 01-15-2021 04:40 AM
I actually haven't set anything yet. Not quite sure what you are saying..?
I was only suggesting how you can get the CCTV to work. If you have not done anything, the statement below contradicts what was mentioned in the post:
I have been playing around with CNA and the CLI to do this but haven't had much luck.
Anyway, looking at the config - would you like to use VLAN 10 for CCTV, or for anything else?
interface FastEthernet1/0/5
switchport access vlan 10
01-15-2021 04:51 AM
Can't thank you enough for looking into this for me!
Yes - so VLAN10 is purely just me playing around/testing (port 5 is connected to an ethernet port that's at my desk).
Ideally Ports 17-23 will be for the cameras (24 is the uplink to the router at the moment) that will be on the VLAN10.
Everything else will be on the default vlan.
The cameras I will be using are Dahua IP cameras - so just need to broadcast their IP to be received by the NVR but go no further than that. The NVR then will need to see the cameras and the internet (single NIC).
Let me know if there's any way I can explain it better.
01-15-2021 04:57 AM
No worries - we are here to help best we can always.
Looks @Georg Pauwen beat me with the config - now.
01-15-2021 05:00 AM
Okay Brilliant!
How do I get that new config onto the switch? Do I paste it into the config file I have downloaded?
I use Cisco Network Assistant..
So with that config what will happen?
Thank you!!
01-15-2021 05:04 AM
go to command line or ssh to device :
config t
!
paste all bold lines in to config
then type
end
test - do not save until all working.
01-15-2021 05:04 AM
Hello,
Actually, CNA is not really what you want to use. Try and get access to the command line (either via a TELNET to the Vlan 1 IP address of the switch, or via physical console access).
01-15-2021 05:05 AM
Okay I will do that and have a look.
Do you have any idea how I can set the NAT on the BT Home Hub 5?
Best,
Oli