Netgear M4100 question

[PennLib]

After all the great help I rec'd over in the VLAN section, hopefully my newest questions will also be answered.

I help out at a local library and they recently purchased a M4100-D12G switch. I have been tasked with the installation. Here's my problem. The network at the library is all 192.168.1.x. Router is 192.168.1.1, DHCP between 192.168.1.15 and 192.168.1.80 for all public and some staff computers. I was hoping to assign the M4100 a static address of 192.168.1.2. OK, now when I run an ethernet cable directly from the management computer to the switch, and using the browser, I can go to "http://169.254.100.100", the default address for the switch.

That's where the problems start. You have to uncheck the DHCP box to be able to change the IP address and as soon as you do that, the computer loses connectivity, I assume because the it originally got it's address from the switch which would have been in the 169.254.x.x range. It would now be incompatible with a 192.168.1.x address.

I had initially tried using the USB/UART bridge to run the CLI to set the address but the software wouldn't load correctly on the management computer.

Any suggestions?

Bill

 

[abailey]

The 169.254.100.100 address is the default address given to the switch if it can't find a DHCP address. So here are your options:
1) Connect the switch to your network so it can pull a DHCP address and then use that address to get into the switch management to change the address to the static IP you want.
2) You can use the 169.254.100.100 address. This address has a subnet mask of 255.255.0.0. So you would need to set your management PC with a static address in the same subnet and use the same subnet mask. Something like 169.254.100.101 with a 255.255.0.0 subnet would work for your PC.
If you use the second method then after you set the switch address to the new static address you want, you will have to change your PC back to the way it was (in the 192.168.1.x address with a 255.255.255.0 mask) before you can reconnect to the switch under its new IP address and continue to configure.

 

[PennLib]

1) Connect the switch to your network so it can pull a DHCP address and then use that address to get into the switch management to change the address to the static IP you want.

This would be the preferred method. However, I need to discover what IP address the switch has. Right now, the only network discovery tool available is The Dude (http://www.mikrotik.com/thedude) and after I run discover in that program, the switches MAC address doesn't show up. Can you recommend a better open source discover tool?

Bill

 

[abailey]

This is a simple one but it should work for what you need:
http://www.advanced-ip-scanner.com/

 

[PennLib]

Netgear M4100 *ANSWER*

First off, thanks to all (excluding Netgear that is) for all the help. Here's how the problem was resolved.

After trying to install the USB/UART software from the Netgear DVD, which wouldn't install, I downloaded their latest version from Netgear's website. Tried installing that. Still wouldn't install.

The gentleman here at the library that I help found a different USB/UART driver on the net http://www.silabs.com/products/mcu/pages/usbtouartbridgevcpdrivers.aspx which DID install on the Win XP Pro computer. I could then log in to the Netgear switch using a mini-USB cable, changed the IP address, plugged unit back into the network and did an http:// to the assigned address and BINGO! success!

Moral to this story - DON'T TRUST MANUFACTURER'S SOFTWARE!!! ;-))))

Bill

 

[PennLib]

Just about done and most stuff working fine. Still have one major problem.

First to reiterate the configuration:

Comcast coming in to a Motorola Cable Modem SB5120

wired direct to Cisco/Linksys WRT54G router (WiFi turned off, DHCP turned on)

Wired direct to Netgear M4100.

On the first pass, I configured the M4100 as follows:

port 1 - in from WRT54G
port 2 - to Staff dumb switch
port 3 - to Adult dumb switch
port 4 - to Juvenile dumb switch
port 5 - to Envisionware server
port 6 - to Sharp MX-2600N network printer
port 7 - to Adult Webcat hub
port 8 - to Juvenile Webcat hub
port 9 - to WiFi hub
port 10 -
port 11 -
port 12 - to server

I set up the VLANs as follows:
VLAN 20 - Staff
VLAN 30 - Adult
VLAN 40 - Juvenile
VLAN 50 - Envisionware
VLAN 60 - Sharp printer
VLAN 70 - Juvenile WebCat
VLAN 80 - Adult WebCat
VLAN 90 - WiFi

I left the two default VLANs ( 1- default, 2 - Auto VOIP) alone.

Now the Envisionware server controls access to both the adult and juvenile computers on VLANs 30 and 40 so I made both of them members of VLAN 50 which works fine.

However, both Staff and Envisionware need access to the network printer so I made VLANs 20 and 50 members of VLAN 60. This doesn't work. All the computers on VLANs 30 and 40 are DHCPed. The Envisionware server is a static IP and the Sharp network printer is a static IP. Configured this way, neither the staff nor the Envisionware server can see the printer.

Any suggestions??

Thanks.
Bill

 

[abailey]

How do you have your IP address scheme? Do you have a different subnet for every VLAN? If you don't have a separate subnet for every VLAN then you might as well combine any VLAN's that you have merged together by making them members of another VLAN since separate VLANs would not serve any purpose.

 

[PennLib]

How do you have your IP address scheme? Do you have a different subnet for every VLAN? If you don't have a separate subnet for every VLAN then you might as well combine any VLAN's that you have merged together by making them members of another VLAN since separate VLANs would not serve any purpose.

As stated in my last post, the Envisionware server and the network printer are static IPs. All the rest of the computers run DHCP from the Cisco/Linksys router. We are only using the range 192.168.1.1 to 192.168.1.254. The purpose of this exercise was to shield the staff computers from anyone coming in and using the WiFi. That part seems to be working. You can't see the staff computers from the WiFi VLAN. Network discovery is not turned on on the adult or juvenile access computers. So you also cannot see the staff computers from them.

My original question remains the same. I set up the adult VLAN (#30) and the juvenile VLAN (#40) to be members of the Envisionware VLAN (#50). That works as expected. Both the adult VLAN and the juvenile VLAN can see the Envisionware VLAN and vice versa. This is how people access the computers. They either register at the desk (Envisionware server) or type in their library card number at the computer (which then verifies through the Envisionware server) to gain access. This all works.

I used the exact same procedure to put the staff VLAN (#20) and the Envisionware VLAN (#50) in the network printer VLAN ((#60). This does NOT work.

I didn't see anything in the docs that apply to the M4100 that said you also had set up subnets for each VLAN. I got the impression it was an either/or proposition.

Bill

 

[abailey]

I wrote out a long answer to your post but after reviewing it I think finally realize what you are trying to do. I will go ahead and post my original thoughts (they are still relevant) and then below that I will post my current thoughts.
Original:
Maybe we are just speaking different terms, lol. The reason to use subnets is usually to 1) Help traffic congestion 2) provide security 3) help in management of a network. Now it is common or best practice to put every VLAN on a separate subnet. There are two reasons for this. One is it helps in troubleshooting. The second, and most common, is that you want to separate VLAN's but you want some to talk to others and thus need to route between them. Now if you have 2 VLAN's with the same subnet, you cannot route between them because routers route based on network. If they are in the same network (or subnet) then the router cannot route between them. Thus the only way to get the VLANs to talk (using the same subnet) is to make them one large VLAN (which is what would happen if you put one VLAN into another VLAN). Thus the only reason to have VLAN's using the same subnet would be if you wanted to keep them totally isolated from each other (and personally I would still follow best practice and put them on different subnets). Because of this I have never heard of or seen a switch that allows you to put a VLAN into another VLAN, and that, maybe, is where me and you are speaking different terms. You can put a switch port into multiple VLAN's but the port can only be a member of one untagged VLAN because it can only have one default VLAN (native VLAN).
So, if you want computers to talk to each other you either put them in the same VLAN with the same subnet, or you put them in different VLAN's using different subnets and route between them.
Ok Now current thoughts:
After reviewing all your post it looks like you want to block access to certain devices but keep everything in one subnet. It may be possible to use VLAN's for what you want but it would be messy and hard to troubleshoot, as VLAN's were not designed to do what you are trying to do. Now saying that, what is available to do what you want are two different technologies. One technology is called ACL (access control list) and the other is port isolation. With port isolation you are able to define per port what other ports it can see and communicate with. Here is an example from my switch:

Here you can see the ports of my switch listed on the left, and on the right what ports each one is allowed to communicate with. Since I am not using port isolation it is set where every port can see all other ports. That would be the easiest to set up for your project.
ACL's are rules you define that tell the switch what to do with packets. They can be based on things like MAC address, IP address, etc. You can have packets dropped from certain destinations going to other destinations. This could also work for you but would require a lot of work and many definitions to do all you want.

Anyway that is my current thoughts on your project. I wish I knew more about your exact switch so I could see what all it has. I assume it has a feature similar to port isolation as my switch is a pretty cheap TP-Link switch that I assume would not have any features that more expensive switches would not.

 

[PennLib]

I wrote out a long answer to your post but after reviewing it I think finally realize what you are trying to do. I will go ahead and post my original thoughts (they are still relevant) and then below that I will post my current thoughts.

Thank you for the VERY good explanation. I had suggested the Netgear M4100 switch based on the review from this website (http://www.smallnetbuilder.com/lanw...r-m4100-d12g-intelligent-edge-switch-reviewed) and it mostly has lived up to the review. I also looked at the Netgear docs, (http://documentation.netgear.com/gs108t/enu/202-10337-01/GS108T_UM-10-5.html), and this was what we were trying to accomplish. after reading these two pcs of documentation, it appeared that the use of VLANs would accomplish what we wanted.

This is all new to me so my terminology is definitely off. I think what I should have said was I assigned VLANs to specific ports on the switch, then I made other VLANs MEMBERS of ......

I have also printed out your remarks and will read them (probably several times).

Now here's the REALLY strange part. Two days after my 7-3 post, everything started working as req'd, with no further configuration by any human, IT JUST STARTED WORKING! Sooooooo, for right now, I'm just going to leave things be and read some more. ;-)))

Thanks again.

Bill