NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Unable to route Netgear FS728TP VLAN 5 to Cisco Meraki MS250-24 switch
Hi, We have mostly Meraki switches, but our loss prevention manager has Netgear FS728TP switches that all his cameras are on. In the past 6-8 years, all cameras were on the default VLAN (1, 1...
Exactly what I mentioned above about certain brands which are hiding the effecive standard technology. It's about the Meraki partner to tell us how these Meraki trunk ports are configured exactly - then I'm happy to help. Coming back to the start:
schumaku wrote:
RCCrosier wrote:
The Meraki MS250 port #1 is connected to first Netgear port #6.
Meraki port 1 is Native VLAN 1, Trunk port.
So yes, appears the VLAN 5 does not exist on the Meraki side - or there is "more" which isn't shown here. ...
All I can read here is that the port is configured to be a trunk (so not an access port), and the untagged traffic is associated with VLAN 1.
Note the designation "native VLAN" has a very bad taste with network security world, having caused plenty of holes and vulnerabilities caused (ha, mainly Cisco systems) by having a unchangeable "native VLAN".
schumaku wrote:
RCCrosier wrote:
Netgear port 6 is VLAN 1 untagged. VLAN 5 tagged. PVID on ALL ports is 1.
Still incomplete (VLAN 5 only on the trunk?), and partially wrong in the PVID aspect. The PVID does define the switch VLAN where untagged frames are associated to.
For a trunk - and I think I've mentioned this several times - I would expect a config like this on the trunk:VLAN 1, [U]ntagged, PVID 1
VLAN 5, [T]agged
(this makes up a trunk carrying VLAN 1 untagged, and VLAN 5 tagged)For the access ports connecting the new cameras it's only:
VLAN 5, [U]ntagged, PVID 5.(and no other VLAN memberships, that makes up an access port for VLAN 5)
For the access ports connecting the old NVR/cameras on VLAN 1 it's only:VLAN 1, [U]ntagged, PVID 1.
(and no other VLAN memberships, that makes up an access port for VLAN 1)
With this config, trunking to whatever brand switch uplink, you have the VLAN 5 and the VLAN 1. Guessing again the VLAN 1 is also used as the management network for the switches et all. Watch your step acordingly in case you plan to change the management VLAN - the uplink trunk must be configued accordingly and workable for all VLANs
Again, it's no rocket science, and that's on how such simple networks with a few VLANs on a trunk are configued for decades. Nothing I show here is "Netgear" specific! You can expect from your Meraki partner that they are able to translate their fancy coloured marketing click UI to the basics resp. configure a trunk port according to the above.
The access ports for the new cameras are set to VLAN 5 [U]ntagged and PVID 5 _only_ and no other VLAN?
For the trunk to whenever other industry standard switch with VLAN support the similar config must be applied on both ends, e.g. keep the old NVR on VLAN 1, PVID1, and for the new NVR VLAN 5 [T]agged.
Last, think L2 networking - of course you might have some L3 routing between the networks made of VLANs and IP subnets. Still, most is L2 switching. So I'm confused why you ask about routing that VLAN - explain please.
It's always funny to me reading that say Meraki or Ubiquity/UniFi (feel free to add other click brands here) resellers have apparently lost the basic track of what thier fancy UIs are really doing - at the end of the day mostly standard VLAN configurations. The standards are set for decades, and the interoperability can be taken as granted.
Thanks for your quick reply! I'm not sure I can answer these correctly, as I'm out of my area of expertise here, but I'll try.
The native/management VLAN on both switches is VLAN 1.
The NVR server is 192.168.5.253 and we can access that from VLAN 1 computers connected to the Meraki.
The Meraki MS250 port #1 is connected to first Netgear port #6.
Meraki port 1 is Native VLAN 1, Trunk port.
Netgear port 6 is VLAN 1 untagged. VLAN 5 tagged. PVID on ALL ports is 1.
I asked about routing that VLAN because I read a post by someone saying that this model may not do this...???
The vendor is telling me that "because they don't support it, even if they got it working, it may not be stable", but I think it CAN be made to work, by the right person... just not me, and apparently not the Meraki person, unfortunately.
Sorry, but I'm VERY unfamiliar with nuances/differences of L2, L3, etc. I've always relied on our vendors for routing and switches... I'm more of a software development side person.
schumaku : (I hope it's OK to say here)... I'd certainly be willing to pay for help fixing this if you can help me make these talk. I just don't know if our old switch guy is retired or still doing this stuff, and as I said, our current Meraki/Mitel phone people can't.
Oh, one more pertinent bit of info...
The NVR server is connected to the Meraki switch stack, not the Netgear.
So I know the routing/vlan on the Meraki side is working OK, because I can PING it from a PC on VLAN 1.
RCCrosier wrote:
The NVR server is connected to the Meraki switch stack, not the Netgear.
So the VLAN 5 does exist onthe Meraki stack, the NVR server is connected to an access port for the VLAN 5, and has a 192.168.5.x address, computers on the Meraki VLAN 1 with a 192.168.1.x address can reach the NVR so there seem to be some routing to be in place? All what has to happen is a proper trunk config for the Meraki<->Netgear connection, as explained before.
RCCrosier wrote:
The native/management VLAN on both switches is VLAN 1.
The NVR server is 192.168.5.253 and we can access that from VLAN 1 computers connected to the Meraki.
Well, if the new NVR Server should be on VLAN 5 and a 192.168.5.x addess making an own network the suspicion is near that this .5.x address is why ever connected to the VLAN 1 and the 192.168.1.x.
RCCrosier wrote:
The Meraki MS250 port #1 is connected to first Netgear port #6.
Meraki port 1 is Native VLAN 1, Trunk port.
Netgear port 6 is VLAN 1 untagged. VLAN 5 tagged. PVID on ALL ports is 1.
So yes, appears the VLAN 5 does not exist on the Meraki side - or there is "more" which isn't shown here. Are the computers you access the NVR on the 192.168.1.0 subnet? If the NVR really is on the VLAN 5 and has a 192.168.5.x address, there must be some routing in between. If the NVR is simply connected to the VLAN 1 with a 192.168.1.x address ... it's a mess.
Something to discuss with the new NVR engineer and the Meraki people - from what I read here it's simply lack of network design.
If the aim is to have the new cameras and the new NVR server on a dedicated network - by specs VLAN 5, and 192.168.5.x IP subnet ... that's the way it has to be. There can't be a NVR server with that 192.168.5.x address connected to the VLAN 1 making the primary or original network on the 192.168.1.x subnet. If the new NVR server has a spare interface, connect that one to the VLAN 1 with a 192.168.1.x address.
Permitting the new NVR does allow access over it to the recordings and the camera e.g. on it's Web UI, all fine.
If the unknown new NVR system user interface does also require IP access from the cameras e.g. for the live view, some routing must exists between the VLAN 1 on 192.168.1.x and the NVR network VLAN 5 on 192.168.5.x. But this does lead to the question why one does want to have the new NVR and the new cameras on a dedicated network.
Again, this is nothing about Meraki or Netgear or whatever other switch manufacturer - it's called design and systematic implementation.
Back to the drawing board - please try to make an appropriate design. And let us know the requirements. Happy to help here, just for my fun, free.
All of our company network is VLAN 1. We have to be able to "access" the NVR server from VLAN 1, but we want the NVR on a separate VLAN (5) and all the cameras (eventually) to be on VLAN 5.
So a desktop (Loss Prevention manager, for example) that is on VLAN 1 (192.168.1.xxx) must be able to run software and see all the cameras on the 5.xxx network (VLAN 5).
The LP manager (and I) wanted to separate the two networks (cameras and busines) for several reasons, but mainly because we're running out of IP addresses in the 1.xxx subnet.
VLAN 5 is set up on the Meraki side, and the NVR is set to 192.168.5.253 (VLAN 5).
So, basically, devices on the 192.168.1 xxx network need to be able to see/access devices on the 192.168.5.xxx network.
We have this already, on our Meraki switches, for other VLANs (0.xxx, 2.xxx, 3.xxx, etc)
I'm not sure I understand fully what you're telling me, however, regarding an appropriate design.
To answer your other post, yes, there is routing on the Meraki side, but we cannot (and the Meraki person could not/would not) help us to figure out the appropriate settings on the netgear side to get the trunking to work properly, therefore, we have no connection there.
And yes, the NVR is connected to an Access port on the Meraki, on VLAN 5, but I don't know how to do the "proper trunk config for the Meraki<->Netgear connection" This is what we're missing, and I don't know what to set the ports for, to accomplish this.
Exactly what I mentioned above about certain brands which are hiding the effecive standard technology. It's about the Meraki partner to tell us how these Meraki trunk ports are configured exactly - then I'm happy to help. Coming back to the start:
schumaku wrote:
RCCrosier wrote:
The Meraki MS250 port #1 is connected to first Netgear port #6.
Meraki port 1 is Native VLAN 1, Trunk port.
So yes, appears the VLAN 5 does not exist on the Meraki side - or there is "more" which isn't shown here. ...
All I can read here is that the port is configured to be a trunk (so not an access port), and the untagged traffic is associated with VLAN 1.
Note the designation "native VLAN" has a very bad taste with network security world, having caused plenty of holes and vulnerabilities caused (ha, mainly Cisco systems) by having a unchangeable "native VLAN".
schumaku wrote:
RCCrosier wrote:
Netgear port 6 is VLAN 1 untagged. VLAN 5 tagged. PVID on ALL ports is 1.
Still incomplete (VLAN 5 only on the trunk?), and partially wrong in the PVID aspect. The PVID does define the switch VLAN where untagged frames are associated to.
For a trunk - and I think I've mentioned this several times - I would expect a config like this on the trunk:VLAN 1, [U]ntagged, PVID 1
VLAN 5, [T]agged
(this makes up a trunk carrying VLAN 1 untagged, and VLAN 5 tagged)For the access ports connecting the new cameras it's only:
VLAN 5, [U]ntagged, PVID 5.(and no other VLAN memberships, that makes up an access port for VLAN 5)
For the access ports connecting the old NVR/cameras on VLAN 1 it's only:VLAN 1, [U]ntagged, PVID 1.
(and no other VLAN memberships, that makes up an access port for VLAN 1)
With this config, trunking to whatever brand switch uplink, you have the VLAN 5 and the VLAN 1. Guessing again the VLAN 1 is also used as the management network for the switches et all. Watch your step acordingly in case you plan to change the management VLAN - the uplink trunk must be configued accordingly and workable for all VLANs
Again, it's no rocket science, and that's on how such simple networks with a few VLANs on a trunk are configued for decades. Nothing I show here is "Netgear" specific! You can expect from your Meraki partner that they are able to translate their fancy coloured marketing click UI to the basics resp. configure a trunk port according to the above.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
