0 votes
281 views 5 comments
by anonymous
Hopefully a quick answer:

I have a RUT955 with ~200 clients that are statically addressed.

I need to move them all to a different subnet due to some upstream network changes that are coming.

My process for this that reduces downtime for any one device goes like this (and I would appreciate confirmation or correction/advice):

1. Create a second LAN interface, with the new Subnet details under Network>Interfaces>Add new instance

2. Incrementally change, one by one, each device's static configuration over to the new interface/subnet

Is it that simple?

Thanks!

1 Answer

0 votes
by anonymous

Hi,

Have you considered VLANs? Frankly speaking, the best option would be to create a new interface and assign a VLAN to it. Then move all of the clients one by one to this interface (VLAN).

There are different approaches to your issue. More information is needed to provide a solution that will minimize the downtime and ensure that everything will work as intended.

Is it possible for you to provide more details? It would be good to know the following:

  • How are all these devices connected? Are they connected via ethernet cables? Are there any switches? Maybe they are connected wirelessly via WiFi? Are there any wireless clients?
  • Which ports are used on the device?
  • Network topology with addresses.
  • Is it critical to use static addresses? If not, why is DHCP not used?

There are two types of VLAN configurations:

  • Port-based VLAN configuration. A single physical device is divided into multiple logical switches. For example, you can assign port 2 on the device to VLAN 1, while assigning port 3 to VLAN 2. Devices connected on port 2 to VLAN1 are considered to be on a different LAN than those devices on port 3 (VLAN 2). It is a good way to separate end devices into different LANs.

  • Tag-based VLAN configuration. A single port on the device can be used by multiple VLANs. The idea behind this is that there are multiple logical LAN interfaces with different subnets. These LANs are then assigned to VLANs as needed. Let's say you create a LAN1 interface with a subnet of 192.168.10.0 /24 and one with 192.168.20.0 /24 (LAN2). You can then assign LAN1 to VLAN1 and LAN2 to VLAN2. What happens next is that traffic coming from 192.168.10.0 /24 (LAN1) is assigned a VLAN1 tag, while traffic from 192.168.20.0 /24 (LAN2) is assigned a VLAN2 tag. This way, the traffic is separated as if it was on different LANs.

More information about VLAN configuration can be found HERE.

As I already said, more information is needed to provide more specific advice.

Kind Regards,

Andzej

by anonymous

Thank you, I think you are correct, the Tag-based VLAN approach is likely the right one. 

I was hoping to understand if simply adding a second LAN interface with a different subnet would work ok at a basic level though - is there a reason this wouldn't work?

To answer your questions:

The devices are all on a chain of switches connected via ethernet to a single port on a RUT955. 

The devices are physically and logically aligned so that a device with a certain .xxx IP is in a mapped physical location - DHCP will not be helpful for this, so static assignment is critical (as much as I would like to use DHCP). This is the 10.0.0.x subnet (soon to need to be 10.0.4.x, hence the need to change) and has the main site router with WAN uplink.

There are a small number of wireless clients that are not part of the mapped addressing - eg they are admin/pcs etc (these are on DHCP)

There is a second building with same arrangement - an RUT240, located devices, ethernet switches, all this is connected to the RUT955 via Wifi - these all have a 10.0.2.x subnet. Soon we will replace wifi with ethernet connection to the main router, and change to 10.0.3.x subnet.

Topology:

10.0.0.x served by RUT955 at 10.0.0.254

|-------ethernet+switches----static devices 10.0.0.1-230

|-------wifi------ 10.0.0.250 (RUT240)

                       |---LAN subnet 10.0.2.x---ethernet+switches--- static devices 10.0.2.1-230

|------- wifi----- DHCP 10.0.0.231-253 - misc wifi devices

|-----WAN port

|----mobile failover

The requirements of a VLAN approach are that:

1. static devices can access the WAN/outside world. (think this is not an issue) It is a security bonus to separate these into smaller VLAN groups separate from each other

2. admin/misc servers/pcs need to see and access the static devices in 1. (ie, each VLANx device must be accessible and administered by the admin devices).

by anonymous
Hi can I clarify - to operate a tagged VLAN, do I need to set something on each client to apply a tag? Or does the static address of the client mean it is automatically tagged in the VLAN with the corresponding subnet?
by anonymous

Hi,

Sorry for the late reply.

Since the devices are connected via switches and all connected to a single port on RUT955, it's possible to use either - port-based or tag-based VLAN. However, tag-based would probably be better as they allow more flexibility, which can be beneficial in the future.

Tag-based

Create one VLAN_1 interface for the current subnet (10.0.0.0/24) and one for a new VLAN_2 (10.0.4.0/24). 

  • Network -> Interfaces -> Add new instance -> Enter the name (ex. VLAN_1) -> Click add. In the general settings of the interface, select 'static' as a protocol. Assign a subnet.

Set VLAN ID which you will use for VLAN_1 to be untagged on LAN 1 (port1 or whichever port you are using) and set VLAN ID which you will use for VLAN_2 to be tagged. 

  • Network -> VLAN -> Port based

Assign VLAN_1 interface to VLAN_1 in physical settings. Assign VLAN_2 interface to VLAN_2 in physical settings.

  • Network -> Interfaces -> choose your VLANs (VLAN_1, VLAN_2 in the example) and click settings. Go to 'physical settings' and assign a physical interface to a VLAN. For example, 'eth0.10' (depends on VLAN ID).

Whenever you change the IP address on the end device to a new subnet and attach a tag, the device will start using VLAN_2. One by one migrate all end devices to VLAN_2.

Port-based

Create one VLAN_1 for the current subnet (10.0.0.0/24) and one for a new VLAN_2 (10.0.4.0/24).

  • Network -> Interfaces -> Add new instance

Assign VLAN_1 to the current port to which all the devices are connected. Assign VLAN_2 to a different LAN port. Connect another ethernet cable to a new port and assign VLAN_2 to that port. 

  • Network -> VLAN -> Port based

Assign VLAN_1 interface to VLAN_1 in physical settings. Assign VLAN_2 interface to VLAN_2 in physical settings. 

  • Network -> Interfaces -> choose your VLANs (VLAN_1, VLAN_2 in the example) and click settings. Go to 'physical settings' and assign a physical interface to a VLAN.

When you configure an IP address on one of the end devices to be on a 10.0.4.0/24 network, the device will start using VLAN_2 on the assigned port. Hence, the newly configured end device will be on a 10.0.4.0/24 subnet. Both subnets are operational at the same time but are separated. The downtime is relatively unnoticeable.

RUT240

When it comes to RUT240, it does not have port-based VLAN capabilities as it has only one LAN port. RUT240 has only interface-based VLANs, which use 802.1AD/802.1Q encapsulation protocols. These protocols are used to tag Ethernet frames. More information about VLANs for RUT240 can be found HERE and HERE.

One of the possible solutions:

Since you are about to swap WiFi connection with a wired WAN connection to the Uplink router, WiFi access becomes available. What you can do is try to connect all LAN devices on RUT240 to WiFi. This will leave your LAN ethernet port available. Reconfigure LAN port interface settings. Take devices connected to WiFi, and one by one configure them and connect via ethernet+switches to the ethernet LAN port on RUT240.

Otherwise, you can always try to do what you wanted to do in the beginning. Simply create a new interface instance with a new subnet and start moving end devices to that subnet. Using interfaces in such ways should be avoided if possible. The traffic from different subnets is not separated as needed. This can potentially cause issues regarding management, routing, and other unexpected behavior of the device. 

If you choose this approach, ensure that after you are done migrating to a new subnet, there is only one LAN interface assigned to the port.

Device management

When it comes to the management of the devices, I can recommend the following:

Create a separate VLAN for management purposes. Then, in firewall settings on RUT955 (Network -> Firewall -> General settings -> Zones) you can configure firewall zones as you wish. For example, create a rule that allows traffic from Management VLAN to access VLAN 1 and another rule to allow access to VLAN 2. In case there is a need for more VLANs, you can always create a new rule that will allow access from Management VLAN to a new VLAN.

More information about VLAN configuration can be found HERE.

Kind Regards,

Andzej

by anonymous

Thank you for the very complete answer!

However can you clarify why under your heading “Tag based” you then create settings under network>Vlan>port based?
Nevermind! I think I understand now, the naming of the sections is a little confusing.


For reference my usage would not be to utilise different ports - all devices ultimately will be in the same level connecting to one port via many switches, so I believe interface based is the correct vlan settings to use?

Sorry I am still struggling. When I follow 

Set VLAN ID which you will use for VLAN_1 to be untagged on LAN 1 (port1 or whichever port you are using) and set VLAN ID which you will use for VLAN_2 to be tagged. 

The UI says :

  • Tagged port can not be used together with untagged

I'm afraid even with your explanations, and the Wiki info, I still do not understand how the VLAN should be set and also how devices get tagged. 

All devices are connected to port LAN3.

Eg: (this is ideal and how I now want to configure it; removed wifi link)

LAN3 -------- switch-----------devices 10.0.0.1,2,3,4...

                        |

                     switch------------devices 10.0.4.1,2,3,4...

How do the devices become "tagged" - is it just because they each have static addresses set for a certain subnet?

by anonymous

Hi,

Please, pardon me. My bad. It seems that some devices, including RUT955, cannot be configured to support both tagged and untagged traffic on the same port due to some internal limitations. But RUTX11 can.

Anyway, this means that a single port on a device needs to be configured as tagged for each separate VLAN that it accepts. The end devices will need to be configured to use their respective TAG. Otherwise, they will not be able to communicate via that port. Hence, it is better if you configure another port to use TAGS and connect devices to that port only once you have changed their IP address and assigned a VLAN ID (TAG).

For example, on Windows 10 PC, I can configure a VLAN ID by navigating to:

Device Manager (win key, type device manager) -> Network adapters (choose your adapter) -> Properties (right click) -> Advanced tab  -> Property: Priority & VLAN -> VALUE: enable VLAN,

Property: VLAN ID -> VALUE: VLAN_ID -> OK.

This information regarding VLAN ID settings on a Windows PC can be found HERE.

Keep in mind that not every Windows PC can be configured to use a VLAN ID this way. In such cases, additional software might be required to assign a VLAN ID to a network adapter.

A quick Google search should be enough to find information on how to configure VLANs on the end device.

My configuration example for a single VLAN, but you can add more VLANs:

Interface:


VLAN ID on PC:

In this scenario, devices connected to RUT955 on port 1, receive an IP address of 192.168.1.0 /24 subnet (using DHCP) and can communicate without a TAG. On port 3, only devices configured to be in the 192.168.20.0 /24 subnet with a tag (VLAN ID 20) can communicate on that port. Devices from VLAN 20 cannot reach 192.168.1.1 and devices on that subnet. Devices on subnet 192.168.1.0 /24 cannot reach the devices on subnet 192.168.20.0 /24. (or 192.168.20.1)

You can use this approach. Just change the IP addresses and VLAN IDs in accordance with your needs. 

An example topology (You can adapt it for your needs):

You can unplug the ethernet cable from port 3 and put it into port 1 or port 2. Configure port 3 to use VLANs and connect an additional ethernet cable to that port from a switch. This way, when you configure a device to use that VLAN, it will use port 3 and will be separated from untagged traffic on the other port (1 or 2).

Another thing I wanted to mention is that RUT240 can support up to 50 simultaneous connections. This is in case you decide to continue with the method I described previously by connecting devices to WiFi before configuring a port on RUT240.

Kind Regards,

Andzej.
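
An added example, not part of the original posts or Teltonika's code, illustrating the point in the answer above: the VLAN tag is a 4-byte 802.1Q field in the Ethernet header that the end device (or a switch) must insert, and a static IP address in a given subnet does not create it. The function names, MAC addresses and the simplified port model are assumptions made for the illustration; the subnet and VLAN ID 20 follow the answer's own example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build a raw Ethernet II frame; insert an 802.1Q tag if vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan_id          # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return (vlan_id or None, inner EtherType) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return None, etype                   # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner

def port_admits(frame, tagged_vids=(), untagged=False):
    """Simplified port model (assumption): tagged frames pass only for the
    configured VLAN IDs, untagged frames only if the port is untagged."""
    vid, _ = parse_vlan(frame)
    if vid is None:
        return untagged
    return vid in tagged_vids

def ipv4_stub(src, dst):
    """Constructed 20-byte stand-in for an IPv4 header; only addresses are set."""
    return bytes(12) + bytes(src) + bytes(dst)

# Constructed sample data: locally administered MACs, addresses from the answer.
MAC_ROUTER = bytes.fromhex("020000000001")
MAC_DEVICE = bytes.fromhex("020000000002")
payload = ipv4_stub((192, 168, 20, 5), (192, 168, 20, 1))

# Same IP addresses in all three frames; only the Ethernet header differs.
untagged_frame = build_frame(MAC_ROUTER, MAC_DEVICE, 0x0800, payload)
tagged_frame = build_frame(MAC_ROUTER, MAC_DEVICE, 0x0800, payload, vlan_id=20)
wrong_tag_frame = build_frame(MAC_ROUTER, MAC_DEVICE, 0x0800, payload, vlan_id=30)
```

With a port modelled as tagged for VLAN 20, only `tagged_frame` is admitted, even though all three frames carry an address in 192.168.20.0 /24.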