Switch
Connect your network
April 5th, 2025
Our Netgate security appliance comes with four wired ethernet interfaces, but one is already in use as our uplink and the other three aren't enough to meet our lab's needs. We're going to need more interfaces so we'll be connecting an 8-port (interface) gigabit ethernet switch to our firewall in this post. In fact, we'll be doing a lot more than just connecting our switch to another device. Other objectives include dividing our ten (10) physical interfaces into five (5) separate Virtual Local Area Networks (VLANs), disabling inter-VLAN routing, hardening our switch, and backing up our configuration.
This post covers a ton of critical Networking 101 fundamentals and also provides a lot of hands-on experience. By the end, you'll have the network and security foundation for your lab in place and a decent amount of networking and network security experience to go along with it.

Choose Your Hardware#
Hands-on networking experience is still extremely valuable in 2025. A solid understanding of networking is encouraged if not outright required in many disciplines within the tech industry. The network touches everything and if you need to work with, build and/or maintain systems/applications/services in the future then you'll need to know how things communicate over a network.
As for the hardware, I'll be using my legacy HP 2915al switch in this lab. The HP 2915al is a little over 14 years old at this point. Obviously, I don't suggest you search for a 14-year-old switch to follow along, but don't worry. The concepts in this lab are still very relevant and applicable to any modern switch you choose for your lab. That said, our configuration requirements are minimal and pretty much any small switch (8-10 interfaces) will do. If you're looking for a recommendation, I've suggested the Cisco Catalyst 1200 series switch in the first post in the series titled “Gear Up”. Finally, keep in mind that a major part of building a home lab is to challenge yourself. Grab your console cable and let's get networking!
Connect Via Console (Serial) Cable#
Assuming our switch is powered on and we've made our physical connection (i.e., our PC and our switch are connected using our serial cable and USB ethernet adapter), we'll now launch and configure PuTTY to establish a serial connection.
With PuTTY open, under “Session”, select “Serial” for the “Connection type”, confirm your “Serial line” using Windows Device Manager (COM5 in my case), and click “Open”. If a blank PuTTY terminal window opens, that's a good thing! Just left-click the blank terminal, hit “enter” on your keyboard a few times to help kick in the serial connection, and you should see a prompt load.
Change Context#
One of the first things to know about configuring a switch using the command line is that there are different “contexts” that you can enter to configure various aspects of the switch. For instance, when you first land in the command line after connecting to your switch, you'll notice that the prompt ends with a greater-than symbol. The mode or context you are in by default is called “Operator” mode and you can tell what context you're in by viewing the prompt.
# Operator Mode
HP-2915-8G-PoE>
# Manager Mode
HP-2915-8G-PoE#
# Global Configuration Mode
HP-2915-8G-PoE(config)#
To have more privileges and do more things on your switch, you have to enable different administrator contexts on the switch. You enable the “Manager” context by typing enable; however, to make configuration changes, you have to enable the “Global Configuration” context by typing config. There are also "Non-Global Configuration" contexts such as VLAN context configuration and Interface context configuration. To exit a context use the exit command. To move from any level back to the “Manager” level, type end. Practice Tip: Try entering different contexts and typing ? to see what commands are available to you as you change context.
# Enter “Manager” context
enable
# Enter “Global Configuration” context
config
# Enter VLAN Configuration context
vlan 10
# Move from any level back to the preceding level
exit
View Menu#
Most of our switch configuration will be done using the command line menu. Type menu into the command line to enter the command line menu. You can arrow up and down to move from one menu item to another, hitting “enter” to access each item. Alternatively, you can simply type in the corresponding menu number to access each item with a single keystroke. Take a few minutes to browse and get a good idea of what options are available to you through the menu and be sure to keep an eye out for navigation tips provided at the bottom of the screen.
# Access the "Switch Menu" page
menu
Basic Setup#
Manager Password Setup
Now that we've gained access to our switch and know our way around a bit, the first thing we should do is configure our “Switch Setup”. Use the setup command to enter the “Switch Setup” screen in order to configure the manager password and other critical settings. It's a security best practice, as a first step when configuring any device, to update the default passwords or set passwords in the event that there are none set by default. The HP 2915 has the concept of a “Manager” and “Operator” role, each with their own set of credentials and privileges. We'll first update the Manager Password and confirm it for good measure.
# Access the "Switch Setup" page
setup
Operator Password Setup
An optional step might be to set an “Operator” password which, as the name suggests, has fewer system privileges. To configure an operator password, we have to navigate to the CLI menu using the menu command. Then, we select "3. Console Passwords…" followed by "1. Set Operator Password."
# log in as manager
u/n: manager
p/w: <password>
# log in as operator
u/n: operator
p/w: <password>
IP Settings
There are other IP protocol related settings we'll need to configure in the Switch Setup. The most notable are the switch's IP Config, IP Address, and Default Gateway, which we'll be setting to DHCP, 192.168.50.10, and 192.168.2.1 respectively. In this step, we're telling the switch to support DHCP, we're setting a static IP address for the switch, and we're setting the switch's default gateway. For now, don't worry about the Network Time Protocol (NTP)-related settings. We will be configuring our switch to support NTP later in this lab.
Create VLANs#
With our basic switch setup in place, we're ready to start configuring our switch's ethernet interfaces. We'll begin by assigning interfaces one (1) through eight (8) each to a single VLAN, but before we can do that we'll have to create the VLANs on our switch.
Performance Benefits
VLANs are useful for both performance and security reasons. Performance gains that result from implementing VLANs are due to the fact that unnecessary traffic (such as broadcasts) is isolated to its own VLAN. Therefore, broadcasts destined for users/devices that are part of one VLAN won't need to be broadcast to users/devices that are part of a different VLAN. In short, you have less congestion on the network when you use VLANs.
Security Benefits
Security gains that result from implementing VLANs are that we can keep our more valuable users or resources (e.g., our crown jewels) in one VLAN and our less valuable (and, perhaps, riskier) users or resources (e.g., our guest users) in a separate VLAN. Then, we can use VLANs within the security policies we set on our Netgate security appliance to enforce the appropriate policies on traffic flowing between VLANs. For instance, perhaps we don't trust our Guest VLAN as much as we do, say, our Management VLAN. Perhaps all we want to allow guests to do on our network is jump on the Wi-Fi and get out to the Internet. If that's the case, the routing and firewall policies we need for our Guest VLAN are pretty straightforward—they can only reach the Internet; block everything else. Our Management VLAN, on the other hand, requires firewall and routing policies that allow only users connected to the Management VLAN to reach the device in order to manage it, while blocking access to and from anything else. Another bonus of VLANs, should your switch support it, is the ability to restrict management access to a single VLAN. This feature is supported on the HP 2915, so we'll take advantage of it and add another layer of security to our home lab.
VLAN Assignments
That said, we're provided with a default VLAN, VLAN 1. This is common with switch vendors, but check your documentation. We don't have to worry about the Default VLAN for now, but we are going to need to create four (4) VLANs to support our lab's requirements. One VLAN will be used for our “Services”, which will be the applications and resources that we want to serve up from our cloud. We'll have another VLAN for our “Users” which, as you can imagine, is a catch-all for all user types. In your typical organization, you'd likely have multiple VLANs for various types of users, and those typically align to various departments across an organization. Feel free to add more VLANs for different user types if you want, but I'm keeping it to one user VLAN for simplicity's sake. Our third VLAN will be for “Storage”. This VLAN is reserved for our lab's Network Attached Storage (NAS) appliance, which we'll be adding in a subsequent lab post. Our fourth and final VLAN will be our “Management” VLAN. This VLAN will be used to allow access to our switch for management purposes (e.g., making configuration changes, applying updates, etc.). That said, let's create our VLANs referencing the code block shared below. To create VLANs on our switch, we'll enter the menu command and navigate to:
const KRAUS_CLOUD_VLANS = {
  vlan_10: {
    name: "services",
    subnet: "192.168.10.0/24",
    netgate_virtual_interface_ip: "192.168.10.1",
    switch_physical_interface_ip: "192.168.10.254",
    switch_interfaces: "1-3"
  },
  vlan_20: {
    name: "users",
    subnet: "192.168.20.0/24",
    netgate_virtual_interface_ip: "192.168.20.1",
    switch_physical_interface_ip: "192.168.20.254",
    switch_interfaces: "4-6"
  },
  vlan_30: {
    name: "storage",
    subnet: "192.168.30.0/24",
    netgate_virtual_interface_ip: "192.168.30.1",
    switch_physical_interface_ip: "192.168.30.254",
    switch_interfaces: "7"
  },
  vlan_40: {
    name: "management",
    subnet: "192.168.40.0/24",
    netgate_virtual_interface_ip: "192.168.40.1",
    switch_physical_interface_ip: "192.168.40.254",
    switch_interfaces: "8"
  },
  vlan_50: {
    name: "default",
    subnet: "192.168.50.0/24",
    netgate_virtual_interface_ip: "192.168.50.1",
    switch_physical_interface_ip: "192.168.50.254",
    switch_interfaces: "9"
  }
};
Create Uplink "Trunk" Interface#
Our “Trunk” interface is the interface from which we will send all of our switch's traffic to our Netgate security appliance. To configure a trunk interface on our switch, navigate to "Port/Trunk Settings" menu page and set the interface as type trunk. In subsequent steps, we'll make a physical connection between our Netgate appliance and our network switch using this trunk interface (i.e., interface 9/10) and we'll also assign VLANs as “tagged” when transmitted over this interface. More on that in the next section.
Assign VLANs to Interfaces#
With our VLANs and trunk interface created, it's time to assign our VLANs to the physical interfaces on our switch and also ensure our VLANs are properly assigned to our trunk interface. The “VLAN Port Assignment” menu page makes configuration fairly straightforward; however, there are a handful of different VLAN interface assignment types to familiarize yourself with before you begin assigning VLANs to interfaces. See below for the abbreviated description of the three we'll be using in our lab.
VLAN Port Assignment Types
An "untagged" type interface assignment is used with access interfaces to allow a device to connect to the VLAN. Each VLAN marked “untagged” in the below screenshot is assigned to the corresponding interface.
A "tagged" type interface assignment is used with trunk interfaces in order to carry one or more VLANs' traffic to/from your switch. Traffic passed through these interfaces is tagged with its assigned VLAN ID.
A "forbid" type interface assignment is used to prevent the specified VLAN from being assigned to the corresponding interface. This keeps our interfaces isolated to only their assigned VLAN, as we're implementing a 1:1 VLAN-to-interface design.
Default VLAN
The Default VLAN has to be assigned to at least one interface and, so, we'll assign it to an unused interface (i.e., 10/10) by marking the Default VLAN as untagged.
Trunk Interface
Our trunk interface, interface 9/10 which we created in the previous step titled "Create Uplink 'Trunk' Interface", is ready to be tagged with all VLANs that we want to send upstream from our switch. We'll tag all of our VLANs to our trunk interface except for our Management VLAN because, for added security, we want to prevent our switch's Management VLAN traffic from leaving the switch.
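As an added example that is not part of the original post, the Python script below models the VLAN plan from the "VLAN Assignments" section together with the untagged/tagged/forbid assignment types from this section: it builds the port assignment table for all ten interfaces and checks the plan's invariants (gateway and switch addresses inside their subnet, no overlapping subnets, exactly one untagged VLAN per access interface, and the Management VLAN forbidden on the trunk). The plan data is constructed from the post's addressing scheme, assuming interface 9 is the trunk and interface 10 carries the default VLAN untagged.

```python
import ipaddress

# Constructed VLAN plan following the post's addressing scheme (.1 on the Netgate,
# .254 on the switch). Interface numbers follow "Assign VLANs to Interfaces":
# interface 9 is the trunk and interface 10 carries the default VLAN untagged.
VLANS = {
    10: {"name": "services",   "subnet": "192.168.10.0/24", "gateway": "192.168.10.1", "switch_ip": "192.168.10.254", "ports": [1, 2, 3]},
    20: {"name": "users",      "subnet": "192.168.20.0/24", "gateway": "192.168.20.1", "switch_ip": "192.168.20.254", "ports": [4, 5, 6]},
    30: {"name": "storage",    "subnet": "192.168.30.0/24", "gateway": "192.168.30.1", "switch_ip": "192.168.30.254", "ports": [7]},
    40: {"name": "management", "subnet": "192.168.40.0/24", "gateway": "192.168.40.1", "switch_ip": "192.168.40.254", "ports": [8]},
    50: {"name": "default",    "subnet": "192.168.50.0/24", "gateway": "192.168.50.1", "switch_ip": "192.168.50.254", "ports": [10]},
}
TRUNK_PORT = 9
MANAGEMENT_VLAN = 40
PORTS = range(1, 11)  # the 2915-8G has ten interfaces


def port_assignments(vlans, trunk_port=TRUNK_PORT, mgmt_vlan=MANAGEMENT_VLAN):
    """Build the "VLAN Port Assignment" table as {port: {vlan_id: type}}.

    Access ports are untagged in their own VLAN and forbid every other VLAN;
    the trunk tags every VLAN except management, which must not leave the switch.
    """
    table = {p: {} for p in PORTS}
    for vid, v in vlans.items():
        for p in PORTS:
            if p == trunk_port:
                table[p][vid] = "forbid" if vid == mgmt_vlan else "tagged"
            elif p in v["ports"]:
                table[p][vid] = "untagged"
            else:
                table[p][vid] = "forbid"
    return table


def check_plan(vlans, table, trunk_port=TRUNK_PORT, mgmt_vlan=MANAGEMENT_VLAN):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {vid: ipaddress.ip_network(v["subnet"]) for vid, v in vlans.items()}
    for vid, v in vlans.items():
        for key in ("gateway", "switch_ip"):
            if ipaddress.ip_address(v[key]) not in nets[vid]:
                problems.append(f"vlan {vid}: {key} {v[key]} is outside {v['subnet']}")
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"vlan {a} and vlan {b}: subnets overlap")
    for p in PORTS:
        assigns = table.get(p, {})
        untagged = [vid for vid, t in assigns.items() if t == "untagged"]
        if p == trunk_port:
            if untagged:
                problems.append(f"trunk {p}: should carry no untagged VLAN, has {untagged}")
            if assigns.get(mgmt_vlan) != "forbid":
                problems.append(f"trunk {p}: management VLAN {mgmt_vlan} is not forbidden")
        elif len(untagged) != 1:
            problems.append(f"port {p}: expected exactly one untagged VLAN, has {untagged}")
    return problems


def render(table):
    """Text form of the assignment table, one row per interface."""
    vids = sorted({vid for assigns in table.values() for vid in assigns})
    lines = ["port " + " ".join(f"{v:>9}" for v in vids)]
    for p in sorted(table):
        lines.append(f"{p:>4} " + " ".join(f"{table[p].get(v, '-'):>9}" for v in vids))
    return "\n".join(lines)


if __name__ == "__main__":
    table = port_assignments(VLANS)
    print(render(table))
    print("problems:", check_plan(VLANS, table) or "none")
```

Edit the table by hand (or change an address in the plan) and re-run the checks to see which invariant a mistake breaks before you touch the switch.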
Simple Network Time Protocol (SNTP)#
When introducing a new system into your lab environment it's important to ensure that the system's clock is synchronized with all the other systems within your lab. In our last lab, we configured our Netgate appliance to be our Network Time Protocol (NTP) server. So, we have an NTP server. Let's use it to keep our switch's time in sync with the rest of our lab.
To get our bearings, let's enter “Manager” context and display our system's clock and/or the current time using the following commands:
Show Time
# Enter “Manager” context
enable
# Two commands to display the time
display clock
show time
We can set the time and date manually with the following commands, but we don't want to do this because a better option is to use Network Time Protocol (NTP) which is supported by the switch.
time 11:30:00 11/17/2022
time 1:50:00 3/22/2024
Configure SNTP Settings on Switch
In “Lab 2 — pfSense”, we configured our VLAN interfaces but, for good measure, let's confirm that our “VLAN_DEFAULT” interface on our Netgate appliance is enabled and set to: 192.168.50.1
We haven't configured our VLANs within our switch yet, so the “Internet (IP) Service” screen found in the “Switch Configuration” menu on your switch will look different than the screenshot I'm sharing here. For now, we're just going to focus on setting “IP Routing” to Disabled, ensuring our “Default Gateway” is set to 192.168.2.1 and, finally, ensuring that our DEFAULT_VLAN has an “IP Config” of DHCP/Bootp and a 192.168.50.10/24 IP address and subnet mask. Save your changes, if any were required, and exit.
Going back to the “Switch Setup” menu screen, we need to check that our “IP Config” setting is set to DHCP/Bootp. Also, “Time Sync Method” should be set to SNTP. “SNTP Mode” should be set to Unicast and you can leave the default polling interval of 720. Save your changes, if any were required, and exit.
Create NTP Firewall Rules in pfSense
We now have our switch properly configured to support SNTP, but we still haven't allowed NTP traffic to pass between our switch and our Netgate appliance acting as our NTP server. We'll need two new firewall rules on our Default VLAN interface within pfSense. One rule will allow NTP (i.e., port 123) traffic to pass from our switch (192.168.50.10) to our Netgate appliance's Default VLAN Interface IP address (192.168.50.1). Our second firewall rule will be exactly the same as the first, but we'll flip the source and destination to allow NTP traffic to pass from our Netgate appliance's Default VLAN Interface to our switch. We'll create those rules within pfSense at:
Enable DHCP for Default VLAN in pfSense
We're going to treat our Default VLAN interface a little differently than all of the other interfaces in that we're going to enable DHCP support for this interface. This isn't a requirement, but it does allow us to explicitly define the NTP server issued via DHCP. First, let's ensure our “DHCP Backend” within pfSense is the newer Kea DHCP setting. Second, ensure that the “Enable” checkbox is checked. We've already defined our subnet for VLAN_DEFAULT as 192.168.50.0/24, but we're going to carve out nine addresses that we'll reserve for static assignment in a future lab by setting our “Address Pool Range” to 192.168.50.10 to 192.168.50.243. Finally, towards the bottom of this menu is our “NTP Server 1” setting, which we'll set to 192.168.50.1, the IP address of our VLAN_DEFAULT interface.
Synchronize Your Time Using NTP
Both your switch and your Netgate appliance should now be configured to support SNTP on your HP 2915. Run the following series of commands to view your SNTP settings, sync your switch's time with your NTP server's time, and confirm that the switch's time has been properly updated. If the time isn't updating properly, try rebooting with the boot command and double-check your configurations.
# View sntp settings
show sntp
# Sync time
timesync sntp
# View time
show time
display clock
Confirm SNTP Settings In Logs
For good measure, you can also use your switch's logs to confirm that SNTP has updated your system time and date:
# Show logs
show logging -a
Connect Switch to (Netgate) Security Appliance#
Next, we need to make a physical ethernet connection between interface 3/4 on our Netgate appliance and interface 9/10 on our switch. Remember, interface 9/10 on our switch is our trunk interface and it will carry all of our switch's VLAN traffic to and from our Netgate security appliance. Also remember that the Netgate security appliance is also acting as our core router. If a user on the User VLAN needs to connect to a service on our Services VLAN, then you must have the proper firewall rules in place to allow that traffic to be routed between the two different VLANs. Once this physical connection is made your switch will be connected to the rest of the lab.
This is a good time to connect your PC to one of the User VLAN interfaces, making sure to update your PC's IP address and default gateway so that it's in the same subnet as the User VLAN. At this point, you should be able to get out to the Internet and ping other users in the Users VLAN. Review your pfSense firewall rules and test your policies to ensure they're implemented correctly. If everything is working as expected, congratulations!
If everything's not working as expected, don't worry! Consider it a great learning opportunity and take your troubleshooting one step at a time. Be sure to review your switch and firewall configurations, check your logs, and don't forget to check your physical connections as well. If you're still stuck, familiarize yourself with the following tools to help you troubleshoot:
- ping
- nslookup
- ipconfig
- traceroute
Set Management VLAN#
For added security, you can configure your switch so that it can only be managed through a single VLAN and, if that VLAN is only tied to a single interface on the switch, then you can lock down management access to a single ethernet interface on your switch. The 2915 switch's documentation refers to this as the “Management VLAN” which explains why we named VLAN 40 just that—the “Management VLAN”. So, as you probably guessed, we'll be setting ethernet interface 8/10 as our Management interface and it will be the only switch interface that we can use to manage the switch. The more you can do to make it difficult for an attacker to compromise your network, the better, so let's get to it!
You cannot set the Management VLAN using the menu; however, the command to set/unset the Management VLAN is pretty straightforward. Using the below command you can set or unset the Management VLAN. Notice that you can specify either the VLAN ID (e.g., 40) or VLAN Name (e.g., Management_VLAN) to set the Management VLAN.
[no] management-vlan < vlan-id | vlan-name >
You can issue the show config command to confirm that your commands were saved:
Connect Via Ethernet Cable (SSH)#
Secure Shell (SSH) protocol is, as its name implies, a secure way to gain shell access to our switch over the network. Since we've assigned our management VLAN, VLAN 40, to interface 8/8 on our switch, we will need to make a physical connection from our Lab PC to said interface in order to make an SSH connection. We also need to make sure our Lab PC's IP address is within the VLAN 40 subnet of 192.168.40.1/24.
# Open SSH config
vim ~/.ssh/config
# Add the following. Modern OpenSSH clients no longer offer these SHA-1 key
# exchange methods by default, which this older switch still requires. Scope
# them to the switch's management address rather than "Host *", so the weak
# algorithms are not re-enabled for every other SSH connection you make.
Host 192.168.40.254
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Now that's out of the way, we can make an SSH connection to our switch by entering the following command. Specifying the user will prompt you for the associated password.
# ssh manager@<management-vlan-interface-ip-address>
ssh manager@192.168.40.254
Disable IP Routing#
The HP 2915 is capable of routing IPv4 traffic between port-based VLANs so long as the “IP Routing” setting is enabled; however, for security's sake, we're sending all of our switch's traffic to our Netgate appliance for routing and policy enforcement. Ensure “IP Routing” is set to “Disabled” and save your changes.
Factory Reset#
There might come a time when you need to completely reset your switch's configuration. This is referred to as a “Factory Reset”. Perhaps, you forget your Manager password and lock yourself out of the switch. I've been there more times than I'd like to admit, so it's a good idea to get comfortable with how to factory reset a switch. See below for the directions which I've copied from the "HP 2915-8G-PoE Installation and Getting Started Guide":
Option 1 — Factory Reset via Reset & Clear Buttons
You can restore the factory default configuration either on the switch itself, or through the switch console. To execute the factory default reset on the switch, perform these steps:
- Using pointed objects, simultaneously press both the Reset and Clear buttons on the front of the switch. The power and fault lights come on.
- Continue to press the Clear button while releasing the Reset button.
- When the Self Test LED begins to flash, release the Clear button. The switch will then complete its self test and begin operating with its configuration restored to the factory default settings.
Option 2 — Factory Reset via Console
To restore the factory default configuration using the console, execute the erase startup-config command from the console command prompt:
erase startup-config
Backup Configuration#
HP made backing up your switch's configuration very easy. My preferred way is through the Administrative Web User Interface (UI). To access your switch's Web UI, first ensure that your Lab PC is connected to your switch's Management interface 8/10, that your Lab PC's IP address (e.g., 192.168.40.8) is within the Management VLAN subnet (i.e., 192.168.40.0/24), and that your Lab PC's default gateway is set to 192.168.40.254. Then, simply type your switch's Management VLAN IP address (192.168.40.254) into your browser's navigation bar and hit "Enter". Log in with your Management credentials and navigate to the below path within the UI. Once there, simply select the configuration file you want to back up and click “Download”. Save your backup configuration file somewhere safe and use it to reinstall your configuration when need be:
Next Steps#
Congratulations! You've configured your switch and secured it with a password-protected management role. You've also locked management access down to a single physical interface and restricted inter-VLAN routing. Furthermore, each switch interface is assigned to a single VLAN and each VLAN serves a different purpose. With all routing taking place within our pfSense Netgate appliance, we are securing our network traffic with pfSense not only north/south (to and from the Internet) but also east/west (i.e., inter-VLAN traffic).
At this point, your switch is adequately configured to support your lab's requirements and we've kept things pretty simple. We now have the core components of our Cloud, but if we want our lab to do anything, then we'll have to add a server and a few virtual machines (VMs). The really fun stuff is coming up next. Let's get to it!
Useful Commands#
Get Help
?
Rename the Switch
hostname <new-name>
Show History
show history
Set Default Route
[no] ip route 0.0.0.0/0 192.168.2.1
Configure Interfaces
interface 1-10 disable
interface 1-4 enable
interface 1,2 enable
show interface brief
vlan 1
no ip address 192.168.50.10 255.255.255.0
no vlan <vlan_id>
Show MAC Address
show mac-address
Show IP Service
show ip
Show ARP Table
show arp
Show LLDP Remote Device Information
show lldp info remote-device
Show IP Route Entries
show ip route
Save Configuration
write memory