gvidals
asked on
Dell Powerconnect VLAN setup for backup network
List the Dell Powerconnect CLI commands that would be entered to set up VLANS that meet the following requirements:
Switch: Dell Powerconnect 5424 - 24 port gigabit switch
Servers:
CompanyA: 10.10.10.100 (VLAN A) on switch port 1
CompanyB: 10.10.10.200 (VLAN B) on switch port 2
Backup: 10.10.10.300 on switch port 3
CompanyA should be isolated from CompanyB server.
CompanyB should be isolated from CompanyA server.
Backup server can backup both CompanyA and CompanyB servers.
By isolation I mean that the server cannot be accessed by other servers. For example, CompanyB and CompanyA servers cannot ping each other.
Sorry, I'm waiting for the 54xx series' CLI manual to download. This solution is based on the 35xx series.
One thing: all servers are in the same subnet. It won't work without NAT if you use different VLANs and a router, because a server can't have the same subnet on two interfaces.
What gvidals wants to achieve can be done with one VLAN and MAC access lists, but I can't find in the CLI guide how to apply a MAC ACL to a certain interface.
Sorry, it should be like this: It won't work without NAT and a router if you use different VLANs, because a server can't have the same subnet on two interfaces.
I agree it should have a router, or at least a NAT of some sort, however since the .300 address given for the backup server is out of range anyway, I'm assuming that the machines are on separate subnets, but the OP chose not to give them for whatever reason.
ASKER
There was an error since 10.10.10.300 is an illegal IP address. Instead, use 10.10.10.250.
ASKER
So the answers are mixed. Some say a router is necessary then and others say it is not necessary?
Correction:
Servers:
CompanyA: 10.10.10.100 (VLAN A) on switch port 1
CompanyB: 10.10.10.200 (VLAN B) on switch port 2
Backup: 10.10.10.250 on switch port 3
ASKER
It is acceptable to use MAC ACL if that will meet the objective of keeping CompanyA and CompanyB servers from having access to each other.
So if there is a solution using port security or MAC ACL, then please let me know the CLI commands to set it up.
Either solution will work, but the MAC ACL one is harder to maintain since you'll have to manually update the lists whenever a new device is added to the network.
Are the IP subnets etched in stone? It would be much easier to have the following setup:
Company A: 10.10.10.x /24
Company B: 10.10.20.x /24
Backup: 10.10.1.x /16
This is not good, because the Backup subnet overlaps with the Company A and Company B subnets.
The best solution is to have 3 different subnets, inter-VLAN routing with ACL.
As the 5424 is an L2 switch, you will need an additional L3 switch or router. This solution is the most robust and scalable, and follows best practice.
All other solutions will lead to problems over time as the network grows.
I was assuming that the overlap WAS desired, but yes, I agree that a router with ACLs is the preferred solution.
ASKER
Are you saying it should be three distinct subnets like so?
CompanyA: 10.10.100.0/24
CompanyB: 10.10.200.0/24
Backup Server: 10.10.300.0/24
What does the network topology look like now that the solution has evolved to include two switches?
Which switch is configured with the inter-vlan routing?
ASKER
Sorry, same mistake. I meant:
CompanyA: 10.10.100.0/24
CompanyB: 10.10.200.0/24
Backup Server: 10.10.250.0/24
ASKER CERTIFIED SOLUTION
Ideally yes. The purpose of VLANs is to separate traffic between devices on the same physical LAN.
By definition, devices on one VLAN cannot normally speak to devices on another VLAN without help from a router or L3 switch.
I'm assuming you'd like to have the backup server be able to talk to the servers on the other subnets without going through a router. This is possible, but requires either a NIC that supports VLAN tagging (802.1q) or else a separate NIC for each VLAN.
For either solution to work, each network connection on the backup server needs to belong to a different IP subnet.
I hadn't had my coffee when I recommended using an overlapping network mask on the Backup server, but Fidelius noted the mistake.
For the server on port 3 to be able to talk to the other two servers without a router, it will need to have a NIC driver that can perform 802.1q tagging, and have a way to map each VLAN ID to the appropriate company's network.
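As an added example (not posted by anyone in this thread), here is the switch-side configuration that implements Fidelius's three-subnet design together with the 802.1q-tagged backup server described above, in the PowerConnect 54xx CLI syntax. Assumed values: VLAN 10 = CompanyA (10.10.100.0/24) on g1, VLAN 20 = CompanyB (10.10.200.0/24) on g2, VLAN 30 = Backup (10.10.250.0/24) on g3, and g24 as the uplink to the router or L3 switch; the router's ACL (deny VLAN 10 to/from VLAN 20, permit VLAN 30 to both) is not shown and must be verified against the 5424 CLI reference before pasting.

```text
! Lines beginning with "!" are annotations for the reader, not switch commands.
! Assumed layout: VLAN 10 CompanyA, VLAN 20 CompanyB, VLAN 30 Backup, g24 uplink.
configure
vlan database
 vlan 10,20,30
exit
! CompanyA server: untagged member of VLAN 10 only, so it sees no VLAN 20 frames.
interface ethernet g1
 switchport mode access
 switchport access vlan 10
exit
! CompanyB server: untagged member of VLAN 20 only.
interface ethernet g2
 switchport mode access
 switchport access vlan 20
exit
! Backup server with an 802.1q-capable NIC: its own subnet arrives untagged
! (native VLAN 30); VLANs 10 and 20 arrive tagged, so it can back up both
! company servers directly, without going through the router.
interface ethernet g3
 switchport mode trunk
 switchport trunk native vlan 30
 switchport trunk allowed vlan add 10,20
exit
! Uplink to the router / L3 switch that does inter-VLAN routing. The 5424 is
! L2 only, so the A<->B isolation rule lives in the router's ACL, not here.
interface ethernet g24
 switchport mode trunk
 switchport trunk allowed vlan add 10,20,30
exit
```

Note that the backup server's tagged sub-interfaces on VLANs 10 and 20 make it a host on all three subnets, so it must not forward or bridge between those interfaces, or the A/B isolation is lost regardless of the router ACL.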