gvidals asked:

Dell Powerconnect VLAN setup for backup network

List the Dell Powerconnect CLI commands that would be entered to set up VLANs that meet the following requirements:

Switch: Dell Powerconnect 5424 - 24 port gigabit switch

Servers:
CompanyA: 10.10.10.100 (VLAN A) on switch port 1
CompanyB: 10.10.10.200 (VLAN B) on switch port 2
Backup: 10.10.10.300  on switch port 3

CompanyA should be isolated from CompanyB server.
CompanyB should be isolated from CompanyA server.
Backup server can backup both CompanyA and CompanyB servers.

By isolation I mean that the server cannot be accessed by other servers. For example, CompanyB and CompanyA servers cannot ping each other.


dbright5813 (United States of America):

Dell's site is being its characteristically slow self, so I'm still waiting for the CLI manual to download, but here's the answer to your homework problem ;)

For the server on port 3 to be able to talk to the other two servers without a router, it will need to have a NIC driver that can perform 802.1q tagging, and have a way to map each VLAN ID to the appropriate company's network.

hostname sw1

vlan database
vlan 101
vlan 102
exit

int vlan 101
name CompanyA
exit
int vlan 102
name CompanyB
exit

int eth g1
description CompanyA-Server
switchport mode customer
switchport customer vlan 101
exit
int eth g2
description CompanyB-Server
switchport mode customer
switchport customer vlan 102
exit
int eth g3
description Backup-server
switchport mode general
switchport general allowed vlan add 101
switchport general allowed vlan add 102
exit


Sorry, I'm waiting for the 54xx series' CLI manual to download. This solution is based on the 35xx series.
Fidelius:
One thing: all servers are in the same subnet. It won't work without NAT if you use different VLANs and a router, because a server can't have the same subnet on two interfaces.

What gvidals wants to achieve can be done with one VLAN and MAC access lists, but I can't find in the CLI guide how to apply MAC ACL to certain interface.
Sorry, it should be like this: It won't work without NAT and a router if you use different VLANs, because a server can't have the same subnet on two interfaces.
I agree it should have a router, or at least a NAT of some sort, however since the .300 address given for the backup server is out of range anyway, I'm assuming that the machines are on separate subnets, but the OP chose not to give them for whatever reason.
gvidals (ASKER):
There was an error since 10.10.10.300 is an illegal IP address. Instead, use 10.10.10.250.
gvidals (ASKER):
So the answers are mixed. Some say a router is necessary then and others say it is not necessary?

Correction:
Servers:
CompanyA: 10.10.10.100 (VLAN A) on switch port 1
CompanyB: 10.10.10.200 (VLAN B) on switch port 2
Backup: 10.10.10.250  on switch port 3
gvidals (ASKER):
It is acceptable to use MAC ACL if that will meet the objective of keeping CompanyA and CompanyB servers from having access to each other.

So if there is a solution using port security or MAC ACL, then please let me know the CLI commands to set it up.
Either solution will work, but the MAC ACL one is harder to maintain since you'll have to manually update the lists whenever a new device is added to the network.

Are the IP subnets etched in stone? It would be much easier to have the following setup:
Company A: 10.10.10.x /24
Company B: 10.10.20.x /24
Backup: 10.10.1.x /16
This is not good, because the Backup subnet overlaps with the Company A and Company B subnets.

The best solution is to have 3 different subnets and inter-VLAN routing with ACLs.
As the 5424 is an L2 switch, you will need an additional L3 switch or router. This solution is the most robust and scalable, and it follows best practice.

All other solutions will lead to problems over time as the network grows.
I was assuming that the overlap WAS desired, but yes, I agree that a router with ACLs is the preferred solution.
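Added example, written for this thread and not part of anyone's post or of Dell's documentation: it checks the addressing plans discussed above for overlap (the "10.10.1.x /16" backup subnet against the two company /24s, then the corrected three-/24 plan) and simulates why the single-subnet-across-VLANs design cannot work while the routed design with an ACL does. The VLAN IDs 101 and 102 come from the posted switch config; VLAN 103 for the backup VLAN, the host addresses, and the ACL itself are assumptions made for the example.

```python
"""Added example, not code from the thread: validate the three-subnet plan
for overlap and simulate the inter-VLAN ACL the thread recommends."""
import ipaddress
from dataclasses import dataclass

# Constructed from the plans discussed above. The "10.10.1.x /16" suggestion is
# written as 10.10.1.0/16 and parsed with strict=False, which gives 10.10.0.0/16.
OVERLAPPING_PLAN = {
    "CompanyA": "10.10.10.0/24",
    "CompanyB": "10.10.20.0/24",
    "Backup": "10.10.1.0/16",
}
CORRECTED_PLAN = {
    "CompanyA": "10.10.100.0/24",
    "CompanyB": "10.10.200.0/24",
    "Backup": "10.10.250.0/24",
}


def overlapping_pairs(plan):
    """Return every pair of names whose subnets overlap; a clean plan returns []."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source prefix (CIDR)
    dst: str     # destination prefix (CIDR)


# Assumed policy on the L3 switch or router doing inter-VLAN routing: the backup
# server may talk to both tenants (and they may answer), tenants never talk to
# each other. The final deny makes the implicit deny-all explicit.
ACL = [
    Rule("permit", "10.10.250.0/24", "10.10.100.0/24"),
    Rule("permit", "10.10.250.0/24", "10.10.200.0/24"),
    Rule("permit", "10.10.100.0/24", "10.10.250.0/24"),
    Rule("permit", "10.10.200.0/24", "10.10.250.0/24"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def permitted(acl, src_ip, dst_ip):
    """First-match evaluation, as router ACLs do; unmatched traffic is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            return rule.action == "permit"
    return False


# Hosts as (VLAN ID, interface address). VLAN IDs follow the posted switch config
# (101, 102) plus an assumed 103 for the backup VLAN; host octets follow the question.
HOSTS_ONE_SUBNET = {  # the original plan: one /24 spread over three VLANs
    "CompanyA": (101, "10.10.10.100/24"),
    "CompanyB": (102, "10.10.10.200/24"),
    "Backup": (103, "10.10.10.250/24"),
}
HOSTS_ROUTED = {  # the corrected plan: one /24 per VLAN
    "CompanyA": (101, "10.10.100.100/24"),
    "CompanyB": (102, "10.10.200.200/24"),
    "Backup": (103, "10.10.250.250/24"),
}


def can_reach(hosts, acl, src_name, dst_name):
    """Can src send an IP packet to dst, given VLAN membership and the router ACL?"""
    src_vlan, src_if = hosts[src_name]
    dst_vlan, dst_if = hosts[dst_name]
    src, dst = ipaddress.ip_interface(src_if), ipaddress.ip_interface(dst_if)
    if dst.ip in src.network:
        # Same subnet: the source ARPs for the destination directly. The frame stays
        # inside the source VLAN and never reaches the router, so the ACL is never
        # consulted; delivery works only if both hosts share the VLAN.
        return src_vlan == dst_vlan
    # Different subnets: the packet goes to the default gateway (the routing device),
    # which applies the ACL before forwarding into the destination VLAN.
    return permitted(acl, str(src.ip), str(dst.ip))


def reachability_matrix(hosts, acl):
    """Every ordered (src, dst) pair that can communicate under this design."""
    return sorted((s, d) for s in hosts for d in hosts
                  if s != d and can_reach(hosts, acl, s, d))
```

With the one-subnet plan the matrix comes out empty: nothing can reach anything, and no ACL on the router can change that because the traffic never gets there. With the routed plan only the four Backup-to-tenant and tenant-to-Backup pairs survive. The two reverse permits are what let replies through on a stateless ACL; a stateful firewall between the VLANs would need only the two Backup-initiated rules.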
gvidals (ASKER):
> I was assuming that the overlap WAS desired, but yes, I agree that a router with ACLs is the preferred solution.

Are you saying it should be three distinct subnets like so?

CompanyA: 10.10.100.0/24
CompanyB: 10.10.200.0/24
Backup Server: 10.10.300.0/24

What does the network topology look like now that the solution has evolved to include two switches???
Which switch is configured with the inter-vlan routing?

gvidals (ASKER):
Sorry, same mistake. I meant:

CompanyA: 10.10.100.0/24
CompanyB: 10.10.200.0/24
Backup Server: 10.10.250.0/24
ASKER CERTIFIED SOLUTION
Fidelius (Croatia):
This solution is only available to members.
Ideally yes. The purpose of VLANs is to separate traffic between devices on the same physical LAN.

By definition, devices on one VLAN cannot normally speak to each other without help from a router or L3 switch.

I'm assuming you'd like to have the backup server be able to talk to the servers on the other subnets without going through a router. This is possible, but requires either a NIC that supports VLAN tagging (802.1q) or else a separate NIC for each VLAN.

For either solution to work, each network connection on the backup server needs to belong to a different IP subnet.

I hadn't had my coffee when I recommended using an overlapping network mask on the Backup server, but Fidelius noted the mistake.
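Added example, not from any post in this thread: it builds and parses 802.1Q-tagged Ethernet frames, which is what a VLAN-capable NIC (or one subinterface per VLAN) on the backup server has to send and receive to sit on both company VLANs over a single cable. VLAN IDs 101 and 102 and their names come from the switch config posted earlier; the MAC addresses and the dummy IPv4 payload are constructed for the example.

```python
"""Added example, not code from the thread: build and parse 802.1Q-tagged Ethernet
frames, the tagging a VLAN-aware NIC on the backup server must handle."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
# VLAN IDs and names taken from the switch configuration posted earlier.
VLAN_TENANT = {101: "CompanyA", 102: "CompanyB"}


def _mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC: %r" % text)
    return bytes(int(p, 16) for p in parts)


def build_frame(dst_mac, src_mac, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; when vid is given a 4-byte 802.1Q tag is inserted
    between the source MAC and the EtherType (TPID 0x8100, then PCP/DEI/VID)."""
    header = _mac(dst_mac) + _mac(src_mac)
    if vid is not None:
        if not 1 <= vid <= 4094:          # 0 and 4095 are reserved
            raise ValueError("VID out of range")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP out of range")
        tci = (pcp << 13) | vid           # DEI bit (bit 12) left clear
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode dst/src MACs, optional 802.1Q tag, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid, pcp = 14, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def tenant_for_frame(frame):
    """Which tenant's VLAN did this frame arrive on? Untagged frames and unknown
    VIDs return None, so nothing is ever attributed to a tenant by accident."""
    return VLAN_TENANT.get(parse_frame(frame)["vid"])


# Constructed sample: a frame from the CompanyA server's MAC (assumed address),
# tagged with VLAN 101, carrying a dummy IPv4 payload; and the same frame untagged.
SAMPLE_TAGGED = build_frame("00:11:22:33:44:55", "00:0c:29:aa:bb:01",
                            ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18, vid=101)
SAMPLE_UNTAGGED = build_frame("00:11:22:33:44:55", "00:0c:29:aa:bb:01",
                              ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18)
```

On the wire the only difference is the four bytes `81 00 00 65` after the source MAC (0x65 is VID 101). The switch's general/trunk port on port 3 keeps that tag when forwarding to the backup server, so the server can tell which company's VLAN a frame came from; an untagged frame arriving there belongs to the port's native VLAN and is deliberately not mapped to either tenant.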