Dell Powerconnect VLAN setup for backup network

Posted on 2011-05-07
Last Modified: 2012-06-27
List the Dell Powerconnect CLI commands that would be entered to set up VLANS that meet the following requirements:

Switch: Dell Powerconnect 5424 - 24 port gigabit switch

Servers:
CompanyA: 10.10.10.100 (VLAN A) on switch port 1
CompanyB: 10.10.10.200 (VLAN B) on switch port 2
Backup: 10.10.10.300  on switch port 3

CompanyA should be isolated from CompanyB server.
CompanyB should be isolated from CompanyA server.
Backup server can backup both CompanyA and CompanyB servers.

By isolation I mean that the server cannot be accessed by the other servers. For example, the CompanyB and CompanyA servers cannot ping each other.


Question by:gvidals
15 Comments
 
LVL 4

Expert Comment

by:dbright5813
ID: 35716736
Dell's site is being its characteristically slow self, so I'm still waiting for the CLI manual to download, but here's the answer to your homework problem ;)

For the server on port 3 to be able to talk to the other two servers without a router, it will need to have a NIC driver that can perform 802.1q tagging, and have a way to map each VLAN ID to the appropriate company's network.

hostname sw1

vlan database
vlan 101
vlan 102
exit

int vlan 101
name CompanyA
exit
int vlan 102
name CompanyB
exit

int eth g1
description CompanyA-Server
switchport mode customer
switchport customer vlan 101
exit
int eth g2
description CompanyB-Server
switchport mode customer
switchport customer vlan 102
exit
int eth g3
description Backup-server
switchport mode general
switchport general allowed vlan add 101
switchport general allowed vlan add 102
exit

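To see what the posted configuration actually enforces at layer 2, here is an added example (not part of the thread and not Dell's tooling) that parses the config above into a port-to-VLAN map and checks the stated policy: g1 and g2 must share no VLAN, g3 must share one with each. It assumes the 35xx-style syntax as posted (`switchport customer vlan`, `switchport general allowed vlan add`); the config text is a constructed copy of the post, and the helper names are mine.

```python
"""Added example: parse a PowerConnect-style config (syntax as posted in the
thread, assumed) into port -> VLAN membership and check L2 isolation."""
import re

# Constructed copy of the configuration posted above.
CONFIG = """\
hostname sw1
vlan database
vlan 101
vlan 102
exit
int vlan 101
name CompanyA
exit
int vlan 102
name CompanyB
exit
int eth g1
description CompanyA-Server
switchport mode customer
switchport customer vlan 101
exit
int eth g2
description CompanyB-Server
switchport mode customer
switchport customer vlan 102
exit
int eth g3
description Backup-server
switchport mode general
switchport general allowed vlan add 101
switchport general allowed vlan add 102
exit
"""


def parse_port_vlans(config: str) -> dict:
    """Return {port: set(VLAN IDs)} collected from 'int eth ...' stanzas.

    Handles only the forms used in the posted config plus 'access vlan':
    'switchport customer vlan N', 'switchport access vlan N',
    'switchport general allowed vlan add N[,N...]'.
    """
    ports = {}
    port = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"int(?:erface)?\s+eth(?:ernet)?\s+(\S+)$", line)
        if m:  # entering a physical-port stanza
            port = m.group(1)
            ports.setdefault(port, set())
            continue
        if line == "exit":  # leaving whatever stanza we were in
            port = None
            continue
        if port is None:  # vlan database / int vlan stanzas: ignore
            continue
        m = re.match(r"switchport (?:customer|access) vlan (\d+)$", line)
        if m:
            ports[port].add(int(m.group(1)))
            continue
        m = re.match(r"switchport general allowed vlan add ([\d,]+)", line)
        if m:
            ports[port].update(int(v) for v in m.group(1).split(","))
    return ports


def l2_reachable(ports: dict, a: str, b: str) -> bool:
    """Two ports share a broadcast domain if they have any VLAN in common."""
    return bool(ports[a] & ports[b])


def check_isolation(ports: dict, isolated_pairs, must_reach) -> list:
    """Return human-readable policy violations; an empty list means OK."""
    problems = []
    for a, b in isolated_pairs:
        if l2_reachable(ports, a, b):
            shared = sorted(ports[a] & ports[b])
            problems.append(f"{a} and {b} share VLAN(s) {shared}")
    for a, b in must_reach:
        if not l2_reachable(ports, a, b):
            problems.append(f"{a} cannot reach {b} at layer 2")
    return problems


if __name__ == "__main__":
    membership = parse_port_vlans(CONFIG)
    print(membership)
    print(check_isolation(membership, [("g1", "g2")],
                          [("g3", "g1"), ("g3", "g2")]))
```

Sharing a VLAN only says the frames can arrive; it says nothing about IP reachability, which is the point Fidelius raises next: with all three servers in 10.10.10.0/24, the backup host cannot carry that one subnet on two tagged sub-interfaces.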
LVL 4

Expert Comment

by:dbright5813
ID: 35716739
Sorry, I'm waiting for the 54xx series' CLI manual to download. This solution is based on the 35xx series.
LVL 12

Expert Comment

by:Fidelius
ID: 35716792
One thing: all servers are in the same subnet. It won't work without NAT if you use different VLANs and a router, because a server can't have the same subnet on two interfaces.

What gvidals wants to achieve can be done with one VLAN and MAC access lists, but I can't find in the CLI guide how to apply MAC ACL to certain interface.
LVL 12

Expert Comment

by:Fidelius
ID: 35716800
Sorry, it should be like this: it won't work without NAT and a router if you use different VLANs, because a server can't have the same subnet on two interfaces.
LVL 4

Expert Comment

by:dbright5813
ID: 35717170
I agree it should have a router, or at least a NAT of some sort, however since the .300 address given for the backup server is out of range anyway, I'm assuming that the machines are on separate subnets, but the OP chose not to give them for whatever reason.
Author Comment

by:gvidals
ID: 35717675
There was an error since 10.10.10.300 is an illegal IP address. Instead, use 10.10.10.250.
Author Comment

by:gvidals
ID: 35717706
So the answers are mixed. Some say a router is necessary then and others say it is not necessary?

Correction:
Servers:
CompanyA: 10.10.10.100 (VLAN A) on switch port 1
CompanyB: 10.10.10.200 (VLAN B) on switch port 2
Backup: 10.10.10.250  on switch port 3
Author Comment

by:gvidals
ID: 35717720
It is acceptable to use MAC ACL if that will meet the objective of keeping CompanyA and CompanyB servers from having access to each other.

So if there is a solution using port security or MAC ACL, then please let me know the CLI commands to set it up.
LVL 4

Expert Comment

by:dbright5813
ID: 35720441
Either solution will work, but the MAC ACL one is harder to maintain since you'll have to manually update the lists whenever a new device is added to the network.

Are the IP subnets etched in stone? It would be much easier to have the following setup:
Company A: 10.10.10.x /24
Company B: 10.10.20.x /24
Backup: 10.10.1.x /16
LVL 12

Expert Comment

by:Fidelius
ID: 35720875
This is not good, because the Backup subnet overlaps with the Company A and Company B subnets.

The best solution is to have 3 different subnets and inter-VLAN routing with ACLs.
As the 5424 is an L2 switch, you will need an additional L3 switch or router. This solution is the most robust and scalable, and it follows best practice.

All other solutions will lead to problems over time as the network grows.
LVL 4

Expert Comment

by:dbright5813
ID: 35721215
I was assuming that the overlap WAS desired, but yes, I agree that a router with ACLs is the preferred solution.
Author Comment

by:gvidals
ID: 35721812
I was assuming that the overlap WAS desired, but yes, I agree that a router with ACLs is the preferred solution.

Are you saying it should be three distinct subnets like so?

CompanyA: 10.10.100.0/24
CompanyB: 10.10.200.0/24
Backup Server: 10.10.300.0/24

What does the network topology look like now that the solution has evolved to include two switches???
Which switch is configured with the inter-vlan routing?
Author Comment

by:gvidals
ID: 35721830
Sorry, same mistake. I meant:

CompanyA: 10.10.100.0/24
CompanyB: 10.10.200.0/24
Backup Server: 10.10.250.0/24
LVL 12

Accepted Solution

by:
Fidelius earned 2000 total points
ID: 35723237
Yes, it should be 3 distinct subnets, like you wrote.

You have a few options for topology:

1. option: current L2 switch with a router; the router does inter-VLAN routing
2. option: current L2 switch with an L3 switch; the L3 switch does inter-VLAN routing
3. option: L3 switch alone; the L3 switch does inter-VLAN routing

The PowerConnect 5424 is an L2 switch; it can't do inter-VLAN routing.
An example of an L3 switch is the Dell PowerConnect 62xx series.

The topology is simple:
- for the first two options you connect the hosts to the L2 switch (untagged ports) and connect the L2 switch to either the router or the L3 switch with a trunk (an interface with tagged VLANs).
- in the third option you do everything on one switch.

Regards!
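The accepted answer (three subnets, inter-VLAN routing with ACLs on the router or L3 switch) and the earlier overlap objection can both be checked before anything is configured. The following is an added example, not code from the thread or from Dell: it takes the corrected addressing plan, flags any overlapping subnets (using the rejected /16 proposal as the negative case), and simulates a first-match ACL with implicit deny, which is the usual semantics on routers and L3 switches and is assumed here. Subnet names, host addresses and the ACL itself are constructed for the example; the rule list is what the stated policy implies, including the return-path permits a stateless ACL needs.

```python
"""Added example: overlap check for the three-subnet plan and a simulation of
the inter-VLAN ACL on the router / L3 switch (first match wins, implicit
deny assumed)."""
from ipaddress import IPv4Address, IPv4Network

# Constructed from the corrected plan in the thread.
SUBNETS = {
    "CompanyA": IPv4Network("10.10.100.0/24"),
    "CompanyB": IPv4Network("10.10.200.0/24"),
    "Backup": IPv4Network("10.10.250.0/24"),
}

# The earlier proposal that Fidelius rejected: Backup as a /16 covering both.
OVERLAPPING_PLAN = {
    "CompanyA": IPv4Network("10.10.10.0/24"),
    "CompanyB": IPv4Network("10.10.20.0/24"),
    "Backup": IPv4Network("10.10.0.0/16"),
}

# ACL as (src subnet name, dst subnet name, action). Order matters: the
# first matching entry decides, and anything unmatched is denied. The
# reverse permits exist because a stateless ACL sees replies as new flows.
ACL = [
    ("Backup", "CompanyA", "permit"),
    ("CompanyA", "Backup", "permit"),
    ("Backup", "CompanyB", "permit"),
    ("CompanyB", "Backup", "permit"),
    ("CompanyA", "CompanyB", "deny"),   # explicit, so it can be logged
    ("CompanyB", "CompanyA", "deny"),
]

# Constructed sample hosts and the policy the question states.
REQUIREMENTS = [
    ("10.10.250.10", "10.10.100.100", "permit"),   # backup -> CompanyA
    ("10.10.250.10", "10.10.200.200", "permit"),   # backup -> CompanyB
    ("10.10.100.100", "10.10.200.200", "deny"),    # CompanyA -> CompanyB
    ("10.10.200.200", "10.10.100.100", "deny"),    # CompanyB -> CompanyA
]


def overlapping_pairs(plan: dict) -> list:
    """Return name pairs whose subnets overlap; a router cannot route
    unambiguously between overlapping prefixes."""
    names = sorted(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].overlaps(plan[b])]


def acl_decision(plan: dict, acl: list, src: str, dst: str) -> str:
    """Evaluate one flow against the ACL with first-match semantics."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    for s, d, action in acl:
        if src_ip in plan[s] and dst_ip in plan[d]:
            return action
    return "deny"  # implicit deny at the end of the list


def verify_policy(plan: dict, acl: list, requirements: list) -> list:
    """Return (src, dst, expected, actual) for every requirement the ACL
    fails to meet; an empty list means the policy is satisfied."""
    failures = []
    for src, dst, expected in requirements:
        actual = acl_decision(plan, acl, src, dst)
        if actual != expected:
            failures.append((src, dst, expected, actual))
    return failures


if __name__ == "__main__":
    print("overlaps in corrected plan:", overlapping_pairs(SUBNETS))
    print("overlaps in rejected plan:", overlapping_pairs(OVERLAPPING_PLAN))
    print("policy failures:", verify_policy(SUBNETS, ACL, REQUIREMENTS))
```

Dropping either return-path permit makes `verify_policy` report the backup flow as denied, which is the usual way this design fails in practice: the backup job connects, the reply is dropped by the ACL on the way back, and the symptom looks like a VLAN problem rather than an ACL one.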
LVL 4

Expert Comment

by:dbright5813
ID: 35723288
Ideally yes. The purpose of VLANs is to separate traffic between devices on the same physical LAN.

By definition, devices on one VLAN cannot normally speak to each other without help from a router or L3 switch.

I'm assuming you'd like to have the backup server be able to talk to the servers on the other subnets without going through a router. This is possible, but requires either a NIC that supports VLAN tagging (802.1q) or else a separate NIC for each VLAN.

For either solution to work, each network connection on the backup server needs to belong to a different IP subnet.

I hadn't had my coffee when I recommended using an overlapping network mask on the Backup server, but Fidelius noted the mistake.