Solved

Internal VLAN routing on dell switches

Posted on 2016-10-03
27 Views
Last Modified: 2016-11-27
Hi guys, I have a few new switches that I want to configure VLAN routing between. They are Dell N3048P.

Basically I want VLAN 110 to be able to access machines on 120, but not the other way around.

Hopefully it's something small and stupid I have missed, but here is my running config. With the below config nothing is pinging / allowing traffic in either direction.

Thanks in advance for any help.

console#show running-config

!Current Configuration:
!System Description "Dell Networking N3048P, 6.1.1.7, Linux 3.6.5-601418a5"
!System Software Version 6.1.1.7
!
configure
vlan 105
name "105"
exit
vlan 110
name "110"
vlan association subnet 192.168.110.0 255.255.255.0
exit
vlan 120
name "120"
vlan association subnet 192.168.120.0 255.255.255.0
exit
vlan 130
name "130"
exit
vlan 105,110,120,130
exit
slot 1/0 7    ! Dell Networking N3048P
slot 2/0 7    ! Dell Networking N3048P
slot 3/0 7    ! Dell Networking N3048P
slot 4/0 7    ! Dell Networking N3048P
slot 5/0 7    ! Dell Networking N3048P
stack
member 1 5    ! N3048P
member 2 5    ! N3048P
member 3 5    ! N3048P
member 4 5    ! N3048P
member 5 5    ! N3048P
exit
interface out-of-band
ip address 192.168.90.20 255.255.255.0 0.0.0.0
exit
ip access-list test
permit ip 192.168.110.0 0.0.0.255 192.168.120.0 0.0.0.255
deny ip 192.168.120.0 0.0.0.255 192.168.110.0 0.0.0.255
exit
ip routing
interface vlan 1
exit
interface vlan 110
ip address 192.168.110.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip access-group test out 1
exit
interface vlan 120
ip address 192.168.120.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
ip access-group test in 1
exit
interface vlan 130
ip address 192.168.130.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
exit
admin-profile usernameadmin
exit
username "admin" password 4e5a1a5d21c2d8adb6d7fbc15c24f719 privilege 15 encrypted
!
interface Gi1/0/1
switchport general pvid 110
exit
!
interface Gi1/0/4
switchport general pvid 110
switchport general allowed vlan add 110
switchport access vlan 110
exit
!
interface Gi1/0/5
switchport general pvid 120
switchport general allowed vlan add 120
switchport access vlan 120
exit
snmp-server engineid local 800002a203f8b15682d725
exit

console#
console#
Question by:CaptainGiblets
8 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41827195
Are the permit and deny IP subnet masks supposed to be 0.0.0.255? Shouldn't it be 255.255.255.0?
 
LVL 37

Accepted Solution

by:ArneLovius
ArneLovius earned 250 total points (awarded by participants)
ID: 41827290
The ACLs are stateless, so with no concept of a session, or "established", your ACL is blocking the reply.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41827293
Arne, so you're saying a switch only does stateless inspection, so the VLAN interface needs to be on a firewall for this sort of one-way blocking?
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points (awarded by participants)
ID: 41827494
The ACLs are stateless.

http://downloads.dell.com/manuals/common/networking_nxxug_en-us.pdf

Page 638

Also, once an access group is configured on an interface, all traffic not specifically permitted by an ACL is dropped by the implicit deny all the system supplies at the end of the last configured access group.

It is, however, possible to cheat.

Page 682

ACLs support TCP flags. If multiple flags are set (+flag) in a single rule, only packets with all the same flags asserted are matched (logical AND). Likewise, if multiple flags are cleared (–flag) in a single rule, only packets with the same flags cleared are matched. The established keyword matches TCP packets with either the RST or ACK bits set (logical OR).

The above method however "trusts" the network, and is therefore NOT secure, as packets that would normally be dropped can be created that would go through the ACL.

In comparison, a Cisco ASA has a session state table, which you can see with the command "show conn". Having a session state table means that the ASA does not need to "trust" the network.
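Added example, not code from this thread or from Dell: a small Python model of a stateless ACL that makes Arne's diagnosis concrete. It evaluates the ACL named `test` from the running config above, and a variant using the `established` match the manual describes, against a constructed TCP handshake and a ping between a 110 host and a 120 host. The host addresses, the packet sequence and the `Rule`/`Packet` classes are constructed for the example; the model evaluates one ACL per packet and ignores which SVI and direction the access-group is bound to.

```python
# Added example, not code from the thread or from Dell: a minimal model of a
# stateless ACL, showing why ACL "test" drops the reply traffic and what the
# "established" match from the Dell manual changes. Host addresses and the
# packet sequence are constructed; the model evaluates one ACL per packet
# and ignores which SVI/direction the access-group is bound to.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "icmp"
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # source network in CIDR form
    dst: str                    # destination network in CIDR form
    established: bool = False   # TCP with ACK or RST set (manual, p. 682)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.established:
            return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})
        return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching rule wins; unmatched traffic hits the implicit deny (manual, p. 638)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# ACL "test" as posted: wildcard 0.0.0.255 is the /24 in CIDR form
ORIGINAL = [
    Rule("permit", "ip", "192.168.110.0/24", "192.168.120.0/24"),
    Rule("deny", "ip", "192.168.120.0/24", "192.168.110.0/24"),
]

# The "cheat": 120 -> 110 is allowed only for TCP segments carrying ACK or RST
WITH_ESTABLISHED = [
    Rule("permit", "tcp", "192.168.110.0/24", "192.168.120.0/24"),
    Rule("permit", "tcp", "192.168.120.0/24", "192.168.110.0/24", established=True),
]

# Constructed traffic between a 110 host and a 120 host
H110, H120 = "192.168.110.50", "192.168.120.10"
TRAFFIC = {
    "tcp_syn_110_to_120": Packet(H110, H120, "tcp", frozenset({"SYN"})),
    "tcp_synack_120_to_110": Packet(H120, H110, "tcp", frozenset({"SYN", "ACK"})),
    "tcp_syn_120_to_110": Packet(H120, H110, "tcp", frozenset({"SYN"})),
    # ACK set but no session behind it: a stateless ACL cannot tell this
    # from a real reply, which is the "trusts the network" caveat
    "tcp_ack_no_session_120_to_110": Packet(H120, H110, "tcp", frozenset({"ACK"})),
    "icmp_echo_110_to_120": Packet(H110, H120, "icmp"),
    "icmp_reply_120_to_110": Packet(H120, H110, "icmp"),
}


def trace(acl: list) -> dict:
    """Return the verdict for every constructed packet under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("established", WITH_ESTABLISHED)):
        for name, verdict in trace(acl).items():
            print(f"{label:12} {name:32} {verdict}")
```

Three things the trace makes visible. Under the posted ACL the SYN-ACK from 120 back to 110 is dropped, so even the permitted direction never completes a handshake. ICMP echo replies are dropped under both ACLs, because `established` only has meaning for TCP, so ping is the wrong tool for testing this setup. And the `tcp_ack_no_session_120_to_110` row is Arne's caveat: a segment with ACK set is passed whether or not a session exists behind it, which is exactly what a device with a session state table would refuse.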
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 41827604
Hi Arne, I know it might be asking a bit much, but is there any chance you can show me an example of how you would use the cheat method?

Unfortunately I am mainly a Windows admin, so I can do OK with basic switching / routing, but the rest of it is a bit of a learning curve for me.
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 250 total points (awarded by participants)
ID: 41828086
What's your firewall? Probably easier to just put the interfaces there.
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 41828090
My firewall is only a Dell SonicWall NSA2600, which means it only has 1Gb connections.

One of the main goals of the switches is to do all the internal domain stuff through the switches rather than have to send all our traffic over a 1Gb line.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41902925
ACLs are stateless.
