Solved

Internal VLAN routing on dell switches

Posted on 2016-10-03
Last Modified: 2016-11-27
Hi guys, I have a few new switches that I want to configure VLAN routing between. They are Dell N3048Ps.

Basically I want VLAN 110 to be able to access machines on 120, but not the other way around.

Hopefully it's something small and stupid I have missed, but here is my running config. With the below config nothing is pinging / allowing traffic in either direction.

Thanks in advance for any help.

console#show running-config

!Current Configuration:
!System Description "Dell Networking N3048P, 6.1.1.7, Linux 3.6.5-601418a5"
!System Software Version 6.1.1.7
!
configure
vlan 105
name "105"
exit
vlan 110
name "110"
vlan association subnet 192.168.110.0 255.255.255.0
exit
vlan 120
name "120"
vlan association subnet 192.168.120.0 255.255.255.0
exit
vlan 130
name "130"
exit
vlan 105,110,120,130
exit
slot 1/0 7    ! Dell Networking N3048P
slot 2/0 7    ! Dell Networking N3048P
slot 3/0 7    ! Dell Networking N3048P
slot 4/0 7    ! Dell Networking N3048P
slot 5/0 7    ! Dell Networking N3048P
stack
member 1 5    ! N3048P
member 2 5    ! N3048P
member 3 5    ! N3048P
member 4 5    ! N3048P
member 5 5    ! N3048P
exit
interface out-of-band
ip address 192.168.90.20 255.255.255.0 0.0.0.0
exit
ip access-list test
permit ip 192.168.110.0 0.0.0.255 192.168.120.0 0.0.0.255
deny ip 192.168.120.0 0.0.0.255 192.168.110.0 0.0.0.255
exit
ip routing
interface vlan 1
exit
interface vlan 110
ip address 192.168.110.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip access-group test out 1
exit
interface vlan 120
ip address 192.168.120.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
ip access-group test in 1
exit
interface vlan 130
ip address 192.168.130.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
exit
admin-profile usernameadmin
exit
username "admin" password 4e5a1a5d21c2d8adb6d7fbc15c24f719 privilege 15 encrypted
!
interface Gi1/0/1
switchport general pvid 110
exit
!
interface Gi1/0/4
switchport general pvid 110
switchport general allowed vlan add 110
switchport access vlan 110
exit
!
interface Gi1/0/5
switchport general pvid 120
switchport general allowed vlan add 120
switchport access vlan 120
exit
snmp-server engineid local 800002a203f8b15682d725
exit

Question by:CaptainGiblets
8 Comments
 

Expert Comment

by:Aaron Tomosky
Are the permit and deny IP subnet masks supposed to be 0.0.0.255? Shouldn't it be 255.255.255.0?
 

Accepted Solution

by: ArneLovius (earned 250 total points, awarded by participants)
The ACLs are stateless, so with no concept of a session or "established", your ACL is blocking the reply.
 

Expert Comment

by:Aaron Tomosky
Arne, so you're saying a switch only does stateless inspection, so the VLAN interface needs to be on a firewall for this sort of one-way blocking?
 

Assisted Solution

by: ArneLovius (earned 250 total points, awarded by participants)
The ACLs are stateless.

http://downloads.dell.com/manuals/common/networking_nxxug_en-us.pdf

Page 638

Also, once an access group is configured on an interface, all traffic not specifically permitted by an ACL is dropped by the implicit deny all the system supplies at the end of the last configured access group

It is however possible to cheat

Page 682

ACLs support TCP flags. If multiple flags are set (+flag) in a single rule, only packets with all the same flags asserted are matched (logical AND). Likewise, if multiple flags are cleared (–flag) in a single rule, only packets with the same flags cleared are matched. The established keyword matches TCP packets with either the RST or ACK bits set (logical OR).

The above method however "trusts" the network, and is therefore NOT secure, as packets that would normally be dropped can be created that would go through the ACL.

In comparison, a Cisco ASA has a session state table, which you can see with the command "show conn". Having a session state table means that the ASA does not need to "trust" the network

 

Author Comment

by:CaptainGiblets
Hi Arne, I know it might be asking a bit much, but is there any chance you can show me an example of how you would use the cheat method?

Unfortunately I am mainly a Windows admin, so I can do OK with basic switching / routing, but the rest of it is a bit of a learning curve for me.
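The "cheat" Arne describes, written out as an added example; this is not configuration from the original post, from a participant, or from Dell's documentation. It replaces the two-way application of the `test` ACL with a single ingress ACL on VLAN 120, using the `established` flag match quoted above so that TCP replies from 120 back to 110 pass while new TCP connections from 120 to 110 cannot be opened. Assumptions: the addressing from the original config (192.168.110.0/24 and 192.168.120.0/24), the ACL name `vlan120-in` (my choice), and the N-series command form `permit <protocol> <src> <wildcard> <dst> <wildcard> flag established` as given in the CLI reference; confirm each line with `?` on your own firmware before committing, and drop the `!` comment lines if your CLI rejects them. The ACL is applied only inbound on VLAN 120 because the switch is the router for both VLANs, so every packet a 120 host sends towards 110 is seen there; the `test out` binding on VLAN 110 then does nothing useful and is removed.

```text
! Added example: one-way policy enforced at ingress on VLAN 120.
! Addresses are those of the original post; the ACL name is an assumption.
configure
ip access-list vlan120-in
 ! TCP replies to sessions that a 110 host opened: ACK or RST set ("established").
 permit tcp 192.168.120.0 0.0.0.255 192.168.110.0 0.0.0.255 flag established
 ! ICMP carries no session flags, so ping replies need their own permit.
 ! Note this also lets 120 hosts ping 110; narrow it (e.g. to echo-reply only)
 ! if your firmware accepts an icmp-type option on this rule.
 permit icmp 192.168.120.0 0.0.0.255 192.168.110.0 0.0.0.255
 ! Anything else sourced from 120 towards 110 (new TCP, UDP, ...) is dropped.
 deny ip 192.168.120.0 0.0.0.255 192.168.110.0 0.0.0.255
 ! Without this final permit, the implicit deny at the end of the access group
 ! would also cut VLAN 120 off from VLAN 130 and everything else.
 permit ip any any
exit
interface vlan 110
 ! The old outbound binding is redundant once 120 is filtered at ingress.
 no ip access-group test out
exit
interface vlan 120
 no ip access-group test in
 ip access-group vlan120-in in
exit
exit
```

After applying it, test from both sides: a ping and a TCP connection (RDP, SMB, HTTP) from a 110 host to a 120 host should succeed, the same from 120 to 110 should fail, and `show ip access-lists vlan120-in` should show the rules as entered. Two caveats follow directly from Arne's comment: UDP request/response traffic from 110 to 120 (DNS, NTP and similar) is not covered, because UDP has no flags to key on, so any such reply needs its own explicit permit; and the `established` rule only checks that ACK or RST is set, so a host on 120 can craft packets with ACK set (an ACK scan, for instance) and they will pass this ACL. That is the "trusting the network" weakness Arne points out, and it is exactly what a stateful device such as the ASA or the SonicWall avoids by tracking the real session.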
 

Assisted Solution

by: Aaron Tomosky (earned 250 total points, awarded by participants)
What's your firewall? Probably easier to just put the interfaces there.
 

Author Comment

by:CaptainGiblets
My firewall is only a Dell SonicWall NSA 2600, which means it only has 1 Gb connections.

One of the main goals of the switches is to do all the internal domain stuff through the switches rather than having to send all our traffic over a 1 Gb line.
 

Expert Comment

by:Aaron Tomosky
ACLs are stateless.
