Internal VLAN routing on dell switches

Posted on 2016-10-03
Last Modified: 2016-11-27
Hi guys, I have a few new switches that I want to configure VLAN routing between. They are Dell N3048P.

Basically I want VLAN 110 to be able to access machines on 120, but not the other way around.

Hopefully it's something small and stupid I have missed, but here is my running config. With the config below nothing is pinging / allowing traffic in either direction.

Thanks in advance for any help.

console#show running-config

!Current Configuration:
!System Description "Dell Networking N3048P, 6.1.1.7, Linux 3.6.5-601418a5"
!System Software Version 6.1.1.7
!
configure
vlan 105
name "105"
exit
vlan 110
name "110"
vlan association subnet 192.168.110.0 255.255.255.0
exit
vlan 120
name "120"
vlan association subnet 192.168.120.0 255.255.255.0
exit
vlan 130
name "130"
exit
vlan 105,110,120,130
exit
slot 1/0 7    ! Dell Networking N3048P
slot 2/0 7    ! Dell Networking N3048P
slot 3/0 7    ! Dell Networking N3048P
slot 4/0 7    ! Dell Networking N3048P
slot 5/0 7    ! Dell Networking N3048P
stack
member 1 5    ! N3048P
member 2 5    ! N3048P
member 3 5    ! N3048P
member 4 5    ! N3048P
member 5 5    ! N3048P
exit
interface out-of-band
ip address 192.168.90.20 255.255.255.0 0.0.0.0
exit
ip access-list test
permit ip 192.168.110.0 0.0.0.255 192.168.120.0 0.0.0.255
deny ip 192.168.120.0 0.0.0.255 192.168.110.0 0.0.0.255
exit
ip routing
interface vlan 1
exit
interface vlan 110
ip address 192.168.110.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip access-group test out 1
exit
interface vlan 120
ip address 192.168.120.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
ip access-group test in 1
exit
interface vlan 130
ip address 192.168.130.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
exit
admin-profile usernameadmin
exit
username "admin" password 4e5a1a5d21c2d8adb6d7fbc15c24f719 privilege 15 encrypted
!
interface Gi1/0/1
switchport general pvid 110
exit
!
interface Gi1/0/4
switchport general pvid 110
switchport general allowed vlan add 110
switchport access vlan 110
exit
!
interface Gi1/0/5
switchport general pvid 120
switchport general allowed vlan add 120
switchport access vlan 120
exit
snmp-server engineid local 800002a203f8b15682d725
exit
Question by:CaptainGiblets
8 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41827195
Are the permit and deny IP subnet masks supposed to be 0.0.0.255? Shouldn't it be 255.255.255.0?
LVL 37

Accepted Solution

by:
ArneLovius earned 1000 total points (awarded by participants)
ID: 41827290
The ACLs are stateless, so with no concept of a session, or "established", your ACL is blocking the reply.
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41827293
Arne, so you're saying a switch only does stateless inspection so the vlan interface needs to be on a firewall for this sort of 1 way blocking?
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 1000 total points (awarded by participants)
ID: 41827494
The ACLs are stateless.

http://downloads.dell.com/manuals/common/networking_nxxug_en-us.pdf

Page 638

Also, once an access group is configured on an interface, all traffic not specifically permitted by an ACL is dropped by the implicit deny all the system supplies at the end of the last configured access group

It is however possible to cheat

Page 682

ACLs support TCP flags. If multiple flags are set (+flag) in a single rule, only packets with all the same flags asserted are matched (logical AND). Likewise, if multiple flags are cleared (-flag) in a single rule, only packets with the same flags cleared are matched. The established keyword matches TCP packets with either the RST or ACK bits set (logical OR).

The above method however "trusts" the network, and is therefore NOT secure, as packets that would normally be dropped can be created that would go through the ACL.

In comparison, a Cisco ASA has a session state table, which you can see with the command "show conn". Having a session state table means that the ASA does not need to "trust" the network.
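To make the two points in the accepted answer and the follow-up concrete (a stateless ACL drops the reply to a permitted connection, and the established "cheat" lets the reply through only by also letting unsolicited packets through), here is an added example that is not part of the original thread and not Dell or Cisco code. It is a small Python simulator that evaluates constructed TCP packets against three policies: the ACL as posted, the same ACL with a rule using the established keyword Arne quotes, and a minimal connection-tracking filter of the kind the ASA's session table provides. Hosts and flags are constructed sample data; the wildcard masks are taken in the form the posted ACL uses; interface direction (in/out) is ignored and every packet is treated as routed between VLAN 110 and VLAN 120.

```python
"""Stateless ACL vs. stateful filtering between two VLANs (added example)."""
from dataclasses import dataclass
import ipaddress

VLAN110 = "192.168.110.0 0.0.0.255"   # network + wildcard mask, as in the posted ACL
VLAN120 = "192.168.120.0 0.0.0.255"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    flags: frozenset = frozenset()      # subset of {"syn", "ack", "rst", "fin"}


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches any protocol
    src: str                            # "network wildcard"
    dst: str
    established: bool = False           # match only if ACK or RST is set


def wildcard_match(addr: str, net_wild: str) -> bool:
    """Wildcard match: 0 bits in the mask must match, 1 bits are ignored."""
    net, wild = net_wild.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (n | w)


def acl_decide(rules, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, r.src) and wildcard_match(pkt.dst, r.dst)):
            continue
        if r.established and not (pkt.flags & {"ack", "rst"}):
            continue
        return r.action
    return "deny"


class StatefulFilter:
    """Minimal connection table: a reply is allowed only if the policy let the
    forward direction of that session through first (what a session table tracks)."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()              # (initiator, responder) pairs

    def decide(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.src) in self.conns:
            return "permit"             # reply to a known session
        if acl_decide(self.rules, pkt) == "permit":
            if "syn" in pkt.flags and "ack" not in pkt.flags:
                self.conns.add((pkt.src, pkt.dst))
            return "permit"
        return "deny"


# Policy 1: the ACL from the post (one-way permit, no allowance for replies).
POSTED = [Rule("permit", "ip", VLAN110, VLAN120),
          Rule("deny", "ip", VLAN120, VLAN110)]
# Policy 2: the "cheat": also permit TCP from 120 to 110 when ACK or RST is set.
CHEAT = [Rule("permit", "ip", VLAN110, VLAN120),
         Rule("permit", "tcp", VLAN120, VLAN110, established=True),
         Rule("deny", "ip", VLAN120, VLAN110)]

# Constructed traffic: a legitimate handshake, then two probes from VLAN 120.
SYN     = Packet("192.168.110.10", "192.168.120.20", flags=frozenset({"syn"}))
SYN_ACK = Packet("192.168.120.20", "192.168.110.10", flags=frozenset({"syn", "ack"}))
FORGED  = Packet("192.168.120.20", "192.168.110.99", flags=frozenset({"ack"}))   # unsolicited
PROBE   = Packet("192.168.120.20", "192.168.110.99", flags=frozenset({"syn"}))


def evaluate() -> dict:
    """Returns {policy: {packet_name: decision}} for the three policies."""
    traffic = [("syn", SYN), ("syn_ack", SYN_ACK), ("forged_ack", FORGED), ("probe_syn", PROBE)]
    out = {
        "posted": {name: acl_decide(POSTED, p) for name, p in traffic},
        "cheat": {name: acl_decide(CHEAT, p) for name, p in traffic},
    }
    sf = StatefulFilter(POSTED)         # packets are fed in order, so the SYN opens the session
    out["stateful"] = {name: sf.decide(p) for name, p in traffic}
    return out


if __name__ == "__main__":
    for policy, results in evaluate().items():
        print(policy, results)
```

Running it shows the three behaviours side by side: the posted ACL permits the SYN but drops the SYN-ACK, so nothing completes; the established variant lets the SYN-ACK back but also passes the unsolicited ACK-only packet from VLAN 120 to a host on VLAN 110, which is the hole Arne warns about (the switch has to trust that an ACK bit means a reply); the connection-tracking filter passes the SYN-ACK because it belongs to a session it saw opened, and drops both probes.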
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 41827604
Hi Arne, I know it might be asking a bit much, but is there any chance you can show me an example of how you would use the cheat method?

Unfortunately I am mainly a Windows admin, so I can do OK with basic switching / routing, but the rest of it is a bit of a learning curve for me.
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 1000 total points (awarded by participants)
ID: 41828086
What's your firewall? Probably easier to just put the interfaces there.
LVL 6

Author Comment

by:CaptainGiblets
ID: 41828090
My firewall is only a Dell SonicWall NSA 2600, which means it only has 1Gb connections.

One of the main goals of the switches is to do all the internal domain stuff through the switches rather than have to send all our traffic over a 1Gb line.
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41902925
ACLs are stateless.