Solved

Internal VLAN routing on dell switches

Posted on 2016-10-03
Last Modified: 2016-11-27
Hi guys, I have a few new switches that I want to configure VLAN routing between. They are Dell N3048Ps.

Basically I want VLAN 110 to be able to access machines on 120, but not the other way around.

Hopefully it's something small and stupid I have missed, but here is my running config. With the below config nothing is pinging / allowing traffic in either direction.

Thanks in advance for any help.

console#show running-config

!Current Configuration:
!System Description "Dell Networking N3048P, 6.1.1.7, Linux 3.6.5-601418a5"
!System Software Version 6.1.1.7
!
configure
vlan 105
name "105"
exit
vlan 110
name "110"
vlan association subnet 192.168.110.0 255.255.255.0
exit
vlan 120
name "120"
vlan association subnet 192.168.120.0 255.255.255.0
exit
vlan 130
name "130"
exit
vlan 105,110,120,130
exit
slot 1/0 7    ! Dell Networking N3048P
slot 2/0 7    ! Dell Networking N3048P
slot 3/0 7    ! Dell Networking N3048P
slot 4/0 7    ! Dell Networking N3048P
slot 5/0 7    ! Dell Networking N3048P
stack
member 1 5    ! N3048P
member 2 5    ! N3048P
member 3 5    ! N3048P
member 4 5    ! N3048P
member 5 5    ! N3048P
exit
interface out-of-band
ip address 192.168.90.20 255.255.255.0 0.0.0.0
exit
ip access-list test
permit ip 192.168.110.0 0.0.0.255 192.168.120.0 0.0.0.255
deny ip 192.168.120.0 0.0.0.255 192.168.110.0 0.0.0.255
exit
ip routing
interface vlan 1
exit
interface vlan 110
ip address 192.168.110.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip access-group test out 1
exit
interface vlan 120
ip address 192.168.120.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
ip access-group test in 1
exit
interface vlan 130
ip address 192.168.130.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
exit
admin-profile usernameadmin
exit
username "admin" password 4e5a1a5d21c2d8adb6d7fbc15c24f719 privilege 15 encrypted
!
interface Gi1/0/1
switchport general pvid 110
exit
!
interface Gi1/0/4
switchport general pvid 110
switchport general allowed vlan add 110
switchport access vlan 110
exit
!
interface Gi1/0/5
switchport general pvid 120
switchport general allowed vlan add 120
switchport access vlan 120
exit
snmp-server engineid local 800002a203f8b15682d725
exit

console#
console#
0
Comment
Question by:CaptainGiblets
8 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41827195
Are the permit and deny IP subnet masks supposed to be 0.0.0.255? Shouldn't it be 255.255.255.0?
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 1000 total points (awarded by participants)
ID: 41827290
The ACLs are stateless, so with no concept of a session or "established", your ACL is blocking the reply.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41827293
Arne, so you're saying a switch only does stateless inspection so the vlan interface needs to be on a firewall for this sort of 1 way blocking?
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 1000 total points (awarded by participants)
ID: 41827494
The ACLs are stateless.

http://downloads.dell.com/manuals/common/networking_nxxug_en-us.pdf

Page 638

Also, once an access group is configured on an interface, all traffic not specifically permitted by an ACL is dropped by the implicit deny all the system supplies at the end of the last configured access group

It is however possible to cheat

Page 682

ACLs support TCP flags. If multiple flags are set (+flag) in a single rule, only packets with all the same flags asserted are matched (logical AND). Likewise, if multiple flags are cleared (-flag) in a single rule, only packets with the same flags cleared are matched. The established keyword matches TCP packets with either the RST or ACK bits set (logical OR).

The above method however "trusts" the network, and is therefore NOT secure, as packets that would normally be dropped can be crafted so that they pass the ACL.

In comparison, a Cisco ASA has a session state table, which you can see with the command "show conn". Having a session state table means that the ASA does not need to "trust" the network.
0
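The two points Arne makes above (the reply from 120 to 110 hitting the deny because the ACL has no notion of a session, and the established-flag "cheat" trusting whatever flag bits a host on VLAN 120 chooses to set) can be seen in a small simulation. The following Python is an added example written for this page; it is not code from the thread, from Dell, or from any switch, and it only models the evaluation order the manual describes (first matching rule wins, implicit deny at the end). The hosts, ports and packets are constructed for illustration; the rule objects are modelled on the "test" ACL in the question, with the wildcard masks converted to prefixes.

```python
# Added example (not from the original thread or from Dell): simulate how a
# stateless ACL handles the 110 -> 120 exchange from the question, why an
# "established"-style rule leaks, and what a stateful table does instead.
# All hosts, ports and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False        # TCP with ACK or RST set (manual, p. 682)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.established and not (p.proto == "tcp" and (p.ack or p.rst)):
            return False
        return True


def wildcard(net: str, wc: str) -> ipaddress.IPv4Network:
    """Convert a Dell/Cisco-style wildcard mask (0.0.0.255) to a network."""
    mask = ".".join(str(255 - int(o)) for o in wc.split("."))
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def stateless_acl(rules, p: Packet) -> bool:
    """First matching rule wins; implicit deny at the end, as the manual says."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False


class StatefulFilter:
    """Firewall-style filter (the ASA behaviour Arne contrasts): a permitted
    packet creates a flow entry, and the reverse direction of a known flow is
    allowed without needing a rule of its own."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()

    def allow(self, p: Packet) -> bool:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if rev in self.conns:            # reply to a flow we already saw
            return True
        if stateless_acl(self.rules, p):
            self.conns.add(fwd)
            return True
        return False


VLAN110 = wildcard("192.168.110.0", "0.0.0.255")
VLAN120 = wildcard("192.168.120.0", "0.0.0.255")

# Rules modelled on the question's "test" ACL (no established keyword).
ORIGINAL = [Rule("permit", "ip", VLAN110, VLAN120),
            Rule("deny", "ip", VLAN120, VLAN110)]
# The "cheat": additionally permit 120 -> 110 TCP when ACK or RST is set.
CHEAT = [Rule("permit", "ip", VLAN110, VLAN120),
         Rule("permit", "tcp", VLAN120, VLAN110, established=True)]

# Constructed exchange: a VLAN 110 host opens TCP 445 to a VLAN 120 host.
SYN = Packet("192.168.110.50", "192.168.120.10", "tcp", 51000, 445, syn=True)
SYNACK = Packet("192.168.120.10", "192.168.110.50", "tcp", 445, 51000,
                syn=True, ack=True)
# Constructed forged packet: a VLAN 120 host sets ACK on a segment aimed at a
# VLAN 110 port that no VLAN 110 host ever opened a connection from.
FORGED = Packet("192.168.120.10", "192.168.110.50", "tcp", 4444, 3389, ack=True)


def run_original():
    """(SYN allowed?, SYN/ACK reply allowed?) under the question's ACL."""
    return stateless_acl(ORIGINAL, SYN), stateless_acl(ORIGINAL, SYNACK)


def run_cheat():
    """(real reply allowed?, forged ACK-flagged packet allowed?) with established."""
    return stateless_acl(CHEAT, SYNACK), stateless_acl(CHEAT, FORGED)


def run_stateful():
    """(SYN, reply, forged) through a connection-tracking filter."""
    fw = StatefulFilter(ORIGINAL)
    return fw.allow(SYN), fw.allow(SYNACK), fw.allow(FORGED)


if __name__ == "__main__":
    print("original ACL (syn, reply):", run_original())
    print("established cheat (reply, forged):", run_cheat())
    print("stateful filter (syn, reply, forged):", run_stateful())
```

The original rule set lets the SYN out but drops the SYN/ACK coming back, which is exactly the "nothing pings in either direction" symptom (an ICMP echo reply from 120 hits the same deny). The established variant lets the genuine reply through, but it also lets through the forged segment, because the switch has nothing but the flag bits to go on; and since the keyword only matches TCP, it does nothing for the ICMP and UDP replies anyway. Only the connection-tracking filter allows the reply while still dropping the forged packet, which is the reason the thread steers towards putting this one-way policy on the firewall rather than the switch.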
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 41827604
Hi Arne, I know it might be asking a bit much, but is there any chance you can show me an example of how you would use the cheat method?

Unfortunately I am mainly a Windows admin, so I can do OK with basic switching / routing, but the rest of it is a bit of a learning curve for me.
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 1000 total points (awarded by participants)
ID: 41828086
What's your firewall? Probably easier to just put the interfaces there.
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 41828090
My firewall is only a Dell SonicWall NSA 2600, which means it only has 1Gb connections.

One of the main goals of the switches is to do all the internal domain stuff through the switches rather than have to send all our traffic over a 1Gb line.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41902925
ACLs are stateless.
0
