Solved

Internal VLAN routing on Dell switches

Posted on 2016-10-03
Last Modified: 2016-11-27
Hi guys, I have a few new switches that I want to configure VLAN routing between. They are Dell N3048P.

Basically I want VLAN 110 to be able to access machines on 120, but not the other way around.

Hopefully it's something small and stupid I have missed, but here is my running config. With the below code nothing is pinging / allowing traffic in either direction.

Thanks in advance for any help.

console#show running-config

!Current Configuration:
!System Description "Dell Networking N3048P, 6.1.1.7, Linux 3.6.5-601418a5"
!System Software Version 6.1.1.7
!
configure
vlan 105
name "105"
exit
vlan 110
name "110"
vlan association subnet 192.168.110.0 255.255.255.0
exit
vlan 120
name "120"
vlan association subnet 192.168.120.0 255.255.255.0
exit
vlan 130
name "130"
exit
vlan 105,110,120,130
exit
slot 1/0 7    ! Dell Networking N3048P
slot 2/0 7    ! Dell Networking N3048P
slot 3/0 7    ! Dell Networking N3048P
slot 4/0 7    ! Dell Networking N3048P
slot 5/0 7    ! Dell Networking N3048P
stack
member 1 5    ! N3048P
member 2 5    ! N3048P
member 3 5    ! N3048P
member 4 5    ! N3048P
member 5 5    ! N3048P
exit
interface out-of-band
ip address 192.168.90.20 255.255.255.0 0.0.0.0
exit
ip access-list test
permit ip 192.168.110.0 0.0.0.255 192.168.120.0 0.0.0.255
deny ip 192.168.120.0 0.0.0.255 192.168.110.0 0.0.0.255
exit
ip routing
interface vlan 1
exit
interface vlan 110
ip address 192.168.110.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip access-group test out 1
exit
interface vlan 120
ip address 192.168.120.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
ip access-group test in 1
exit
interface vlan 130
ip address 192.168.130.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
exit
admin-profile usernameadmin
exit
username "admin" password 4e5a1a5d21c2d8adb6d7fbc15c24f719 privilege 15 encrypted
!
interface Gi1/0/1
switchport general pvid 110
exit
!
interface Gi1/0/4
switchport general pvid 110
switchport general allowed vlan add 110
switchport access vlan 110
exit
!
interface Gi1/0/5
switchport general pvid 120
switchport general allowed vlan add 120
switchport access vlan 120
exit
snmp-server engineid local 800002a203f8b15682d725
exit

console#
console#
Question by:CaptainGiblets
8 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41827195
Are the permit and deny IP subnet masks supposed to be 0.0.0.255? Shouldn't it be 255.255.255.0?
 
LVL 37

Accepted Solution

by:ArneLovius
ArneLovius earned 250 total points (awarded by participants)
ID: 41827290
The ACLs are stateless, so with no concept of a session or "established", your ACL is blocking the reply.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41827293
Arne, so you're saying a switch only does stateless inspection, so the VLAN interface needs to be on a firewall for this sort of one-way blocking?

 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points (awarded by participants)
ID: 41827494
The ACLs are stateless.

http://downloads.dell.com/manuals/common/networking_nxxug_en-us.pdf

Page 638

Also, once an access group is configured on an interface, all traffic not specifically permitted by an ACL is dropped by the implicit deny all the system supplies at the end of the last configured access group.

It is however possible to cheat.

Page 682

ACLs support TCP flags. If multiple flags are set (+flag) in a single rule, only packets with all the same flags asserted are matched (logical AND). Likewise, if multiple flags are cleared (–flag) in a single rule, only packets with the same flags cleared are matched. The established keyword matches TCP packets with either the RST or ACK bits set (logical OR).

The above method however "trusts" the network, and is therefore NOT secure, as packets that would normally be dropped can be created that would go through the ACL.

In comparison, a Cisco ASA has a session state table, which you can see with the command "show conn". Having a session state table means that the ASA does not need to "trust" the network.
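To make the three behaviours in this thread concrete (the original ACL dropping the reply, the "established" cheat letting it through, and a session table doing what the ASA does), here is a small Python model. It is an added illustration, not code from any poster and not Dell's implementation. It assumes Cisco-style wildcard masks as in the question's ACL, the Dell documentation's definition of `established` (ACK or RST set), and, in a comment, the N-series syntax `flag established` for the cheat rule, which is an assumption to be checked against the CLI reference. All packets are constructed samples using the addresses from the running config.

```python
# Added illustration (not the switch's code, not from any poster): why the
# thread's stateless ACL drops replies, what the "established" cheat changes,
# and what a session table (the ASA "show conn" behaviour) adds.  Every packet
# below is a constructed sample; the addresses are the ones in the config above.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()     # TCP flags set, e.g. {"syn", "ack"}


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" (any protocol) or "tcp"
    src: IPv4Network
    dst: IPv4Network
    established: bool = False          # Dell semantics: TCP with ACK or RST set


def net(addr: str, wildcard: str) -> IPv4Network:
    """Address + wildcard pair as the ACL writes it (0.0.0.255 is a /24)."""
    return IPv4Network(f"{addr}/{wildcard}")


def stateless_acl(rules, pkt: Packet) -> str:
    """First-match evaluation, with the implicit deny the switch appends."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if IPv4Address(pkt.src) not in r.src or IPv4Address(pkt.dst) not in r.dst:
            continue
        if r.established and not (pkt.flags & {"ack", "rst"}):
            continue
        return r.action
    return "deny"


V110, V120 = net("192.168.110.0", "0.0.0.255"), net("192.168.120.0", "0.0.0.255")

# "ip access-list test" exactly as it appears in the question.
ORIGINAL = [Rule("permit", "ip", V110, V120), Rule("deny", "ip", V120, V110)]

# Arne's cheat: TCP from 120 back to 110 passes only with ACK or RST set.  The
# assumed Dell line for it is "permit tcp 192.168.120.0 0.0.0.255
# 192.168.110.0 0.0.0.255 flag established" (check the N-series CLI reference).
CHEAT = [Rule("permit", "tcp", V120, V110, established=True)] + ORIGINAL


class StatefulFilter:
    """Minimal session table: a reply is admitted because its forward flow was
    admitted earlier, not because of any bit in the reply packet itself."""

    def __init__(self, new_session_policy):
        self.policy = new_session_policy   # which *new* flows may be opened
        self.conns = set()

    def evaluate(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "permit"                # part of a tracked session
        if pkt.proto == "tcp" and pkt.flags != frozenset({"syn"}):
            return "deny"                  # only a bare SYN may open a session
        if self.policy(pkt) == "permit":
            self.conns.add(fwd)
            return "permit"
        return "deny"


def scenario() -> dict:
    """Push the same constructed packets through all three filters."""
    samples = [
        ("request",     Packet("192.168.110.10", "192.168.120.10", "tcp", 40000, 445, frozenset({"syn"}))),
        ("reply",       Packet("192.168.120.10", "192.168.110.10", "tcp", 445, 40000, frozenset({"syn", "ack"}))),
        # Nothing on 110 asked for this one; the ACK bit alone is what the
        # cheat "trusts", which is why Arne calls it not secure.
        ("unsolicited", Packet("192.168.120.10", "192.168.110.10", "tcp", 50000, 8080, frozenset({"ack"}))),
        ("ping",        Packet("192.168.110.10", "192.168.120.10", "icmp")),
        ("ping_reply",  Packet("192.168.120.10", "192.168.110.10", "icmp")),
    ]
    stateful = StatefulFilter(lambda p: stateless_acl(ORIGINAL, p))
    return {name: {"original": stateless_acl(ORIGINAL, p),
                   "cheat":    stateless_acl(CHEAT, p),
                   "stateful": stateful.evaluate(p)} for name, p in samples}


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:12s} {verdict}")
```

Running it prints one verdict per packet per filter. Two things worth noticing: the `established` rule is TCP-only, so the ICMP echo reply from VLAN 120 that the question was testing with is still dropped under the cheat and would need its own rule, and the session table admits the TCP reply and the ping reply while refusing the unsolicited ACK packet, which is the difference between trusting the packet and trusting a recorded session.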
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 41827604
Hi Arne, I know it might be asking a bit much, but is there any chance you can show me an example of how you would use the cheat method?

Unfortunately I am mainly a Windows admin, so I can do OK with basic switching / routing, but the rest of it is a bit of a learning curve for me.
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 250 total points (awarded by participants)
ID: 41828086
What's your firewall? Probably easier to just put the interfaces there.
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 41828090
My firewall is only a Dell SonicWall NSA2600, which means it only has 1 Gb connections.

One of the main goals of the switches is to do all the internal domain stuff through the switches rather than have to send all our traffic over a 1 Gb line.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41902925
ACLs are stateless.
