Unsolved

November 10th, 2017 08:00

Dell N1548P Access list applied to VLANs question

I've created an access-list to control traffic to a specific VLAN in my switch, but it seems as soon as I apply the access-group to the VLAN I seem to lose all ability to communicate to that VLAN, and the logging is not showing any hits on the rules I've created.

I'm not sure what I am doing wrong, and when I search I seem to only be able to find information on configuring policy based routing on the switch using ACLs, but no decent examples for traffic control ACLs on the Dell Nxxxx series switches.

I'm trying to restrict traffic going to VLAN 175 to only printer related traffic, and ultimately want the printers to only be able to respond in kind.

!Current Configuration:
!System Description "Dell Networking N1548P, 6.3.3.9, Linux 3.6.5"
!System Software Version 6.3.3.9
!
configure
vlan 170,175,180,185,190,200
exit
vlan 170
name "LAN"
exit
vlan 175
name "Printers"
exit
vlan 180
name "Wifi"
exit
vlan 185
name "guest-wifi"
exit
vlan 190
name "VLAN109912972"
exit
vlan 200
name "voip"
exit
snmp-server location "IT Department"

hostname "T-N1548-Stack"
clock timezone -5 minutes 0 zone "EST"
stack
member 1 4    ! N1548P
member 2 4    ! N1548P
member 3 4    ! N1548P
exit
ip domain-name "mydomain.com"

ip access-list printers
remark "access list to allow only port protocols needed for printing"
100 permit tcp 10.100.185.0 0.0.0.255 10.100.175.0 0.0.0.255 eq http log
remark "allow any computer to access printers web interface in vlan 175"
140 permit tcp 10.100.185.0 0.0.0.255 10.100.175.0 0.0.0.255 eq 515 log
remark "allow any Tap computer to access printers LPD interface in vlan 175"
150 permit tcp 10.100.185.0 0.0.0.255 10.100.175.0 0.0.0.255 eq 9100 log
remark "allow any Tap computer to access printers HP RAW interface in vlan 175"
200 deny ip any 10.100.175.0 0.0.0.255 log
remark "deny all other access to vlan 175"
exit


ip routing
ip helper-address 10.100.170.10
interface vlan 1
ip address 10.100.165.1 255.255.255.0
exit
interface vlan 170
ip address 10.100.170.1 255.255.255.0
exit
interface vlan 175
ip address 10.100.175.1 255.255.255.0
ip access-group printers in 1
exit
interface vlan 180
ip address 10.100.180.1 255.255.255.0
exit
interface vlan 185
ip address 10.100.185.1 255.255.255.0
exit
interface vlan 190
ip address 10.100.190.1 255.255.255.0

Thank you

Moderator


November 10th, 2017 11:00

Hi,

Do the printers have static IP addresses? If they are on DHCP, the ACL may be stopping the DHCP traffic they need to get an IP address.

November 10th, 2017 12:00

The printers have static IP addresses.

Moderator


November 10th, 2017 13:00

Try adding the ACL to the ports the printers are connected to instead of to the VLAN.

November 13th, 2017 11:00

Applying the ACL to the port works.

I was hoping to apply the ACL to the VLAN, since there will be printers on the wifi Printer SSID in the same VLAN.

Ultimately, if I can get the switch to identify the printer / PC / VoIP phone when it is plugged into the switch and then automatically assign the appropriate VLAN to the port, it would simplify things if the ACL were applied to the VLAN.

I would like to get away from hard coding the VLANs to each port if at all possible.

Looking at GVRP now, since it looks like the N1500 series doesn't do MVRP.
