Dell Switch 6248 - cannot connect to firewall with configuration

This is a test network we're setting up to emulate our future network. 172.10.10.1/24 is our interface default internet gateway, and we have that connected to a port on the test network switch. The gateway is managed through our firewall.

With the switch performing VLAN routing, your clients will need to have their default gateway set to the IP address of the VLAN they are in. for instance, clients in VLAN 20 will have a DG of 172.16.17.1.

The connection from the 6248 to the firewall should not need to send tagged traffic for multiple VLANs. Unless different VLANs have a separate route they need to take. But if all traffic need to be funneled out 172.10.10.1, then port 47 can be changed to access mode for VLAN 50.

The 6248 cannot route it's own management VLAN, which by default is VLAN 1. If you are connecting to VLAN 1 and trying to route 192.168.1.0 out 172.10.10.1, it wont work.

Okay, I've tried having VLAN 50 in access mode and it still didn't work. The PC I'm trying to get to access the firewall internet is in VLAN 3 with it's default gateway at 172.16.16.1.  I set the default gateway of VLAN 50 to 172.10.10.2, which it can ping. But it cannot access the firewall at 172.10.10.1.

Should I change the default gateway of VLAN 50 to the firewall IP address? Also the management VLAN is currently 40 with the ip address of 192.168.1.1

Are clients placed in VLAN 50 able to ping 172.10.10.1? What brand firewall is being used? You may need to add some routes on the firewall that points returning traffic back to the internal networks.

Example of possible entry on the firewall.

ip route 172.16.16.0 255.255.255.0 172.10.10.2

Yes I just checked. A client placed on VLAN 50 is able to access the internet, but not any of the other VLAN's. Just as none of the other VLAN's are able to access that client or the internet.

I have the port with the firewall set to:

interface ethernet 1/g47

switchport mode general

switchport general pvid 50

switchport general allowed vlan add 2-3,20,50 tagged

exit

And all the others are access. Would this cause any issues?

I outlined in one of my previous posts that the connection from the switch to the firewall could be changed to access mode. Because the firewall is not performing the routing, and does not need traffic from multiple VLANs sent to it. I would proceed with making this change on port 47.

It sounds like VLAN routing may not be working, if no clients can access any of the clients in other VLANs. Are clients in VLAN 3 able to ping clients in VLAN 2 or VLAN 30, and vice versa? Or is it just the client in VLAN 50 that cannot be pinged?

The config on the switch looks fine, VLAN routing should be working and it sounds like it is except for VLAN 50. The PVID on a general mode connection sends untagged traffic, received untagged traffic is placed on the PVID. This is the exact same behavior as an interface in access mode. After you made the config changes to port 47, did the config look like this:

console(config-if)# switchport mode access

console(config-if)# switchport access vlan 50

How is the interface on the firewall configured?

I tried changing the port on the switch to access mode, and it lost it's internet connectivity. I think for our purposes, that port needs to be general mode in order for traffic to see it.

And it is just the client on VLAN 50, all other VLAN's can still talk to each other, and ping the ip address of VLAN 50, but they do not receive the internet connection that the client on VLAN 50 does.

Any changes to our configuration that you can suggest?

So we have the VLAN routing working on all PC's no matter what VLAN they're attached to. Now the only issue is with the Internet not coming through to Any VLAN that's not 50.

Access doesn't work because the firewall is putting out tagged traffic on port 47 (VLAN 50). Is there a specific port/place we should put the incoming internet connection in order for VLANs 2, 3, and 20 to talk to port 47 and the internet?

I see, that would be the reason you had the port set to General with VLAN 50 tagged. Can you change the firewalls port to send and receive untagged packets? And then leave port 47 on the switch in access mode.

Have you checked the firewall to ensure it has routes pointing back to the internal network?

Yeah looks like that was the issue. The routes back to the network weren't set on the firewall.

Another question, for creating a MAC ACL on the switch, is there a central management software that we could use for all our switches so we don't have to input each MAC address separately?

Glad to hear you were able to get the routing working. I am not aware of management software that you can use to manage the ACLs on the switch.