September 24th, 2013 16:00

Help with VLAN & VLAN Routing... PowerConnect 7048 stack

Hi All,

Hoping someone can help - got a couple of issues which hopefully can be wrapped up all in one go...

I have a stack of 4x 7048 switches, have set up just some basic VLAN config on them, but wanted to have a go at setting up VLAN routing. Also, not sure that the trunk ports are set up correctly...

anyway - config - edited in some places:

!Current Configuration:
!System Description "PowerConnect 7048, 4.1.1.9, VxWorks 6.6"
!System Software Version 4.1.1.9
!System Operational Mode "Normal"
!
configure
vlan database
vlan 9-13,15,26-28,30,40,3913
vlan routing 10 1
exit
vlan 9
name "xxx-CORPORATE"
exit
vlan 10
name "Management"
exit
vlan 11
name "MGMT_LiveMigrate"
exit
vlan 12
name "iSCSI"
exit
vlan 13
name "CMPT_LiveMigrate"
exit
vlan 15
name "vMotion"
exit
vlan 26
name "iSCSI_Replication_1"
exit
vlan 27
name "iSCSI_Replication_2"
exit
vlan 28
name "Backup"
exit
vlan 30
name "Cloud"
exit
vlan 40
name "Server_Management"
exit
vlan 3913
name "Corporate"
exit
hostname "SMC_7048_Stack"
slot 1/0 5    ! PowerConnect 7048
slot 1/1 9    ! CX4 Card
slot 2/0 5    ! PowerConnect 7048
slot 2/1 9    ! CX4 Card
slot 3/0 5    ! PowerConnect 7048
slot 3/1 9    ! CX4 Card
slot 4/0 5    ! PowerConnect 7048
slot 4/1 9    ! CX4 Card
stack
member 1 5    ! PCT7048
member 2 5    ! PCT7048
member 3 5    ! PCT7048
member 4 5    ! PCT7048
exit
interface out-of-band
ip address 192.168.10.241 255.255.255.0 0.0.0.0
exit
interface vlan 10
exit
username "admin" password 5f4dcc3b5aa765d61d8327deb882cf99 privilege 15 encrypted
line telnet
enable authentication enableList
password 5f4dcc3b5aa765d61d8327deb882cf99 encrypted
exit
iscsi enable
!

interface Gi1/0/1
spanning-tree portfast
mtu 9216
switchport access vlan 12
exit
!
interface Gi1/0/2
spanning-tree portfast
mtu 9216
switchport access vlan 12
exit
!
.......
1-12 are the same
.......
interface Gi1/0/12
mtu 9216
switchport access vlan 12
exit
!

interface Gi1/0/13
mtu 9216
switchport mode trunk
exit
!
...........
13-36 appear to be the same
...........

interface Gi1/0/36
mtu 9216
switchport mode trunk
exit
!
interface Gi1/0/37
mtu 9216
switchport access vlan 10
exit
!
................
37-48 are the same
................
interface Gi1/0/48
mtu 9216
switchport access vlan 10
exit
!
interface Te1/1/1
mtu 9216
exit
!
interface Te1/1/2
mtu 9216
exit
!

interface port-channel 1
mtu 9216
exit
!
interface port-channel 2
mtu 9216
exit
!
........
these all appear the same
........
interface port-channel 22
mtu 9216
exit


So, my questions:

1. What are the interface port-channel etc... things about? I don't think I typed those in!

2. When I originally set this up, I configured it so that
port 1-12 should be access ports (untagged) on VLAN12
port 13-24 should be trunk ports, tagged with VLAN 11,13,15
port 25-36 should be trunk ports, tagged with VLAN 9,10,12,28,30,40,2913
port 37-48 should be access ports (untagged) on VLAN10

I set a port range
(config)#interface range gigabitethernet 4/0/1-12,gigabitethernet2/0/1-12,gigabitethernet3/0/1-12,gigabitethernet1/0/1-12
and then executed the configuration commands... for the 13-24 ports, I used

(config-if)#switchport mode trunk
(config-if)#switchport trunk allowed vlan add 11,13,15
(config-if)#exit

and for 25-36, I used

(config-if)#switchport mode trunk
(config-if)#switchport trunk allowed vlan add 9,10,12,28,30,40,3913
(config-if)#exit

Yet, when I now check the config of, say, port 23 or port 35, it just says switchport mode trunk, with no mention of the allowed VLANs which I added to each port.

Also, when I do show VLAN, it shows that VLAN 40 is assigned to ALL trunk ports

40     Server_Management                Gi1/0/13-36,   Static
                                        Gi2/0/13-36,
                                        Gi3/0/13-36,
                                        Gi4/0/13-36,
                                        Gi4/0/47

So why is this, when I specifically set the ports in groups to specify only certain VLANs for each port group? How can I reconfigure it so that it is correct, with VLANs only assigned to the group of ports I specify?

3. I would like to configure VLAN routing. I am going to set up another VLAN, let's say VLAN 20, for KMS activation, which I want to allow access from certain other VLAN networks. For example, I would like VLAN 40 to be able to communicate with VLAN 20. How would I configure this?
I have read countless other posts and from what I understand, I would

configure an IP address on each VLAN interface I want to route,
specify the "routing" command against each VLAN I want to route

But the things I don't understand:

Do I need to configure IP routes?
I don't understand the VLAN ROUTING X X command, which I have seen on various posts of configs... It seems to go like,

vlan routing 10 1
vlan routing 20 2
vlan routing 28 3

What does this mean? I see in my config I have the vlan routing 10 1 command there but why, what does it do?

Sorry for the extremely long post, hopefully someone can help :)
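The trunk question in the post above comes down to which VLANs each port really carries. The following audit is an added example, not part of the original thread or any Dell tooling: it parses a running-config excerpt and lists trunk ports that have no allowed-VLAN line. It assumes such a trunk carries every defined VLAN (consistent with the show VLAN output quoted in the post) and that a restricted trunk appears in the config as `switchport trunk allowed vlan <list>`; the function names are hypothetical.

```python
import re

# Constructed sample: Gi1/0/1, Gi1/0/13 and Gi1/0/37 follow the excerpt in the post;
# Gi1/0/25 is a hypothetical trunk with an explicit allowed list, for contrast.
SAMPLE = """vlan database
vlan 9-13,15,26-28,30,40,3913
exit
interface Gi1/0/1
switchport access vlan 12
exit
interface Gi1/0/13
switchport mode trunk
exit
interface Gi1/0/25
switchport mode trunk
switchport trunk allowed vlan 9,10,12,28,30,40,3913
exit
interface Gi1/0/37
switchport access vlan 10
exit
"""

def expand(spec):
    """Expand '9-13,15' into {9, 10, 11, 12, 13, 15}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return ({port: VLANs carried}, [trunks with no allowed-VLAN line])."""
    defined, carried, open_trunks, port = {1}, {}, [], None  # VLAN 1 always exists
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan ([\d,-]+)", line):
            defined |= expand(m[1])
        elif m := re.fullmatch(r"interface ((?:Gi|Te)\S+)", line):
            port = m[1]
            carried[port] = {1}          # default: access port in VLAN 1
        elif line == "exit":
            port = None
        elif port and line == "switchport mode trunk":
            carried[port] = None         # trunk, allowed list not seen yet
        elif port and (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            carried[port] = {int(m[1])}
        elif port and (m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line)):
            carried[port] = expand(m[1])
    for name, vlans in carried.items():
        if vlans is None:                # assumption: unrestricted trunk carries all VLANs
            carried[name] = set(defined)
            open_trunks.append(name)
    return carried, open_trunks
```

Calling `audit(SAMPLE)` reports Gi1/0/13 as an unrestricted trunk carrying all defined VLANs, while Gi1/0/25 carries only its listed set.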

Moderator


September 25th, 2013 08:00

Hi,

An interface port channel is a logical group of ports acting as a single port. For routing between VLANs you do need to configure IP routing so that they know to talk to each other. Page 875 of the manual shows how to configure VLAN routing ftp://ftp.dell.com/Manuals/all-products/esuprt_ser_stor_net/esuprt_powerconnect/powerconnect-7048_User%27s%20Guide_en-us.pdf

 

There is additional information about the commands for IP Routing in the CLI guide ftp://ftp.dell.com/Manuals/Common/powerconnect-7024_Reference%20Guide_en-us.pdf page 1008

September 25th, 2013 15:00

Thanks for the reply, have seen some of that documentation before when setting the switches up...

so if for example, I created VLAN 20, and then assigned ip address 192.168.20.240

(config)#interface vlan 20
(config-if-vlan20)#ip address 192.168.20.240 255.255.255.0
(config-if-vlan20)#routing
(config-if-vlan20)#exit

and then did the same on VLAN 40

(config)#interface vlan 40
(config-if-vlan40)#ip address 172.100.40.240 255.255.255.0
(config-if-vlan40)#routing
(config-if-vlan40)#exit

would I then configure routing between VLAN 40 and 20 by doing something like

(config)#ip route 192.168.20.0 255.255.255.0 192.168.20.240

and do I need to do the reverse to allow traffic back (ie from 20 to 40)

(config)#ip route 172.100.40.0 255.255.255.0 172.100.40.240

(config)#ip routing

would that work? Do I need the second route to allow traffic back?

Also how do I assign the trunk ports to only allow the VLANs I specify?

 

thanks

Moderator


September 25th, 2013 16:00

If it is enabled globally you shouldn’t have to specify it in both directions. What are the trunk ports connecting to? Is it just the stacked switches? They are for communication between switches on the VLANs specified, which it looks like you are doing. Here are some documents from other models, but the concepts are the same. If you are just communicating with the stacked switches they should act as one big switch and not need trunked ports.

http://www.dell.com/downloads/global/products/pwcnt/en/app_note_38.pdf

 

http://www.dell.com/downloads/global/products/pwcnt/en/app_note_4.pdf

September 25th, 2013 16:00

Sorry, should probably have explained...

The switches are just all one big switch yes - these are connected to a bunch of hyper-v / vmware hosts, so on the one set of ports (13-24), they are connecting to the vmotion / live migrate networks, but have these on separate VLANs - also the next set of ports (25-36) these are all the various other virtual machine VLANs and other bits and pieces.

The reason they are trunk ports is so obviously we can pass multiple VLANs over them, allowing VM traffic from multiple VM networks on different VLANs to travel over the same ports...

The reason I wanted to configure VLAN routing is, on the management VLAN (10) I have set up a KMS server - I want to use this KMS to activate all VMs in the "customer" networks as well, which are on separate VLANs. So I didn't want to just allow communication of these separate customer VLANs to the management VLAN, so was going to create the separate VLAN 20, attach this to the KMS VM and then allow routing from each VLAN required to this KMS VLAN network.

Would the VLAN route setup I posted work? How do I configure it then, server side? Is it just a case of assigning the VLAN interface as the default gateway, and then when I ping the foreign network, the switch routes it?


Thanks

Moderator


September 26th, 2013 08:00

That configuration looks like it should work fine for the ip routing, which should allow the KMS server to interact on any of the VLANs and you shouldn’t need to change the default gateway of the server from what it is now. Is the KMS server 2008 R2 or 2012?

September 26th, 2013 08:00

When you say the KMS server should be able to interact on any VLANs, I assume that means only VLANs I specify routes to? Or will enabling IP routing globally mean that the VLANs can all talk to each other?

At the moment, there is no default gateway - it is a lab environment, so there is only internal traffic, not given anything a default gateway...
The KMS server is 2012 (full 2012 environment)...

So are you saying that on the customer VLANs (for example, VLAN 40), if I was to ping an IP on VLAN 20 (my KMS server, say), it would ping, even with no gateway configured? Sorry if I am asking the same question over and over again

September 26th, 2013 09:00

Interesting, well I will probably be having a crack at this tomorrow, so hopefully it will just be a quick config and my KMS will be activating VMs all over the place!
Will report back hopefully with a successful outcome ... thanks for your help so far

Moderator


September 26th, 2013 09:00

The VLANs that you specify routes to. It should resolve with a default gateway as the ping request goes to the switch and the switch should know what to do with it to get it to the proper VLAN. Default gateway routing is for when the switch/router does not know what to do with the packet. This document shows an example of how VLAN routing works. http://www.dell.com/downloads/global/products/pwcnt/en/app_note_38.pdf

October 2nd, 2013 04:00

I have enabled this, to some extent now, but have some more questions...

The first thing I did was run the "ip routing" command globally, and then configured a few VLANs with IP addresses.

I tried to enter the "routing" command against each VLAN interface, but this didn't work, so perhaps I misunderstood the need for this to be run?

When I do a show run, it does not say "routing" against each VLAN as I have seen on other configs.

I also did not specify any routes, it just seemed to start working - do I need to put the routes in?

I also needed to add a default gateway to each VM (I added the VLAN IP address as the default gateway) - when I didn't, I couldn't ping different VLANs, when I added a default gateway on the VM I was pinging FROM, I could ping the remote VLAN gateway address, but could only ping the remote VM when I added a default gateway on the remote VM as well - is this correct?

It does appear to be working as I want - I can ping from VLAN 40 (I did 30 but will keep 40 for the examples I have used) to VLAN 20, and my VMs are activating using the KMS server, so I know they can communicate.

Does this mean then, however, that any VLAN can communicate with each other? As it seems that way? I would not want, for example, VLAN 30 and VLAN 40 to be able to communicate, as these would be separate customer VMs so need these to not communicate...

 

October 2nd, 2013 08:00

Hi Josh,

Yes exactly - that is why I set up the KMS VLAN, so they can communicate with my KMS server, but if all VLANs can communicate with one another, it makes the VLAN segregation pretty redundant... I also set up another VLAN (backup) which I want to access each of the customer VLANs, 30, 40, etc... but actually between the customer VLANs, I don't want communication, eg the only VLANs that can communicate with each customer vlan is the KMS and Backup VLANs - is this possible?

Thanks for your help

Moderator


October 2nd, 2013 08:00

Hi, With this switch you do not need to use static routes, so enabling globally will allow the VLANs to communicate. So what you are wanting to do is have all VLANS interact with the KMS server but not interact with each other?

Moderator


October 2nd, 2013 15:00

What we would recommend doing is using ACLs to limit access to the VLANs. Page 554 of the manual explains them ftp://ftp.dell.com/Manuals/all-products/esuprt_ser_stor_net/esuprt_powerconnect/powerconnect-7048_User%27s%20Guide_en-us.pdf

 

Here is a whitepaper with some ACL configuration info http://www.dell.com/downloads/global/products/pwcnt/en/pwcnt_IP_ACLs.pdf
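The isolation goal discussed in this thread (customer VLANs reach the KMS and Backup VLANs but not each other) can be checked on paper before any ACL is bound to an interface. The following model is an added example, not from the thread or the Dell documents: it evaluates first-match inbound ACLs with an implicit deny and tests both directions of each conversation. The VLAN 20 and VLAN 40 subnets are the ones posted above; the VLAN 28 and VLAN 30 subnets and all function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# VLAN 20 and VLAN 40 subnets are from the thread; the VLAN 28 and VLAN 30
# subnets are constructed for this example.
SUBNETS = {20: ip_network("192.168.20.0/24"), 28: ip_network("192.168.28.0/24"),
           30: ip_network("172.100.30.0/24"), 40: ip_network("172.100.40.0/24")}

def customer_acl(vlan):
    """Inbound rules for a customer VLAN: reach KMS (20) and Backup (28) only."""
    src = SUBNETS[vlan]
    return [("permit", src, SUBNETS[20]), ("permit", src, SUBNETS[28])]

# ACLs bound inbound on the routed VLAN interfaces; VLANs 20 and 28 have none.
INBOUND = {30: customer_acl(30), 40: customer_acl(40)}

def vlan_of(ip):
    """Map an address to the VLAN whose subnet contains it."""
    return next(v for v, net in SUBNETS.items() if ip in net)

def permitted(src, dst):
    """One direction: first matching rule wins, no match means deny."""
    rules = INBOUND.get(vlan_of(src))
    if rules is None:
        return True                      # no ACL on the ingress interface
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False                         # implicit deny at the end of an ACL

def can_talk(a, b):
    """ACLs are stateless, so a conversation needs both directions permitted."""
    a, b = ip_address(a), ip_address(b)
    return permitted(a, b) and permitted(b, a)

def matrix():
    """Reachability for one constructed host (.10) per VLAN, each pair once."""
    hosts = {v: str(net[10]) for v, net in SUBNETS.items()}
    return {(x, y): can_talk(hosts[x], hosts[y])
            for x in hosts for y in hosts if x < y}
```

In `matrix()` only the (30, 40) pair comes out blocked; a backup job started from VLAN 28 still works because the reply from the customer VLAN matches that VLAN's permit toward 28.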
