May 5th, 2022 14:00

Issues with inter-vLAN routing S4048t-ON

I am hoping for a sanity check relating to inter-vLAN routing. I was hired to replace someone in the role of Systems Admin and have inherited a reasonably sized collection of Dell switches in production. The person that set everything up is a couple of position-generations ago, so I have nobody to ask what's going on. I have familiarity with switch CLI with HP and some Cisco, but this is my first foray with Dell products as well as something to this scale. The core switch is a S4048T-ON, and for a few reasons I need to have it handle some inter-vLAN routing between a few networks. I am trying to break out servers, workstations, printers, and wireless onto different vLANs, but as of now the firewall has to do the routing because I cannot get this switch to work the way I am trying to, and it is providing a bottleneck. This has all been made more frustrating as we also have N series switches and the CLI is completely different.

For testing purposes I put a machine on vLAN 10 with a static address with the core switch as gateway (192.168.0.7). I also attached a machine to vLAN 3 with a static address and the core switch as gateway (192.168.24.1). Neither machine can ping outside their vLAN, including internet access for vLAN 10. The firewall has a virtual interface/IP on all but the test vLAN and should be independently aware of what is where, and on its own routes traffic fine as the default gateway. I just want to offload most of the traffic (especially the fileserver, which has a 10G link to the switch) from the firewall to the switch.

Here is the config (with the port list removed):

show running-config
Current Configuration ...
! Version 9.10(0.1P6)
! Last configuration change at Thu May  5 16:04:55 2022 by admin
! Startup-config last updated at Tue Apr 26 18:17:05 2022 by admin
!
boot system stack-unit 1 primary system://A
boot system stack-unit 1 secondary system://B
boot system stack-unit 1 default system://A
boot system stack-unit 2 primary system://A
boot system stack-unit 2 secondary system://B
boot system stack-unit 2 default system://A
!
hardware watchdog stack-unit 1
hardware watchdog stack-unit 2
hardware watchdog stack-unit 3
hardware watchdog stack-unit 4
hardware watchdog stack-unit 5
hardware watchdog stack-unit 6
!
hostname 40Gb-Stack
!
protocol lldp
!
redundancy auto-synchronize full
!
protocol spanning-tree mstp
!
stack-unit 1 provision S4048T-ON
!
stack-unit 1 port 49 portmode quad
!
stack-unit 1 stack-group 16
!
stack-unit 1 stack-group 17
###Interfaces go here##
!
 port-channel-protocol LACP
  port-channel 5 mode active
 no shutdown
!
interface fortyGigE 2/50
 no ip address
 shutdown
!
interface fortyGigE 2/51
 no ip address
 shutdown
!
interface fortyGigE 2/52
 no ip address
 shutdown
!
interface ManagementEthernet 1/1
 no ip address
 no shutdown
!
interface ManagementEthernet 2/1
 no shutdown
!
interface ManagementEthernet 3/1
 no shutdown
!
interface ManagementEthernet 4/1
 shutdown
!
interface ManagementEthernet 5/1
 shutdown
!
interface ManagementEthernet 6/1
 shutdown
!
interface Port-channel 1
 no ip address
 switchport
 channel-member TenGigabitEthernet 1/1-1/2
 channel-member TenGigabitEthernet 2/1-2/2
 no shutdown
!
interface Port-channel 2
 no ip address
 portmode hybrid
 switchport
 no shutdown
!
interface Port-channel 3
 no ip address
 portmode hybrid
 switchport
 no shutdown
!
interface Port-channel 4
 no ip address
 portmode hybrid
 switchport
 no shutdown
!
interface Port-channel 5
 no ip address
 portmode hybrid
 switchport
 no shutdown
!
interface Port-channel 6
 description Prod1 Server Trunk
 no ip address
 portmode hybrid
 switchport
 no shutdown
!
interface Vlan 1
!untagged TenGigabitEthernet 1/3-1/4,1/11-1/13,1/29-1/30,1/39
!untagged TenGigabitEthernet 2/3,2/13
!untagged Port-channel 6
!
interface Vlan 3 ###This is the test network I made to try to figure this out###
 name Test
 ip address 192.168.24.1/24
 untagged TenGigabitEthernet 2/47
 no shutdown
!
interface Vlan 10
 name Data
 ip address 192.168.0.7/22
 tagged TenGigabitEthernet 1/5-1/10,1/23-1/25,1/27,1/29
 tagged TenGigabitEthernet 2/23-2/24
 tagged Port-channel 1
 untagged TenGigabitEthernet 1/28,1/35-1/38,1/40-1/48
 untagged TenGigabitEthernet 2/4-2/12,2/25-2/46,2/48
 untagged Port-channel 2-5
 ip helper-address 10.13.1.10
 no shutdown
!
interface Vlan 11 ###Not in active use###
 ip address 192.168.11.2/24
 tagged TenGigabitEthernet 1/25,1/29
 tagged Port-channel 1,3,5
 no shutdown
!
interface Vlan 160
 name Prod Wireless
 ip address 10.1.5.2/23
 tagged TenGigabitEthernet 1/25-1/27,1/29-1/30
 tagged Port-channel 1-5
 ip helper-address 10.13.1.10
 no shutdown
!
interface Vlan 200 ###Will be phased out###
 name Guest WiFi
 no ip address
 tagged TenGigabitEthernet 1/25-1/27,1/29-1/30
 tagged Port-channel 1-5
 shutdown
!
interface Vlan 260
 name Printers
 no ip address
 tagged TenGigabitEthernet 1/25,1/29
 tagged Port-channel 1-5
 ip helper-address 10.13.1.10
 shutdown
!
interface Vlan 300
 name Mfg Network
 ip address 192.168.16.40/23
 tagged TenGigabitEthernet 1/25,1/27,1/29
 tagged Port-channel 1-5
 no shutdown
!
interface Vlan 400 ###Not sure what this is doing###
 ip address 10.0.4.5/24
 tagged Port-channel 1,5
 no shutdown
!
interface Vlan 500
 name Guest Wireless
 no ip address
 tagged TenGigabitEthernet 1/25-1/27,1/29-1/30
 tagged Port-channel 1-5
 shutdown
!
interface Vlan 990 ###Not 100% sure what this is doing###
 description Transport-10Gb
 name Transport-10Gb
 ip address 10.0.0.1/30
 tagged Port-channel 1
 no shutdown
!
interface Vlan 1000
 name DMZ
 no ip address
 tagged TenGigabitEthernet 1/5-1/10,1/23-1/25,1/29
 tagged TenGigabitEthernet 2/23-2/24
 tagged Port-channel 1
 shutdown
!
interface Vlan 1020
 description Prod Servers
 name prod
 ip address 10.13.1.1/24
 tagged TenGigabitEthernet 1/23-1/25,1/29
 tagged TenGigabitEthernet 2/23-2/24
 tagged Port-channel 1-5
 ip helper-address 10.13.1.10
 no shutdown
!
interface Vlan 1200
 description ISCSI-A
 name ISCSI-A
 no ip address
 tagged TenGigabitEthernet 1/5-1/10,1/42
 untagged TenGigabitEthernet 1/15-1/16,1/19-1/22
 shutdown
!
interface Vlan 1202
 description ISCSI-B
 name ISCSI-B
 no ip address
 tagged TenGigabitEthernet 1/5-1/10,1/42
 untagged TenGigabitEthernet 2/15-2/16,2/19-2/22
 shutdown
!
interface Vlan 1201
 description REPLICATION
 name REPLICATION
 no ip address
 tagged TenGigabitEthernet 1/5-1/10,1/25,1/29,1/42
 untagged TenGigabitEthernet 1/17-1/18
 untagged TenGigabitEthernet 2/17-2/18
 shutdown
!
interface Vlan 1300
 description Management network
 name Management
 ip address 10.13.20.1/24
 tagged TenGigabitEthernet 1/25,1/29
 tagged Port-channel 1-5
 untagged TenGigabitEthernet 1/14,1/23-1/24,1/31-1/34
 untagged TenGigabitEthernet 2/14,2/23-2/24
 ip helper-address 10.13.1.10
 no shutdown
!
interface Vlan 1220
 name New DMZ
 no ip address
 tagged TenGigabitEthernet 1/25,1/29
 shutdown
!
ip route 0.0.0.0/0 192.168.0.2 ###This is the Firewall###
ip route 192.168.51.0/24 192.168.0.4 ###This is for a VPN appliance###
!
ip ssh server enable
!
storm-control broadcast 200 in
!
storm-control unknown-unicast 200 in
!
storm-control multicast 200 in
!
line console 0
line vty 0
line vty 1
line vty 2
line vty 3
line vty 4
line vty 5
line vty 6
line vty 7
line vty 8
line vty 9
!
http-server secure-http
!
reload-type
 boot-type normal-reload
 config-scr-download enable
!
end
40Gb-Stack#

Moderator

May 5th, 2022 22:00

Hi, thanks for choosing Dell. The configuration should be like this


ip route https://dell.to/3yick6p 192.168.0.4 ###This is for a VPN appliance###
ip route https://dell.to/3yiF1QU

 

Please refer to this

https://dell.to/3MW7m3C

 

 

! Version 9.10(0.1P6) >> not recommended and needs to be upgraded to the latest firmware (it's 4 yrs outdated firmware)

https://dell.to/3MPcu9m

May 9th, 2022 09:00

It looks like something in your system mangled the response. I am guessing you swapped the order of the two ip route entries though? I cannot figure out how to do that; the switch seems to order those items by itself.

Also, when I run show ip route I get this:

40Gb-Stack#show ip route

Codes: C - connected, S - static, R - RIP,
       B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
       E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,
       L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,
       > - non-active route, + - summary route

Gateway of last resort is 192.168.0.2 to network 0.0.0.0

       Destination        Gateway                   Dist/Metric Last Change
       -----------        -------                   ----------- -----------
 *S    0.0.0.0/0          via 192.168.0.2, Vl 10            1/0    00:00:04
  C    10.0.0.0/30        Direct, Vl 99                     0/0       20w3d
  C    10.0.4.0/24        Direct, Vl 400                    0/0       40w6d
  C    10.10.5.0/23      Direct, Vl 160                    0/0       3d23h
  C    10.130.10.0/24     Direct, Vl 1010                   0/0       22w4d
  C    10.130.200.0/24    Direct, Vl 1300                   0/0       25w3d
  C    192.168.0.0/22     Direct, Vl 10                     0/0       40w6d
  C    192.168.11.0/24    Direct, Vl 11                     0/0       11w3d
  C    192.168.16.0/23    Direct, Vl 300                    0/0       40w6d
  C    192.168.24.0/24    Direct, Vl 3                      0/0       3d22h
  S    192.168.50.0/24    via 192.168.0.5, Vl 10            1/0    00:00:05

Which seems like the table is right. 

I watched that video you sent, and this is what I get on the test vLAN:

40Gb-Stack#show ip int vl 3
Vlan 3 is up, line protocol is up
Internet address is 192.168.24.1/24
Broadcast address is 192.168.24.255
Address determined by user input
IP MTU is 1500 bytes
Directed broadcast forwarding is disabled
Proxy ARP is enabled
Split Horizon is enabled
Poison Reverse is disabled
ICMP redirects are not sent
ICMP unreachables are not sent

 

And this is from vLAN 10

40Gb-Stack#
J-40Gb-Stack#show ip int vl 10
Vlan 10 is up, line protocol is up
Internet address is 192.168.0.7/22
Broadcast address is 192.168.3.255
Address determined by config file
IP MTU is 1500 bytes
Helper address is 10.130.10.10
Directed broadcast forwarding is disabled
Proxy ARP is enabled
Split Horizon is enabled
Poison Reverse is disabled
ICMP redirects are not sent
ICMP unreachables are not sent

 

Also, it looks like the demo switch was on the Force 10 operating system and I am on 9; could that make a difference? I am going to try to get a maint window to upgrade the switch, but that could be a while off.

Moderator

May 9th, 2022 21:00

Hi, yes, for now let's upgrade everything first so that the automation will fall in place.
In the meantime,

interface Vlan 19
ip address https://dell.to/3ynnKpL
tagged TenGigabitEthernet 1/34,1/36,1/38,1/40
tagged Port-channel 1
no shutdown
!
interface Vlan 20
ip address https://dell.to/3ysPlG8
tagged TenGigabitEthernet 1/1-1/8
tagged Port-channel 1
no shutdown
!

 

ip route https://dell.to/3wbEzBc 192.168.16.1
ip route https://dell.to/3wbEzBc 192.168.16.4

 

>> sample inter-vlan routing on Os9 firmware

 

 

 

interface Vlan 19
ip address 192.168.x.1/24
tagged TenGigabitEthernet 1/34,1/36,1/38,1/40
tagged Port-channel 1
no shutdown
!
interface Vlan 20
ip address 192.168.x.1/24
tagged TenGigabitEthernet 1/1-1/8
tagged Port-channel 1
no shutdown
!

 

ip route https://dell.to/3wbEzBc 192.168.x.1
ip route https://dell.to/3wbEzBc 192.168.x.4

 

 

This is the method to configure inter-vlan routes in FTOS.

May 10th, 2022 07:00

So I translated your 9OS commands to:

interface Vlan 19
ip address 192.168.19.1/24
tagged TenGigabitEthernet 1/34,1/36,1/38,1/40
tagged Port-channel 1
no shutdown
!
interface Vlan 20
ip address 192.168.20.1/24
tagged TenGigabitEthernet 1/1-1/8
tagged Port-channel 1
no shutdown
!

 

ip route 0.0.0.0/0 192.168.16.1
ip route 0.0.0.0/0 192.168.16.4

Maybe I am just being slow but I do not understand how that is supposed to work. I checked the CLI reference here:

https://www.dell.com/support/manuals/en-tt/dell-emc-os-9/s4048-on-9.14.2.5-cli-pub/ip-route?guid=guid-d509d55d-4d37-403c-a570-af8aef696f45&lang=en-us

and I do not see what your snippet is doing.

Moderator

May 10th, 2022 13:00

Jeff,

 

In regard to OS9 and inter-VLAN, I would look at page 387 here, as it discusses the steps and gives an example for the configuration.

Let me know if this helps.

October 26th, 2022 16:00

Hello Chris,

I do not see how page 387 of the document helps with inter-vlan routing.
Enabling L3 on a vlan interface is not enough to do inter-vlan routing.
For example, a network with VLAN 1 as 192.168.1.0/24, VLAN 2 as 192.168.2.0/24, the router takes the first IP in each VLAN, the switch takes the second IP in each VLAN (i.e. 192.168.1.2); using the switch as gateway doesn't allow client 192.168.1.3 to ping client 192.168.2.3.

The switch will have one route per VLAN with respective gateways of "Direct, VL 1" and "Direct, VL 2"; adding any manual route for a /32 from one of the VLANs is discarded by the system.

The page mentions OSPF; does it imply we MUST use OSPF for inter-vlan routing here?

I'm probably missing something here.

October 26th, 2022 17:00

I was missing something and had a case of asymmetrical routing filtered by another gateway.
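
The asymmetric-routing case named in the last post, modelled as an added example that is not part of the thread. The addresses follow the October 26th example; which gateway each client uses, and the router being a stateful firewall, are assumptions made for illustration.

```python
import ipaddress

# Constructed topology based on the October 26th example: in each VLAN the
# router holds .1 and the switch holds .2. Gateway choices are assumptions.
VLANS = {1: ipaddress.ip_network("192.168.1.0/24"),
         2: ipaddress.ip_network("192.168.2.0/24")}
L3_DEVICES = {"router": {"192.168.1.1", "192.168.2.1"},
              "switch": {"192.168.1.2", "192.168.2.2"}}
STATEFUL = {"router"}  # assumption: the router is a stateful firewall
MIXED_GATEWAYS = {"192.168.1.3": "192.168.1.2",   # client uses the switch
                  "192.168.2.3": "192.168.2.1"}   # peer still uses the router

def vlan_of(ip):
    """Return the VLAN id whose subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is not in any known VLAN")

def l3_hop(src, dst, gateways):
    """Name the device that routes src -> dst (None if same VLAN).
    Both devices are connected to both VLANs, so one hop delivers."""
    if vlan_of(src) == vlan_of(dst):
        return None
    gw = gateways[src]
    if vlan_of(gw) != vlan_of(src):
        raise ValueError(f"gateway {gw} is not on-link for {src}")
    for name, addrs in L3_DEVICES.items():
        if gw in addrs:
            return name
    raise ValueError(f"gateway {gw} is not a known L3 interface")

def check_flow(a, b, gateways):
    """Compare the request path (a -> b) with the reply path (b -> a)."""
    fwd, rev = l3_hop(a, b, gateways), l3_hop(b, a, gateways)
    # A stateful device that sees only the reply has no matching session.
    dropped_by = rev if rev in STATEFUL and rev != fwd else None
    return {"forward": fwd, "return": rev,
            "asymmetric": fwd != rev, "dropped_by": dropped_by}

if __name__ == "__main__":
    print(check_flow("192.168.1.3", "192.168.2.3", MIXED_GATEWAYS))
    both_on_switch = dict(MIXED_GATEWAYS, **{"192.168.2.3": "192.168.2.2"})
    print(check_flow("192.168.1.3", "192.168.2.3", both_on_switch))
```

With mixed gateways the request is routed by the switch and the reply by the router, which never saw the request; pointing both clients at the same gateway makes the two paths match.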
