N3048 restrict InterVLAN routing on one VLAN
Hi everyone, I just bought 2x N3048ET-ON devices to replace my 6248 stack.
I need some help with the settings because something is different relative to the 6248.
I use the switch for L3 routing (to connect to my colocation provider). To use that I have 3 VLANs, 1439, 2439 and 100. I have a redundant uplink and this is done by two subnets (VLAN 1439 and 2439 connected via linknets with 2 static default routes).
I got my /27 (32 public IPv4 addresses) and an IPv6 /48 routed to my own VLAN 100. So far so good.
This works just perfect. But I also want to manage/monitor my switch in-band on a separate management/own network VLAN50. The VLAN50 is connected with a regular router/firewall (outside the switch) and comes back into a tagged VLAN50 and originates from the VLAN100.
When I give my VLAN50 an IP address on the switch (to manage) the subnet becomes routable. This is the difference with the 6248 where you specify this by the command "routing" in the "interface vlan {nr}"-scope. This command is not available anymore and every VLAN with an IP address is routed.
So what I want to do is to restrict routing by ACL-policy (or another way). This has been mentioned before in other threads, but I need help to configure it.
I already restricted the access to the management interface by an access list "mlist".
What do I exactly need to change to disable the routing only for VLAN50?
Thanks in advance.
Kind regards, Hugo.
---
This is my config:
!Current Configuration:
!System Description "Dell EMC Networking N3048ET-ON, 6.6.0.54, Linux 3.6.5-ca31e31f, v1.0.5"
!System Software Version 6.6.0.54
!
configure
vlan 50,100,1439,2439
exit
vlan 50
name "LAN-50"
exit
vlan 100
name "Colo-1"
exit
vlan 1439
name "Linknet VLAN 1439"
exit
vlan 2439
name "Linknet VLAN 2439"
exit
hostname "sws01.rtd.xxx.net"
slot 1/0 9 ! Dell EMC Networking N3048ET-ON
slot 2/0 9 ! Dell EMC Networking N3048ET-ON
sntp unicast client enable
sntp server "0.nl.pool.ntp.org"
clock summer-time recurring EU
clock timezone 1 minutes 0 zone "EST"
stack
member 1 6 ! N3048ET-ON
member 2 6 ! N3048ET-ON
exit
ip name-server "8.8.8.8"
ip name-server "2001:4860:4860::8888"
ip name-server "2001:4860:4860::8844"
ip name-server "8.8.4.4"
ip routing
interface vlan 50
ip address 192.168.50.254 255.255.255.0
exit
interface vlan 100
ip address 5.x.x.x 255.255.255.224
ipv6 address 2a00:x:x::1/48
exit
interface vlan 1439
ip address 192.168.140.138 255.255.255.252
ipv6 address 2a00:x:x:x::x/126
exit
interface vlan 2439
ip address 192.168.240.138 255.255.255.252
ipv6 address 2a00:x:x:x::x/126
exit
ip route 0.0.0.0 0.0.0.0 192.168.140.137
ip route 0.0.0.0 0.0.0.0 192.168.240.137
username "admin" password {secret} privilege 15 encrypted
management access-list "mlist"
permit vlan 50 priority 1
exit
management access-class mlist
application install SupportAssist auto-restart start-on-boot
!
interface Gi1/0/1
description "Uplink VLAN 1439"
spanning-tree disable
switchport mode trunk
switchport trunk native vlan 1439
switchport trunk allowed vlan 1439
exit
!
interface Gi1/0/46
description "Service poort"
spanning-tree guard root
switchport access vlan 50
exit
!
interface Gi2/0/1
description "Uplink VLAN 2439"
spanning-tree disable
switchport mode trunk
switchport trunk native vlan 2439
switchport trunk allowed vlan 2439
exit
!
interface Gi2/0/46
description "Service poort"
spanning-tree guard root
switchport access vlan 50
exit
!
ipv6 route ::/0 2a00:x:x:x::x
ipv6 route ::/0 2a00:x:x:x::x
eula-consent hiveagent reject
exit
DELL-Josh Cr
Moderator
September 15th, 2020 09:00
Hi Hugo,
Page 1077 (https://dell.to/35FArxx). You should be able to use the management ACL functions to block traffic from the other VLANs. Let us know if you have any additional questions.
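Added example (not part of the thread, and not Dell's or the moderator's code): the point Hugo runs into is that on this platform every VLAN interface that carries an IP address becomes a routed SVI as soon as global "ip routing" is on, with no per-interface "routing" toggle. A quick way to keep track of that is to audit the running-config for SVIs that are routable but have no ACL bound. The script below parses the SVI blocks of the posted config (embedded inline as a constructed sample, with the same "x" placeholders as the post) and reports every routable VLAN interface without an "ip access-group" binding. The "ip access-group <name> in" interface-mode syntax used in the hardened variant is my reading of the OS6 CLI and is an assumption to check against the user guide the moderator references; the script only checks that an ACL is bound, not what it permits.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the routing-relevant lines of the config posted above.
AS_POSTED = """\
ip routing
interface vlan 50
ip address 192.168.50.254 255.255.255.0
exit
interface vlan 100
ip address 5.x.x.x 255.255.255.224
ipv6 address 2a00:x:x::1/48
exit
interface vlan 1439
ip address 192.168.140.138 255.255.255.252
exit
interface vlan 2439
ip address 192.168.240.138 255.255.255.252
exit
"""

# Constructed variant: same SVIs, but an IPv4 ACL named "mgmt-only" bound
# inbound on VLAN 50. The "ip access-group" line is assumed OS6 syntax.
WITH_ACL = AS_POSTED.replace(
    "ip address 192.168.50.254 255.255.255.0\n",
    "ip address 192.168.50.254 255.255.255.0\nip access-group mgmt-only in\n",
)


@dataclass
class Svi:
    vlan: int
    addresses: List[str] = field(default_factory=list)  # v4 and v6 addresses
    acls: List[str] = field(default_factory=list)       # "<name>/<direction>"


def parse_config(config: str) -> Tuple[bool, Dict[int, Svi]]:
    """Return (global_ip_routing_enabled, {vlan_id: Svi}) from a config dump.

    Only 'interface vlan N' blocks are tracked; 'vlan N' (name) blocks and
    physical ports are ignored because they cannot carry an SVI address.
    """
    routing = False
    svis: Dict[int, Svi] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "ip routing":
            routing = True
            continue
        m = re.match(r"interface vlan (\d+)$", line)
        if m:
            vid = int(m.group(1))
            current = svis.setdefault(vid, Svi(vid))
            continue
        if line == "exit":
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"(ipv6|ip) address (\S+)", line)
        if m:
            current.addresses.append(m.group(2))
            continue
        # Assumed OS6 interface-mode ACL binding; adjust to the real syntax.
        m = re.match(r"ip access-group (\S+) (in|out)$", line)
        if m:
            current.acls.append(f"{m.group(1)}/{m.group(2)}")
    return routing, svis


def routable_svis_without_acl(config: str) -> List[int]:
    """VLAN IDs that will be routed (address present, 'ip routing' on)
    and have no ACL bound, i.e. the ones worth a second look."""
    routing, svis = parse_config(config)
    if not routing:
        return []  # nothing is routed between SVIs without global routing
    return sorted(v for v, s in svis.items() if s.addresses and not s.acls)


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("with ACL on VLAN 50", WITH_ACL)):
        print(f"{label}: routable SVIs without ACL -> "
              f"{routable_svis_without_acl(cfg)}")
```

Run against the posted config the audit lists VLAN 50 alongside the three transit VLANs, which is exactly the situation described in the question; once an ACL is bound to the VLAN 50 SVI it drops out of the list. The same check is easy to fold into a config-backup job so a management SVI that silently becomes routable after a change shows up in review rather than in an incident.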