8 Posts

October 15th, 2007 03:00

PowerConnect 6248 routing / Management VLAN


Are there any example configurations for VLAN routing with the PC6248 available?
I'm trying to set up a fairly simple config, as follows:
configure
vlan database
vlan 40-41
exit
stack
member 1 2
exit
ip address 192.168.40.241 255.255.255.0
ip address vlan 40
interface vlan 40
name "LAN"
exit
interface vlan 41
name "vr41"
routing
ip local-proxy-arp
exit
If I try to set up a routing VLAN, I get the following error:
# interface vlan 41
# ip address 192.168.40.242 255.255.255.0
Subnet conflict between specified IP Address and current configuration.
All routing interfaces, service ports and network ports must be configured on
different subnets.
 
I tried just making the 40 VLAN a routing VLAN, but it complains about having the management port in a routed VLAN.
 
To be clear
- The users are in the subnet 192.168.40.0
- I want the 6248 to be a virtual router with IP 192.168.40.242, which will be their default gateway
- I want the 6248 management IP to be 192.168.40.241
- The router 192.168.40.242 is currently a 2-port Cisco router. The other port is 192.168.43.242, which I guess I also want to set up as a routing VLAN. And I want to apply some basic ACLs to the routed traffic.
Any help much appreciated!

5 Posts

October 16th, 2007 13:00

I am having the exact same problem.  What is the issue with having the management port in the same subnet as our production/main vlan?  Is the assertion that my default vlan (containing the management port) may not overlap with a user-defined vlan?  I don't see why that is the case, as one cannot assign an ip address to the default vlan, nor make it route-able (I think... this is a long way from Cisco-land, pardon me as I stumble around in the dark for a bit).
 
Any help here is much appreciated.

5 Posts

October 16th, 2007 22:00

Never mind, I figured it out.  Info to follow....

8 Posts

October 17th, 2007 22:00

Waiting with bated breath!

5 Posts

October 18th, 2007 12:00

You have to create what is essentially an out-of-band management port (i.e., assign an IP address that is not in any of your defined vlans).  I guess it is analogous to the Ethernet port on the back of a Cisco 3750E or something... I am working on a full config that I will share soon.
 
It is a rather bizarre scheme, but it's working for me, so...

44 Posts

October 18th, 2007 16:00

That is what I had to do too.  It is kind of bizarre.  Here is what I did.  I'm only using VLANs one and two.  So I assigned the management interface to VLAN3 using these commands:
ip address 192.168.3.1 255.255.255.0
ip address vlan 3
Any other VLANs already assigned an IP address will be able to manage the switch. 
 
What I've been wondering lately is what would be the easiest way to block management access to VLANs that should not be able to manage the switch?
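An added example, not part of any post in this thread: a pre-flight check that applies the two rules reported above (no two layer-3 interfaces on overlapping subnets, and no management VLAN that is also a routing VLAN) to a planned config before it is pasted into the switch. It parses only the command forms quoted in the thread, does not reproduce the switch's own validation, and placing 192.168.43.242 on VLAN 41 is an assumption made for the sample.

```python
import ipaddress
from itertools import combinations

def parse_interfaces(config):
    """Collect layer-3 interfaces, the management VLAN and routing VLANs."""
    l3, mgmt_vlan, routed, ctx = {}, None, set(), None
    for tok in (ln.split() for ln in config.splitlines() if ln.strip()):
        if tok[:2] == ["interface", "vlan"]:
            ctx = int(tok[2])                  # entering a VLAN interface
        elif tok[0] == "exit":
            ctx = None                         # back to global context
        elif tok[0] == "routing" and ctx is not None:
            routed.add(ctx)
        elif tok[:3] == ["ip", "address", "vlan"]:
            mgmt_vlan = int(tok[3])            # management VLAN binding
        elif tok[:2] == ["ip", "address"] and len(tok) == 4:
            name = "management" if ctx is None else f"vlan {ctx}"
            l3[name] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
    return l3, mgmt_vlan, routed

def check(config):
    """Return violations of the two rules reported in the thread."""
    l3, mgmt_vlan, routed = parse_interfaces(config)
    problems = [f"subnet conflict: {a} ({ia}) overlaps {b} ({ib})"
                for (a, ia), (b, ib) in combinations(l3.items(), 2)
                if ia.network.overlaps(ib.network)]
    if mgmt_vlan in routed:
        problems.append(f"management VLAN {mgmt_vlan} is also a routing VLAN")
    return problems

# Constructed from the first post: management and routing VLAN 41 share a /24.
ATTEMPT = """ip address 192.168.40.241 255.255.255.0
ip address vlan 40
interface vlan 41
routing
ip address 192.168.40.242 255.255.255.0
exit"""

# Constructed from the replies: management moved to an unused VLAN and subnet.
FIXED = """ip address 192.168.3.1 255.255.255.0
ip address vlan 3
interface vlan 40
routing
ip address 192.168.40.242 255.255.255.0
exit
interface vlan 41
routing
ip address 192.168.43.242 255.255.255.0
exit"""
```

Calling check(ATTEMPT) reports the same subnet conflict the switch printed, and check(FIXED) returns an empty list.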

8 Posts

October 18th, 2007 20:00

Thanks for that.
Yeah, if the switch can be managed by any of its routing interface IPs, locking it down would be ideal.
 
I noticed there is a GUI interface to apply a management access profile. I tried enabling one, but only managed to lock myself out and had to go undo it all from the console.
 
The manual for these things is terrible. It basically consists of an alphabetical listing of commands that says "Feature X: This command will enable Feature X."
 
 

5 Posts

October 18th, 2007 20:00

I did the same thing with the management profile.  I agree that the documentation is awful.  Dell really needs to get their InfoDev people to revise it and provide real examples and configurations, much like Cisco does (in fact, I think Cisco tends to drown the user in documentation - there is a guide for every conceivable configuration).
 
I would like to see documentation on routing setups, ACLs, Voice VLAN, and the reason for the wacky management interface thing.
 

8 Posts

October 23rd, 2007 00:00

Thanks for the link to your sample config. An excellent start - certainly better than the non-existent Dell examples.
 
A couple of points from my experiments.
 
The "ip ssh pubkey-auth" command doesn't appear in a "show running", and it seems to be a one-off command.
 
You create a management access-list ("SSH"), but don't apply it. (with management access-class)
 
You're missing the crypto commands you would've had to issue for SSH support, and to create the HTTPS certificate. (Which, from my tests, always get created with a date of 1970, despite SNTP getting the right date)
 
The line ssh and password for it are pointless. (Yeah, I know the doco says to do that) The default authentication for ssh only allows "local". So I read that as you can only logon as the username "xxxxxxxxx" you created.
 

And another irksome thing - the CLI supports range:

interface range ethernet 1/g1-1/g32
switchport access vlan nnn
exit

But the config script does not support it - you need to list them all individually. Very painful for a stack of 5x48 ports!



Message Edited by camtex on 10-22-2007 08:47 PM

5 Posts

October 23rd, 2007 12:00

Thanks for the feedback.  I had applied the access list, but that is how I locked myself out.  I just didn't remove the declaration from the config.
 
Since all of this came from trial and error (and none came from the documentation), I figured there would be some issues with the config.  I appreciate you pointing things out.
 
The 6248 is a great price, but I guess you make up for it in config time......
