Private VLANs isolate the traffic to that VLAN and the management interface for the GUI is on VLAN 1. This switch doesn’t do routing so ports on one VLAN cannot communicate with ports on a different VLAN, so once you run those commands you are not allowing those ports to reach the management VLAN.
thank you josh -- any suggestions on how i might be able get around this? can VLAN-1 be altered somehow to allow access? can the management-interface be moved to a different VLAN ?
i can access the web-page from outside the switch itself. i am wondering now about setting up some sort of port-forwarding in the router itself.
On this switch the management VLAN is fixed to VLAN 1, so you will need devices on that VLAN to access it or something providing layer 3 routing that can communicate across VLANs, either a router or a L3 switch, like a powerconnect 6200 or higher series. As for your question about switchport modes, typically access mode is used for PCs on the network and trunk or general mode is used for other networking devices.
it appears that the web interface is not going to work for me at all!
can anybody recommend a free (or cheap) snmp-monitor tool? i see there is something called "splunk" that has a free license, and dell has the Dell NMP Configuration Tool -- i am wondering if either of these (or another one) would really do the same thing.
or will i discover that neither the snmp nor the web-interface works in my setup?
Once you have the configuration set you may not need to access the web interface regularly and could just set a static ip on a laptop on that subnet to do management functions.
Which port is the laptop connected to? Select that switchport
interface ethernet that port
switchport mode access
switchport access vlan 1
Why are you using private VLANs? this switch can't route between VLANs anyway so just setting ports on different VLANs should be enough. Maybe give me an overview of what your environment is like and what you are trying to do, it just seems like an overly complicated configuration.
i want to have one port [E1] "host" the wireless-access-point (WAP), and all the other ports [E2-48] part of the community. nobody using a wireless device should be able to access anything in the community, and nobody in the community should be able to access the wireless devices.
everybody in the community should be able to access everybody else in the community.
both the community and the wireless need to be able to go out on the internet [G4]
Ok, in that case you are using the best setup if you need them both to be able to access the internet without two separate connections to the internet gateway one for each vlan. That configuration looks fine but does not have access to vlan 1 on any of the ports for management access.
With this switch you would have to leave a port in VLAN 1 for it to be accessible, once you take the g4 port off of VLAN 1 then the management won’t be accessible, as VLAN 1 won’t route through other VLANs, it is designed as a security feature to prevent unauthorized access, but in your case it prevents you from accessing it remotely. There isn’t a tool to remotely get to the web management, you could probably get to the command line remotely by connecting a system to the serial port and remoting to that system, but nothing that can get you directly to the switch without going through something else.
the power-connect webpage is no longer available outside the network. is a setup configuration available where the powerconnect webpage can still be accessed from outside the network?
also, it appears my only option for ever seeing the powerconnect webpage again is to dedicate one of the ports specifically for this purpose? or is there a dell-utility that would work as well?
josh - it sounds as if my only option is to leave one port on vlan 1 and get a 'puter with two nic's and then install teamviewer in order to access the webpage remotely.
what do you think?
side-note: i notice this powerconnect seems to like the IE browser for some twisted reason. fortunately the chrome-IE plugin works fine ;-)
DELL-Josh Cr
Moderator
•
9.5K Posts
0
December 11th, 2013 09:00
Yeah that sounds like a good plan to use teamviewer to be able to access it remotely. As for it liking IE, the switch was released in 2005.
mark f edwards
26 Posts
0
December 10th, 2013 09:00
i am wondering if one of these other options would be more suitable?
console(config-if)# switchport mode ?
private-vlan - - - -private VLAN modes
general - - - - - - -generic port mode
access - - - - - - - vlan unaware port
trunk - - - - - - - - - vlan aware port
DELL-Josh Cr
Moderator
•
9.5K Posts
0
December 10th, 2013 09:00
Private VLANs isolate the traffic to that VLAN and the management interface for the GUI is on VLAN 1. This switch doesn’t do routing so ports on one VLAN cannot communicate with ports on a different VLAN, so once you run those commands you are not allowing those ports to reach the management VLAN.
mark f edwards
26 Posts
0
December 10th, 2013 10:00
thank you josh -- any suggestions on how i might be able get around this? can VLAN-1 be altered somehow to allow access? can the management-interface be moved to a different VLAN ?
i can access the web-page from outside the switch itself. i am wondering now about setting up some sort of port-forwarding in the router itself.
DELL-Josh Cr
Moderator
•
9.5K Posts
0
December 10th, 2013 11:00
On this switch the management VLAN is fixed to VLAN 1, so you will need devices on that VLAN to access it or something providing layer 3 routing that can communicate across VLANs, either a router or a L3 switch, like a powerconnect 6200 or higher series. As for your question about switchport modes, typically access mode is used for PCs on the network and trunk or general mode is used for other networking devices.
mark f edwards
26 Posts
0
December 10th, 2013 14:00
thank you josh -
it appears that the web interface is not going to work for me at all!
can anybody recommend a free (or cheap) snmp-monitor tool? i see there is something called "splunk" that has a free license, and dell has the Dell NMP Configuration Tool -- i am wondering if either of these (or another one) would really do the same thing.
or will i discover that neither the snmp nor the web-interface works in my setup?
sorry for all these newbie questions.
DELL-Josh Cr
Moderator
•
9.5K Posts
0
December 10th, 2013 14:00
Once you have the configuration set you may not need to access the web interface regularly and could just set a static ip on a laptop on that subnet to do management functions.
DELL-Josh Cr
Moderator
•
9.5K Posts
0
December 10th, 2013 15:00
Which port is the laptop connected to? Select that switchport
interface ethernet that port
switchport mode access
switchport access vlan 1
Why are you using private VLANs? this switch can't route between VLANs anyway so just setting ports on different VLANs should be enough. Maybe give me an overview of what your environment is like and what you are trying to do, it just seems like an overly complicated configuration.
mark f edwards
26 Posts
0
December 10th, 2013 15:00
hello josh - once again, i thank you for showing such patience with a newbie!
i tried that earlier, but will try again - you can see my setup below:
console# show running-config
interface ethernet e1
switchport mode private-vlan isolated
exit
interface range ethernet e(2-48)
switchport mode private-vlan community
exit
interface ethernet g4
switchport mode private-vlan promiscuous
exit
vlan database
vlan 1000
exit
interface vlan 1000
private-vlan primary
private-vlan isolated 20
private-vlan community add 10
exit
interface range ethernet e(2-48)
switchport private-vlan community 10
exit
interface ethernet g4
switchport private-vlan promiscuous 1000
exit
interface ethernet e1
switchport private-vlan isolated 1000
exit
interface vlan 1
ip address 192.168.123.234 255.255.255.0
exit
ip default-gateway 192.168.123.254
username admin password 21232f297a57a5a743894a0e4a801fc3 level 15 encrypted
and here you can see my laptop settings.
any idea what i might be doing wrong?
thanks again, josh.
mark f edwards
26 Posts
0
December 10th, 2013 16:00
hi josh -
once again, i thank you for answering me.
i want to have one port [E1] "host" the wireless-access-point (WAP), and all the other ports [E2-48] part of the community. nobody using a wireless device should be able to access anything in the community, and nobody in the community should be able to access the wireless devices.
everybody in the community should be able to access everybody else in the community.
both the community and the wireless need to be able to go out on the internet [G4]
i just followed this setup guide which uses vlans.
my current setup commands are below:
enable
config
interface vlan 1
ip address 192.168.123.234 /24
exit
ip default-gateway 192.168.123.254
username admin password admin level 15
interface ethernet e1
switchport mode private-vlan isolated
exit
interface range ethernet e(2-48)
switchport mode private-vlan community
exit
interface ethernet g4
switchport mode private-vlan promiscuous
exit
vlan database
vlan 1000
exit
interface vlan 1000
private-vlan primary
private-vlan isolated 20
private-vlan community add 10
exit
interface range ethernet e(2-48)
switchport private-vlan community 10
exit
interface ethernet g4
switchport private-vlan promiscuous 1000
exit
interface ethernet e1
switchport private-vlan isolated 1000
exit
exit
copy running-config startup-config
Y
DELL-Josh Cr
Moderator
•
9.5K Posts
0
December 11th, 2013 07:00
Ok, in that case you are using the best setup if you need them both to be able to access the internet without two separate connections to the internet gateway one for each vlan. That configuration looks fine but does not have access to vlan 1 on any of the ports for management access.
DELL-Josh Cr
Moderator
•
9.5K Posts
0
December 11th, 2013 08:00
With this switch you would have to leave a port in VLAN 1 for it to be accessible, once you take the g4 port off of VLAN 1 then the management won’t be accessible, as VLAN 1 won’t route through other VLANs, it is designed as a security feature to prevent unauthorized access, but in your case it prevents you from accessing it remotely. There isn’t a tool to remotely get to the web management, you could probably get to the command line remotely by connecting a system to the serial port and remoting to that system, but nothing that can get you directly to the switch without going through something else.
mark f edwards
26 Posts
0
December 11th, 2013 08:00
once again, thank you josh!
i notice when i issue the following commands:
interface ethernet g4
switchport mode private-vlan promiscuous
the power-connect webpage is no longer available outside the network. is a setup configuration available where the powerconnect webpage can still be accessed from outside the network?
also, it appears my only option for ever seeing the powerconnect webpage again is to dedicate one of the ports specifically for this purpose? or is there a dell-utility that would work as well?
mark f edwards
26 Posts
0
December 11th, 2013 09:00
josh - it sounds as if my only option is to leave one port on vlan 1 and get a 'puter with two nic's and then install teamviewer in order to access the webpage remotely.
what do you think?
side-note: i notice this powerconnect seems to like the IE browser for some twisted reason. fortunately the chrome-IE plugin works fine ;-)