tsch157
8 Posts
0
December 5th, 2017 09:00
Hello,
thank you for your answer. In general, what I want to achieve is pretty easy in theory, but I do not know how to configure it exactly. Basically, I do not need any VLAN tagging; I only want to make sure that on specific ports only specific IPs or subnets are allowed.
Let's assume I have 10.0.1.0/24 and 10.0.2.0/24 available on the switch. Now I want to make sure that, for example, on Port 2 a device behind it can only assign IPs in the range of 10.0.1.0/27, and a device on Port 3 can only assign, let's say, the single addresses 10.0.1.100 and 10.0.2.100. Ideally all devices with these individual assignments are in their own VLAN.
So the way I went was to create a VLAN of its own for each port and then use the vlan association subnet function to assign IPs or subnets to each VLAN for each port, but as I read, this is not the way it works, right? Or am I just doing something wrong with the configuration of the VLANs?
Greetings!
tsch157
8 Posts
0
December 5th, 2017 10:00
Fully static IP addresses. They are always set manually.
tsch157
8 Posts
0
December 5th, 2017 11:00
Thank you for your answer. This is what I tried already as well. As soon as I set the ports to access mode with the VLAN I configured for the IPs I want to have assigned, I do not get a connection anymore.
The uplink is always configured as a general port with VLAN 1 and the additional VLANs for each of my ports.
Greetings!
tsch157
8 Posts
0
December 5th, 2017 11:00
Thank you for your answer and your help!
The relevant configuration is currently like this:
console#show running-config
!Current Configuration:
!System Description "PowerConnect 6248, 3.3.16.1, VxWorks 6.5"
!System Software Version 3.3.16.1
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 11
vlan association subnet XXX.230.163.0 255.255.255.248 11
vlan association subnet XXX.230.163.10 255.255.255.255 11
description "Uplink"
switchport mode general
switchport general allowed vlan add 11
exit
!
interface ethernet 1/g34
negotiation 100h
description "INET"
switchport mode general
switchport general allowed vlan add 11
exit
!
interface ethernet 1/g35
negotiation 100h
description "iLo"
switchport mode general
switchport general allowed vlan add 11
exit
I tested it by pinging externally from the internet. I'm working with external IP addresses. I did not ping from device to device, only through the switch.
Greetings!
tsch157
8 Posts
0
December 5th, 2017 13:00
Hello,
thank you a lot for your very detailed description. The problem I have is that I generally have absolutely no control over the configuration of the gateway. I can tell them which configuration I need, but they are most likely not able to configure my VLANs on their infrastructure. I'm in a data center and have the uplink provided together with all external IP addresses I'm allowed to use.
I just want to make sure that IP addresses are bound to specific ports, so I'm able to ensure that clients on a port can only use the IPs I want them to use. This means I'm only able to operate within the PowerConnect 6248. Is it possible to perform this routing with the switch, maybe with something like inter-VLAN routing?
Greetings!
tsch157
8 Posts
0
December 5th, 2017 15:00
Thank you for your reply. Currently no VLANs are in use but VLAN 1, so I'm already running on a flat network. The only reason for applying VLANs was my intention to limit IP addresses on a port. I also have no idea about the gateway's hardware, I'm sorry. Currently it is just Uplink -> 6248 -> Clients.
So my approach would be to create an IP ACL for each port to ensure that only the IPs/subnets I specify there are usable. How is the syntax here? Do I need to allow the IPs I want in the first place and deny all others afterwards, or do I just need my allow rule?
Greetings!
-> UPDATE
I just tried it out and I set the following configuration for a Port which is only expected to use one single IP:
interface ethernet 1/g35
negotiation 100h
description "iLo"
ip access-group deny out 11
ip access-group deny in 10
ip access-group iLo in 9
ip access-group iLo out 8
exit
Deny is set to deny IP protocol from 0.0.0.0 0.0.0.0, so everything.
After that I set rule iLo to permit the specific IP I want, once inbound and once outbound, with a higher priority. The result is that after I applied the deny nothing was pinging, and after I applied the permit with rule iLo it was pinging again. So this is most likely what you suggested, and I guess this solved my problem.
I will try this tomorrow on another interface with a server behind it which is virtualized and uses several IPs, to finally confirm this. I can test it by assigning foreign IPs that I do not allow with the ACL to a Linux VM and seeing whether it gets a connection. (It's really late here already.) I will come back and share my results, but I'm very confident that this is exactly what I needed. Thank you so much!
Greetings!
tsch157
8 Posts
0
December 6th, 2017 03:00
Hello!
As a summary in case this is relevant for anyone else:
I configured one ACL like this:
console(config)# access-list test permit ip 192.230.163.0 0.0.0.7 0.0.0.0 255.255.255.255
This will allow the subnet 192.230.163.0/29 to be reachable by 0.0.0.0/0 (everything).
After that the rule named test just needs to be applied to a port:
console(config-if)# ip access-group test
That's it; only IP packets matching this rule will be transferred. Everything else will be dropped.
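As an added worked example (not code from the thread, from Dell, or from the poster): a small Python model of the per-port IP ACL the thread ends with, parsing the same "access-list NAME permit ip SRC WILDCARD DST WILDCARD" and "ip access-group NAME" lines quoted above. It assumes the ACL is applied ingress on the client port (so it checks the source address of packets the device sends into the switch), that rules are evaluated in order with the first match winning, and that anything unmatched falls into the implicit deny-all the poster observed. The port numbers, 10.0.1.0/27 and the two host addresses come from the poster's example scenario; the ACL names port2/port3, the destination 203.0.113.1 and the sample configuration are constructed here. It shows the wildcard masks for the poster's prefixes (/27 is 0.0.0.31, /29 is 0.0.0.7) and reproduces the "foreign IP on a Linux VM" test from the earlier post without touching a switch.

```python
"""Model of per-port ingress IP ACLs (source-address pinning), built for this thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0 255.255.255.255"  # the "match anything" address/wildcard pair used in the thread


@dataclass(frozen=True)
class AclRule:
    action: str    # "permit" or "deny"
    src: int       # source address as int
    src_wild: int  # source wildcard mask: 1 bits are "don't care"
    dst: int       # destination address as int
    dst_wild: int  # destination wildcard mask


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard (inverse) mask for a prefix: /27 -> 0.0.0.31, /29 -> 0.0.0.7, /32 -> 0.0.0.0."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def _matches(addr: int, rule_addr: int, wild: int) -> bool:
    care = 0xFFFFFFFF ^ wild  # bits set in the wildcard are ignored, the rest must be equal
    return (addr & care) == (rule_addr & care)


def parse_config(config: str) -> tuple[dict[str, list[AclRule]], dict[str, str]]:
    """Parse the CLI subset used in the thread (a model, not the switch's real parser):
    access-list lines, and 'ip access-group NAME' inside an 'interface ethernet 1/gN' block.
    Returns (acl name -> rules in order, port -> acl name)."""
    acls: dict[str, list[AclRule]] = {}
    bindings: dict[str, str] = {}
    current_port = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue
        if parts[0] == "access-list":
            name, action, proto, src, src_w, dst, dst_w = parts[1:8]
            if proto != "ip" or action not in ("permit", "deny"):
                raise ValueError(f"unsupported rule: {raw!r}")
            acls.setdefault(name, []).append(
                AclRule(action, _ip(src), _ip(src_w), _ip(dst), _ip(dst_w)))
        elif parts[:2] == ["interface", "ethernet"]:
            current_port = parts[2]
        elif parts[0] == "exit":
            current_port = None
        elif parts[:2] == ["ip", "access-group"] and current_port:
            bindings[current_port] = parts[2]  # name comes first, direction/sequence may follow
    return acls, bindings


def ingress_verdict(acls, bindings, port: str, src: str, dst: str) -> str:
    """Verdict for an IP packet the device on `port` sends into the switch: first matching rule
    wins, an ACL with no match ends in the implicit deny-all, a port with no ACL is unfiltered."""
    name = bindings.get(port)
    if name is None:
        return "permit"
    s, d = _ip(src), _ip(dst)
    for rule in acls[name]:
        if _matches(s, rule.src, rule.src_wild) and _matches(d, rule.dst, rule.dst_wild):
            return rule.action
    return "deny"


def addresses_allowed(acls, bindings, port: str, candidates, dst: str = "203.0.113.1"):
    """The poster's VM test: which candidate source addresses get out of `port` at all."""
    return [a for a in candidates if ingress_verdict(acls, bindings, port, a, dst) == "permit"]


# Constructed configuration for the thread's scenario: 10.0.1.0/27 on port 2, the two single
# hosts on port 3, plus the poster's own /29 rule on 1/g35. Not a real deployment.
SAMPLE_CONFIG = f"""
access-list port2 permit ip 10.0.1.0 {wildcard_for_prefix(27)} {ANY}
access-list port3 permit ip 10.0.1.100 {wildcard_for_prefix(32)} {ANY}
access-list port3 permit ip 10.0.2.100 {wildcard_for_prefix(32)} {ANY}
access-list test permit ip 192.230.163.0 0.0.0.7 {ANY}
!
interface ethernet 1/g2
 ip access-group port2
exit
interface ethernet 1/g3
 ip access-group port3
exit
interface ethernet 1/g35
 ip access-group test
exit
"""

ACLS, BINDINGS = parse_config(SAMPLE_CONFIG)


def check(port: str, src: str, dst: str = "203.0.113.1") -> str:
    """Convenience wrapper over the parsed sample configuration."""
    return ingress_verdict(ACLS, BINDINGS, port, src, dst)
```

Two things worth keeping in mind when carrying this over to the hardware: the model only compares IPv4 source and destination fields, so whether non-IP frames such as ARP are affected by an IP ACL on this switch is not something the thread establishes and should be tested on the device as well; and because the permit rules use "any" as destination, they only pin the source address, which is what matters for preventing a client from using addresses it was not given.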