c3g124-48 configuration intervlan routing and access policy and hyper-v integration

  • Question
  • Updated 1 year ago
  • Answered
Hello, I'm new to configuring the C3G124-48.
I have a switch from you and its firmware is at the latest version; however, I have some difficulties with the configuration shown below:
What I intend to create:

VLAN ID

ID   NAME            IP (/24) Gtw
1    Cliente         10.1.0.1
10   Administração   10.1.1.1
20   Tecnica         10.1.2.1
30   Servidores      10.1.3.1
40   Voip            10.1.4.1
50   Cameras         10.1.5.1
60   Testes          10.1.6.1
70   Public          10.1.7.1


Rules of Access:

Inter Vlan Access

ID   1   10  20  30  40  50  60  70
1    X   -   -   X   -   -   -   -
10   X   X   X   X   X   X   X   -
20   X   -   X   X   X   X   X   X
30   X   X   X   X   X   X   X   -
40   -   -   -   X   -   X   -   -
50   -   X   -   X   -   X   -   -
60   X   -   X   X   -   -   -   X
70   X   -   -   -   -   -   -   X


VLAN 30 - LACP configured on ports 44 - 48

Switch data:
IP Layer Vlan Default: 10.1.0.254/24
For each of the VLANs the switch would be the default gateway, with static routing between the gateway, switch and VLANs.
Configuring access rules to filter traffic as shown above.

I do not know if the configuration below would be possible to create on this switch:

Dynamic VLAN configured on ports 42-43, where the Hyper-V source MAC is 0A:F1:04:xx:xx:xx, and which will receive virtual machines with dynamic routing that only have access to them and to the router's IP, in addition to access to the gateway IP, in this case 10.1.0.1/24.
Each VM created with this MAC start belongs to a VLAN that cannot access any of the other VLANs, only gateway access.
Can you tell me if it would be possible to create this scenario on your switch? If you cannot create this whole scenario, how far can I go with your switch, and which product of yours could satisfy the requirements for a network with this complexity?
Regards,

Bruno D'Anna
Bruno D Annna

Posted 2 years ago

Bruno D Annna

This is my config file:

# Firmware Revision:  06.61.16.0002
#ip
set ip address 10.1.0.254 mask 255.255.255.0 gateway 10.1.0.1
set switch member 1 11
#vlan
set vlan create 10
set vlan create 20
set vlan create 30
set vlan create 40
set vlan create 50
set vlan create 60
set vlan create 70
set vlan name 10 "adm"
set vlan name 20 "tecnica"
set vlan name 30 "Servidores"
set vlan name 40 "Voip"
set vlan name 50 "camera"
set vlan name 60 "testes"
set vlan name 70 "publica"
clear vlan egress 1 ge.1.16
set vlan egress 10 ge.1.16 tagged
set vlan egress 20 ge.1.16 untagged
set vlan dynamicegress 20 enable
set vlan association subnet 10.1.2.0 255.255.255.0 20
!

#Router Configuration
router
enable
configure
ip igmp
interface vlan 10
ip address 10.1.1.1 255.255.255.0
ip igmp enable
ip rip enable
no shutdown
exit
interface vlan 20
ip address 10.1.2.1 255.255.255.0
ip rip enable
no shutdown
exit
interface vlan 30
ip address 10.1.3.1 255.255.255.0
ip igmp enable
ip rip enable
no shutdown
exit
interface vlan 40
ip address 10.1.4.1 255.255.255.0
no shutdown
exit
interface vlan 50
ip address 10.1.5.1 255.255.255.0
no shutdown
exit
interface vlan 60
ip address 10.1.6.1 255.255.255.0
no shutdown
exit
router rip
distance 30
exit
exit
exit
exit
!
#dhcp
!
set dhcp enable
set dhcp bootp enable
!
#lacp
set lacp static lag.0.1
set lacp aadminkey lag.0.1 1
!
#port
set port lacp port ge.1.40 aadminkey 1
set port lacp port ge.1.41 aadminkey 1
set port lacp port ge.1.42 aadminkey 1
set port lacp port ge.1.43 aadminkey 1
set port lacp port ge.1.44 aadminkey 1
set port lacp port ge.1.45 aadminkey 1
set port lacp port ge.1.46 aadminkey 1
set port lacp port ge.1.47 aadminkey 1
set port lacp port ge.1.48 aadminkey 1
set port lacp port ge.1.40 disable
set port lacp port ge.1.41 disable
set port lacp port ge.1.42 disable
set port lacp port ge.1.43 disable
set port lacp port ge.1.45 disable
set port lacp port ge.1.46 disable
set port lacp port ge.1.47 disable
set port lacp port ge.1.48 disable
set port vlan ge.1.16 20
!
#ssh
set ssh enabled
!
end

Erik Auerswald, Embassador

Hi Bruno,

it should be possible to implement your scenario using a C3. You could use ACLs to implement the access restrictions.

If you want the C3 to route in the same VLAN you want to use for management, you should not use the host IP interface at all, just use SVIs (Switched Virtual Interface, interface vlan X).

For an SVI to become active, the VLAN needs to have at least one port active. As long as an SVI is not active, the network will not show up as directly connected and you will not be able to ping the configured address.

Erik
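
The access matrix from the question, checked in code before it is turned into ACLs (an added example, not part of the original thread and not switch CLI syntax). It assumes rows are source VLANs and columns are destinations, and that the ACLs are stateless per-packet filters, so a permit in only one direction drops the replies; the rule tuples are a vendor-neutral sketch.

```python
import ipaddress

# VLAN gateways from the question's table; every VLAN is a /24.
GATEWAYS = {1: "10.1.0.1", 10: "10.1.1.1", 20: "10.1.2.1", 30: "10.1.3.1",
            40: "10.1.4.1", 50: "10.1.5.1", 60: "10.1.6.1", 70: "10.1.7.1"}

# Access matrix from the question. Assumption: row = source VLAN,
# column = destination VLAN, "X" = allowed, "-" = denied.
COLUMNS = [1, 10, 20, 30, 40, 50, 60, 70]
MATRIX = """
1  X - - X - - - -
10 X X X X X X X -
20 X - X X X X X X
30 X X X X X X X -
40 - - - X - X - -
50 - X - X - X - -
60 X - X X - - - X
70 X - - - - - - X
"""

def subnet(vlan):
    """Network of a VLAN, derived from its gateway address."""
    return ipaddress.ip_interface(GATEWAYS[vlan] + "/24").network

def parse_matrix(text):
    """Return {source VLAN: set of destination VLANs it may reach}."""
    allowed = {}
    for line in text.strip().splitlines():
        src, *cells = line.split()
        if len(cells) != len(COLUMNS):
            raise ValueError(f"row {src}: expected {len(COLUMNS)} cells")
        allowed[int(src)] = {d for d, c in zip(COLUMNS, cells) if c == "X"}
    return allowed

def one_way_permits(allowed):
    """Pairs (src, dst) that are permitted while dst -> src is denied."""
    return sorted((s, d) for s, dsts in allowed.items() for d in dsts
                  if s != d and s not in allowed[d])

def rules_for(allowed, src):
    """Vendor-neutral (action, source net, destination net) list for one VLAN."""
    return [("permit" if dst in allowed[src] else "deny", subnet(src), subnet(dst))
            for dst in COLUMNS if dst != src]

if __name__ == "__main__":
    allowed = parse_matrix(MATRIX)
    for s, d in one_way_permits(allowed):
        print(f"VLAN {s} -> {d} permitted, but replies {d} -> {s} are denied")
    for action, src_net, dst_net in rules_for(allowed, 40):
        print(action, src_net, "->", dst_net)
```

Each one-way pair it reports needs either a matching reverse permit or a conscious decision that the flow should fail.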

Bruno D Annna

Hello Erik, the problem I'm facing at this point: if you look in the configuration file, port 16 is mapped to VLAN 20, but I cannot turn on the switch routing with the command:
#ip routing

It accepts the command, but it does not appear in the
#show running-config

I'm afraid I'm doing something wrong.

Bruno D Annna

This is a summary of the config used in VLAN 20; please help us review the problem in this config file:

#set vlan create 20
#set vlan name 20 "tecnica"
#set vlan dynamicegress 20 enable   --> dynamic association for hosts, not in use at the moment, only a test
#set vlan association subnet 10.1.2.0 255.255.255.0 20
#Router Configuration
#router
#enable
#configure
#interface vlan 20
#ip address 10.1.2.1 255.255.255.0
#ip rip enable
#no shutdown
#exit
#set port vlan ge.1.16 20

The command "#ip routing" does not show in the config file.

Erik Auerswald, Embassador

Hi,

I think that "ip routing" is default on the C3, thus it does not show up in "show run." You could try something like "show config all router" in the switch mode of the CLI. A "no ip routing" might show up in the running configuration, if accepted.

Routing is easily testable, just connect two devices (e.g. PCs) to ports in different VLANs, configure SVIs for each VLAN, give the two test devices appropriate IP addresses and default gateways, and verify packet forwarding between the two devices. The switch will show the SVI's subnets as directly connected routes with "show ip route."

Without anything connected to the switch, the SVIs will be down (inactive), and no routes will show up in "show ip route."

Erik

Bruno D Annna

Hello friend,

I ran several tests and inter-VLAN routing does not seem to be working.

For the purpose of testing, I isolated a switch port and defined a static IP, along with a static VLAN. These command lines were used on the switch:

#set ip address 10.1.0.254 mask 255.255.255.0 gateway 10.1.0.1
#set vlan create 20
#set vlan name 20 "tecnica"
#set vlan egress 20 ge.1.5 untagged
#clear vlan egress 1 ge.1.5
#set vlan association subnet 10.1.2.0 255.255.255.0 20
#router
#enable
#configure
#interface vlan 20
#ip address 10.1.2.1 255.255.255.0
#ip rip enable (not necessary)
#no shutdown
#exit
#set port vlan ge.1.5 20

 

#show ip route
Destination                   Gateway                       Flags    Use   If    Metric
0.0.0.0/0                     10.1.0.1                      UG       1     host   5
10.1.0.0/24                   10.1.0.254                    UC       33    host   5
10.1.0.254                    10.1.0.254                    UH       0     lo0    5
10.1.2.0/24                   10.1.0.254                    UC       0     rt2    5
10.1.2.1                      10.1.0.254                    UH       0     lo0    5

#ping 10.1.2.1
 10.1.2.1 is alive


On the computer connected to VLAN Default:

Ip: 10.1.0.4/24 gtw: 10.1.0.1

#route add 10.1.2.0 mask 255.255.255.0 10.1.0.254
#ping 10.1.2.1
(no response)
#tracert 10.1.2.1
(no trace to route)

Route Print
endereço de rede   Máscara           Ender. gateway   Interface   Custo
0.0.0.0            0.0.0.0           10.1.0.1         10.1.0.4    266
10.1.0.0           255.255.255.0     No vínculo       10.1.0.4    266
10.1.0.4           255.255.255.255   No vínculo       10.1.0.4    266
10.1.0.255         255.255.255.255   No vínculo       10.1.0.4    266
10.1.2.0           255.255.255.0     10.1.0.254       10.1.0.4    11

 


Config on the computer connected to port 5, VLAN 20:

IP: 10.1.2.3/24 gtw: 10.1.2.1

#ping 10.1.2.1 (alive)
#ping 10.1.0.254 (switch)
No response
#ping 10.1.0.1 (router)
No response

 

Router config: 10.1.0.1/24

#route add -net 10.1.2.0/24 gateway 10.1.0.254
#route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         200-1-58-201.   0.0.0.0         UG    0      0        0 ppp1
1.1.1.0         *               255.255.255.0   U     0      0        0 eth1
10.1.0.0        *               255.255.255.0   U     0      0        0 br0
10.1.2.0        10.1.0.254      255.255.255.0   UG    0      0        0 br0
200-1-58-201.   *               255.255.255.255 UH    0      0        0 ppp1

#ping 10.1.2.1 (no response)

But no response or trace to VLAN 20.

Erik Auerswald, Embassador

Hi,

the switch interface, configured with "set ip address", cannot be used for routing. You should probably remove that address from a console session with "clear ip address" and then add an SVI to VLAN 1. Otherwise the C3 cannot route from or to VLAN 1.

Erik

Bruno D Annna

Understood, in this case the default VLAN will remain without an IP address and routing is run on the other VLANs.
So how do I set a default gateway for the switch on the VLAN 1 interface?

Erik Auerswald, Embassador

Hi Bruno,

I would not recommend to use both the switch's host IP interface (set ip address) and SVIs on the same switch. I would recommend to use only SVIs, including for VLAN 1 (if you really want to use VLAN 1 at all).

If you want to use an SVI for VLAN 1, use the following:

clear ip address
router
enable
configure
interface vlan 1
ip address 10.1.0.254 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 10.1.0.1
exit
exit
exit

Erik