Question

Extreme X440 specific intervlan configuration

  • 22 August 2019
  • 7 replies
  • 234 views

Hello guys
I hope to find someone that could help me out. I'm new to networking, I've just got my Cisco CCNA certificate and I've received a request to configure 3 X440, which seem to have different commands.
PS: sorry for my English.

my goal is :
1) rename the 3 switches (switch1-2-3) and connect them all using a trunk connection
2) create 4 VLANs, and assign ports to the specific one (ex. vlan10, 20, 30, 40)
3) all the VLANs should be able to communicate with VLAN 10, but not with the other VLANs

Basically I'm stuck on point n. 3...

// rename the switch
config snmp sysName "switch1"

// configure Date & Time
config time (month/day/year/hour/minute/second)

// change psw for admin user
config account "administrator"
new password : xxxxxx

// create 4 vlan , add an IP for each interface
create Vlan n10 tag 10
create Vlan n20 tag 20
create Vlan n30 tag 30
create Vlan n40 tag 40

// add an IP address to each Vlan interface
configure vlan n10 ipaddress 192.168.10.1/24
configure vlan n20 ipaddress 192.168.20.1/24
configure vlan n30 ipaddress 192.168.30.1/24
configure vlan n40 ipaddress 192.168.40.1/24

// add ports to the specific vlan (untagged = access ports)
configure vlan n10 add ports 2-20 untagged
configure vlan n20 add ports 21-30 untagged
configure vlan n30 add ports 31-40 untagged
configure vlan n40 add ports 41-48 untagged

// configured port 1 (same for all the switches) as a trunk port
configure vlan n10 add ports 1 tagged
configure vlan n20 add ports 1 tagged
configure vlan n30 add ports 1 tagged
configure vlan n40 add ports 1 tagged

Now, just to be sure that the configuration made up to this point was working, I've connected several devices to the ports of the switch and assigned a static IP to all of them, based on the VLAN:
  • I can ping all the VLAN interfaces
  • I can ping all devices inside the same VLAN
  • I cannot ping devices from a different VLAN
  • configuring another switch with the same settings, I can communicate within the same VLAN, and not with another VLAN
How can I set up point n. 3), making all the VLANs able to communicate only with n10 and n10 with all the other VLANs?

Kind regards
Daniele

7 replies

"enable ipforwarding vlan 10"

But attention: after a problem with ipforwarding, I've seen I must reboot before applying ipforwarding.
Hi!

If you want to do routing between the VLANs, but not allow traffic via certain VLANs, your #3 gets a little tricky:

"3) All the Vlan should be able to communicate with the Vlan 10 , but not with the other Vlan"

You need this:

enable ipforwarding (to enable globally for all VLANs with an IP address)

or

enable ipforwarding vlan n10
enable ipforwarding vlan n20
enable ipforwarding vlan n30
enable ipforwarding vlan n40

"enable ipforwarding {ipv4 | broadcast} {vlan vlan_name}
Description
Enables IPv4 routing or IPv4 broadcast forwarding for one or all VLANs. If no argument is provided,
enables IPv4 routing for all VLANs that have been configured with an IP address on the current VR or
VRF."

Now, test routing between the VLANs so all VLANs can talk to each other.

After testing the basic setup, you need a policy (ACL) that denies traffic from VLANs n20-n40 to each other.

edit policy deny-traffic

i (for enabling editing, an ugly vi editor monstrosity)

# Policy for denying traffic from some VLANs to some others
# (entry names must be a single token: no spaces)
entry deny_n20_n30 {
    if {
        source-address 192.168.20.0/24;
        destination-address 192.168.30.0/24;
    } then {
        deny;
    }
}

entry deny_n30_n20 {
    if {
        source-address 192.168.30.0/24;
        destination-address 192.168.20.0/24;
    } then {
        deny;
    }
}

entry deny_n20_n40 {
    if {
        source-address 192.168.20.0/24;
        destination-address 192.168.40.0/24;
    } then {
        deny;
    }
}

entry deny_n40_n20 {
    if {
        source-address 192.168.40.0/24;
        destination-address 192.168.20.0/24;
    } then {
        deny;
    }
}

entry deny_n30_n40 {
    if {
        source-address 192.168.30.0/24;
        destination-address 192.168.40.0/24;
    } then {
        deny;
    }
}

entry deny_n40_n30 {
    if {
        source-address 192.168.40.0/24;
        destination-address 192.168.30.0/24;
    } then {
        deny;
    }
}

Quit the ugly vi-like editor with Esc and then ZZ (shift z twice) or Esc :w (I think, check)

Apply the policy on ingress of each restricted VLAN (syntax: configure access-list <policy> vlan <name> ingress):

configure access-list deny-traffic vlan n20 ingress
configure access-list deny-traffic vlan n30 ingress
configure access-list deny-traffic vlan n40 ingress

Now, you should not be able to route traffic internally among n20-n40 but they should all reach n10.

Please note that this policy is based on IP addresses, so if you add another subnet to some VLAN (20-40), that subnet will be routed and allowed to all others, despite being in a "forbidden" VLAN.

I did this as a dry-run, no testing, so if not all is correct, please forgive me ;)

/Fredrik
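The pairwise deny list in Fredrik's reply is tedious to write by hand and grows as n(n-1) with the number of restricted VLANs, which is exactly where copy-paste mistakes creep in. The script below is an added example, not code from the thread or from Extreme: it generates the EXOS policy entries and the ingress apply commands from a VLAN table, and simulates first-match evaluation with the implicit final permit that EXOS ACLs have, so the intended hub-and-spoke reachability can be checked offline before anything is bound to a switch. The VLAN names, subnets and policy name are the thread's; the function names and the `deny_<src>_to_<dst>` entry naming are this example's own.

```python
"""Generate an ExtremeXOS hub-and-spoke ACL policy and simulate its effect.

Added example (not from the thread or from Extreme). Produces a .pol body
with one deny entry per ordered pair of restricted ("spoke") VLANs, the
CLI lines that bind it, and a first-match simulator for sanity checks.
"""
from ipaddress import IPv4Address, IPv4Network
from itertools import permutations

# The thread's VLANs: n10 is the hub everyone may reach, n20-n40 are spokes.
VLANS = {
    "n10": IPv4Network("192.168.10.0/24"),
    "n20": IPv4Network("192.168.20.0/24"),
    "n30": IPv4Network("192.168.30.0/24"),
    "n40": IPv4Network("192.168.40.0/24"),
}
HUB = "n10"


def spoke_pairs(vlans, hub):
    """Ordered (src, dst) pairs among the spoke VLANs: the flows to deny."""
    spokes = [v for v in vlans if v != hub]
    return list(permutations(spokes, 2))


def policy_text(vlans, hub):
    """EXOS policy body: one deny entry per ordered spoke pair.

    EXOS ACLs end in an implicit permit, so traffic to/from the hub and
    bridged intra-VLAN traffic (same subnet both sides) fall through.
    Entry names must be a single token, hence underscores.
    """
    lines = ["# Generated: deny spoke-to-spoke routing, leave hub reachable"]
    for src, dst in spoke_pairs(vlans, hub):
        lines += [
            f"entry deny_{src}_to_{dst} {{",
            "    if {",
            f"        source-address {vlans[src]};",
            f"        destination-address {vlans[dst]};",
            "    } then {",
            "        deny;",
            "    }",
            "}",
            "",
        ]
    return "\n".join(lines)


def apply_commands(vlans, hub, policy_name="deny-traffic"):
    """CLI lines binding the policy on ingress of every spoke VLAN.

    Each direction of a spoke-to-spoke flow enters the switch on a spoke
    VLAN, so ingress binding on the spokes alone blocks both directions;
    the hub VLAN needs no ACL.
    """
    return [
        f"configure access-list {policy_name} vlan {v} ingress"
        for v in vlans
        if v != hub
    ]


def is_permitted(vlans, hub, src_ip, dst_ip):
    """First-match simulation of the generated policy (implicit permit)."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for s, d in spoke_pairs(vlans, hub):
        if src in vlans[s] and dst in vlans[d]:
            return False
    return True


if __name__ == "__main__":
    print(policy_text(VLANS, HUB))
    print("\n".join(apply_commands(VLANS, HUB)))
```

Paste the printed body into `edit policy deny-traffic` and run `check policy deny-traffic` before binding it. As Fredrik notes, the entries match IP prefixes, not VLAN membership: a second subnet on a spoke VLAN, or a host that picks an address outside its subnet, is only covered if that prefix is added to VLANS and the policy is regenerated.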
Hi FredrikB and V3ras,
Thank you for the answer!!

The ACL that you've written will help me for sure once I reach that point!!
Thank you very much!!

BTW..
While I was waiting for an answer here on the forum, I've tried to add the commands

enable ipforwarding vlan n10
enable ipforwarding vlan n20
enable ipforwarding vlan n30
enable ipforwarding vlan n40

The inter-VLAN routing seems to work, but I've noticed another issue...

I will try my best to describe the issue...
It's like I'm missing a basic command that on Cisco switches is enabled by default...

I've noticed that I cannot ping "all" the devices connected to the switch, even if they are on the same VLAN
(Actually I'm only working with a single switch, no trunk involved)

This is an example:

I've tried to connect 3 devices on VLAN 10
added the VLAN interface 192.168.10.1/24
set the 3 devices with IP
192.168.10.2 - 255.255.255.0 - 192.168.10.1
192.168.10.3 - 255.255.255.0 - 192.168.10.1
192.168.10.4 - 255.255.255.0 - 192.168.10.1
(ports are enabled / and in the correct VLAN)

The switch cannot ping all the devices (maybe it can ping only 10.2)
PC 10.2 maybe can ping 10.1 - 10.2 - 10.3
PC 10.3 can ping 10.1 - 10.3
and so on..

I've also tried to replace the PC used for the test
I've tried to use other IPs, other switch ports, another VLAN
I've noticed the same issue also using another switch
I've deleted all the config for a switch and configured it again
I've also tried to use the 3rd switch that was brand new, without any setup... I've skipped all the setup and tried to connect 3 devices to 3 ports using the default VLAN...
same issue

Now, I'm not an expert, but I cannot understand how this is possible.
A new switch should let 3 PCs on the same subnet connect without issues... and the switch should see all of them...

Am I missing something stupid like
"enable switch" or something like that?

Kind regards
Daniele
Hi!

It seems something else is weird, unlikely the switch. There is no command that would fix this issue because it really must be something else. Do the Windows (or Linux or whatever you use) have a software firewall that prevents the pings from reaching the other PCs?

Try this:

Connect all PCs to a VLAN, say v20
configure vlan n20 add ports 1-10 untagged (or similar)
Make sure no ACLs or policies are active in the switch.
On all PCs, ping all other PCs and the switch (192.168.20.1 or whatever VLAN you choose)
While still pinging, check the ARP tables on the PCs (arp -a in Windows, arp -n in Linux)

If you can see the ARP entries for all other PCs in all PCs, you at least have ARP traffic coming. If not... well, let's look at that then. In that case, connect PC1 to PC2 directly with a cable only (no switch in between) and try pinging between them. Go back to basics :)

Download and run Wireshark on all PCs (or use tcpdump in Linux CLI if you wish). You will see a lot of chatter when starting Wireshark, but mostly that's the PC announcing stuff to other PCs, broadcasting its services (in Windows). Look for pings (echo requests and replies). Do you see any?

/Fredrik
According to all the tests that I've made today, I've isolated the issue and excluded the switch.
I have the same problem connecting 2 PCs directly with an Ethernet cable.
I've disabled the firewall but the issue still occurs.
I've contacted the technician that managed the network before I entered the company and he affirmed that there was a GPO that prevents ping from devices outside our network... 2 days hitting the wall with my head and the problem was totally somewhere else 😅
Tomorrow I will try to remove this GPO, unconfigure all the 3 switches and configure them again using the commands that we've written in this thread, then I will add the ACL rules for the VLAN isolation.
Thank you very much for all the help!
You're welcome! As so often in troubleshooting, it pays off to start from scratch, excluding nothing, even a patch cable, or, as in your case, software settings in the test device (PC).

Give it your best shot and post again if you're still seeing problems!

/Fredrik
If you want to see if a device is connected you can write this command

sh fdb | grep [@mac]

If your MAC address appears after this command, then layer 2 is correct and in that case it's a PC problem, not a network problem, unless this MAC address did not come in on the right VLAN.

Very useful command 😉
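The two layer-2 checks in this thread, the ARP tables on the PCs from Fredrik's troubleshooting list and the `show fdb` lookup in the reply above, can be cross-checked in one pass. The script below is an added example, not code from the thread or from Extreme: it parses constructed samples of Linux `arp -n` and EXOS `show fdb` output (the fdb column layout is an assumption that approximates the real one; adjust the line parsing if yours differs) and reports, for each host you expect to see, whether ARP resolved on the PC and whether the switch learned that MAC in the VLAN it should be in.

```python
"""Cross-check PC ARP tables against an ExtremeXOS FDB.

Added example (not from the thread or from Extreme). Sample outputs
below are constructed, not real captures; the fdb layout approximates
EXOS `show fdb` (MAC, VLAN(tag), age, flags, port).
"""
import re

# Constructed `arp -n` output taken on one test PC in VLAN n10.
ARP_SAMPLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.10.1             ether   00:04:96:aa:bb:01   C                     eth0
192.168.10.3             ether   b8:27:eb:12:34:56   C                     eth0
192.168.10.4                     (incomplete)                              eth0
"""

# Constructed `show fdb` output (layout assumed, see lead-in).
FDB_SAMPLE = """\
MAC                     VLAN(Tag)      Age  Flags         Port / Virtual Port List
----------------------------------------------------------------------------------
00:11:22:33:44:55       n10(0010)      0012 d m          3
b8:27:eb:12:34:56       n10(0010)      0004 d m          5
de:ad:be:ef:00:01       n20(0020)      0030 d m          7
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_arp(text):
    """Map ip -> lowercase MAC, or None for '(incomplete)' entries."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or not IP_RE.match(parts[0]):
            continue  # header or blank line
        mac = next((p.lower() for p in parts[1:] if MAC_RE.match(p)), None)
        table[parts[0]] = mac
    return table


def parse_fdb(text):
    """Map lowercase MAC -> {vlan, tag, port} from EXOS fdb lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not MAC_RE.match(parts[0]):
            continue  # header, separator or blank line
        m = re.match(r"^(\S+)\((\d+)\)$", parts[1])  # e.g. n10(0010)
        if not m:
            continue
        table[parts[0].lower()] = {
            "vlan": m.group(1),
            "tag": int(m.group(2)),
            "port": parts[-1],
        }
    return table


def check_hosts(expected, arp_text, fdb_text):
    """expected: {ip: vlan_name}. Returns {ip: verdict} for each host."""
    arp, fdb = parse_arp(arp_text), parse_fdb(fdb_text)
    verdicts = {}
    for ip, vlan in expected.items():
        mac = arp.get(ip)
        if mac is None:
            # Nothing answered ARP: host firewall, cabling, or wrong VLAN
            # on the PC side. The switch is not yet in the picture.
            verdicts[ip] = "no ARP reply (check host firewall, cable, PC-side VLAN)"
            continue
        entry = fdb.get(mac)
        if entry is None:
            verdicts[ip] = f"ARP ok ({mac}) but the switch has not learned this MAC"
        elif entry["vlan"] != vlan:
            verdicts[ip] = (f"MAC {mac} learned in {entry['vlan']} on port "
                            f"{entry['port']}, expected {vlan}")
        else:
            verdicts[ip] = f"ok: {mac} in {vlan} on port {entry['port']}"
    return verdicts


# Hosts the thread expects in VLAN n10 (the .1 is the switch's own SVI).
EXPECTED = {"192.168.10.3": "n10", "192.168.10.4": "n10"}

if __name__ == "__main__":
    for ip, verdict in check_hosts(EXPECTED, ARP_SAMPLE, FDB_SAMPLE).items():
        print(f"{ip:16} {verdict}")
```

Feed it real `arp -n` (or `arp -a` reformatted) and `show fdb` text and the verdict separates the three cases the thread went through: no ARP at all (host side, as it turned out here), MAC seen on the PC but never learned by the switch (cabling or port state), and MAC learned but in the wrong VLAN (port membership).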
