Extreme X440 specific intervlan configuration

araan87
New Contributor
Hello guys,
I hope to find someone who could help me out. I'm new to networking; I've just got my Cisco CCNA certificate and I've received a request to configure 3 X440s, which seem to have different commands.
PS: sorry for my English.

My goal is:
1) rename the 3 switches (switch1-2-3) and connect them all using a trunk connection
2) create 4 VLANs, and assign ports to the specific one (e.g. VLAN 10, 20, 30, 40)
3) all the VLANs should be able to communicate with VLAN 10, but not with the other VLANs

Basically I'm stuck on point no. 3...

// rename the switch
config snmp sysName "switch1"

// configure date & time
config time (month/day/year/hour/minute/second)

// change password for the admin user
config account "administrator"
new password : xxxxxx

// create 4 VLANs with their 802.1Q tags
create vlan n10 tag 10
create vlan n20 tag 20
create vlan n30 tag 30
create vlan n40 tag 40

// add an IP address to each VLAN interface
configure vlan n10 ipaddress 192.168.10.1/24
configure vlan n20 ipaddress 192.168.20.1/24
configure vlan n30 ipaddress 192.168.30.1/24
configure vlan n40 ipaddress 192.168.40.1/24

// add untagged access ports to the specific VLAN
configure vlan n10 add ports 2-20
configure vlan n20 add ports 21-30
configure vlan n30 add ports 31-40
configure vlan n40 add ports 41-48

// configure port 1 (same on all the switches) as a trunk port (tagged in every VLAN)
configure vlan n10 add ports 1 tagged
configure vlan n20 add ports 1 tagged
configure vlan n30 add ports 1 tagged
configure vlan n40 add ports 1 tagged

Now, just to be sure that the configuration made up to this point was working, I connected several devices to the ports of the switch and assigned a static IP to all of them, based on the VLAN:
  • I can ping all the VLAN interfaces
  • I can ping all devices inside the same VLAN
  • I cannot ping devices from a different VLAN
  • configuring another switch with the same settings, I can communicate within the same VLAN, and not with another VLAN
How can I set up point no. 3), making all the VLANs able to communicate only with n10 and n10 with all the other VLANs?

Kind regards
Daniele
7 REPLIES

araan87
New Contributor
Hi FredrikB and V3rash,
Thank you for the answer!!

The ACL that you've written will help me for sure once I reach that point!!
Thank you very much!!

BTW..
While I was waiting for an answer here on the forum, I tried to add the commands

enable ipforwarding vlan n10
enable ipforwarding vlan n20
enable ipforwarding vlan n30
enable ipforwarding vlan n40

The inter-VLAN routing seems to work, but I've noticed another issue...

I will try my best to describe the issue...
It's like I'm missing a basic command that on Cisco switches is enabled by default...

I've noticed that I cannot ping "all" the devices connected to the switch, even if they are on the same VLAN
(actually I'm only working with a single switch, no trunk involved).

This is an example:

I tried to connect 3 devices on VLAN 10,
added the VLAN interface 192.168.10.1/24,
and set the 3 devices with IP
192.168.10.2 - 255.255.255.0 - 192.168.10.1
192.168.10.3 - 255.255.255.0 - 192.168.10.1
192.168.10.4 - 255.255.255.0 - 192.168.10.1
(ports are enabled and in the correct VLAN).

The switch cannot ping all the devices (maybe it can ping only 10.2).
The PC 10.2 maybe can ping 10.1 - 10.2 - 10.3,
PC 10.3 can ping 10.1 - 10.3,
and so on..

I've also tried to replace the PC used for the test.
I've tried to use other IPs, other switch ports, another VLAN.
I've noticed the same issue also using another switch.
I've deleted all the config for a switch and configured it again.
I've also tried to use the 3rd switch, which was brand new, without any setup... I skipped all the setup and tried to connect 3 devices to 3 ports using the default VLAN...
Same issue.

Now, I'm not an expert, but I cannot understand how this is possible.
A new switch should let 3 PCs on the same subnet connect without issues... and the switch should see all of them...

Am I missing something stupid like
"enable switch" or something like that?

Kind regards
Daniele
FredrikB
Contributor II
Hi!

If you want to do routing between the VLANs, but not allow traffic via certain VLANs, your #3 gets a little tricky:

"3) All the Vlan should be able to communicate with the Vlan 10 , but not with the other Vlan"

You need this:

enable ipforwarding (to enable globally for all VLANs with an IP address)

or

enable ipforwarding vlan n10
enable ipforwarding vlan n20
enable ipforwarding vlan n30
enable ipforwarding vlan n40

"enable ipforwarding {ipv4 | broadcast} {vlan vlan_name}
Description
Enables IPv4 routing or IPv4 broadcast forwarding for one or all VLANs. If no argument is provided,
enables IPv4 routing for all VLANs that have been configured with an IP address on the current VR or
VRF."

Now, test routing between the VLANs so all VLANs can talk to each other.

After testing the basic setup, you need a policy (ACL) that denies traffic from VLANs n20-n40 to each other.

edit policy deny-traffic

i (for enabling editing, an ugly vi editor monstrosity)

# Policy for denying traffic from some VLANs to some others
# (entry names are single tokens: no spaces allowed in an entry name)
entry deny-n20-n30 {
    if {
        source-address 192.168.20.0/24;
        destination-address 192.168.30.0/24;
    } then {
        deny;
    }
}

entry deny-n30-n20 {
    if {
        source-address 192.168.30.0/24;
        destination-address 192.168.20.0/24;
    } then {
        deny;
    }
}

entry deny-n20-n40 {
    if {
        source-address 192.168.20.0/24;
        destination-address 192.168.40.0/24;
    } then {
        deny;
    }
}

entry deny-n40-n20 {
    if {
        source-address 192.168.40.0/24;
        destination-address 192.168.20.0/24;
    } then {
        deny;
    }
}

entry deny-n30-n40 {
    if {
        source-address 192.168.30.0/24;
        destination-address 192.168.40.0/24;
    } then {
        deny;
    }
}

entry deny-n40-n30 {
    if {
        source-address 192.168.40.0/24;
        destination-address 192.168.30.0/24;
    } then {
        deny;
    }
}

Quit the ugly vi-like editor with Esc and then ZZ (shift z twice) or Esc :w (I think, check)

Apply the policy to the VLANs:

configure access-list deny-traffic add vlan n20
configure access-list deny-traffic add vlan n30
configure access-list deny-traffic add vlan n40

Now, you should not be able to route traffic internally among n20-n40 but they should all reach n10.

Please note that this policy is based on IP addresses, so if you add another subnet to some VLAN (20-40), that subnet will be routed and allowed to all others, despite being in a "forbidden" VLAN.

I did this as a dry-run, no testing, so if not all is correct, please forgive me 😉

/Fredrik
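As an added example (not from this thread, and not Extreme's own code), the following Python script generalizes the policy above and the original poster's VLAN plan: it builds the ordered-pair deny entries for any number of isolated VLAN subnets (the three VLANs in the thread give the same six entries written by hand above), renders them in the policy-file layout, and evaluates sample flows against the policy. The evaluation semantics (entries checked top to bottom, first match wins, a flow that matches no entry is permitted) are an assumption about EXOS access-lists, as are the helper names; the VLAN names and addresses come from the thread. The last check reproduces the caveat that a second subnet inside an isolated VLAN is not covered, because the policy matches on addresses, not on VLAN membership.

```python
"""Added example: generate and sanity-check the pairwise deny policy discussed in the thread.

Assumptions (not from the thread): EXOS-style policy entries are evaluated top to bottom,
first match wins, and a flow matching no entry is permitted.
"""
import ipaddress
from itertools import permutations

# Constructed from the thread: n10 is the shared VLAN, n20/n30/n40 must not reach each other.
SHARED = {"n10": "192.168.10.0/24"}
ISOLATED = {
    "n20": "192.168.20.0/24",
    "n30": "192.168.30.0/24",
    "n40": "192.168.40.0/24",
}


def build_entries(isolated):
    """One deny entry per ordered (src, dst) pair of isolated subnets.

    For k isolated VLANs this yields k*(k-1) entries; the thread's three VLANs give six.
    """
    entries = []
    for (src_name, src_net), (dst_name, dst_net) in permutations(sorted(isolated.items()), 2):
        entries.append({
            "name": f"deny-{src_name}-{dst_name}",
            "src": ipaddress.ip_network(src_net),
            "dst": ipaddress.ip_network(dst_net),
            "action": "deny",
        })
    return entries


def render_policy(entries):
    """Render the entries in the policy-file layout used in the reply above."""
    lines = ["# Policy for denying traffic between the isolated VLANs"]
    for e in entries:
        lines += [
            f"entry {e['name']} {{",
            "    if {",
            f"        source-address {e['src']};",
            f"        destination-address {e['dst']};",
            "    } then {",
            f"        {e['action']};",
            "    }",
            "}",
            "",
        ]
    return "\n".join(lines)


def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation; returns 'deny' or 'permit' (assumed default when nothing matches)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for e in entries:
        if src in e["src"] and dst in e["dst"]:
            return e["action"]
    return "permit"


def check_isolation(entries, isolated, shared):
    """Verify isolated<->isolated flows are denied and isolated<->shared flows are permitted.

    Returns a list of (src, dst, got, expected) mismatches; empty means the policy behaves as intended.
    """
    def host(net):  # first usable host of a network, used as a test address
        return str(next(ipaddress.ip_network(net).hosts()))

    mismatches = []
    for a, b in permutations(isolated.values(), 2):
        got = evaluate(entries, host(a), host(b))
        if got != "deny":
            mismatches.append((host(a), host(b), got, "deny"))
    for iso in isolated.values():
        for sh in shared.values():
            for s, d in ((iso, sh), (sh, iso)):
                got = evaluate(entries, host(s), host(d))
                if got != "permit":
                    mismatches.append((host(s), host(d), got, "permit"))
    return mismatches


if __name__ == "__main__":
    entries = build_entries(ISOLATED)
    print(render_policy(entries))
    print("mismatches:", check_isolation(entries, ISOLATED, SHARED))
    # The caveat from the reply: a second subnet added to VLAN n20 is not covered by the
    # address-based policy, so this flow is permitted even though n20 is a "forbidden" VLAN.
    print("second n20 subnet -> n30:", evaluate(entries, "192.168.21.5", "192.168.30.5"))
```

Running the script prints the generated policy, an empty mismatch list, and `permit` for the 192.168.21.0/24 case; if a fourth isolated VLAN is later added to `ISOLATED`, the script emits the twelve entries required instead of relying on someone remembering to write them by hand.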

V3rash
New Contributor
"enable ipforwarding vlan 10"

But attention: after a problem with ipforwarding, I've seen I must reboot before applying ipforwarding.