Inter Vlan omniswitch 6400-P48

[avrilspirit]

Thanks again cedric for your help, thanks to you i find new command and new possibility
but with the "reflexive" command nothing... when i tried like in the documentation : policy rule rule_name [no reflexive] [no save] [no log], on the screen it's write : invalid entry : "reflexive", I don't know if it's possible to use this command with the 6400 but it's strange when i put show policy rule, there is this category...

after i tried a lot of things and analysed the log file to see where is the problem.


Configuration:
policy network group vlan2 192.168.92.0 mask 255.255.255.0
policy network group vlan3 192.168.93.0 mask 255.255.255.0
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule r1 condition c1 action no precedence 10000 log
policy condition c2 source ip 192.168.92.3 mask 255.255.255.255 destination network group vlan3
policy action allow disposition accept
policy rule r2 condition c2 action allow precedence 15000 log
qos apply

show policy rule
Policy From Prec Enab Act Refl Log Trap Save
r2 cli 15000 Yes Yes No Yes Yes Yes
(L2/3): c2 -> allow
log interval: 30

r1 cli 10000 Yes Yes No Yes Yes Yes
(L2/3): c1 -> no
log interval: 30


==> from the manager computer : ping 192.168.92.3 => ok
and on he log file it's good :
9/02/09 9:15:20 [@09:15:19] rule 'r2' matched:accept
9/02/09 9:15:20 DoubleTagged. svlan 3 802.1p 0 cvlan 0 c802.1p 0 port Switch
-> 1/7
9/02/09 9:15:20 MAC 00:E0:B1:B3:95:BD -> 00:30:05:44:A5:72
9/02/09 9:15:20 TOS 0x00 (ICMP 0:0) 192.168.92.3 -> 192.168.93.5
9/02/09 9:15:20 [@09:15:19] rule 'r2' matched:accept
9/02/09 9:15:20 svlan 2 port 1/2
9/02/09 9:15:20 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:15:20 TOS 0x00 (ICMP 0:0) 192.168.92.3 -> 192.168.93.5
9/02/09 9:15:25 [@09:15:20] rule 'r2' matched:accept
9/02/09 9:15:25 svlan 2 port 1/2
9/02/09 9:15:25 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:15:25 TOS 0x00 (ICMP 0:0) 192.168.92.3 -> 192.168.93.5
9/02/09 9:15:25 [@09:15:21] rule 'r2' matched:accept
9/02/09 9:15:25 svlan 2 port 1/2
9/02/09 9:15:25 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:15:25 TOS 0x00 (ICMP 0:0) 192.168.92.3 -> 192.168.93.5
9/02/09 9:15:25 [@09:15:22] rule 'r2' matched:accept
9/02/09 9:15:25 svlan 2 port 1/2
9/02/09 9:15:25 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:15:25 TOS 0x00 (ICMP 0:0) 192.168.92.3 -> 192.168.93.5

after i try from the employee computer : ping 192.168.93.5
we can see on the log file that it's use again the r2 and not the r1 that's why the ping is ok :
9/02/09 9:21:15 [@09:21:12] rule 'r2' matched:accept
9/02/09 9:21:15 DoubleTagged. svlan 3 802.1p 0 cvlan 0 c802.1p 0 port Switch
-> 1/7
9/02/09 9:21:15 MAC 00:E0:B1:B3:95:BD -> 00:30:05:44:A5:72
9/02/09 9:21:15 TOS 0x00 (ICMP 8:0) 192.168.92.3 -> 192.168.93.5

But for me there is an error for the c2 because it's the vlan3 the source and the computer the destination (maybe it's the same) i tried to change but it's the same :
policy network group vlan2 192.168.92.0 mask 255.255.255.0
policy network group vlan3 192.168.93.0 mask 255.255.255.0
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule r1 condition c1 action no precedence 10000 log
policy condition c2 source network group vlan3 destination ip 192.168.92.3 mask 255.255.255.255
policy action allow disposition accept
policy rule r2 condition c2 action allow precedence 15000 log
qos apply

==> from the manager computer : ping 192.168.92.3 => block
and on he log file :
9/02/09 9:29:50 [@09:29:48] rule 'r2' matched:accept
9/02/09 9:29:50 DoubleTagged. svlan 2 802.1p 0 cvlan 0 c802.1p 0 port Switch
-> 1/2
9/02/09 9:29:50 MAC 00:E0:B1:B3:95:BD -> 00:30:05:3E:B7:AF
9/02/09 9:29:50 TOS 0x00 (ICMP 8:0) 192.168.93.5 -> 192.168.92.3
9/02/09 9:29:50 [@09:29:48] rule 'r2' matched:accept
9/02/09 9:29:50 svlan 3 port 1/7
9/02/09 9:29:50 MAC 00:30:05:44:A5:72 -> 00:E0:B1:B3:95:BD
9/02/09 9:29:50 TOS 0x00 (ICMP 8:0) 192.168.93.5 -> 192.168.92.3
9/02/09 9:29:50 [@09:29:48] rule 'r1' matched:deny
9/02/09 9:29:50 svlan 2 port 1/2
9/02/09 9:29:50 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:29:50 TOS 0x00 (ICMP 0:0) 192.168.92.3 -> 192.168.93.5
9/02/09 9:29:55 [@09:29:53] rule 'r2' matched:accept
9/02/09 9:29:55 svlan 3 port 1/7
9/02/09 9:29:55 MAC 00:30:05:44:A5:72 -> 00:E0:B1:B3:95:BD
9/02/09 9:29:55 TOS 0x00 (ICMP 8:0) 192.168.93.5 -> 192.168.92.3
9/02/09 9:29:55 [@09:29:53] rule 'r1' matched:deny
9/02/09 9:29:55 svlan 2 port 1/2
9/02/09 9:29:55 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:29:55 TOS 0x00 (ICMP 0:0) 192.168.92.3 -> 192.168.93.5
9/02/09 9:30:00 [@09:29:59] rule 'r2' matched:accept
9/02/09 9:30:00 svlan 3 port 1/7
9/02/09 9:30:00 MAC 00:30:05:44:A5:72 -> 00:E0:B1:B3:95:BD
9/02/09 9:30:00 TOS 0x00 (ICMP 8:0) 192.168.93.5 -> 192.168.92.3
9/02/09 9:30:00 [@09:29:59] rule 'r1' matched:deny
9/02/09 9:30:00 svlan 2 port 1/2
9/02/09 9:30:00 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:30:00 TOS 0x00 (ICMP 0:0) 192.168.92.3 -> 192.168.93.5
9/02/09 9:30:05 [@09:30:04] rule 'r2' matched:accept
9/02/09 9:30:05 svlan 3 port 1/7
9/02/09 9:30:05 MAC 00:30:05:44:A5:72 -> 00:E0:B1:B3:95:BD
9/02/09 9:30:05 TOS 0x00 (ICMP 8:0) 192.168.93.5 -> 192.168.92.3
9/02/09 9:30:05 [@09:30:04] rule 'r1' matched:deny
9/02/09 9:30:05 svlan 2 port 1/2
9/02/09 9:30:05 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:30:05 TOS 0x00 (ICMP 0:0) 192.168.92.3 -> 192.168.93.5



after i try from the employee computer : ping 192.168.93.5
it's good because it's use r1 and the employee don't access to manager
9/02/09 9:32:00 [@09:31:58] rule 'r1' matched:deny
9/02/09 9:32:00 svlan 2 port 1/2
9/02/09 9:32:00 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:32:00 TOS 0x00 (ICMP 8:0) 192.168.92.3 -> 192.168.93.5
9/02/09 9:32:05 [@09:32:03] rule 'r1' matched:deny
9/02/09 9:32:05 svlan 2 port 1/2
9/02/09 9:32:05 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:32:05 TOS 0x00 (ICMP 8:0) 192.168.92.3 -> 192.168.93.5
9/02/09 9:32:10 [@09:32:08] rule 'r1' matched:deny
9/02/09 9:32:10 svlan 2 port 1/2
9/02/09 9:32:10 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:32:10 TOS 0x00 (ICMP 8:0) 192.168.92.3 -> 192.168.93.5
9/02/09 9:32:15 [@09:32:14] rule 'r1' matched:deny
9/02/09 9:32:15 svlan 2 port 1/2
9/02/09 9:32:15 MAC 00:30:05:3E:B7:AF -> 00:E0:B1:B3:95:BD
9/02/09 9:32:15 TOS 0x00 (ICMP 8:0) 192.168.92.3 -> 192.168.93.5

can you help me

[cedric1]

Hello

I will check for availability of reflexvie.

this should work

policy network group vlan2 192.168.92.0 mask 255.255.255.0
policy network group vlan3 192.168.93.0 mask 255.255.255.0
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule r1 condition c1 action no precedence 10000 log
policy condition c2 source network group vlan3 destination ip 192.168.92.3 mask 255.255.255.255
policy action allow disposition accept
policy rule r2 condition c2 action allow precedence 15000 log
qos apply



but you can see in your log :

packet go from vlan3 to vlan2 and is accpet ( echo request)

but

when reply go from vlan2 to vlan3 it's dropped.

With reflexive availlable, packet should be in session from vlan3 to vlan2 and pass.

Key of your issue is reflexive.

I keep you update

Cedric

[cedric1]

hello

I get from support that there is an error in doc with reflexive.

It is not supported on 6400 switch.

So I think you have no solution.
You can block traffic from vlan2 to vlan3. but with that vlan3 will not be able to communicate to vlan2.

Perhaps use a firewall to do that

Cedric

[avrilspirit]

ok Cedric, thanks a lot
and with the 6850 ? it's the same thing ?

[cedric1]

Hello

It is the same for 9000 and 6850

For 6600 and 7700/7800 switch reflexive was available.

I think it's an issue to not have this in new chassis.

Cedric

[avrilspirit]

Thanks Cedric, but the 7700 is more expensive…
But it’s not important, now I know block traffic, it’s good (Even if it’s in the two ways…)

I don't know if i must create a new topic or stay in the same...
I putted a 6400 between two 6200, now I test only with one but I think it’s the same thing. I have a small problem, I can’t ping or access from the 6400 to the 6200, I don’t know why. I separated the 6400 in 3 vlan (91 92 93) and create route like this :
system name Conv-6400
vlan 1 enable name "VLAN 1"
vlan 91 enable name "Data Conv"
vlan 91 port default 1/2
vlan 91 port default 1/3
vlan 91 port default 1/4
vlan 91 port default 1/5
vlan 91 port default 1/6
vlan 91 port default 1/7
vlan 91 port default 1/8
vlan 91 port default 1/9
vlan 91 port default 1/10
vlan 91 port default 1/11
vlan 91 port default 1/12
vlan 91 port default 1/13
vlan 91 port default 1/14
vlan 91 port default 1/15
vlan 91 port default 1/16
vlan 91 port default 1/17
vlan 91 port default 1/18
vlan 91 port default 1/19
vlan 91 port default 1/20
vlan 91 port default 1/21
vlan 91 port default 1/22
vlan 91 port default 1/23
vlan 91 port default 1/24
vlan 92 enable name "Data Comu"
vlan 92 port default 1/25
vlan 92 port default 1/26
vlan 92 port default 1/27
vlan 92 port default 1/28
vlan 92 port default 1/29
vlan 92 port default 1/30
vlan 92 port default 1/31
vlan 92 port default 1/32
vlan 92 port default 1/33
vlan 92 port default 1/34
vlan 92 port default 1/35
vlan 92 port default 1/36
vlan 93 enable name "Data Bus"
vlan 93 port default 1/37
vlan 93 port default 1/38
vlan 93 port default 1/39
vlan 93 port default 1/40
vlan 93 port default 1/41
vlan 93 port default 1/42
vlan 93 port default 1/43
vlan 93 port default 1/44
vlan 93 port default 1/45
vlan 93 port default 1/46
vlan 93 port default 1/47
vlan 93 port default 1/48
vlan port mobile 1/14
vlan port mobile 1/15
vlan port mobile 1/16
vlan port mobile 1/17
vlan port mobile 1/18
vlan port mobile 1/19
vlan port mobile 1/20
vlan port mobile 1/21
vlan 91 ip 192.168.91.0 255.255.255.0
vlan 92 ip 192.168.92.0 255.255.255.0
vlan 93 ip 192.168.93.0 255.255.255.0
ip service all
ip interface "vlan 91" address 192.168.91.1 mask 255.255.255.0 vlan 91 ifindex 1
ip interface "vlan 1" address 192.168.1.1 mask 255.255.255.0 vlan 1 ifindex 2
ip interface "vlan 92" address 192.168.92.1 mask 255.255.255.0 vlan 92 ifindex 3
ip interface "vlan 93" address 192.168.93.1 mask 255.255.255.0 vlan 93 ifindex 4
aaa authentication console "local"
aaa authentication http "local"
bridge mode 1x1
debug fscollect disable

I have plug in a cable from the port 25 to the port 13 of the 6200. If I have a computer in the 6200 with the address 192.168.92.200 it’s ok, but if I try 192.168.92.250, it doesn’t works.


6200 config:

interface range ethernet e(1-12),g(1-2)
switchport mode trunk
exit
vlan database
vlan 10,91-92
exit
interface range ethernet e(1-12),g(1-2)
switchport trunk allowed vlan add 10
exit
interface range ethernet e(10-11)
switchport trunk native vlan 91
exit
interface range ethernet e(1-9),g1
switchport trunk native vlan 92
exit
interface range ethernet e12,g2
switchport trunk allowed vlan add 92
exit
interface vlan 10
name VOIP
exit
interface vlan 91
name "DATA CONV"
exit
interface vlan 92
name "DATA COMU"
exit
interface vlan 1
ip address 192.168.2.1 255.255.255.0
exit
interface vlan 10
ip address 192.168.10.1 255.255.255.0
exit
interface vlan 91
ip address 192.168.91.249 255.255.255.0
exit
interface vlan 92
ip address 192.168.92.250 255.255.255.0
exit
ip default-gateway 192.168.91.1
username admin password 21232f297a57a5a743894a0e4a801fc3 level 15 encrypted

can you help me

[cedric1]

Hello

Create a new post for this.

You are not able to ping from 192.168.92.1 to 192.168.92.250 ?
Ping from pc on 6200 to 192.168.92.250 is working ?
Ping from pc on 6200 to 192.168.92.1 is working ?

Cedric

[avrilspirit]

thanks but i found my problem...
it's only the gateway whose was not good...
now all work.
I will test with the optic fiber now and i will create a new post if i have problem

[cedric1]

ok

we are waiting your post

[swathiu]

Hi,

Can anyone help me out with configuring ip access-list on alcatel omniswitch 6450 and apply the created access-list on the any given interface..

Thank you