Inter Vlan omniswitch 6400-P48
-
- Member
- Posts: 23
- Joined: 22 Jul 2009 03:03
Re: Inter Vlan omniswitch 6400-P48
OK, thanks, I will try this weekend.
Now the network administrator has given me an "OmniAccess 4304".
Do you think it's possible to plug the "OmniAccess" into the "OmniSwitch 6400" and use it to discover the VLAN from the MAC address?
For example, a person comes into the firm with a computer and connects to the Wi-Fi; the MAC address is not known, so it's sent directly to VLAN 1.
Likewise, if the address is known, it must be sent to the right VLAN...
I think it's possible, but I have some questions:
- the OmniAccess can't control the MAC address ==> that is to say it will be the OmniSwitch, no?
- so the person comes into the firm, connects to the Wi-Fi, the OmniAccess forwards to the OmniSwitch, the OmniSwitch analyses the MAC address and assigns a VLAN for this MAC address. Is that correct?
Or maybe I can plug a Wi-Fi antenna (AP65) directly into the OmniSwitch? (I think it's the same process.)
- must I create a route between the OmniSwitch and the OmniAccess?
And in your opinion, is it a good idea to proceed like this?
Because afterwards I must do the same thing with 3 OmniSwitches... 3 internet connections... and when a person comes into the firm it analyses the MAC address and transfers them to the right VLAN. (I don't know whether I must use 3 OmniAccess units or not?)
Thanks for your help.
-
- Member
- Posts: 23
- Joined: 22 Jul 2009 03:03
Re: Inter Vlan omniswitch 6400-P48
No idea, it's not important, I will see soon.
Now I am trying with ACLs. I have read the manual (ACL Manager section) and I have some questions:
I have 2 computers:
- 192.168.93.5 / 24 => vlan3 (port 7)
- 192.168.92.3 / 24 => vlan2 (port 2)
I would like vlan3 to be able to access vlan2 but not the opposite.
I have tried this, but afterwards all 4 of my VLANs are blocked...
access-list 101 permit ip 192.168.93.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list 101 deny ip 192.168.92.0 255.255.255.0 192.168.93.0 255.255.255.0
But then I must apply this rule somewhere, but where? Because it's for one VLAN. In the documentation it's written only for interface ethernet. And I have seen on the Internet that it's written: use the command interface Vlan X (but that doesn't work with Alcatel equipment).
I have tried this:
- conf t
- interface ethernet 1/2
- ip access-group 101 in
- interface ethernet 1/7
- ip access-group 101 out
I don't find many examples on the Internet.
If not, maybe it's better to use one rule that blocks all traffic and then open some things, but I have tried that and it's the same...
Can you help me?
This is my script:
For aclman:
show running-config
access-list 101 permit ip 192.168.93.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list 101 deny ip 192.168.92.0 255.255.255.0 192.168.93.0 255.255.255.0
!
interface Ethernet 1/2
ip access-group 101 In
!
interface Ethernet 1/7
ip access-group 101 Out
!
end
And all the config:
write memory terminal
! Stack Manager :
! Chassis :
system name vxTarget
! Configuration:
! VLAN :
vlan 1 enable name "VLAN 1"
vlan 2 enable name "VLAN 2"
vlan 2 port default 1/2
vlan 2 port default 1/3
vlan 2 port default 1/4
vlan 3 enable name "VLAN 3"
vlan 3 port default 1/5
vlan 3 port default 1/6
vlan 3 port default 1/7
vlan 3 port default 1/8
vlan 4 enable name "VLAN 4"
vlan 4 port default 1/9
vlan 4 port default 1/10
vlan 4 port default 1/11
vlan 4 port default 1/12
vlan port mobile 1/14
vlan port mobile 1/15
vlan port mobile 1/16
vlan port mobile 1/17
vlan port mobile 1/18
vlan port mobile 1/19
vlan port mobile 1/20
vlan port mobile 1/21
vlan 1 ip 192.168.91.0 255.255.255.0
vlan 2 ip 192.168.92.0 255.255.255.0
vlan 3 ip 192.168.93.0 255.255.255.0
vlan 4 ip 192.168.94.0 255.255.255.0
! VLAN SL:
! IP :
ip service all
ip interface "vlan 1" address 192.168.91.1 mask 255.255.255.0 vlan 1 ifindex 2
ip interface "vlan 2" address 192.168.92.1 mask 255.255.255.0 vlan 2 ifindex 3
ip interface "vlan 3" address 192.168.93.1 mask 255.255.255.0 vlan 3 ifindex 4
ip interface "vlan 4" address 192.168.94.1 mask 255.255.255.0 vlan 4 ifindex 5
! IPX :
! IPMS :
! AAA :
aaa authentication console "local"
aaa authentication http "local"
! PARTM :
! AVLAN :
! 802.1x :
! QOS :
! Policy manager :
! Session manager :
! SNMP :
! RIP :
! IPv6 :
! IPRM :
! RIPng :
! Health monitor :
! Interface :
! Udld :
! Port Mapping :
! Link Aggregate :
! VLAN AGG:
! 802.1Q :
! Spanning tree :
bridge mode 1x1
! Bridging :
! Bridging :
! Port mirroring :
! UDP Relay :
! Server load balance :
! System service :
debug fscollect disable
! SSH :
! Web :
! AMAP :
! LLDP :
! Lan Power :
! NTP :
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
->
Re: Inter Vlan omniswitch 6400-P48
Hello,
I suggest you use the policy rule part of the documentation, so you can configure VLAN-wide for your condition and not apply only to one interface.
You will find all you need to do your job.
Try this to find some examples:
https://service.esd.alcatel-lucent.com/ ... rt=&pg=&q=
I have never used ACL MAN, so I can't help you with it.
-
- Member
- Posts: 23
- Joined: 22 Jul 2009 03:03
Re: Inter Vlan omniswitch 6400-P48
OK, OK,
but even with policy rules, it doesn't work for me.
I have created my policy rule as in the documentation:
policy network group vlan2 192.168.92.1
policy network group vlan3 192.168.93.1
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule rule1 condition c1 action no
With these commands, nothing is blocked, I don't know why...
Afterwards I tried directly with the IPs of the computers:
policy network group pc1 192.168.92.3
policy network group pc2 192.168.93.5
policy condition c2 source network group pc1 destination network group pc2
policy action no disposition deny
policy rule rule1 condition c2 action no
The communication between pc1 and pc2 is blocked, but unfortunately in both directions... I would like only one direction.
And why doesn't it work with the VLAN?
Re: Inter Vlan omniswitch 6400-P48
Hello,
show qos config
you will see that QoS is disabled,
so
qos enable
qos apply
After each change in a rule, enter qos apply.
Cedric
-
- Member
- Posts: 23
- Joined: 22 Jul 2009 03:03
Re: Inter Vlan omniswitch 6400-P48
Yes, I checked whether my QoS is enabled, and it was enabled:
show qos config
QoS Configuration:
Enabled : Yes
Pending changes : None
Classifier:
Default queues : 8
Default queue service : strict-priority
Trusted ports : No
NMS Priority : Yes
Phones : trusted
Default bridged disposition : accept
Default routed disposition : accept
Default IGMP/MLD disposition: accept
Logging:
Log lines : 256
Log level : 6
Log to console : No
Forward log : No
Stats interval : 60 seconds
Userports:
Filter : spoof
Shutdown: none
Quarantine Manager:
Quarantine MAC Group : Quarantined
Quarantined Page : Yes
Remediation URL :
Debug : info
And yes, I apply every time after a change, but I think that's not the problem,
because you can verify in this configuration that my rule is present:
write terminal
! Stack Manager :
! Chassis :
system name vxTarget
! Configuration:
! VLAN :
vlan 1 enable name "VLAN 1"
vlan 2 enable name "VLAN 2"
vlan 2 port default 1/2
vlan 2 port default 1/3
vlan 2 port default 1/4
vlan 3 enable name "VLAN 3"
vlan 3 port default 1/5
vlan 3 port default 1/6
vlan 3 port default 1/7
vlan 3 port default 1/8
vlan 4 enable name "VLAN 4"
vlan 4 port default 1/9
vlan 4 port default 1/10
vlan 4 port default 1/11
vlan 4 port default 1/12
vlan port mobile 1/14
vlan port mobile 1/15
vlan port mobile 1/16
vlan port mobile 1/17
vlan port mobile 1/18
vlan port mobile 1/19
vlan port mobile 1/20
vlan port mobile 1/21
vlan 1 ip 192.168.91.0 255.255.255.0
vlan 2 ip 192.168.92.0 255.255.255.0
vlan 3 ip 192.168.93.0 255.255.255.0
vlan 4 ip 192.168.94.0 255.255.255.0
! VLAN SL:
! IP :
ip service all
ip interface "vlan 1" address 192.168.91.1 mask 255.255.255.0 vlan 1 ifindex 2
ip interface "vlan 2" address 192.168.92.1 mask 255.255.255.0 vlan 2 ifindex 3
ip interface "vlan 3" address 192.168.93.1 mask 255.255.255.0 vlan 3 ifindex 4
ip interface "vlan 4" address 192.168.94.1 mask 255.255.255.0 vlan 4 ifindex 5
! IPX :
! IPMS :
! AAA :
aaa authentication console "local"
aaa authentication http "local"
! PARTM :
! AVLAN :
! 802.1x :
! QOS :
policy network group vlan2 192.168.92.1
policy network group vlan3 192.168.93.1
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule rule1 condition c1 action no
qos apply
! Policy manager :
! Session manager :
! SNMP :
! RIP :
! IPv6 :
! IPRM :
! RIPng :
! Health monitor :
! Interface :
! Udld :
! Port Mapping :
! Link Aggregate :
! VLAN AGG:
! 802.1Q :
! Spanning tree :
bridge mode 1x1
! Bridging :
! Bridging :
! Port mirroring :
! UDP Relay :
! Server load balance :
! System service :
debug fscollect disable
! SSH :
! Web :
! AMAP :
! LLDP :
! Lan Power :
! NTP :
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
Re: Inter Vlan omniswitch 6400-P48
Hello,
With VLAN:
policy network group vlan2 192.168.92.1 -> you entered an IP, not a network
so
policy network group vlan2 192.168.92.0 mask 255.255.255.0
And for the rule, use the "reflexive" statement at the end of the command;
reflexive permits the return of packets from vlan 3 to vlan 2.
You can use "log" after reflexive and check with "show qos log" to see what happens with your packets.
Cedric
-
- Member
- Posts: 23
- Joined: 22 Jul 2009 03:03
Re: Inter Vlan omniswitch 6400-P48
Yes, it's true, I'm stupid...
I phoned Alcatel service to get someone, and the technician told me that the only solution is to do this:
You have 2 VLANs:
Assume that you have a data server in vlan 2.
You don't want to allow any users in vlan 2 to communicate with vlan 3.
policy network group vlan2 192.168.92.0 mask 255.255.255.0
policy network group vlan3 192.168.93.0 mask 255.255.255.0
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule r1 condition c1 action no
==> This configuration will block access between vlan 2 and vlan 3.
For the moment I agree, it works, but then:
Now the IP address of your data server in vlan 2 is 192.168.92.100.
policy condition c2 source ip 192.168.92.100 mask 255.255.255.0 destination network group vlan3
policy action allow disposition accept
policy rule r2 condition c2 action allow precedence 10000
This configuration will allow the traffic from the data server to vlan 3 => but for me it doesn't work; if I run these commands, all traffic between the VLANs is blocked.
Thanks cedric1 for your response.
What is the syntax with reflexive that I should try? Is it at the end of the line with the condition? Because for me, it's to have only one-way communication.
Re: Inter Vlan omniswitch 6400-P48
Hello,
Take care with this:
policy condition c2 source ip 192.168.92.100 mask 255.255.255.0 destination network group vlan3
You must enter 255.255.255.255 because you are speaking about a host = your server.
reflexive is used in the rule; enter it after the action parameter.
Use ? to see the available commands.
So reflexive is like a stateful firewall: you don't give a policy for the "way back".
Regards
Cedric
Re: Inter Vlan omniswitch 6400-P48
At the same time, look at the precedence value with
show policy rule
Accept traffic must have a higher precedence,
so accept has 15000
and deny has 10000.
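Added example, not from the thread and not Alcatel-Lucent code: a small Python model of the "policy network group / condition / action / rule" command forms used above, to show the three points Cedric raises in his replies (a network group without a mask is a single host, "reflexive" admits the return traffic of an accepted flow, and the accept rule needs a higher precedence than the deny). It assumes simplified semantics stated in its comments: the matching rule with the highest precedence wins, unmatched traffic gets the "accept" default shown by "show qos config", and a reflexive accept records the flow so the reverse direction passes without a second rule. The rule and condition names, the data server at 192.168.92.100 and the second vlan 3 host 192.168.93.7 are constructed; the subnets and PC addresses are the thread's.

```python
import ipaddress

# Constructed model of the "policy ..." commands in this thread (not Alcatel-Lucent
# code). Assumed semantics: a network group without a mask is a single host, the
# matching rule with the highest precedence wins, unmatched traffic takes the
# "accept" default, and a reflexive accept rule records the flow for the way back.


def _network(addr, mask="255.255.255.255"):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


class PolicyEngine:
    def __init__(self):
        self.groups = {}      # network group name -> IPv4Network
        self.conditions = {}  # condition name -> (source net, destination net)
        self.actions = {}     # action name -> "accept" or "deny"
        self.rules = []       # (condition, disposition, precedence, reflexive)
        self.flows = set()    # (src, dst) pairs admitted by a reflexive rule

    def _endpoint(self, w, i):
        # w[i] is "source" or "destination"; returns (network, index of next keyword)
        if w[i + 1] == "ip":
            if len(w) > i + 3 and w[i + 3] == "mask":
                return _network(w[i + 2], w[i + 4]), i + 5
            return _network(w[i + 2]), i + 3
        if w[i + 1:i + 3] == ["network", "group"]:
            return self.groups[w[i + 3]], i + 4
        raise ValueError("unsupported condition: " + " ".join(w))

    def load(self, config):
        """Read the 'policy ...' lines of a config; other lines are ignored."""
        for line in config.splitlines():
            w = line.split()
            if w[:1] != ["policy"]:
                continue
            if w[1:3] == ["network", "group"]:
                mask = w[6] if len(w) > 6 and w[5] == "mask" else "255.255.255.255"
                self.groups[w[3]] = _network(w[4], mask)
            elif w[1] == "condition":
                src, i = self._endpoint(w, 3)
                dst, _ = self._endpoint(w, i)
                self.conditions[w[2]] = (src, dst)
            elif w[1] == "action":  # policy action <name> disposition <accept|deny>
                self.actions[w[2]] = w[4]
            elif w[1] == "rule":    # policy rule <n> condition <c> action <a> [precedence p] [reflexive]
                prec = int(w[w.index("precedence") + 1]) if "precedence" in w else 0
                self.rules.append((self.conditions[w[4]], self.actions[w[6]],
                                   prec, "reflexive" in w))

    def evaluate(self, src, dst):
        """Disposition ('accept' or 'deny') for one packet from src to dst."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if (d, s) in self.flows:  # reply to a flow that a reflexive rule accepted
            return "accept"
        best = None
        for (cs, cd), disp, prec, refl in self.rules:
            if s in cs and d in cd and (best is None or prec > best[1]):
                best = (disp, prec, refl)
        if best is None:
            return "accept"       # default routed disposition
        if best[0] == "accept" and best[2]:
            self.flows.add((s, d))
        return best[0]


# Constructed config for the thread's goal: vlan 3 may reach vlan 2, vlan 2 may not
# initiate toward vlan 3, except the data server; the server rule's precedence is
# a parameter so the precedence point can be shown.
def build_config(server_precedence=15000):
    return f"""
policy network group vlan2 192.168.92.0 mask 255.255.255.0
policy network group vlan3 192.168.93.0 mask 255.255.255.0
policy condition c1 source network group vlan2 destination network group vlan3
policy condition c2 source network group vlan3 destination network group vlan2
policy condition c3 source ip 192.168.92.100 mask 255.255.255.255 destination network group vlan3
policy action no disposition deny
policy action allow disposition accept
policy rule r1 condition c1 action no precedence 10000
policy rule r2 condition c2 action allow precedence 15000 reflexive
policy rule r3 condition c3 action allow precedence {server_precedence} reflexive
"""

# The thread's first attempt: groups given as the gateway addresses with no mask.
HOST_ONLY_CONFIG = """
policy network group vlan2 192.168.92.1
policy network group vlan3 192.168.93.1
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule rule1 condition c1 action no
"""

# Constructed packets; 192.168.93.7 is a hypothetical second vlan 3 host.
PACKETS = [
    ("192.168.93.5", "192.168.92.3"),    # vlan 3 PC opens a connection to vlan 2
    ("192.168.92.3", "192.168.93.5"),    # the reply: only reflexive lets it past r1
    ("192.168.92.3", "192.168.93.7"),    # vlan 2 PC initiating: blocked by r1
    ("192.168.92.100", "192.168.93.7"),  # data server initiating: r3 against r1
]


def run(config, packets):
    # Evaluate in order: the reflexive state from one packet affects the next.
    eng = PolicyEngine()
    eng.load(config)
    return tuple(eng.evaluate(s, d) for s, d in packets)


if __name__ == "__main__":
    print(run(build_config(), PACKETS))         # accept, accept, deny, accept
    print(run(build_config(5000), PACKETS))     # accept, accept, deny, deny
    print(run(HOST_ONLY_CONFIG, PACKETS[2:3]))  # accept: the PCs are not in the groups
```

Run it as a script: the first line shows the intended one-way behaviour, the second shows the server being denied once its accept rule sits below the deny, and the third reproduces "nothing is blocked" when the groups hold only the two gateway addresses. The model is stateless apart from the reflexive flow table, so it says nothing about how the switch hardware actually tracks flows; it only makes the ordering and masking points visible.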