Inter Vlan omniswitch 6400-P48

avrilspirit
Member
Posts: 23
Joined: 22 Jul 2009 03:03

Re: Inter Vlan omniswitch 6400-P48

Post by avrilspirit »

OK, thanks, I will try this weekend :)

Now the network administrator gave me an "omniaccess 4304".
Do you think it's possible to plug the "omniaccess" into the "omniswitch 6400" and use it to discover the VLAN from the MAC address?

For example, a person comes into the firm with a computer and connects to the wifi; the MAC address is not known, so it is sent directly to vlan1.
The same thing if the address is known: it must be sent to the right vlan...

I think it's possible, but I have some questions:
- the omniaccess can't control the MAC address ==> that is to say it will be the omniswitch, no?
- so the person comes into the firm, connects over wifi, the omniaccess forwards to the omniswitch, the omniswitch analyses the MAC address and assigns a vlan for this MAC address. Is that correct?
or maybe I can plug a wifi antenna (AP65) directly into the omniswitch? (I think it's the same process)
- must I create a route between the omniswitch and the omniaccess?

And do you think it's a good idea to proceed like this?
because afterwards I must do the same thing with 3 omniswitches... 3 internet connections... and when a person comes into the firm it analyses the MAC address and transfers them into the right vlan. (I don't know if I must use 3 omniaccess or not?)

Thanks for your help :)
avrilspirit
Member
Posts: 23
Joined: 22 Jul 2009 03:03

Re: Inter Vlan omniswitch 6400-P48

Post by avrilspirit »

No idea :( , it's not important, I will see soon :)
Now I am trying with ACLs; I have read the manual (ACL manager chapter) and I have some questions:

I have 2 computers:
- 192.168.93.5 / 24 => vlan3 (port 7)
- 192.168.92.3 / 24 => vlan2 (port 2)

I would like vlan3 to be able to access vlan2 but not the opposite.

I have tried this but afterwards all my 4 vlans are blocked...
access-list 101 permit ip 192.168.93.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list 101 deny ip 192.168.92.0 255.255.255.0 192.168.93.0 255.255.255.0

But afterwards I must apply this rule somewhere, but where? because it's for one vlan. In the documentation it's written only for interface ethernet. And I have seen on the Internet that it's written to use the command interface Vlan X (but that doesn't work with Alcatel equipment).
I have tried with this:
- conf t
- interface ethernet 1/2
- ip access-group 101 in

- interface ethernet 1/7
- ip access-group 101 out

I don't find a lot of examples on the Internet :(
If not, maybe it's better to use one rule which blocks all traffic and afterwards open some things, but I have tried and it's the same..

Can you help me :)

This is my script:
for aclman:
show running-config

access-list 101 permit ip 192.168.93.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list 101 deny ip 192.168.92.0 255.255.255.0 192.168.93.0 255.255.255.0
!
interface Ethernet 1/2
ip access-group 101 In
!
interface Ethernet 1/7
ip access-group 101 Out
!
end

and all the config:
write memory terminal
! Stack Manager :
! Chassis :
system name vxTarget
! Configuration:
! VLAN :
vlan 1 enable name "VLAN 1"
vlan 2 enable name "VLAN 2"
vlan 2 port default 1/2
vlan 2 port default 1/3
vlan 2 port default 1/4
vlan 3 enable name "VLAN 3"
vlan 3 port default 1/5
vlan 3 port default 1/6
vlan 3 port default 1/7
vlan 3 port default 1/8
vlan 4 enable name "VLAN 4"
vlan 4 port default 1/9
vlan 4 port default 1/10
vlan 4 port default 1/11
vlan 4 port default 1/12
vlan port mobile 1/14
vlan port mobile 1/15
vlan port mobile 1/16
vlan port mobile 1/17
vlan port mobile 1/18
vlan port mobile 1/19
vlan port mobile 1/20
vlan port mobile 1/21
vlan 1 ip 192.168.91.0 255.255.255.0
vlan 2 ip 192.168.92.0 255.255.255.0
vlan 3 ip 192.168.93.0 255.255.255.0
vlan 4 ip 192.168.94.0 255.255.255.0
! VLAN SL:
! IP :
ip service all
ip interface "vlan 1" address 192.168.91.1 mask 255.255.255.0 vlan 1 ifindex 2
ip interface "vlan 2" address 192.168.92.1 mask 255.255.255.0 vlan 2 ifindex 3
ip interface "vlan 3" address 192.168.93.1 mask 255.255.255.0 vlan 3 ifindex 4
ip interface "vlan 4" address 192.168.94.1 mask 255.255.255.0 vlan 4 ifindex 5
! IPX :
! IPMS :
! AAA :
aaa authentication console "local"
aaa authentication http "local"
! PARTM :
! AVLAN :
! 802.1x :
! QOS :
! Policy manager :
! Session manager :
! SNMP :
! RIP :
! IPv6 :
! IPRM :
! RIPng :
! Health monitor :
! Interface :
! Udld :
! Port Mapping :
! Link Aggregate :
! VLAN AGG:
! 802.1Q :
! Spanning tree :
bridge mode 1x1
! Bridging :
! Bridging :
! Port mirroring :
! UDP Relay :
! Server load balance :
! System service :
debug fscollect disable
! SSH :
! Web :
! AMAP :
! LLDP :
! Lan Power :
! NTP :
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
->
cedric1
Member
Posts: 603
Joined: 26 May 2009 18:00
Location: Luxembourg ACSE R6

Re: Inter Vlan omniswitch 6400-P48

Post by cedric1 »

hello

I suggest you use the policy rule part of the documentation, so you can configure VLAN-wide for your condition and not apply only to one interface.

You will find all you need to do your job.

Try this to find some examples

https://service.esd.alcatel-lucent.com/ ... rt=&pg=&q=

I never use ACL MAN so I can't help you with it.
avrilspirit
Member
Posts: 23
Joined: 22 Jul 2009 03:03

Re: Inter Vlan omniswitch 6400-P48

Post by avrilspirit »

Ok ok :)
But even with policy rules, it doesn't work for me :(
I have created my policy rule like in the documentation:

policy network group vlan2 192.168.92.1
policy network group vlan3 192.168.93.1
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule rule1 condition c1 action no

With these commands, nothing is blocked, I don't know why...

After that I have tried directly with the IPs of the computers:

policy network group pc1 192.168.92.3
policy network group pc2 192.168.93.5
policy condition c2 source network group pc1 destination network group pc2
policy action no disposition deny
policy rule rule1 condition c2 action no

The communication between pc1 and pc2 is blocked, but unfortunately in both directions... I would like only one way :)
And why doesn't it work with the vlan?
cedric1
Member
Posts: 603
Joined: 26 May 2009 18:00
Location: Luxembourg ACSE R6

Re: Inter Vlan omniswitch 6400-P48

Post by cedric1 »

hello

show qos config

you will see qos is disabled

so

qos enable
qos apply

after each change in a rule: enter qos apply

cedric
avrilspirit
Member
Posts: 23
Joined: 22 Jul 2009 03:03

Re: Inter Vlan omniswitch 6400-P48

Post by avrilspirit »

Yes, I checked if my qos is enabled, and it was enabled:

show qos config
QoS Configuration:
Enabled : Yes
Pending changes : None
Classifier:
Default queues : 8
Default queue service : strict-priority
Trusted ports : No
NMS Priority : Yes
Phones : trusted
Default bridged disposition : accept
Default routed disposition : accept
Default IGMP/MLD disposition: accept
Logging:
Log lines : 256
Log level : 6
Log to console : No
Forward log : No
Stats interval : 60 seconds
Userports:
Filter : spoof
Shutdown: none
Quarantine Manager:
Quarantine MAC Group : Quarantined
Quarantined Page : Yes
Remediation URL :
Debug : info

And yes, I apply every time after a change, but I think it's not the problem :(
because you can verify in this configuration that my rule is present:

write terminal
! Stack Manager :
! Chassis :
system name vxTarget
! Configuration:
! VLAN :
vlan 1 enable name "VLAN 1"
vlan 2 enable name "VLAN 2"
vlan 2 port default 1/2
vlan 2 port default 1/3
vlan 2 port default 1/4
vlan 3 enable name "VLAN 3"
vlan 3 port default 1/5
vlan 3 port default 1/6
vlan 3 port default 1/7
vlan 3 port default 1/8
vlan 4 enable name "VLAN 4"
vlan 4 port default 1/9
vlan 4 port default 1/10
vlan 4 port default 1/11
vlan 4 port default 1/12
vlan port mobile 1/14
vlan port mobile 1/15
vlan port mobile 1/16
vlan port mobile 1/17
vlan port mobile 1/18
vlan port mobile 1/19
vlan port mobile 1/20
vlan port mobile 1/21
vlan 1 ip 192.168.91.0 255.255.255.0
vlan 2 ip 192.168.92.0 255.255.255.0
vlan 3 ip 192.168.93.0 255.255.255.0
vlan 4 ip 192.168.94.0 255.255.255.0
! VLAN SL:
! IP :
ip service all
ip interface "vlan 1" address 192.168.91.1 mask 255.255.255.0 vlan 1 ifindex 2
ip interface "vlan 2" address 192.168.92.1 mask 255.255.255.0 vlan 2 ifindex 3
ip interface "vlan 3" address 192.168.93.1 mask 255.255.255.0 vlan 3 ifindex 4
ip interface "vlan 4" address 192.168.94.1 mask 255.255.255.0 vlan 4 ifindex 5
! IPX :
! IPMS :
! AAA :
aaa authentication console "local"
aaa authentication http "local"
! PARTM :
! AVLAN :
! 802.1x :
! QOS :
policy network group vlan2 192.168.92.1
policy network group vlan3 192.168.93.1
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule rule1 condition c1 action no
qos apply
! Policy manager :
! Session manager :
! SNMP :
! RIP :
! IPv6 :
! IPRM :
! RIPng :
! Health monitor :
! Interface :
! Udld :
! Port Mapping :
! Link Aggregate :
! VLAN AGG:
! 802.1Q :
! Spanning tree :
bridge mode 1x1
! Bridging :
! Bridging :
! Port mirroring :
! UDP Relay :
! Server load balance :
! System service :
debug fscollect disable
! SSH :
! Web :
! AMAP :
! LLDP :
! Lan Power :
! NTP :
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
cedric1
Member
Posts: 603
Joined: 26 May 2009 18:00
Location: Luxembourg ACSE R6

Re: Inter Vlan omniswitch 6400-P48

Post by cedric1 »

hello

with vlan:

policy network group vlan2 192.168.92.1 -> you entered an IP, not a network

so

policy network group vlan2 192.168.92.0 mask 255.255.255.0

and for the rule use the "reflexive" statement at the end of the command

reflexive permits the return of packets from vlan 3 to vlan 2

you can use "log" after reflexive and check with "show qos log" to see what happens with your packets

Cedric
avrilspirit
Member
Posts: 23
Joined: 22 Jul 2009 03:03

Re: Inter Vlan omniswitch 6400-P48

Post by avrilspirit »

Yes it's true, I'm stupid...
I phoned the Alcatel service to get someone and the technician told me that the only solution is to do this:

You have 2 vlans:
Assume that you have a data server in vlan 2
You don't want to allow any users in vlan 2 to communicate with vlan 3
policy network group vlan2 192.168.92.0 mask 255.255.255.0
policy network group vlan3 192.168.93.0 mask 255.255.255.0
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule r1 condition c1 action no
==> This configuration will block access between vlan 2 and vlan 3
For the moment I agree, it works, but afterwards:

Now the IP address of your data server in vlan 2 is 192.168.92.100
policy condition c2 source ip 192.168.92.100 mask 255.255.255.0 destination network group vlan3
policy action allow disposition accept
policy rule r2 condition c2 action allow precedence 10000

This configuration will allow the traffic from the data server to vlan 3 => but for me it doesn't work; if I enter these commands all traffic between the vlans is blocked :(

Thanks cedric1 for your response :)
What is the syntax with reflexive that I should try? Is it at the end of the line with the condition? because for me it's to have only one-way communication.
cedric1
Member
Posts: 603
Joined: 26 May 2009 18:00
Location: Luxembourg ACSE R6

Re: Inter Vlan omniswitch 6400-P48

Post by cedric1 »

hello

take care with that

policy condition c2 source ip 192.168.92.100 mask 255.255.255.0 destination network group vlan3

you must enter 255.255.255.255 because you are speaking about a host = your server

reflexive is used in the rule; enter it after the action parameter

use ? to see the available commands

so reflexive is like a stateful firewall: you don't give a policy for the "way back".

Regards

Cedric
cedric1
Member
Posts: 603
Joined: 26 May 2009 18:00
Location: Luxembourg ACSE R6

Re: Inter Vlan omniswitch 6400-P48

Post by cedric1 »

At the same time, look at the precedence value with

show policy rule

accept traffic must have a higher precedence

so accept has 15000
and deny has 10000
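To tie cedric1's three corrections together (network groups need a mask, a single server is a /32 host, "reflexive" admits the return direction, and an accept rule must carry a higher precedence than the deny it overrides), here is an added Python model of how the switch evaluates these policy pieces. It is my own illustration, not code from the thread, from Alcatel-Lucent or from the OmniSwitch itself. It assumes the highest-precedence matching rule wins, that unmatched traffic follows the default routed disposition "accept" shown in the `show qos config` output above, that a network group entry without a mask is a single host, and it simplifies reflexive tracking to source/destination address pairs. The configuration strings are constructed for the example, using the addresses from the thread.

```python
"""Simplified model of OmniSwitch QoS policy evaluation (illustration only).

Assumptions (not the switch's own behaviour in every detail): the highest
precedence matching rule wins, unmatched traffic gets the default disposition
'accept', a 'policy network group' entry without a mask is a single host, and
'reflexive' admits the return direction of a flow an accepting reflexive rule
let through. Reflexive state is tracked per address pair, not per connection.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    groups: dict = field(default_factory=dict)      # name -> [ip_network]
    conditions: dict = field(default_factory=dict)  # name -> {"source": nets, "destination": nets}
    actions: dict = field(default_factory=dict)     # name -> "accept" | "deny"
    rules: list = field(default_factory=list)       # dicts with condition, action, precedence, reflexive
    established: set = field(default_factory=set)   # (src, dst) pairs admitted by reflexive rules


def _net(addr, mask=None):
    # No mask means a host entry (assumption), which is the thread's first mistake.
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)


def parse_policy(text):
    """Parse the 'policy network group / condition / action / rule' lines of a config."""
    pol = Policy()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "policy":
            continue  # blank lines and commands such as 'qos apply'
        kind = tok[1]
        if kind == "network" and tok[2] == "group":
            mask = tok[6] if len(tok) > 6 and tok[5] == "mask" else None
            pol.groups.setdefault(tok[3], []).append(_net(tok[4], mask))
        elif kind == "condition":
            cond = {"source": None, "destination": None}
            i = 3
            while i < len(tok):
                side = tok[i]
                if tok[i + 1] == "network":      # '<side> network group <name>'
                    cond[side] = pol.groups[tok[i + 3]]
                    i += 4
                elif tok[i + 1] == "ip":         # '<side> ip <addr> [mask <mask>]'
                    addr, mask, i = tok[i + 2], None, i + 3
                    if i < len(tok) and tok[i] == "mask":
                        mask, i = tok[i + 1], i + 2
                    cond[side] = [_net(addr, mask)]
                else:
                    raise ValueError(f"unsupported condition: {line}")
            pol.conditions[tok[2]] = cond
        elif kind == "action":
            pol.actions[tok[2]] = tok[tok.index("disposition") + 1]
        elif kind == "rule":
            rule = {"name": tok[2], "precedence": 0, "reflexive": "reflexive" in tok,
                    "condition": tok[tok.index("condition") + 1],
                    "action": tok[tok.index("action") + 1]}
            if "precedence" in tok:
                rule["precedence"] = int(tok[tok.index("precedence") + 1])
            pol.rules.append(rule)
    return pol


def _matches(nets, addr):
    return nets is None or any(addr in n for n in nets)


def evaluate(pol, src, dst):
    """Return 'accept' or 'deny' for a packet src -> dst and update reflexive state."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (dst, src) in pol.established:
        return "accept"  # return traffic of a flow a reflexive rule admitted
    best = None
    for rule in pol.rules:
        cond = pol.conditions[rule["condition"]]
        if _matches(cond["source"], src) and _matches(cond["destination"], dst):
            if best is None or rule["precedence"] > best["precedence"]:
                best = rule
    if best is None:
        return "accept"  # default routed disposition from 'show qos config'
    verdict = pol.actions[best["action"]]
    if verdict == "accept" and best["reflexive"]:
        pol.established.add((src, dst))
    return verdict


# Constructed config applying the thread's corrections: masks on the groups, a /32 for
# the server, reflexive on the permitted direction, accept rules above the deny rule.
ONE_WAY_CONFIG = """
policy network group vlan2 192.168.92.0 mask 255.255.255.0
policy network group vlan3 192.168.93.0 mask 255.255.255.0
policy condition c1 source network group vlan2 destination network group vlan3
policy condition c2 source network group vlan3 destination network group vlan2
policy condition c3 source ip 192.168.92.100 mask 255.255.255.255 destination network group vlan3
policy action no disposition deny
policy action allow disposition accept
policy rule r1 condition c1 action no precedence 10000
policy rule r2 condition c2 action allow precedence 12000 reflexive
policy rule r3 condition c3 action allow precedence 15000
qos apply
"""

# The thread's first attempt: host addresses where networks were meant.
HOST_GROUP_CONFIG = """
policy network group vlan2 192.168.92.1
policy network group vlan3 192.168.93.1
policy condition c1 source network group vlan2 destination network group vlan3
policy action no disposition deny
policy rule rule1 condition c1 action no
"""


def demo():
    pol = parse_policy(ONE_WAY_CONFIG)
    results = {
        "vlan3 -> vlan2": evaluate(pol, "192.168.93.5", "192.168.92.3"),
        "vlan2 -> vlan3 (reply)": evaluate(pol, "192.168.92.3", "192.168.93.5"),
        "vlan2 -> vlan3 (new)": evaluate(pol, "192.168.92.4", "192.168.93.5"),
        "server -> vlan3": evaluate(pol, "192.168.92.100", "192.168.93.5"),
    }
    broken = parse_policy(HOST_GROUP_CONFIG)
    results["host groups, vlan2 -> vlan3"] = evaluate(broken, "192.168.92.3", "192.168.93.5")
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:32} {verdict}")
```

Running `demo()` shows the one-way result the thread is after: the vlan3 PC reaches the vlan2 PC, the reply is admitted by reflexive state, an unsolicited vlan2 to vlan3 packet is denied, and the server's accept rule at precedence 15000 wins over the deny at 10000. The last entry reproduces the "nothing is blocked" symptom: with `192.168.92.1` and no mask the group holds only the switch's own interface address, so the PC's traffic matches no rule and falls through to the default accept.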