
Unsolved


December 29th, 2023 02:25

DELL EMC S4128F-ON Access List deny not working for specific VLAN

I have two core switches which are running VRRP for high availability (config file attached). In my case I need to create a new VLAN which will be used for guest wifi access. I need to isolate guest wifi from other internal networks.


I have created VLAN 995 (192.168.40.0/24) for guest wifi.

VLAN 997 (192.168.31.0/24) is the firewall side, and we have two firewalls running active-passive (192.168.31.253 and 192.168.31.254; virtual IP is 192.168.31.252).


I have created the access list below to allow guest VLAN traffic only to the firewall side, and I need to deny all other traffic.


ip access-list Guest
 seq 6 permit ip 192.168.40.0/24 192.168.40.253/32
 seq 8 permit ip 192.168.40.0/24 192.168.31.252/32
 seq 9 permit ip 192.168.40.0/24 192.168.31.253/32
 seq 10 permit ip 192.168.40.0/24 192.168.31.254/32
 seq 11 deny ip 192.168.40.0/24 192.168.37.0/24


Even if I create a deny rule to 192.168.37.0/24, guest users can still access the internal network.


Could you guys check my configuration and let me know what the error is here, please?

Configuration=====================================================

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2023.12.21 17:04:02 =~=~=~=~=~=~=~=~=~=~=~=
show version 
Dell EMC Networking OS10 Enterprise
Copyright (c) 1999-2020 by Dell Inc. All Rights Reserved.
OS Version: 10.5.1.4
Build Version: 10.5.1.4.249
Build Time: 2020-07-22T21:29:21+0000
System Type: S4128F-ON
Architecture: x86_64
Up Time: 136 weeks 3 days 01:36:59
Server2# 
Server2# 
Server2# 
Server2# 
Server2# show running-configuration 
! Version 10.5.1.4
! Last configuration change at Dec  19 13:09:19 2023
!
ip vrf default
!
interface breakout 1/1/25 map 100g-1x
interface breakout 1/1/26 map 100g-1x
hostname Server2
iscsi enable
iscsi target port 860
iscsi target port 3260
system-user linuxadmin password $6$5DdOHYg5$JCE1vMSmkQOrbh31U74PIPv7lyOgRmba1IxhkYibppMXs1KM4Y.gbTPcxyMP/PHUkMc5rdk/ZLv9Sfv3ALtB61
spanning-tree vlan 100,400,558,997-999,1700,2200 priority 28672
spanning-tree vlan 100,400,558,997-999,1700,2200 root secondary
username admin password $6$rounds=656000$RaTaN8eOw0./RT3/$EglJiXYqga78RQBbfUmJe8VUfnsf4TvrVTWg49QjhMK70F.YLIF9kHCvlQUjBqdzU1SJ/g38vJBEZvmXxw17G. role sysadmin priv-lvl 15
username dell password $6$rounds=656000$lKdpinbd330XYERt$KSMTXj1O7banCf2aMuZcblwhvYNdofZZLnsIWqf439BqEtL6juoUjTfsNCAd.xUNkTNmVv5.OiUb.Ncz/uKXp/ role sysadmin priv-lvl 15
aaa authentication login default local
aaa authentication login console local
!
wred mem
!
class-map type application class-iscsi
!
policy-map type application policy-iscsi
!
interface vlan1
 no shutdown
!
interface vlan66
 no shutdown
 ip address 192.168.66.252/24
 ip helper-address 192.168.37.210
 !
 vrrp-group 9
  priority 50
  virtual-address 192.168.66.253
!
interface vlan100
 no shutdown
 ip address 192.168.37.252/24
 !
 vrrp-group 1
  priority 50
  virtual-address 192.168.37.253
  no preempt
!
interface vlan400
 no shutdown
 ip address 192.168.36.252/24
 ip helper-address 192.168.34.170
 !
 vrrp-group 8
  priority 50
  virtual-address 192.168.36.253
!
interface vlan558
 no shutdown
 ip address 192.168.35.252/24
 !
 vrrp-group 7
  priority 50
  virtual-address 192.168.35.253
!
interface vlan995
 no shutdown
 ip address 192.168.40.252/24
 ip access-group Guest out
 !
 vrrp-group 20
  virtual-address 192.168.40.253
!
interface vlan997
 no shutdown
 ip address 192.168.31.251/24
 !
 vrrp-group 2
  priority 50
  virtual-address 192.168.31.252
!
interface vlan998
 no shutdown
 ip address 192.168.32.252/24
 ip helper-address 192.168.37.210
 !
 vrrp-group 5
  priority 50
  virtual-address 192.168.32.253
!
interface vlan999
 no shutdown
 ip address 192.168.30.252/24
 !
 vrrp-group 3
  priority 50
  virtual-address 192.168.30.253
!
interface vlan1700
 no shutdown
 ip address 192.168.33.252/24
 ip helper-address 192.168.37.210
 !
 vrrp-group 4
  priority 50
  virtual-address 192.168.33.253
!
interface vlan2200
 no shutdown
 ip address 192.168.34.252/24
 ip helper-address 192.168.37.210
 !
 vrrp-group 6
  priority 50
  virtual-address 192.168.34.253
!
interface port-channel1
 no shutdown
 switchport access vlan 997
!
interface mgmt1/1/1
 no shutdown
 ip address dhcp
 ipv6 address autoconfig
!
interface ethernet1/1/1
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/2
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/3
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/4
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/5
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/6
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/7
 no shutdown
 switchport access vlan 100
 flowcontrol receive on
!
interface ethernet1/1/8
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/9
 no shutdown
 switchport access vlan 100
 flowcontrol receive on
!
interface ethernet1/1/10
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/11
 no shutdown
 switchport access vlan 100
 flowcontrol receive on
!
interface ethernet1/1/12
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/13
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/14
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/15
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/16
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/17
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/18
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/19
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/20
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/21
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/22
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/23
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/24
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/25
 no shutdown
 switchport mode trunk
 switchport access vlan 100
 switchport trunk allowed vlan 66,400,558,995,997-999,1700,2200
 flowcontrol receive on
!
interface ethernet1/1/26
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/27
 no shutdown
 switchport mode trunk
 switchport access vlan 1
 switchport trunk allowed vlan 66,100,400,558,995,997-999,1700,2200
 flowcontrol receive on
!
interface ethernet1/1/28
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
interface ethernet1/1/29
 no shutdown
 channel-group 1 mode active
 no switchport
 flowcontrol receive on
!
interface ethernet1/1/30
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
!
ip route 0.0.0.0/0 192.168.31.253
!
ip access-list Guest
 seq 6 permit ip 192.168.40.0/24 192.168.40.253/32
 seq 8 permit ip 192.168.40.0/24 192.168.31.252/32
 seq 9 permit ip 192.168.40.0/24 192.168.31.253/32
 seq 10 permit ip 192.168.40.0/24 192.168.31.254/32
!
snmp-server contact "Contact Support"
!
telemetry
Server2#
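
The posted configuration binds the Guest ACL to vlan995 in the `out` direction, while every entry matches packets sourced from 192.168.40.0/24. The following small model of first-match, direction-aware ACL evaluation is an added example, not part of the original post and not Dell OS10 code; the helper names `svi_for`, `evaluate` and `forward`, the sample addresses 192.168.40.10, 192.168.37.20 and 8.8.8.8, and the implicit deny at the end of the list are assumptions of the model.

```python
# Simplified model of routed-interface ACL evaluation (not Dell OS10 code).
from ipaddress import ip_address, ip_network

# SVI subnets copied from the posted running-configuration.
SVIS = {"vlan995": "192.168.40.0/24", "vlan100": "192.168.37.0/24",
        "vlan997": "192.168.31.0/24"}
DEFAULT_EGRESS = "vlan997"  # ip route 0.0.0.0/0 192.168.31.253

# The "Guest" ACL as written in the post, including the seq 11 deny.
GUEST_ACL = [
    (6, "permit", "192.168.40.0/24", "192.168.40.253/32"),
    (8, "permit", "192.168.40.0/24", "192.168.31.252/32"),
    (9, "permit", "192.168.40.0/24", "192.168.31.253/32"),
    (10, "permit", "192.168.40.0/24", "192.168.31.254/32"),
    (11, "deny", "192.168.40.0/24", "192.168.37.0/24"),
]

def svi_for(addr, default=None):
    """Return the SVI whose subnet contains addr, else the default."""
    for name, net in SVIS.items():
        if ip_address(addr) in ip_network(net):
            return name
    return default

def evaluate(acl, src, dst):
    """First match wins; assumed implicit deny when nothing matches."""
    for seq, action, s_net, d_net in acl:
        if ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net):
            return f"{action} (seq {seq})"
    return "deny (implicit)"

def forward(src, dst, bind_if, bind_dir, acl=GUEST_ACL):
    """Verdict for a routed packet when acl is bound to bind_if in bind_dir."""
    ingress, egress = svi_for(src), svi_for(dst, DEFAULT_EGRESS)
    # An ACL is consulted only if the packet crosses the bound interface
    # in the bound direction.
    consulted = (bind_dir == "in" and bind_if == ingress) or \
                (bind_dir == "out" and bind_if == egress)
    return evaluate(acl, src, dst) if consulted else "permit (ACL not consulted)"

if __name__ == "__main__":
    for direction in ("out", "in"):
        # Constructed sample packets: guest to internal host, guest to Internet.
        for dst in ("192.168.37.20", "8.8.8.8"):
            print(direction, dst, forward("192.168.40.10", dst, "vlan995", direction))
```

In the model, the `out` binding on vlan995 never evaluates packets sourced from guests, because they enter through vlan995 and leave through another interface. With an `in` binding, the seq 11 deny takes effect, and Internet-bound packets fall through to the implicit deny because the permit entries match the firewall addresses as destinations rather than as next hops.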

Moderator


3.9K Posts

December 29th, 2023 09:57

Hi,

 

Most likely it should be a routing issue, but we don't have the capability to analyze the configuration of the switch. This would need technical support to check on it, hence you may need to raise a ticket for it. If you're looking for anyone from the public to provide feedback, we will wait for someone and monitor the post.
