1 Rookie • 10 Posts

November 14th, 2021 18:00

Interaction between route-map and access-group on powerconnect vlan

Device: N3048 version: 6.5.4.18

I'm doing PBR on a vlan to route out a secondary ISP as described in the PBR Guide. This works fine. On this vlan, I also need to implement port restrictions to other vlans. If I add an access-group to the vlan interface, the route-map stops working, even if the access-group only has one entry to permit everything. Is there a trick to get this to work?

interface vlan 3
ip address 172.27.3.1 255.255.255.0
ip helper-address discard dhcp
no ip redirects
ip policy route-map equal-access
ip access-group dmz-access in 1
exit
route-map "equal-access" deny 10
match ip address inter-communications
exit
route-map "equal-access" permit 20
match ip address dmz-twc-hosts
set ip default next-hop 172.27.12.3
exit

Moderator • 278 Posts

November 19th, 2021 07:00

Hello JSL2,

Sorry for the delay in replying; I needed time to do some research. I've spoken with colleagues from the Networking Team; however, it is a configuration question and the device is out of warranty, so there is a limit to the troubleshooting steps that can be provided. It is recommended to contact phone support for enterprise Configuration & Deployment. Maybe this document could be useful:

https://dell.to/32hEbG6

Also, my colleagues recommended as a troubleshooting step to use ip prefix-list from this document:

https://dell.to/3FxEV8s p. 1430, but it won't work exactly as you described; it should still deny access.

Please let us know if you have any questions.

Thank you

Maria Januszka

#IWork4Dell

Dell | Social Outreach Services - Enterprise

Moderator • 278 Posts

November 15th, 2021 04:00

Hello JSL2,

Thank you for choosing Dell.

Did you try to apply the following command:

console(config-route-map)#set interface null0

 

PBR does however provide a way to drop a packet if desired. By using the set interface null0 command, users can drop any packet that matches the criteria on a permit statement. Simply add the following set statement to your permit sequence.

Source:

https://dell.to/323eMjj p. 20

Please ask me if you have any questions.

Maria Januszka

#IWork4Dell

Dell | Social Outreach Services - Enterprise

1 Rookie • 10 Posts

November 15th, 2021 07:00

No, I haven't tried the command yet. I'm going to wait until non-business hours. This device is not under support, unfortunately.

Moderator • 278 Posts

November 15th, 2021 07:00

Hello JSL2,

Thank you for your reply. Did you already try to apply this command?
I would also like to recommend that you contact phone support, if you have an active warranty, because support can check logs and could also check the configuration.

Thanks,
Maria Januszka
#IWork4Dell
Dell | Social Outreach Services - Enterprise

1 Rookie • 10 Posts

November 15th, 2021 07:00

Ah ok, so the idea would be not to use ip access-group at all, and just put all of the port restricting/firewalling into the PBR?

1 Rookie • 10 Posts

November 15th, 2021 17:00

Since you cannot use a match statement on a route-map with the set interface null0, how would you actually implement a rule that blocks access to a specific network?

!-- What the DMZ hosts are allowed to access on the LAN
route-map "dmz-map" deny 10
     Match clauses:
       ip address (access-lists) : dmz-lan-allowed
     Set clauses:

!-- select hosts routing out 2nd ISP
route-map "dmz-map" permit 20
     Match clauses:
       ip address (access-lists) : dmz-twc-outbound
     Set clauses:
       ip default next-hop 172.27.12.3

!-- MAGIC PERMIT/DENY 30 RULE
!-- the default packet dropper. I need to add a "match" to this to only
!-- drop dmz-lan-denied, but I can't put a "match" on this.
route-map "dmz-map" permit 40
     Match clauses:
     Set clauses:
       interface null0

I would need to implement a deny 30 that matched everything that wasn't in the dmz-lan-denied ACL. How would I do that?

ip access-list dmz-lan-denied
1000 permit ip 172.27.3.0 0.0.0.255 172.27.9.0 0.0.0.255
1010 permit ip 172.27.3.0 0.0.0.255 172.27.10.0 0.0.0.255
1020 permit ip 172.27.3.0 0.0.0.255 172.27.15.0 0.0.0.255
1030 permit ip 172.27.3.0 0.0.0.255 172.27.30.0 0.0.0.255
exit
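An added example, not from the thread or from Dell: a small model of how a PBR route-map evaluates a packet, following the semantics the quoted PBR guide describes (first matching sequence decides; a deny sequence exempts the packet from PBR and forwards it normally; a permit sequence with set interface null0 drops it; a permit sequence with no match clause matches everything). It is run over the dmz-map above with constructed ACL contents and hosts, and the "default next-hop" route-table check is simplified away.

```python
# Added example: models first-match route-map evaluation for PBR.
# ACL contents, hosts and networks below are constructed sample values.
import ipaddress


def acl(*entries):
    """Constructed stand-in for an extended IP ACL: (src, dst) networks."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in entries]


# ACLs referenced by the thread's dmz-map; entries are constructed here.
ACLS = {
    "dmz-lan-allowed": acl(("172.27.3.0/24", "172.27.5.0/24")),
    "dmz-twc-outbound": acl(("172.27.3.10/32", "0.0.0.0/0")),
}

# The dmz-map from the post: (sequence, action, match ACL or None, set clause)
DMZ_MAP = [
    (10, "deny", "dmz-lan-allowed", None),
    (20, "permit", "dmz-twc-outbound", ("next-hop", "172.27.12.3")),
    (40, "permit", None, ("null0", None)),  # catch-all dropper
]


def acl_permits(name, src, dst):
    """True if any ACL entry matches the packet's source and destination."""
    return any(src in s and dst in d for s, d in ACLS[name])


def policy_route(route_map, src, dst):
    """Return the forwarding decision for one packet entering the vlan."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, action, match, set_clause in route_map:
        if match is not None and not acl_permits(match, src, dst):
            continue                       # no match: try the next sequence
        if action == "deny":
            return "normal-routing"        # deny = exempt from PBR, not a drop
        if set_clause[0] == "null0":
            return "drop"
        # Simplification: "default next-hop" should only apply when the
        # routing table has no explicit route; modelled here as always applied.
        return f"next-hop {set_clause[1]}"
    return "normal-routing"                # fell off the end of the route-map
```

Running it over a few constructed packets shows the effect the post is worried about: the allowed LAN flow and the TWC host are handled as intended, but any other flow, including ordinary internet traffic from a host not in dmz-twc-outbound, hits sequence 40 and is dropped.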

Moderator • 278 Posts

November 16th, 2021 03:00

Hello JSL2,

Thank you for your reply. May I please ask you to provide the Service Tag and location of the switch in a Private Message? I would like to contact colleagues from the Networking Team and I need this information.

Thanks,
Maria Januszka
#IWork4Dell
Dell | Social Outreach Services - Enterprise

1 Rookie • 10 Posts

November 16th, 2021 18:00

I PM'ed you that information.

1 Rookie • 10 Posts

November 22nd, 2021 18:00

Well, thanks for the response anyway!