PowerConnect M6220 ACL issues

Hi, I received a pair of PowerConnect M6220 blade switches, pretty much the same as the 6224.

I'm trying to apply ACLs to an interface, and I'm unable to do so.
Here's what I'm trying to do:

coresw(config)#access-list internet-out deny ip any 10.0.0.0 255.0.0.0
coresw(config)#access-list internet-out permit every

coresw(config-if-Gi1/0/17)#ip access-group internet-out out

Error when processing the ACL.

coresw(Config-if-Gi1/0/17) #.

<190>MAR 25 00:37:12 10.128.101.1 - 1 DRIVER [126512544]: broad_acl.c (1611) 4% ACL not applied to 134217728 port

There is no other ACL on this switch or on any of its interfaces.
As you can see, it is a LCD 2 lines in the 90s, who refuses to work. Basically, what I'm trying to do is filter all local IP traffic.
Am I doing something wrong here? According to www.dell.com/.../pwcnt_IP_ACLs.pdf, I can filter outbound traffic by destination.

Any help is appreciated, thanks.

I was able to test this on an M6220 and I can confirm the behavior you're seeing is a hardware limitation. IP-based ACLs cannot be applied on egress. You should have no problem applying them on ingress.

Tags: Dell Switches

Similar Questions

  • reset the password on a Dell PowerConnect M6220

    Hello, I'm trying to reset the password on a Dell PowerConnect M6220.  I can connect to the CMC via the HTTPS web page, but I don't see how to do it from there.

    Then I tried to plug a USB serial cable into the console port and reset the password via a console session using Tera Term, but when I do that all I get is a white screen.

    The serial settings are:

    Cable: Null modem

    Bits per second: 115200

    Data bits: 8

    Parity: None

    Stop bits: 1

    Flow control: None

    Any ideas on how I can get telnet access to the device to reset the password successfully?

    Thank you

    Kevin

    You can connect to the switch's internal console port via the CMC CLI.

    Telnet to the CMC, then connect switch-a1 (or a2, b1, etc.)

    This will give you the > prompt, so either delete the startup-config and reload, or put in your own username and password - remember that you can set this on the in-band or out-of-band interface by selecting the appropriate interface.

  • PowerConnect 6200 ACL does not seem to work

    Hello

    I have a total of four 6248s in two groups at different locations that are configured with VRRP + OSPF.  I tried to set up a simple ACL on a VLAN to allow a portion of the traffic and block everything else, but I can't make it work.  I have tried many combinations to try to get this working, but so far without success.  It's just a simple ACL, which should allow the web/HTTP traffic to the 10.1.30.100 server and block everything else.

    The only types of ACE that seem to work are either a "deny ip any any" or a "permit ip any any". If you try an ACE with a destination host and subnet mask 0.0.0.0, it just blocks everything.  Has anyone else had problems with the ACLs, or is it just my incompetence preventing me from getting the 6200 ACL to work properly?  I didn't have this problem getting the ACL to work on our Cisco 2811 routers, only when I tried it on the PC6248s.

    config
    int vlan 720
    no ip access-group vlan720-in in
    exit
    no access-list vlan720-in
    access-list vlan720-in permit tcp any 10.1.30.100 0.0.0.0 eq 80
    int vlan 720
    ip access-group vlan720-in in
    exit
    exit
    copy run start
    y

    Just an update on this issue.  I worked with Dell to determine why the ACL does not seem to work.  We discovered that the 6200 applies the ACL to traffic the way a Cisco VLAN map (VLAN ACL) does, as opposed to an inbound router ACL.  This causes the ACL to apply not only to routed traffic but also to traffic switched within the same VLAN.

    This has been the source of my problems, as my traffic is not limited to a single 6200.  I set up a simple lab to verify that the 6200 applies the ACL to traffic switched within the same VLAN.

    First, the 6200 has one ACL applied to VLAN 5; both PC1 and PC2 are in VLAN 5.  They are both on the same subnet, 192.168.5.0/24.  The ACL has a "permit icmp any any" statement but nothing else.  PC1 and PC2 are running Windows XP Pro with IIS installed for the test.  The firewall on both is disabled.

    PC #1 IP: 192.168.5.2/24
    PC #2 IP: 192.168.5.3/24

    [6200]
    |    |
    |    |
    |   [2950T #2] <-->[PC #2]
    |
    |
    [2950T #1] <-->[PC #1]

    In this scenario PC1 and PC2 can ping each other without problem because of the permit icmp any any statement, but neither can access the IIS site on the other computer.

    Dell said that this is normal and that if you want communication within the VLAN you need a 'permit ip ' statement to make it work properly.  I also found that return traffic from other VLANs was also denied, because the ACL is applied to all of the incoming traffic.  As a solution, a permit statement must be included for ALL return traffic from other subnets to the restricted subnet.  So in this case "permit ip any ".

    I find it a bit annoying that the ACL is applied as a VLAN map rather than as a true inbound router ACL, as it is on comparable Cisco devices such as the 3750.  So there is a workaround.  I hope they can solve the problem in a future update, because I really think that the 6200 is a great device.

    Here you can see the difference between VLAN maps and inbound router ACLs in where they are applied with regard to traffic local to the VLAN.
    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html#wp1572522
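The lab result reported in this thread, modelled as an added example (not code from the posters or from Dell). It evaluates the same stateless, first-match ACL under two application models: `vlan-map` (every packet entering, leaving or switched within VLAN 5 is checked, as Cisco describes VLAN maps) and `router-in` (only packets routed out of VLAN 5 are checked). The mode names, the workaround rule and the placement of 10.1.30.100 on another subnet are assumptions made for illustration.

```python
"""Model of the VLAN 5 lab: one ACL, two ways a switch can apply it."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"                                  # stands in for "any"
VLAN5 = ipaddress.ip_network("192.168.5.0/24")     # subnet from the post


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # CIDR
    dst: str                      # CIDR
    dport: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0


def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def acl_action(acl, pkt):
    """Stateless first-match evaluation; the implicit deny ends every ACL."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def forwarded(acl, pkt, mode):
    """True if the packet gets through under the given application model."""
    src_local = ipaddress.ip_address(pkt.src) in VLAN5
    dst_local = ipaddress.ip_address(pkt.dst) in VLAN5
    if mode == "vlan-map":        # routed in, routed out, or bridged within
        checked = src_local or dst_local
    elif mode == "router-in":     # only traffic routed out of the VLAN
        checked = src_local and not dst_local
    else:
        raise ValueError(mode)
    return (not checked) or acl_action(acl, pkt) == "permit"


# Constructed sample data: PC addresses are from the post; REMOTE is assumed
# to sit on a different subnet and to be answering a request from PC1.
PC1, PC2, REMOTE = "192.168.5.2", "192.168.5.3", "10.1.30.100"
LAB_ACL = [Rule("permit", "icmp", ANY, ANY)]
# Hypothetical workaround rule: permit everything destined to the VLAN.
# Being stateless, it also re-opens PC1 <-> PC2 traffic.
WORKAROUND_ACL = LAB_ACL + [Rule("permit", "ip", ANY, str(VLAN5))]
PACKETS = {
    "ping PC1->PC2": Packet("icmp", PC1, PC2),
    "http PC1->PC2": Packet("tcp", PC1, PC2, 80),
    "reply REMOTE->PC1": Packet("tcp", REMOTE, PC1, 49152),
}


def lab_results(acl, mode):
    return {name: forwarded(acl, pkt, mode) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("lab ACL", LAB_ACL), ("with workaround", WORKAROUND_ACL)):
        for mode in ("vlan-map", "router-in"):
            print(label, mode, lab_results(acl, mode))
```
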

  • PowerConnect M6220 problem without tag switch of VLAN

    Good afternoon.
    I do not have much knowledge of networks and need help.
    I have this M6220 connected to an HP ProCurve switch by a trunk.
    My problem is that I cannot pass the untagged VLAN 10 from the ProCurve to the M6220 switch, can you help me?
    M6220 has firmware version 1.
    Thank you

    On a trunk connection, the native VLAN is the VLAN used to send and receive untagged packets. Here is an example configuration.

    console(config-if-Gi1/0/1)#interface Gi1/0/24
    console(config-if-Gi1/0/24)#switchport mode trunk
    console(config-if-Gi1/0/24)#switchport trunk native vlan 10
    console(config-if-Gi1/0/24)#switchport trunk allowed vlan add 10,11,12,13

    If trunk mode does not work, you can also try to use general mode.

    console(config-if-Gi1/0/1)#interface Gi1/0/24
    console(config-if-Gi1/0/24)#switchport mode general
    console(config-if-Gi1/0/24)#switchport general pvid 10
    console(config-if-Gi1/0/24)#switchport general allowed vlan add 10 untagged
    console(config-if-Gi1/0/24)#switchport general allowed vlan add 11,12,13 tagged

    Hope this helps

  • Question about Powerconnect M6220 and out-of-band/management 8024-K connection

    I'm sorry if this question belongs to another section, but with regard to the functionality of these switches I thought I would start here.

    My question is, do the M6220 and 8024-K out-of-band connections go through the on-board connections (port 18, for example) or through the M1000e CMC connection?

    The reason for this question: we recently VLANed our network, and the CMC modules are on VLAN 8 (10.100.8.0 255.255.248.0) while management of our switches is supposed to be on VLAN 1 (10.100.1.0 255.255.255.0). I can't ping the assigned IPs (e.g. 10.100.1.15), but our CMC modules are fully accessible (e.g. 10.100.9.120). Our blades are fully accessible and can access all the VLANs on them (they are ESX hosts).

    Finally, I'm sorry if not all necessary information has been provided, I'm not so much a networking guru.

    Thoughts?

    Thanks for your help

    The OOB interface is connected to the chassis management controller through the chassis midplane. Traffic on this port is segregated from operational network traffic on the switch ports and cannot be switched or routed to the operational network.

  • Dell Powerconnect 5424 connectivity issues

    Hi all

    I recently got a Powerconnect 5424 switch I would add to my current setup. My current setup is:

    Router (Linksys RV082) (has a few connected devices) -> 8-port unmanaged Netgear gig switch (has other connected devices) -> 5-port Netgear switch (on 2nd floor, rest of devices).

    I would like to put the 5424 in place of the 8-port switch.

    So far, I was able to set the IP address of the switch via the console, and I can connect 2 devices and make them communicate. However, when I plug the switch into my router, nothing works on the switch. I cannot ping it, and cannot ping the router when the devices are connected to the switch...

    Not really sure where to go from here, or what to look at.

    Thanks in advance!

    Other options would be switchport access or switchport general.

    console(config)# interface ethernet g1

    console(config-if)# switchport general allowed vlan add 1

    General mode is a hybrid of trunk and access.

    console(config)# interface ethernet g1

    console(config-if)# switchport access vlan 1

  • PIX IPSec and ACL issues

    Hello

    On a PIX 515E v.6.3.5.

    Are there three ACLs that can come into play when setting up an IPSec VPN on a PIX? (I hear a roar of 'It depends')

    1. Nat (0) ACL - to NOT NAT traffic that is part of the IPSec VPN

    2. Crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.

    3. ACL - ACL to permit | deny traffic after ACL #1 and #2.

    Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words, the sysopt doesn't participate on ACL #1 or 2 above?

    The mirroring of ACLs that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?

    Thank you

    Dan

    pdvcisco wrote:

    Hello,

    On a PIX 515E v.6.3.5.

    Are there three ACL lists that can come in to play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends" )

    1. Nat (0) ACL  - to NOT nat traffic this is part of the IPSec VPN

    2. Crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.

    3. ACL - ACL to permit | deny traffic after ACL #1 and #2.

    Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words the sysopt doesn't participate on ACL #1 or 2 listed above?

    The mirroring of ACL's, that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?

    Thanks,

    Dan

    Dan

    It depends

    (1) is not always used, because with a site-to-site VPN you sometimes need to NAT your internal addressing

    (2) always necessary

    (3) if "sysopt connection permit-ipsec" is configured, any ACL on the interface where the VPN terminates is bypassed. If it is not enabled, then once packets are decrypted they are checked against the ACL.

    Mirrored ACLs are required.

    Jon

  • PowerConnect M6220 switch cannot set port speed

    I'm trying to define a port speed to 100 instead of the default value of 1000 using the following command:

    1. Enter Interface Configuration mode for port 1.

    console#configure
    console(config)#interface gigabitEthernet 0/1/1
    2. Change the speed and duplex settings for the port.
    console(config-if-Gi1/0/1)#speed 100
    console(config-if-Gi1/0/1)#duplex full
    console(config-if-Gi1/0/1)#exit

    But I got an error: "an invalid interface was used for this function." Please refer to

    Trying to update the speed of the port in the GUI also returned an error:

    Could someone advise what I'm doing wrong? Thank you!!

    The user guide says that not all ports support all speeds, even if they are available in the command. And the output of the command is the message you see. What NIC connects to the interface 1/0/8? I think that most adapters for servers are 1 GB or higher.

  • PowerConnect m6220 cable console

    Hello. I need to reset the enable password on the switch, but I don't have a USB-RS232 console cable.

    Does someone have a photo of its pinout?

    This is the type of cable you might be looking for.

    See you soon

  • connect the m6220 switches stacked to existing Lan infrastructure

    I need to connect two PowerConnect M6220s to the existing LAN infrastructure.

    The two switches are configured as a stack.

    Which is the best way to uplink the new switches to the other two PowerConnect 5548s?

    The old switches are not stacked and are linked together by two 10Gb Ethernet cables (one of the links is disabled).

    I need to make the network fault tolerant; maybe I need to configure spanning tree on the two 10Gb links.

    Should I use spanning tree to configure the uplink between the old and the new, too?

    Is there a better alternative? Is there another way to prevent network loops?

    Thanks, Francesco

    You have a few options.

    1. You can simply connect the cables between the M6220 switch stack and the 5548s.  Set up a trunk connection that allows the needed VLANs across.  Spanning tree, as long as it is enabled on the switches and not turned off on the specific ports connecting them, will by default prevent loops and allow the best link to be active, leaving the second connection as an alternate link in a blocking state.

    2. You can configure a LAG (link aggregation).  This is where you configure the individual physical ports into a virtual port channel.  This tells spanning tree to treat multiple physical ports as a single aggregated link to the other switch.  You will need to have the ports at each end of the connection assigned to a port channel (on each switch).  This gives the same speed but more throughput, to move more traffic.

  • M620 IO CARDS

    Hello

    We have a client who wants to buy two new M620 blade servers with the following configuration:
    Fabric A - Broadcom 57810S NDC
    Fabric B - Broadcom 57810S NIC
    Fabric C - Qlogic QME2572

    In the meantime, he has the following I/O module configuration:
    Fabric A - PowerConnect M6220 x 2
    Fabric B - PowerConnect M6220 x 2
    Fabric C - Brocade M5424 x 2

    Question: Are the new M620 blades compatible with the current I/O module configuration?

    The following message by DELL - Kevin Ho has been proposed as a response to "Re: M620 i/o CARDS":

    Quick response - YES, the M620s are compatible with your current I/O module configuration.

    Long answer - the Broadcom network cards you have listed are 10GbE, but they will work with the 1GbE switches you have in fabric A and B.  The QLogic HBA that you have will work as long as you have a fibre I/O module in fabric C.  Your list of configurations of the currently listed I/O module a Qlogic HBA, so assuming that it is actually a fiber I/O module, you should be fine.

  • Set up multiple paths to EqualLogic PS4000 iSCSI

    I have two Dell PowerEdge M610s in a PowerEdge M1000e that my team was given as seed units (thanks Dell), and we ended up buying the storage they sent with it, an EqualLogic PS4000.  The Dell representative came and helped get the basic configuration running, explained how iSCSI worked, and showed us a doc (the same doc, Configuring_VMware_vSphere_Software_iSCSI_with_Dell_EqualLogic_PS_Series_Storage.pdf, noted in many threads here) on how to get ESX(i) v4.1 running with this storage.  We had everything up and running for the most part before he left, but after going over the documentation again, I saw that we should be able to establish multiple connections and "Round Robin" to improve performance.  As far as I can see in both the vSphere Client and the EqualLogic management console, I get only one connection per server (as seen in the attached screenshots).  I've been beating my head on this for the last few days trying to get the connections going.  In fact, I've seen it work once, but for other reasons I had to redo the RAID on the host and reload, and have not been able to get it working again... :'-(

    So, here's how the hardware is configured.  From PS4000 control module 0, eth0 goes to 1 Dell PowerConnect M6220 in chassis slot C2, and eth1 goes to another port on the M6220 in C2.  So the storage is connected directly to the chassis.  The same configuration applies on control module 1.  These ports connect to vmnic4 & 5.

    Switch name Num used Ports configured Ports MTU rising ports

    vSwitch0 128 4 128 1500 vmnic0, vmnic1

    Name PortGroup VLAN ID used rising Ports

    The VM network 0 0 vmnic0, vmnic1

    Management network 0 1 vmnic0, vmnic1

    Switch name Num used Ports configured Ports MTU rising ports

    vSwitch2 128 6 128 9000 vmnic4, vmnic5

    Name PortGroup VLAN ID used rising Ports

    iSCSIMgnt 1 0 vmnic5, vmnic4

    0 1 vmnic5 iSCSI2

    0 1 vmnic4 iSCSI1

    ~ # esxcfg-vmknic -l

    Interface  Port Group/DVPort   IP Family  IP Address     Netmask        Broadcast       MAC Address        MTU   TSO MSS  Enabled  Type
    vmk0       Management Network  IPv4       10.131.172.74  255.255.255.0  10.131.172.255  00:26:b9:31:d6:a9  1500  65535    true     STATIC
    vmk1       iSCSI1              IPv4       192.168.1.21   255.255.255.0  192.168.1.255   00:50:56:71:e7:f5  9000  65535    true     STATIC
    vmk2       iSCSI2              IPv4       192.168.1.22   255.255.255.0  192.168.1.255   00:50:56:75:92:76  9000  65535    true     STATIC

    ~ # esxcfg-nics -l

    Name    PCI            Driver  Link  Speed     Duplex  MAC Address        MTU   Description
    vmnic0  0000:01:00.00  bnx2    Up    1000Mbps  Full    00:26:b9:31:d6:a9  1500  Broadcom Corporation Broadcom NetXtreme II BCM5709 1000Base-SX
    vmnic1  0000:01:00.01  bnx2    Up    1000Mbps  Full    00:26:b9:31:d6:ab  1500  Broadcom Corporation Broadcom NetXtreme II BCM5709 1000Base-SX
    vmnic2  0000:03:00.00  bnx2    Up    1000Mbps  Full    00:26:b9:31:d6:ad  1500  Broadcom Corporation Broadcom NetXtreme II BCM5709 1000Base-SX
    vmnic3  0000:03:00.01  bnx2    Up    1000Mbps  Full    00:26:b9:31:d6:af  1500  Broadcom Corporation Broadcom NetXtreme II BCM5709 1000Base-SX
    vmnic4  0000:05:00.00  bnx2    Up    1000Mbps  Full    00:26:b9:31:d6:b1  9000  Broadcom Corporation Broadcom NetXtreme II BCM5709 1000Base-SX
    vmnic5  0000:05:00.01  bnx2    Up    1000Mbps  Full    00:26:b9:31:d6:b3  9000  Broadcom Corporation Broadcom NetXtreme II BCM5709 1000Base-SX

    ... OK, after all that, here's another conclusion after tinkering with the network settings for vSwitch2.  If I change:

    0 1 vmnic5 iSCSI2

    0 1 vmnic4 iSCSI1

    ... to ...

    iSCSI2 1 0 vmnic4

    0 1 vmnic5 iSCSI1

    The connection to the storage is lost... for a while.  About 5 min later I see the connection on the EqualLogic, but on the other port (eth0 to eth1).  So I don't know the connection MAY work, but just does not do both at the same time.

    So what I am doing wrong?  I tried to read on other threads, but haven't read the answer to this question.  Thanks for your help.

    There is a step in this configuration guide where you bind all of your VMkernel ports to the iSCSI initiator.  Did you remember to do this step?

    What does the output of the following command look like: esxcli swiscsi nic list -d vmhba39

    You should see vmk1 and vmk2 in there.

    Matt

    My blog: http://www.thelowercasew.com

  • PIX ACL user downloadable issues

    Recently, I opened a TAC case on an issue that I had with user downloadable ACLs on a RADIUS server. I use the user ACL on an intranet PIX firewall that protects some servers. We have programmers who need special access to them, and I tried to have the ACL assigned dynamically. It turns out that TAC said even if I had the correct ACL and it was applied to the user, I must have the same ACL allowing traffic on the interface that receives the incoming traffic. That makes no sense to me, because my goal was to get rid of permanent ACLs and not have to worry about the use of source IP addresses. I could just have the user connect through HTTP and get the ACL. Then eventually the uauth timer kicks in and removes the ACL, so as not to leave a hole in the PIX. I totally miss the goal of downloadable ACLs, so if someone could shed some light on the subject I would appreciate it :) If someone has a solution or another approach to the problem that I have, please do not hesitate to post! Thanks in advance!

    Tony

    For authentication and downloadable ACLs to work, you need two ACLs on the PIX: the interface ACL and the authentication ACL. You can consider the interface ACL as a trigger for the authentication ACL, since it must allow traffic through in order to trigger authentication. It must also allow the same traffic as the auth ACL, which means it is sometimes easier to make the interface ACL more permissive and the auth ACL more restrictive.

    For example, if you have users on 192.168.1.0/24 on the inside interface and you want them to authenticate to access Terminal Server services, you can, if you want, configure the inside access list to allow all traffic to 192.168.1.0/24

    ! inside 192.168.1.0 auth trigger

    access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any

    but deny everything in the authentication ACL, which means that all traffic requires authentication/authorization first.

    ! authentication for 192.168.1.0

    ! don't authenticate DNS and ICMP

    access-list inside_authentication deny udp 192.168.1.0 255.255.255.0 any eq 53

    access-list inside_authentication deny icmp 192.168.1.0 255.255.255.0 any

    ! authenticate everything else

    access-list inside_authentication permit ip 192.168.1.0 255.255.255.0 any

    ! apply access lists

    access-group inside_access_in in interface inside

    aaa authentication match inside_authentication inside RADIUS

    Your ACS/RADIUS ACL would be configured as

    ! term serv

    permit tcp 192.168.1.0 255.255.255.0 any eq 3389

    ! http

    permit tcp 192.168.1.0 255.255.255.0 any eq 80

    That would provide term serv and HTTP access to an authenticated user. Your logs will show permission denied for all other access by this user after authentication.

    I hope this helps.

  • Issue of ACL:Technical DMVPN TUNNEL ENTERING to Expert

    Hello

    I have a problem with an access list configured INBOUND on the tunnel interface of the HUB routers (HUB1 and HUB2).

    I enclose a simple drawing of my configuration: drawing-Lab - Setup.Jpeg

    Let me quickly explain my setup:

    • I have configured a dual HUB, dual DMVPN layout
    • DMVPN phase 3 is configured and I'm using EIGRP
    • All traffic (including Internet) passes through the HUB location
    • All spokes are configured with FVRF and receive only a default route from the HUB routers
    • Spoke-to-spoke traffic is possible and can be restricted if necessary by setting up a route to null on the spoke routers
    • HUB1 is the main router and HUB2 is the backup router

    Security requirements:

    • Spokes access the Internet through a HUB, and are allowed to access HTTP, HTTPS, FTP, and ICMP
    • Spokes can reach everything at the hub location

    In order to meet the security requirements and simplify the configuration on the spokes, I thought that I could set up an inbound access list on the tunnel interface of HUB1 and HUB2. That way, every time I add a new spoke I don't have to add more lines to the spoke config. I enclose the access list that I have configured on HUB1 and HUB2 and also the configuration of the tunnel interface (only for HUB1, HUB2 is the same).

    DMVPN-TunnelIN-Acl-and - TunnelConf.txt

    My issue starts here. When I apply the access list called DMVPN_INSIDE_IN to the tunnel interface, the spokes can ping the hub location, no problem. The problem is that when a spoke host tries to access the Internet (ping from 192.168.100.2), in this case 200.200.200.200 (see drawing), the access list denies the packet, saying the following:

    %SEC-6-IPACCESSLOGDP: list DMVPN_INSIDE_IN denied icmp 80.10.10.2 -> 200.200.200.200 (8/0), 1 packet

    But the firewall doesn't actually see the good address before being natted source:


    %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.100.2:8) -- responder (200.200.200.200:0)

    If I remove the access list everything works fine! It seems that the access list inspects the packet after the NAT process. Actually, sometimes it works and sometimes not. If I remove the access list and put it back again, 192.168.100.2 can ping 200.200.200.200 without problem.

    What I don't understand is how I can apply the access list to the tunnel interface. Wouldn't it be OUTBOUND instead of INBOUND? I don't really understand the Cisco IOS process here. How is the tunnel interface read in this case?

    Any ideas what is going on here?

    Best regards

    Laurent

    Laurent,

    Seems to be related to CEF, then (which, at least for me, I don't know too much about). Presumably a valid adjacency is now installed and it will work until it is removed from the FIB for whatever reason.

    A good test would be to check whether it continues to work after you remove and re-add CEF, or whether it is just a minor issue with access lists.

    Marcin

  • Basic ACL - PowerConnect 6224

    Interfaces:
    G1 = Internet
    G3, g4 = Server (LAG 1)

    G1 has no bound ACL

    I'm trying to bind ACL(s) to LAG 1 that will allow specific Internet -> server traffic and all (later, restricted) server -> Internet traffic
    (because it is bound to the LAG, as opposed to g1, the ACL is applied in the "out" direction)
    (to simplify things I use any for src/dest - but will later restrict to the IP addresses of the server)

    My rules:

    access-list webau permit tcp any any eq 22
    access-list webau permit tcp any any eq http
    access-list webau permit tcp any any eq 443
    access-list webau permit tcp any any eq 3389
    access-list webau permit tcp any any eq 1935

    Binding of the ACL:

    interface port-channel 1
    ip access-group webau out

    This successfully allowed traffic from Internet -> server on the specified TCP port numbers - good.

    However, the server is unable to get out to the Internet at all.
    (for example, ping, telnet google.com 80)

    I would have thought that with no ACL bound in the "in" direction, all traffic from the LAG into the switch would be allowed.

    I also tried:
    access-list Allowall permit every
    interface port-channel 1
    ip access-group Allowall in

    In addition, if I add this rule to the webau ACL (bound out on LAG 1):
    access-list webau permit icmp any any

    I can ping server -> Internet

    or...
    access-list webau permit every

    Server -> Internet is OK

    Finally - any recommendation on whether to apply the ACL to the server's ports/channel in the OUT direction (as I am doing) vs. applying it to the Internet port in the IN direction?

    Thank you!
    Nick

