Ethernet Fabric (VDX, CNA)


VDX6740 VCS, fabric virtual gateway, arp response, no isolated l3 traffic.

Hi Everybody,

I have 5 VDX6740 with nos6.0.2a and more than 20 ICX7250.

The 5 VDX6740 are configured in VCS logical chassis mode:

VCSID 357

rbridge-id 11, 12, 21, 22, 31.

I have configured fabric virtual gateway as follows:

router fabric-virtual-gateway
address-family ipv4
enable
gratuitous-arp timer 60
accept-unicast-arp-request
!
address-family ipv6
no enable
!
!
interface Vlan 1
name Admin
description Admin
!
interface Vlan 2
name Data
description Data
!
interface Vlan 5
name Wifi-Invites
description Wifi-Invites
!

interface Ve 1
no shutdown
attach rbridge-id add 11-12,21-22,31
ip fabric-virtual-gateway
gateway-address 192.168.1.254/24
enable
!
!
interface Ve 2
no shutdown
attach rbridge-id add 11-12,21-22,31
ip fabric-virtual-gateway
gateway-address 192.168.2.254/24
gratuitous-arp timer 60
enable
!
!
interface Ve 5
no shutdown
attach rbridge-id add 11-12,21-22,31
ip fabric-virtual-gateway
gateway-address 192.168.5.254/24
enable
!
!

fabric route mcast rbridge-id 11
!
fabric route mcast rbridge-id 12
!
fabric route mcast rbridge-id 21
!
fabric route mcast rbridge-id 22
!
fabric route mcast rbridge-id 31
!

interface TenGigabitEthernet 11/0/6
switchport
switchport mode trunk
switchport trunk allowed vlan all
no switchport trunk tag native-vlan
spanning-tree shutdown
fabric isl enable
fabric trunk enable
no shutdown
!

Interface 11/0/6 is an uplink to one ICX 7250, port 1/2/1 (10G uplink).

Config of ICX7250:

vlan 1 name DEFAULT-VLAN by port
!
vlan 2 name Data by port
tagged ethe 1/1/2 ethe 1/2/1 to 1/2/8
untagged ethe 1/1/2
!
vlan 5 name Wifi-Invites by port
tagged ethe 1/1/2 ethe 1/2/1 to 1/2/8
untagged ethe 1/1/3
!

interface ethernet 1/1/1
inline power
!
interface ethernet 1/1/2
inline power
!
interface ethernet 1/1/3
inline power
!
interface ethernet 1/1/4
inline power
!

interface ethernet 1/2/1
dual-mode
!
interface ethernet 1/2/2
dual-mode
!
interface ethernet 1/2/3
dual-mode
!
interface ethernet 1/2/4
dual-mode
!
interface ethernet 1/2/5
dual-mode
!
interface ethernet 1/2/6
dual-mode
!
interface ethernet 1/2/7
dual-mode
!
interface ethernet 1/2/8
dual-mode
!
!

PC1 has the following configuration:

IP : 192.168.1.1 255.255.255.0 gtw 192.168.1.254

PC2 has the following configuration:

IP : 192.168.2.2 255.255.255.0 gtw 192.168.2.254

PC5 has the following configuration:

IP : 192.168.5.5 255.255.255.0 gtw 192.168.5.254

PC1Bis has the following configuration:

IP : 192.168.1.11 255.255.255.0 gtw 192.168.1.254

If I connect PC1 on port 1/1/1, PC2 on port 1/1/2, PC3 on port 1/1/3 and PC1Bis on port 1/1/4, everything works fine and all PCs can reach each other.

Now my problem:

I unplug PC2 from port 1/1/2 and plug it in on port 1/1/3.

    Normally, wrong IP config for vlan5.

    But surprise, this PC2 reaches its gateway 192.168.2.254.

    This PC can reach PC1 and PC1Bis.

    I can reach PC5 if I plug it in 1/1/2 or 1/1/6 or any other port with default config (untagged on vlan1).

    PC5 plugged in 1/1/2 (vlan2, with IP configuration for vlan5) can reach all other PCs.

I think this is strange and may leave many attack possibilities.

Perhaps I have something wrong in my configuration; can anyone help me?

To bypass this problem, I have booted one ICX7250 with L3 enabled.

Defined a router with a ve interface.

    By default, the wrong configuration does not work: if PCs do not have the right IP range for the connected vlan, they cannot reach other PCs and other PCs cannot reach them. If I manually add an ARP entry for the gateway, the wrong configuration can communicate!!! Same security issue I think, but no ARP answer in ICX7250.

I'm not sure, but I think the ve interface was not bound only to the associated VLAN interface.

Thanks in advance for any help to find a definitive solution or a bypass with sufficient security to prevent any risk.

Kind regards.

Gilles

External Moderator

Re: VDX6740 VCS, fabric virtual gateway, arp response, no isolated l3 traffic.

Gilles,

vlan 2 name Data by port
tagged ethe 1/1/2 ethe 1/2/1 to 1/2/8
untagged ethe 1/1/2
!
vlan 5 name Wifi-Invites by port
tagged ethe 1/1/2 ethe 1/2/1 to 1/2/8
untagged ethe 1/1/3
!

shows that you have configured a double VLAN (vlan2 and vlan5)?
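The double membership the moderator points at can be checked mechanically. As an added example, not code from the thread or from Brocade, this Python script parses the ICX VLAN block exactly as posted and flags a port that is both tagged and untagged in one VLAN, or untagged in one VLAN while tagged in another; the port-range expansion assumes a range stays within one unit and slot.

```python
import re
from collections import defaultdict
# Constructed sample input: the ICX7250 VLAN block exactly as posted in the thread.
SAMPLE_CONFIG = """\
vlan 1 name DEFAULT-VLAN by port
!
vlan 2 name Data by port
tagged ethe 1/1/2 ethe 1/2/1 to 1/2/8
untagged ethe 1/1/2
!
vlan 5 name Wifi-Invites by port
tagged ethe 1/1/2 ethe 1/2/1 to 1/2/8
untagged ethe 1/1/3
!
"""
def expand_ports(spec):
    """Expand 'ethe 1/1/2 ethe 1/2/1 to 1/2/8' into unit/slot/port names (a range is assumed to stay in one unit/slot)."""
    ports = []
    for unit, slot, first, last in re.findall(r"ethe (\d+)/(\d+)/(\d+)(?: to \d+/\d+/(\d+))?", spec):
        ports += [f"{unit}/{slot}/{p}" for p in range(int(first), int(last or first) + 1)]
    return ports

def parse_vlans(text):
    """Return {vlan_id: {'tagged': set(ports), 'untagged': set(ports)}} from a FastIron-style VLAN block."""
    vlans, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"vlan (\d+)\b", line)
        if m:
            cur = int(m.group(1))
            vlans[cur] = {"tagged": set(), "untagged": set()}
        elif cur is not None and line.split(" ")[0] in ("tagged", "untagged"):
            mode, spec = line.split(" ", 1)
            vlans[cur][mode].update(expand_ports(spec))
    return vlans

def find_conflicts(vlans):
    """Flag a port both tagged and untagged in one VLAN, and a port untagged in one VLAN yet tagged in another."""
    findings, per_port = [], defaultdict(lambda: {"tagged": set(), "untagged": set()})
    for vid, m in sorted(vlans.items()):
        for p in sorted(m["tagged"] & m["untagged"]):
            findings.append(f"port {p}: tagged and untagged in vlan {vid}")
        for mode in ("tagged", "untagged"):
            for p in m[mode]:
                per_port[p][mode].add(vid)
    # Tagged-only ports (the 1/2/1-1/2/8 uplinks) are trunks by design and are not flagged.
    for p, m in sorted(per_port.items()):
        extra = sorted(m["tagged"] - m["untagged"])
        if m["untagged"] and extra:
            findings.append(f"port {p}: untagged in vlan {sorted(m['untagged'])}, tagged in vlan {extra}")
    return findings
```

Run against the posted block it reports port 1/1/2 twice; with 1/1/2 dropped from the tagged lists, as in the corrected config later in the thread, it reports nothing.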

TechHelp24

Sorry, I need some news.

I am sorry, yesterday I added one post concerning virtual-router-gateway in a VDX environment.

Today I cannot see this post.

Thanks in advance for your feedback...

Kind regards.

Gilles

External Moderator

Re: Sorry, I need some news.

Gilles,

here is your thread, which I've moved to the correct Forum, as the question is related primarily to ICX Switches

http://community.brocade.com/t5/Ethernet-Switches-Routers/bd-p/ethernetswitches

you posted yesterday in VIRTUAL ROUTER/FIREWALL/VPN

http://community.brocade.com/t5/Ethernet-Switches-Routers/VDX6740-VCS-fabric-virtual-gateway-arp-response-no-isolated-l3/m-p/87120

BTW, you are again in the wrong Forum,

http://community.brocade.com/t5/Virtual-Router-Firewall-VPN/bd-p/virtual

I'll merge this thread with the old one.

TechHelp24

Re: VDX6740 VCS, fabric virtual gateway, arp response, no isolated l3 traffic.

Hi,

Thank you for your help.

Fabric-virtual-gateway is a feature of VDX6740 in VCS fabric mode. Not an ICX problem.

To bypass while awaiting a solution, I use an ICX7250 stack as a router, and it works fine.

Kind regards.

Gilles

External Moderator

Re: VDX6740 VCS, fabric virtual gateway, arp response, no isolated l3 traffic.

I moved the threads now to the VDX Forum.

TechHelp24

Re: VDX6740 VCS, fabric virtual gateway, arp response, no isolated l3 traffic.

Hi,

The right config is:

vlan 2 name Data by port
tagged ethe 1/2/1 to 1/2/8
untagged ethe 1/1/2
!
vlan 5 name Wifi-Invites by port
tagged ethe 1/2/1 to 1/2/8
untagged ethe 1/1/3
!

The uplink between VDX and ICX is on port 1/2/1.

Kind regards.

Gilles


Re: VDX6740 VCS, fabric virtual gateway, arp response, no isolated l3 traffic.

For ICX, I have found, I think...

My ICX has booted with the layer 2 firmware.

With this firmware, when I configure the management IP address with the following line:

ip address 192.168.1.36 255.255.255.0

and the following vlan configuration:

vlan 1 name DEFAULT-VLAN by port

vlan 2 name Data by port
untagged ethe 1/1/2

vlan 5 name Wifi by port
untagged ethe 1/1/3

If my PC has IP 192.168.1.77 255.255.255.0,

it is possible to ping 192.168.1.36 from my PC from any port, 1/1/1 or 1/1/2 or 1/1/3.

The IP address of the switch is not bound to a specific vlan.

I have turned my ICX to the L3 firmware with the following configuration:

vlan 1 name DEFAULT-VLAN by port
router-interface ve 1

vlan 2 name Data by port
untagged ethe 1/1/2

vlan 5 name Wifi by port
untagged ethe 1/1/3

interface ve 1
ip address 192.168.1.36 255.255.255.0

Now I can only ping this address from a port configured as untagged in vlan1.

The routing problem for VDX explained in my first post is still unresolved.

Kind regards.

Gilles
