Dell 7000 Series manual Creating a Separate Vlan for File Downloads, Ftp

Creating a Separate VLAN for File Downloads

When updating the firmware, it is helpful to keep the in-band management port in a different VLAN and configure the port VLAN ID (PVID) appropriately to avoid the possibility of network congestion or flooding issues impacting the file download.

The CLI commands in the following example show how to configure port gi1/0/17 as an in-band management port for firmware downloads or management access.

console#configure

console (config)#vlan database console (vlan)#vlan 1000 console (vlan)#exit

console (config)#interface vlan 1000

console (config-if-vlan1000)#ip address 192.168.21.11 255.255.255.0 console (config-if-vlan1000)#exit

console (Config)#interface ethernet gi1/0/17 console (config-if-gi1/0/7)#switchport mode general console (config-if-gi1/0/7)#switchport general pvid 1000

console (config-if-gi1/0/7)#switchport general allowed vlan add 1000 console (config-if-gi1/0/7)#switchport general allowed vlan remove 1 console (config-if-gi1/0/7)#exit

console (config-macal)#management access-list MGMT_VLAN

console (config-macal)#permit ip-source 192.168.21.0 mask /24 vlan 1000 console (config-macal)#service ssh

console (config-macal)#exit

console (config)#management access-class MGMT_VLAN

The switch now segregates traffic arriving on port gi1/0/17 onto VLAN 1000. All untagged packets that enter the port are tagged with a VLAN ID of 1000. Additionally, only hosts with an IP address in the 192.168.21.XXX subnet are allowed access to the switch using SSH. The 192.168.XXX.XXX address block is a private address space per RFC 1918. As an added security measure, network administrators can configure their organization’s edge routers to drop ingress and egress traffic destined to this address block.

Page 11