jgard
New Contributor

Native VLAN's??


Hello all,

I need some help with native VLANs. When I plug in my web filter device (iprism) in line with my adtran I can't ping the device directly when I have the port untagged on my hp switch. I can however continue to ping everything else on the network. When I tag the port, I can ping the iprism but cannot ping anything else, including the router. I spoke directly with iPrism support, and they mentioned I need to figure out the native vlan on the adtran. Once I do that, I'll need to add it to the same vlan-id. I'm a bit confused since I thought the adtran would be aware of any of those vlans since it's inline using the same connection regardless. Any suggestions?

adtran 3430------> iprism-----> procurve L3


ip subnet-zero
ip classless
ip routing
!!!
ip domain-proxy
ip name-server 10.7.32.7 4.2.2.1
!

no auto-config
!

!
!

no dot11ap access-point-controller
!
!
!
!
!
!
qos map SET-DSCP 1
  match list VOIP
  set dscp 46
!
!
!
interface eth 0/1
  encapsulation 802.1q
  no shutdown
!
interface eth 0/1.1
  description Admin_Vlan
  vlan-id 20
  no shutdown
  ip address  10.7.32.1  255.255.255.0
  access-policy Private

interface eth 0/1.2
  description Student_Vlan
  vlan-id 2
  no shutdown
  ip address  10.9.32.1  255.255.255.0

interface eth 0/1.3
  description Voice_Vlan
  vlan-id 3
  shutdown
  ip address  10.8.32.3  255.255.255.0
  access-policy Private

!
interface eth 0/2
  no ip address
  shutdown
!
!
!
!

interface t1 1/1
  description Teacher
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface modem 1/1
  shutdown
!
interface ppp 1
  ip address  154.232.92.88  255.255.255.252
  access-policy Public
  no shutdown
  cross-connect 1 t1 1/1 1 ppp 1
!
!
!
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any

!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log

ip policy-class Private
  allow list self self
  nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
  ! Implicit discard!
!
!

ip route 0.0.0.0 0.0.0.0 154.232.92.88
ip route 10.7.12.0 255.255.255.0 10.7.32.11
ip route 10.8.19.0 255.255.255.0 10.7.32.11


Accepted Solutions
Anonymous
Not applicable

Re: Native VLAN's??


- Thanks for posting your question on the forum!

When you enable 802.1q on an ethernet interface of an AOS router, there is no default native VLAN set. You will need to go into one of the sub-interfaces and specify one of the VLANs as being the native. Keep in mind this is different than AOS switches, where if the switch is in trunk mode, the default native VLAN is 1. The command to do this is:

int eth 0/1.<sub-int>
  vlan-id <VLAN> native

Whichever VLAN you specify on the Adtran as your native VLAN, is the one you should probably set on the iprism.

Please do not hesitate to let us know if you have any further questions. Thanks.

Sincerely,

Noor
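
The native-VLAN behaviour described in this answer, as an added example that is not part of the original post and not Adtran code: a simplified Python model of how an 802.1Q trunk endpoint maps tagged and untagged frames to the sub-interfaces in the posted configuration. The frames are constructed, and the handling of untagged frames when no native VLAN is set (nothing claims them) is an assumption consistent with the answer.

```python
import struct

TPID_8021Q = 0x8100
# vlan-id -> sub-interface, taken from the posted configuration
SUBIFS = {20: "eth 0/1.1", 2: "eth 0/1.2", 3: "eth 0/1.3"}

def build_frame(vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed Ethernet frame; vid=None leaves it untagged."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + tag + struct.pack("!H", ethertype) + payload

def vlan_of(frame):
    """Return the 12-bit VLAN ID from the 802.1Q tag, or None if untagged."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits; the top 4 bits are PCP and DEI

def classify(frame, native=None):
    """Sub-interface that receives the frame, or None if nothing claims it."""
    vid = vlan_of(frame)
    if vid is None:
        vid = native  # untagged traffic belongs to the native VLAN, if one is set
    return SUBIFS.get(vid)

def egress(vid, native=None):
    """Frame as sent on the trunk: the native VLAN goes out untagged."""
    return build_frame(None if vid == native else vid)

if __name__ == "__main__":
    print(classify(build_frame()))                 # untagged, no native VLAN
    print(classify(build_frame(), native=20))      # untagged, VLAN 20 native
    print(classify(egress(20, native=20)))         # peer disagrees on native
```

The last case shows why both ends of the link have to agree: a frame sent untagged by a side that treats VLAN 20 as native is not placed in VLAN 20 by a side that expects it tagged.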

jgard
New Contributor

Re: Native VLAN's??


Awesome!!! That worked. I can now ping everything on the network including all other vlans. However, even though I can ping my servers it doesn't let me bring up any of the network shares. Any thoughts?

Anonymous
Not applicable

Re: Native VLAN's??


- Are you able to ping the servers by name? Usually network share issues tend to be related to the NetBIOS or WINS functionality in a network. The only way the NetVanta would be involved is if it was acting as the DNS server or if it was handing out the incorrect WINS/NetBIOS server information to clients via its DHCP server.

Let us know if you have any further questions.

Thanks,

Noor

jgard
New Contributor

Re: Native VLAN's??


Yes. I can ping by DNS names, and reverse look up works fine. However, I cannot ping from 10.7.12.0/24 into 10.7.32.0/24. Would I need an ACL to allow this? Perhaps that's what's causing it to drop the packets? If so, what would be the statement to allow this?

Thanks again,

Anonymous
Not applicable

Re: Native VLAN's??


- I think you are right. Traffic going between VLANs is being NATted to your public interface IP. You will need to add an allow rule to the 'Private' security zone to allow your VLAN subnets to talk to each other without being NATted.

For the networks you mentioned in your last post, there would need to be an 'allow' rule for traffic sourced from 10.7.12.0 /24 going to 10.7.32.0/24 and another rule for the return traffic (sourced from 10.7.32.0 /24 going to 10.7.12.0 /24).

Please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

jgard
New Contributor

Re: Native VLAN's??


Not sure what I'm missing, but it does look like it's NATing to my public IP. I added the following lines below, and moved it up on the list. Am I missing something?

ip access-list extended MCC
  permit ip 10.7.32.0 0.0.0.255  10.7.12.0 0.0.0.255
  permit ip 10.7.12.0 0.0.0.255  10.7.32.0 0.0.0.255

ip policy-class Private
  allow list MCC self
  allow list self self
  nat source list wizard-ics interface ppp 1 overload

Anonymous
Not applicable

Re: Native VLAN's??


- You are close. The only thing that you need to change is that "allow list MCC self" should be "allow list MCC". In the GUI, this would mean that the destination policy-class should be set to 'Any Security Zone'.

Let us know if you have any further questions.

Thanks,

Noor

jgard
New Contributor

Re: Native VLAN's??


No luck.... I'm still kinda new to all this, so I'm not sure where else to look or how to debug.

Anonymous
Not applicable

Re: Native VLAN's??


- Could you reply to this post with an updated version of your configuration? I would have thought the suggested change would have been it.

Thanks,

Noor

jgard
New Contributor

Re: Native VLAN's??

As mentioned, my port is tagged on the HP procurve 5406. Once I changed the interface to vlan-id 20 native, everything stops working. But changing it back works fine. The reason I need the native is to keep the web content filtering device to communicate between all devices. Thanks again.

Also, if I leave the native vlan and change the hp to untagged, everything works fine. But like I stated before, the network shares don't work.

ip subnet-zero
ip classless
ip routing
!!!
ip domain-proxy
ip name-server 10.7.32.7 4.2.2.1
!
no auto-config
!
!
!
no dot11ap access-point-controller
!
!
!
!
!
!
qos map SET-DSCP 1
  match list VOIP
  set dscp 46
!
!
!
interface eth 0/1
  encapsulation 802.1q
  no shutdown
!
interface eth 0/1.1
  description Admin_Vlan
  vlan-id 20 native
  no shutdown
  ip address  10.7.32.1  255.255.255.0
  access-policy Private

interface eth 0/1.2
  description Student_Vlan
  vlan-id 2
  no shutdown
  ip address  10.9.32.1  255.255.255.0

interface eth 0/1.3
  description Voice_Vlan
  vlan-id 3
  shutdown
  ip address  10.8.32.3  255.255.255.0
  access-policy Private
!
interface eth 0/2
  no ip address
  shutdown
!
!
!
!
interface t1 1/1
  description Teacher
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface modem 1/1
  shutdown
!
interface ppp 1
  ip address  154.232.92.88  255.255.255.252
  access-policy Public
  no shutdown
  cross-connect 1 t1 1/1 1 ppp 1
!
!
!
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log

ip access-list extended MCC
  permit ip 10.7.32.0 0.0.0.255  10.7.12.0 0.0.0.255
  permit ip 10.7.12.0 0.0.0.255  10.7.32.0 0.0.0.255

ip policy-class Private
  allow list MCC self
  allow list self self
  nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
  ! Implicit discard!
!
!
ip route 0.0.0.0 0.0.0.0 154.232.92.88
ip route 10.7.12.0 255.255.255.0 10.7.32.11
ip route 10.8.19.0 255.255.255.0 10.7.32.11

Anonymous
Not applicable

Re: Native VLAN's??


- Taking a look at your configuration, I still see you have the "self" option applied to "allow list MCC" statement. The order is correct, however, the Private security zone should look like this:

ip policy-class Private
  allow list MCC
  allow list self self
  nat source list wizard-ics interface ppp 1 overload

Let us know if you have any questions.

Thanks,

Noor
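
Why the `self` keyword on the MCC entry sends inter-VLAN traffic to the NAT rule, as an added example that is not part of the original thread and not Adtran code: a simplified first-match model of the 'Private' policy-class in Python. It assumes that an entry with destination `self` covers only traffic addressed to the router's own interfaces and that entries are checked top to bottom; the host addresses in the sample calls are constructed.

```python
from ipaddress import IPv4Address as IP

# Interface addresses from the posted configuration
ROUTER_ADDRS = {IP("10.7.32.1"), IP("10.9.32.1"), IP("10.8.32.3"),
                IP("154.232.92.88")}

def wc_match(addr, base, wildcard):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    care = ~int(IP(wildcard)) & 0xFFFFFFFF
    return int(IP(addr)) & care == int(IP(base)) & care

ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {  # (source, destination) pairs per access list, from the thread
    "MCC": [(("10.7.32.0", "0.0.0.255"), ("10.7.12.0", "0.0.0.255")),
            (("10.7.12.0", "0.0.0.255"), ("10.7.32.0", "0.0.0.255"))],
    "self": [(ANY, ANY)],
    "wizard-ics": [(ANY, ANY)],
}

def acl_permits(name, src, dst):
    return any(wc_match(src, *s) and wc_match(dst, *d) for s, d in ACLS[name])

def evaluate(policy, src, dst):
    """Return the action of the first matching entry, else 'discard'."""
    to_router = IP(dst) in ROUTER_ADDRS
    for action, acl, dest_zone in policy:
        if dest_zone == "self" and not to_router:
            continue  # entry only covers traffic addressed to the router itself
        if acl_permits(acl, src, dst):
            return f"{action} ({acl})"
    return "discard"

# (action, access list, destination policy-class); None means any zone
POSTED = [("allow", "MCC", "self"), ("allow", "self", "self"),
          ("nat", "wizard-ics", None)]
SUGGESTED = [("allow", "MCC", None), ("allow", "self", "self"),
             ("nat", "wizard-ics", None)]

if __name__ == "__main__":
    for name, policy in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, evaluate(policy, "10.7.12.50", "10.7.32.7"))
```

With the posted policy the 10.7.12.0/24 to 10.7.32.0/24 flow skips both `self` entries and lands on the NAT rule; with the suggested policy it matches MCC first and is allowed without translation, while Internet-bound traffic still reaches the NAT rule.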