11 Replies. Latest reply on Jul 11, 2013 12:43 PM by noor.

    Native VLAN's??

    jgard New Member

      Hello all,

      I need some help with native VLANs. When I plug in my web filter device (iPrism) in line with my Adtran, I can't ping the device directly when I have the port untagged on my HP switch. I can, however, continue to ping everything else on the network. When I tag the port, I can ping the iPrism but cannot ping anything else, including the router. I spoke directly with iPrism support, and they mentioned I need to figure out the native VLAN on the Adtran. Once I do that, I'll need to add it to the same VLAN ID. I'm a bit confused since I thought the Adtran would be aware of any of those VLANs since it's inline using the same connection regardless. Any suggestions?

      adtran 3430 ------> iprism -----> procurve L3


      ip subnet-zero
      ip classless
      ip routing
      !!!
      ip domain-proxy
      ip name-server 10.7.32.7 4.2.2.1
      !
      no auto-config
      !
      !
      !
      no dot11ap access-point-controller
      !
      !
      !
      !
      !
      !
      qos map SET-DSCP 1
        match list VOIP
        set dscp 46
      !
      !
      !
      interface eth 0/1
        encapsulation 802.1q
        no shutdown
      !
      interface eth 0/1.1
        description Admin_Vlan
        vlan-id 20
        no shutdown
        ip address  10.7.32.1  255.255.255.0
        access-policy Private

      interface eth 0/1.2
        description Student_Vlan
        vlan-id 2
        no shutdown
        ip address  10.9.32.1  255.255.255.0

      interface eth 0/1.3
        description Voice_Vlan
        vlan-id 3
        shutdown
        ip address  10.8.32.3  255.255.255.0
        access-policy Private
      !
      interface eth 0/2
        no ip address
        shutdown
      !
      !
      !
      !
      interface t1 1/1
        description Teacher
        tdm-group 1 timeslots 1-24 speed 64
        no shutdown
      !
      interface modem 1/1
        shutdown
      !
      interface ppp 1
        ip address  154.232.92.88  255.255.255.252
        access-policy Public
        no shutdown
        cross-connect 1 t1 1/1 1 ppp 1
      !
      !
      !
      !
      !
      !
      !
      ip access-list standard wizard-ics
        remark Internet Connection Sharing
        permit any
      !
      ip access-list extended self
        remark Traffic to NetVanta
        permit ip any any log

      ip policy-class Private
        allow list self self
        nat source list wizard-ics interface ppp 1 overload
      !
      ip policy-class Public
        ! Implicit discard!
      !
      !
      ip route 0.0.0.0 0.0.0.0 154.232.92.88
      ip route 10.7.12.0 255.255.255.0 10.7.32.11
      ip route 10.8.19.0 255.255.255.0 10.7.32.11

        • Re: Native VLAN's??
          Employee

          jgard - Thanks for posting your question on the forum!

          When you enable 802.1q on an ethernet interface of an AOS router, there is no default native VLAN set. You will need to go into one of the sub-interfaces and specify one of the VLANs as being the native. Keep in mind this is different than AOS switches, where if the switch is in trunk mode, the default native VLAN is 1. The command to do this is:

          int eth 0/1.<sub-int>
            vlan-id <VLAN> native

          Whichever VLAN you specify on the Adtran as your native VLAN is the one you should probably set on the iPrism.

          Please do not hesitate to let us know if you have any further questions. Thanks.

          Sincerely,

          Noor

            • Re: Native VLAN's??
              jgard New Member

              Awesome!!! That worked. I can now ping everything on the network, including all other VLANs. However, even though I can ping my servers, it doesn't let me bring up any of the network shares. Any thoughts?

                • Re: Native VLAN's??
                  Employee

                  jgard - Are you able to ping the servers by name? Usually network share issues tend to be related to the NetBIOS or WINS functionality in a network. The only way the NetVanta would be involved is if it was acting as the DNS server or if it was handing out the incorrect WINS/NetBIOS server information to clients via its DHCP server.

                  Let us know if you have any further questions.

                  Thanks,

                  Noor

                    • Re: Native VLAN's??
                      jgard New Member

                      Yes. I can ping by DNS names, and reverse lookup works fine. However, I cannot ping from 10.7.12.0/24 into 10.7.32.0/24. Would I need an ACL to allow this? Perhaps that's what's causing it to drop the packets? If so, what would be the statement to allow this?

                      Thanks again,

                        • Re: Native VLAN's??
                          Employee

                          jgard - I think you are right. Traffic going between VLANs is being NATted to your public interface IP. You will need to add an allow rule to the 'Private' security zone to allow your VLAN subnets to talk to each other without being NATted.

                          For the networks you mentioned in your last post, there would need to be an 'allow' rule for traffic sourced from 10.7.12.0/24 going to 10.7.32.0/24 and another rule for the return traffic (sourced from 10.7.32.0/24 going to 10.7.12.0/24).

                          Please do not hesitate to let us know if you have any further questions.

                          Thanks,

                          Noor

                            • Re: Native VLAN's??
                              jgard New Member

                              Not sure what I'm missing, but it does look like it's NATting to my public IP. I added the following lines and moved them up on the list. Am I missing something?

                              ip access-list extended MCC
                                permit ip 10.7.32.0 0.0.0.255  10.7.12.0 0.0.0.255
                                permit ip 10.7.12.0 0.0.0.255  10.7.32.0 0.0.0.255

                              ip policy-class Private
                                allow list MCC self
                                allow list self self
                                nat source list wizard-ics interface ppp 1 overload

                                • Re: Native VLAN's??
                                  Employee

                                  jgard - You are close. The only thing that you need to change is that "allow list MCC self" should be "allow list MCC". In the GUI, this would mean that the destination policy-class should be set to 'Any Security Zone'.

                                  Let us know if you have any further questions.

                                  Thanks,

                                  Noor

                                    • Re: Native VLAN's??
                                      jgard New Member

                                      No luck.... I'm still kinda new to all this, so I'm not sure where else to look or how to debug.

                                        • Re: Native VLAN's??
                                          Employee

                                          jgard - Could you reply to this post with an updated version of your configuration? I would have thought the suggested change would have been it.

                                          Thanks,

                                          Noor

                                            • Re: Native VLAN's??
                                              jgard New Member
                                              As mentioned, my port is tagged on the HP ProCurve 5406. Once I changed the interface to vlan-id 20 native, everything stops working. But changing it back works fine. The reason I need the native is to let the web content filtering device communicate with all devices. Thanks again.
                                              Also.... if I leave the native VLAN and change the HP to untagged, everything works fine. But like I stated before, the network shares don't work.

                                              ip subnet-zero
                                              ip classless
                                              ip routing
                                              !!!
                                              ip domain-proxy
                                              ip name-server 10.7.32.7 4.2.2.1
                                              !
                                              no auto-config
                                              !
                                              !
                                              !
                                              no dot11ap access-point-controller
                                              !
                                              !
                                              !
                                              !
                                              !
                                              !
                                              qos map SET-DSCP 1
                                                match list VOIP
                                                set dscp 46
                                              !
                                              !
                                              !
                                              interface eth 0/1
                                                encapsulation 802.1q
                                                no shutdown
                                              !
                                              interface eth 0/1.1
                                                description Admin_Vlan
                                                vlan-id 20 native
                                                no shutdown
                                                ip address  10.7.32.1  255.255.255.0
                                                access-policy Private

                                              interface eth 0/1.2
                                                description Student_Vlan
                                                vlan-id 2
                                                no shutdown
                                                ip address  10.9.32.1  255.255.255.0

                                              interface eth 0/1.3
                                                description Voice_Vlan
                                                vlan-id 3
                                                shutdown
                                                ip address  10.8.32.3  255.255.255.0
                                                access-policy Private
                                              !
                                              interface eth 0/2
                                                no ip address
                                                shutdown
                                              !
                                              !
                                              !
                                              !
                                              interface t1 1/1
                                                description Teacher
                                                tdm-group 1 timeslots 1-24 speed 64
                                                no shutdown
                                              !
                                              interface modem 1/1
                                                shutdown
                                              !
                                              interface ppp 1
                                                ip address  154.232.92.88  255.255.255.252
                                                access-policy Public
                                                no shutdown
                                                cross-connect 1 t1 1/1 1 ppp 1
                                              !
                                              !
                                              !
                                              !
                                              !
                                              !
                                              !
                                              ip access-list standard wizard-ics
                                                remark Internet Connection Sharing
                                                permit any
                                              !
                                              ip access-list extended self
                                                remark Traffic to NetVanta
                                                permit ip any any log

                                              ip access-list extended MCC
                                                permit ip 10.7.32.0 0.0.0.255  10.7.12.0 0.0.0.255
                                                permit ip 10.7.12.0 0.0.0.255  10.7.32.0 0.0.0.255

                                              ip policy-class Private
                                                allow list MCC self
                                                allow list self self
                                                nat source list wizard-ics interface ppp 1 overload
                                              !
                                              ip policy-class Public
                                                ! Implicit discard!
                                              !
                                              !
                                              ip route 0.0.0.0 0.0.0.0 154.232.92.88
                                              ip route 10.7.12.0 255.255.255.0 10.7.32.11
                                              ip route 10.8.19.0 255.255.255.0 10.7.32.11

                                                • Re: Native VLAN's??
                                                  Employee

                                                  jgard - Taking a look at your configuration, I still see you have the "self" option applied to the "allow list MCC" statement. The order is correct; however, the Private security zone should look like this:

                                                  ip policy-class Private
                                                    allow list MCC
                                                    allow list self self
                                                    nat source list wizard-ics interface ppp 1 overload

                                                  Let us know if you have any questions.

                                                  Thanks,

                                                  Noor
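To make the policy-class behaviour discussed in this thread concrete, here is an added example (not ADTRAN's code and not from any post above): a small first-match evaluator for the Private zone built from the posted ACLs. It assumes the destination zone of a packet is known from its egress interface and that an entry with a destination policy-class only matches traffic bound for that zone, which is how the replies describe "allow list MCC self" versus "allow list MCC".

```python
import ipaddress

# ppp 1 address from the posted config; NAT overload rewrites the source to it.
PUBLIC_IP = "154.232.92.88"

def wildcard_match(addr, network, wildcard):
    """AOS/IOS-style wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

# Access lists from the thread: (src, src-wildcard, dst, dst-wildcard).
ACLS = {
    "MCC": [("10.7.32.0", "0.0.0.255", "10.7.12.0", "0.0.0.255"),
            ("10.7.12.0", "0.0.0.255", "10.7.32.0", "0.0.0.255")],
    "self": [("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")],
    "wizard-ics": [("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")],
}

def acl_permits(name, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACLS[name])

def evaluate(policy, src, dst, dst_zone):
    """First-match walk of a policy-class. Entries are (action, acl, dest-zone);
    dest-zone None is 'Any Security Zone'. Returns (verdict, source seen by dst)."""
    for action, acl, to_zone in policy:
        if not acl_permits(acl, src, dst):
            continue
        if to_zone is not None and to_zone != dst_zone:
            continue  # assumption: a zone-qualified entry matches only that zone
        if action == "allow":
            return ("allow", src)
        if action == "nat":
            return ("nat", PUBLIC_IP)
    return ("discard", None)  # implicit discard at the end of a policy-class

# jgard's attempt: the MCC rule is restricted to the 'self' zone (the router).
POSTED = [("allow", "MCC", "self"), ("allow", "self", "self"),
          ("nat", "wizard-ics", None)]
# Noor's correction: 'allow list MCC' with destination 'Any Security Zone'.
FIXED = [("allow", "MCC", None), ("allow", "self", "self"),
         ("nat", "wizard-ics", None)]

if __name__ == "__main__":
    pkt = ("10.7.12.5", "10.7.32.10", "Private")  # constructed inter-VLAN ping
    print("posted:", evaluate(POSTED, *pkt))  # falls through to NAT
    print("fixed: ", evaluate(FIXED, *pkt))   # allowed, source unchanged
```

Running it shows why the inter-VLAN ping reached the router but not the servers: with the zone-qualified entry the packet skips both allow rules and is matched by the nat entry.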