3 Replies Latest reply on Oct 7, 2014 11:33 AM by levi

    Netvanta 3120 traffic not traversing between WANs

    mainenetworks New Member

      I have (2) 3120 routers connected via a layer 2 point to point.  Both routers are configured as follows: eth 0/1 is Internet, Switchport 1 is VLAN1 (LAN), Switchport 2 is VLAN2 (point to point).

      VLAN1 on Router 1 is set with an IP of 10.0.0.254.  VLAN1 on Router 2 is set with an IP of 10.1.0.254.

      VLAN2 on Router 1 is set with an IP of 192.168.0.1.  VLAN2 on Router 2 is set with an IP of 192.168.0.2.

      Router 1 can ping from VLAN1 (10.0.0.254) to VLAN2 (192.168.0.1).  Router 2 can ping from VLAN1 (10.1.0.254) to VLAN2 (192.168.0.2).

      Router 1 can ping from VLAN2 (192.168.0.1) to Router 2 VLAN2 (192.168.0.2).  Router 2 can ping from VLAN2 (192.168.0.2) to Router 1 VLAN2 (192.168.0.1).

      However, Router 1 VLAN1 (10.0.0.254) ping fails to Router 2 VLAN1 (10.1.0.254).

      I have static route entries for 10.1.0.0/16 and 10.0.0.0/16.

      Both VLAN1 and VLAN2 are in the same Private access policy with extended access lists that should allow traffic to flow.  I've read the Quick Start Guide on Intervlan routing and am not sure what I am missing.  Any insight is appreciated.

      Here are my configs:

       

      Router 1:

      ! ADTRAN OS version R11.4.1.E

      ! Boot ROM version 17.01.01.00

      ! Platform: NetVanta 3120, part number 1700601G2

      ! Serial number LBADTN1320AM847

      !

      hostname "Westbrook"

      enable password password

      !

      clock timezone -5-Eastern-Time

      !

      ip subnet-zero

      ip classless

      ip routing

      domain-name "mainenet.local"

      domain-proxy

      name-server 69.49.138.3 72.55.232.3 

      !

      no auto-config

      !

      event-history on

      no logging forwarding

      logging forwarding priority-level info

      no logging email

      !

      no service password-encryption

      !

      username "admin" password "password"

      username "root" password "password"

      !

      ip policy-timeout tcp 1723 14400

      !

      ip firewall

      no ip firewall alg msn

      no ip firewall alg mszone

      no ip firewall alg h323

      no ip firewall alg sip

      !

      no dot11ap access-point-control

      !

      qos map "DSCP 46" 1

        match any

      !

      vlan 1

        name "Default" 

      !

      vlan 2

        name "Westbrook - Brewer" 

      !

      interface eth 0/1

        description Oxford Networks

        ip address  69.49.134.204  255.255.255.248 

        ip access-policy Public

        qos-policy in "DSCP 46"

        qos-policy out "DSCP 46"

        no awcp

        no shutdown

        no lldp send-and-receive

      !

      interface switchport 0/1

        no shutdown

      !

      interface switchport 0/2

        no shutdown

        switchport access vlan 2

      !

      interface switchport 0/3

        no shutdown

      !

      interface switchport 0/4

        no shutdown

      !

      interface vlan 1

        ip address  10.0.0.254  255.255.0.0 

        ip access-policy Private

        no shutdown

      !

      interface vlan 2

        ip address  192.168.0.1  255.255.255.0 

        ip mtu 1500

        ip access-policy Private

        no rtp quality-monitoring

        no awcp

        no shutdown

      !

      ip access-list standard ics

        remark NAT list ics

        permit any

        remark Internet Connection Sharing

      !

      ip access-list extended Data

        permit ip any  any    

        remark allow Non Voice

      !

      ip access-list extended gre-allow

        remark GRE-allow

        permit gre any  host 69.49.134.204     log

      !

      ip access-list extended http-allow

        remark vmail

        permit tcp any  host 69.49.134.204 eq www   log

      !

      ip access-list extended https-allow

        remark https-allow

        permit tcp any  host 69.49.134.204 eq https   log

      !

      ip access-list extended phone-allow

        remark phone port 5001

        permit tcp any  host 69.49.134.204 eq 5001   log

      !

      ip access-list extended phone1-allow

        remark non-vpnphone-allow

        permit udp any  host 69.49.134.204 range 6004 6999    log

      !

      ip access-list extended phone2-allow

        remark non-vpnphone-allow

        permit tcp any  host 69.49.134.204 eq 50000   log

      !

      ip access-list extended pptp-allow

        remark PPTP

        permit tcp any  host 69.49.134.204 eq 1723   log

      !

      ip access-list extended rdp-allow

        remark RDP-allow

        permit tcp 69.49.134.200 0.0.0.7  host 69.49.134.204 eq 3389   log

      !

      ip access-list extended self

        remark Traffic to UNIT

        permit ip any  any     log

      !

      ip access-list extended smtp-allow

        remark smtp-allow

        permit tcp any  host 69.49.134.204 eq smtp   log

      !

      ip access-list extended smtp-block

        remark block all except server

        permit tcp host 10.0.0.1  any eq smtp   log

        deny   tcp any  any eq smtp   log

      !

      ip access-list extended vmail-allow

        remark vmail-allow

        permit tcp any  host 24.39.42.18 eq 13777   log

      !

      ip access-list extended VLAN1-to-VLAN2

        remark Allow VLAN1 to VLAN2

        permit ip 10.0.0.0 0.255.255.255  192.168.0.0 0.0.0.255    

      !

      ip access-list extended VLAN2-toVLAN1

        remark Allow VLAN2 to VLAN1

        permit ip 192.168.0.0 0.0.0.255  10.0.0.0 0.255.255.255    

      !

      ip policy-class Private

        allow list self self

        allow list VLAN1-to-VLAN2 stateless

        allow list VLAN1-to-VLAN2 stateless

        nat source list ics interface eth 0/1 overload

        allow list smtp-block

      !

      ip policy-class Public

        nat destination list smtp-allow address 10.0.0.1

        nat destination list gre-allow address 10.0.0.1

        nat destination list pptp-allow address 10.0.0.1

        nat destination list https-allow address 10.0.0.1

        nat destination list http-allow address 10.0.0.162

        nat destination list vmail-allow address 10.0.0.162

        nat destination list phone-allow address 10.0.0.160

        nat destination list phone2-allow address 10.0.0.160

        nat destination list phone1-allow address 10.0.0.161

      !

      !

      ip route 0.0.0.0 0.0.0.0 69.49.134.201

      ip route 10.1.0.0 255.255.0.0 192.168.0.1

      !

      no tftp server

      no tftp server overwrite

      http server

      http secure-server

      no snmp agent

      no ip ftp server

      ip ftp server default-filesystem flash

      no ip scp server

      no ip sntp server

      !

      sip udp 5060

      sip tcp 5060

      !

      line con 0

        login

      !

      line telnet 0 4

        login local-userlist

        password password

        no shutdown

      line ssh 0 4

        login local-userlist

        no shutdown

      !

      ntp peer 10.0.0.1

      !

      end

      __________________________________________________________________

      Router 2:

       

      ! ADTRAN OS version R11.4.1.E

      ! Boot ROM version 17.01.01.00

      ! Platform: NetVanta 3120, part number 1700601G2

      ! Serial number LBADTN1413AM003

      !

      hostname "Brewer"

      enable password password

      !

      clock timezone -5-Eastern-Time

      !

      ip subnet-zero

      ip classless

      ip routing

      domain-name "mainenet.local"

      domain-proxy

      name-server 69.49.138.3 72.55.232.129 

      !

      no auto-config

      !

      event-history on

      no logging forwarding

      logging forwarding priority-level info

      no logging email

      !

      no service password-encryption

      !

      username "admin" password "password"

      username "root" password "password"

      !

      ip policy-timeout tcp 1723 14400

      !

      ip firewall

      no ip firewall alg msn

      no ip firewall alg mszone

      no ip firewall alg h323

      no ip firewall alg sip

      !

      no dot11ap access-point-control

      !

      ip dhcp excluded-address 10.1.0.1 10.1.0.254

      !

      ip dhcp pool "Private"

        network 10.1.0.0 255.255.0.0

        domain-name "colonialadj.local"

        dns-server 10.0.0.1 10.1.0.254 69.49.138.3 72.55.232.3

        netbios-name-server 10.0.0.1

        netbios-node-type h-node

        default-router 10.1.0.254

        ntp-server 10.0.0.1

      !

      qos map "DSCP 46" 1

        match any

      !

      vlan 1

        name "Default" 

      !

      vlan 2

        name "Westbrook-Brewer" 

      !

      interface eth 0/1

        description Oxford Networks

        ip address  69.49.134.205  255.255.255.248 

        ip access-policy Public

        no rtp quality-monitoring

        no awcp

        no shutdown

        no lldp send-and-receive

      !

      interface switchport 0/1

        no shutdown

      !

      interface switchport 0/2

        no shutdown

        switchport access vlan 2

      !

      interface switchport 0/3

        no shutdown

      !

      interface switchport 0/4

        no shutdown

      !

      interface vlan 1

        ip address  10.1.0.254  255.255.0.0 

        ip access-policy Private

        no shutdown

      !

      interface vlan 2

        ip address  192.168.0.2  255.255.255.0 

        ip access-policy Private

        no awcp

        no shutdown

      !

      ip access-list standard ics

        remark NAT list ics

        permit any

        remark Internet Connection Sharing

      !

      !

      ip access-list extended Data

        permit ip any  any    

        remark allow Non Voice

      !

      ip access-list extended self

        remark Traffic to UNIT

        permit ip any  any     log

      !

      ip access-list extended smtp-block

        remark Block SMTP

        deny   tcp any  any eq smtp   log

      !

      ip access-list extended P2P1

        remark Allow VLAN1-to-VLAN2

        permit ip 10.0.0.0 0.255.255.255  192.168.0.0 0.0.0.255    

      !

      ip access-list extended P2P2

        remark Allow VLAN2-to-VLAN1

        permit ip 192.168.0.0 0.0.0.255  10.0.0.0 0.255.255.255      

      !

      ip policy-class Private

        allow list self self

        allow list P2P1 stateless

        allow list P2P2 stateless

        nat source list ics interface eth 0/1 overload

        allow list smtp-block

      !

      ip policy-class Public

        ! Implicit discard

      !

      !

      ip route 0.0.0.0 0.0.0.0 69.49.134.201

      ip route 10.0.0.0 255.255.0.0 192.168.0.2

      !

      no tftp server

      no tftp server overwrite

      http server

      http secure-server

      no snmp agent

      no ip ftp server

      ip ftp server default-filesystem flash

      no ip scp server

      no ip sntp server

      !

      sip udp 5060

      sip tcp 5060

      !

      line con 0

        login

      !

      line telnet 0 4

        login local-userlist

        password password

        no shutdown

      line ssh 0 4

        login local-userlist

        no shutdown

      !

      ntp peer 10.0.0.1

      ntp peer ntp.colby.edu

      !

      end

        • Re: Netvanta 3120 traffic not traversing between WANs
          jayh Hall_of_Fame

          Your next-hop on the static routes points to the local device instead of the remote. 

           

          On router 1:

          no ip route 10.1.0.0 255.255.0.0 192.168.0.1

          ip route 10.1.0.0 255.255.0.0 192.168.0.2


          On router 2:

          no ip route 10.0.0.0 255.255.0.0 192.168.0.2

          ip route 10.0.0.0 255.255.0.0 192.168.0.1

          • Re: Netvanta 3120 traffic not traversing between WANs
            mainenetworks New Member

            Gateways of the static routes were incorrect as jayh noted.

             

            In addition I had to add the following access-lists:

             

            ip access-list extended P2P

                permit ip 10.0.0.0 0.255.255.255  10.0.0.0 0.255.255.255

             

            assign the access list to Private:

              ip policy-class Private

                allow list P2P

             

            assign the Private policy to the interfaces:

              interface vlan 1

                ip address  10.0.0.254  255.255.0.0

                ip access-policy Private

             

              interface vlan 2

                ip address  192.168.0.1  255.255.255.0

                ip access-policy Private

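A check for both problems identified in this thread, as an added example that is not part of the original posts: it flags static routes whose next hop is one of the router's own interface addresses, and it lists which of the posted access lists have match criteria covering a given source/destination pair. The config excerpt and ACL table are constructed from values shown in the thread; the function names are hypothetical and only the `permit ip <src> <wildcard> <dst> <wildcard>` entry form is handled.

```python
import ipaddress
import re

# Constructed excerpt using Router 1's addresses and routes as posted above.
ROUTER1 = """
interface vlan 1
  ip address  10.0.0.254  255.255.0.0
interface vlan 2
  ip address  192.168.0.1  255.255.255.0
ip route 0.0.0.0 0.0.0.0 69.49.134.201
ip route 10.1.0.0 255.255.0.0 192.168.0.1
"""

# Match criteria copied from the thread (two original lists plus the added P2P list).
ACLS = {
    "VLAN1-to-VLAN2": "permit ip 10.0.0.0 0.255.255.255  192.168.0.0 0.0.0.255",
    "VLAN2-toVLAN1": "permit ip 192.168.0.0 0.0.0.255  10.0.0.0 0.255.255.255",
    "P2P": "permit ip 10.0.0.0 0.255.255.255  10.0.0.0 0.255.255.255",
}

def local_addresses(cfg):
    """Every address configured with 'ip address' on this router."""
    found = re.findall(r"^\s*ip address\s+(\S+)\s+\S+", cfg, re.M)
    return {ipaddress.ip_address(a) for a in found}

def self_pointing_routes(cfg):
    """Static routes whose next hop is one of the router's own interface IPs."""
    own = local_addresses(cfg)
    routes = re.findall(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M)
    return [(f"{net} {mask}", hop) for net, mask, hop in routes
            if ipaddress.ip_address(hop) in own]

def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)

def acl_permits(entry, src, dst):
    f = entry.split()
    return (f[:2] == ["permit", "ip"]
            and wildcard_match(src, f[2], f[3])
            and wildcard_match(dst, f[4], f[5]))

def matching_lists(src, dst):
    """Names of the lists whose criteria cover the src -> dst flow."""
    return [name for name, e in ACLS.items() if acl_permits(e, src, dst)]

if __name__ == "__main__":
    print(self_pointing_routes(ROUTER1))               # the misdirected route
    print(matching_lists("10.0.0.254", "10.1.0.254"))  # LAN-to-LAN flow
```
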
            • Re: Netvanta 3120 traffic not traversing between WANs
              levi Employee

              mainenetworks:

               

              I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

               

              Thanks,

               

              Levi