4 Replies Latest reply on Sep 15, 2017 12:08 PM by curtc

    VLAN routing with permit ip any any

    curtc New Member

      I need to allow all traffic to and from two different VLANs with the 3430 doing the routing. This is an Adtran switch as well, and the switchport that connects to the router is in trunk mode.

      -------------------------------------------------------------------

      interface eth 0/2
        description LAN
        encapsulation 802.1q
        no shutdown

      interface eth 0/2.1
        vlan-id 1 native
        ip address 192.168.254.1 255.255.255.0
        ip access-policy Private
        no shutdown

      interface eth 0/2.200
        vlan-id 200
        ip address 192.168.200.1 255.255.255.0
        ip access-policy Private
        no shutdown

      ip policy-class Private
        allow list self self
        nat source list Internet address 207.xxx.xxx.xxx overload

      ip access-list extended self
        permit ip any any

      -------------------------------------------------------------------

      Do I need another line in the "ip policy-class Private" for the VLAN routing to work?  I almost think I would need to add "allow list self" along with "allow list self self".  Does this only allow "any" to talk to the 3430 itself?

       

      Thanks!

        • Re: VLAN routing with permit ip any any
          jayh Hall_of_Fame

          It's kind of confusing that Adtran by default uses the word "self" to name the ACL used to allow traffic to the Adtran itself. What "allow list self self" does is to allow the acl named "self" (first "self") to reach the Adtran itself (second "self"). It works, but it's difficult to grasp what it does. So that part of the configuration allows interfaces in policy Private to reach the Adtran for management, etc.

           I would add the following to allow the interfaces to pass traffic to each other:

           ip access-list extended permit-all-list
             permit ip any any

           ip policy-class Private
             allow list self self
             allow list permit-all-list policy Private
             nat source list Internet address 207.xxx.xxx.xxx overload

           This says:

           Allow interfaces in Private to reach the router
           Allow interfaces in Private to reach other interfaces in Private
           NAT matching list Internet to address 207.x.x.x

            • Re: VLAN routing with permit ip any any
              curtc New Member

               Thank you for the reply. I don't have the unit in front of me to test at the moment.

               Couldn't I then skip creating "permit-all-list" and just do this:

               ip policy-class Private
                 allow list self self
                 allow list self policy Private
                 nat source list Internet address 207.xxx.xxx.xxx overload

               Thanks!

                • Re: VLAN routing with permit ip any any
                  jayh Hall_of_Fame

                  You can, and it will work fine, but this adds to the confusion of a named variable matching a keyword.

                   

                  I've gotten into the habit of naming things after what they actually do. ACLs end in -list, route-maps end in -map, tracks in -track, etc.

                   

                   Another problem with reusing the ACL: suppose some months later you want to modify which subnets are able to access the management interface. You look at the configuration and see that it's ACL "self", so you edit it. It isn't immediately obvious that the same ACL is used for the Private policy, so when you change the ACL you wind up breaking the routing.

                   

                  It takes a few extra keystrokes but makes later troubleshooting and modification a lot less painful.

                   

                  If you really want to obfuscate things, try naming your variables "no", "interface", "ip", "reload", "shutdown", "route-map", "ipv6", etc.

                   EDIT: Please don't actually do this. Your co-workers and, should you ever need them, Adtran tech support will hate you. It was fun in the lab on April 1.
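As an added illustration (not from the thread, and not an Adtran tool), a small Python checker that reads an AOS-style configuration in the form pasted above and flags the two pitfalls jayh describes: a policy-class whose VLAN interfaces have no "allow ... policy" entry back into the same class, and an ACL that is shared between the "self" (management) allow and a routing allow. The sample config and the 203.0.113.10 NAT address are constructed for the example.

```python
from collections import defaultdict

# Constructed sample (not from the device): the poster's two VLAN interfaces plus
# the shortcut proposed later in the thread, "allow list self policy Private".
SAMPLE_CONFIG = """\
interface eth 0/2.1
  ip access-policy Private
interface eth 0/2.200
  ip access-policy Private
ip policy-class Private
  allow list self self
  allow list self policy Private
  nat source list Internet address 203.0.113.10 overload
ip access-list extended self
  permit ip any any
"""

def parse(text):
    """Return interface -> policy-class and policy-class -> [(acl, target)] maps."""
    iface_policy, allows, section = {}, defaultdict(list), []
    for raw in filter(str.strip, text.splitlines()):
        words = raw.split()
        if not raw.startswith(" "):          # an unindented line starts a new section
            section = words
        elif section[:1] == ["interface"] and words[:2] == ["ip", "access-policy"]:
            iface_policy[" ".join(section[1:])] = words[2]
        elif section[:2] == ["ip", "policy-class"] and words[:2] == ["allow", "list"]:
            # forms: "allow list <acl> self" or "allow list <acl> policy <class>"
            allows[section[2]].append((words[2], "self" if words[3] == "self" else words[4]))
    return iface_policy, allows

def audit(text):
    """Flag the two pitfalls from the thread for every policy-class assigned to interfaces."""
    iface_policy, allows = parse(text)
    members = defaultdict(list)
    for iface, pol in iface_policy.items():
        members[pol].append(iface)
    findings = []
    for pol, ifaces in members.items():
        rules = allows[pol]
        # 1: several VLANs in one class but no allow back into that class -> no routing between them
        if len(ifaces) > 1 and pol not in {t for _, t in rules}:
            findings.append(f"{pol}: no 'allow list ... policy {pol}'; no inter-VLAN routing")
        # 2: one ACL used for both management ('self') and routing -> editing it changes both
        used_for = {acl: {t for a, t in rules if a == acl} for acl, _ in rules}
        for acl, targets in used_for.items():
            if len(targets) > 1:
                findings.append(f"{pol}: ACL '{acl}' shared by {sorted(targets)}; edits hit both")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the shared "self" ACL; feeding it the original post's config instead reports the missing inter-VLAN allow, and jayh's version with a separate permit-all-list reports nothing.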