mrchrisosburn
New Contributor II

Private Vlan to Private Vlan shows public vlan IP as source address

Hi all,

Not sure where to start with this, but when I have inter-VLAN communication the source address for the receiving VLAN is the address of the public VLAN interface.

I just built out the config on this router yesterday and I'm sure I'm just missing a small thing.

Thanks in advance

-Christopher

jayh
Honored Contributor

Re: Private Vlan to Private Vlan shows public vlan IP as source address

I'm having difficulty understanding what the problem is. By design the source IP of the connection traverses the network by default. This is the way that return traffic can be forwarded to the source.

Could you give a specific example of from what source IP and interface and to what destination IP and interface you are testing, as well as what you are seeing and what you are expecting?

It also seems as if you have disabled route-cache on all of your interfaces, why?

VPN configuration also seems incomplete.

mrchrisosburn
New Contributor II

Re: Private Vlan to Private Vlan shows public vlan IP as source address

Hi,

Thanks for getting back to me so quickly.

The issue is there are a few PCs on the voice side of the network, and when they connect to something on the data side the source IP address is that of the default VLAN.

So when 192.168.200.50 connects to 10.0.0.253, the source address on 10.0.0.253 is 67.50.xx.xx. It's like it's performing NAT internally, which is something I would like to avoid.

I saw route cache was disabled after I posted; it was a default configuration and I overlooked it. It's enabled now.

VPN configuration was removed from the uploaded document.

Thanks

-Christopher

P.S. I saw you were the featured member on the home page, congratulations


Re: Private Vlan to Private Vlan shows public vlan IP as source address

I figured it out.

There was an auto-generated NAT policy "NAT list wizard-ics" which had the destination security zone to "<Any Security Zone>". I changed it to "Public", added allow policies for the two vlans and now everything is working as it should.

Thanks for your help. If you wouldn't have replied, it would have never dawned on me that it was performing NAT internally.

-Christopher

jayh
Honored Contributor

Re: Private Vlan to Private Vlan shows public vlan IP as source address

One thing to do if you have several interfaces in the same zone that you want to communicate:

Create an ACL to allow any:

ip access-list extended pvt-all-list
  remark allow pvt-to-pvt
  permit ip any any log

Then apply that first in the security zone with policy of the same zone:

ip policy-class Private
  allow list pvt-all-list policy Private
  nat source list web-acl-5 address XXXXXXXXXX overload policy Public
  nat source list web-acl-6 address XXXXXXXXXX overload policy Public
  nat source list web-acl-7 address XXXXXXXXXX overload policy Public
  [...]


Because the policy-classes are evaluated top-down, this will ensure that your inter-VLAN same-policy traffic gets processed before any other rules.
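A small model of the top-down, first-match evaluation jayh describes, added here as an example and not code from this thread or from ADTRAN. It assumes both private subnets from the thread sit in one policy-class named Private, that web-acl-5 matches 192.168.200.0/24, and it uses 67.50.0.1 as a stand-in for the masked 67.50.xx.xx public address; it shows the wizard NAT entry with an any-zone destination translating voice-to-data traffic, and the fixed ordering leaving it untouched.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Stand-in for the masked 67.50.xx.xx public address in the thread (constructed).
PUBLIC_IP = "67.50.0.1"


@dataclass
class Entry:
    action: str                      # "allow" or "nat"
    src_net: str                     # what the source ACL matches
    dst_zone: str                    # destination policy-class; "any" = <Any Security Zone>
    nat_addr: Optional[str] = None   # translated source for "nat" entries


def zone_of(ip: str) -> str:
    """Hypothetical zone lookup: the thread's two private VLANs are Private, all else Public."""
    a = ipaddress.ip_address(ip)
    for net in ("192.168.200.0/24", "10.0.0.0/24"):
        if a in ipaddress.ip_network(net):
            return "Private"
    return "Public"


def evaluate(policy: List[Entry], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Walk the policy-class top-down; the first matching entry decides.
    Returns (action, source address as seen by dst)."""
    dzone = zone_of(dst)
    for e in policy:
        src_ok = ipaddress.ip_address(src) in ipaddress.ip_network(e.src_net)
        if src_ok and e.dst_zone in ("any", dzone):
            return ("nat", e.nat_addr) if e.action == "nat" else ("allow", src)
    return ("deny", None)


# Before: the auto-generated NAT entry matches any destination zone, so even
# voice-VLAN -> data-VLAN traffic is translated to the public address.
BEFORE = [Entry("nat", "192.168.200.0/24", "any", PUBLIC_IP)]

# After: the same-zone allow (pvt-all-list) sits first and the NAT entry is
# scoped to destination policy-class Public.
AFTER = [
    Entry("allow", "0.0.0.0/0", "Private"),
    Entry("nat", "192.168.200.0/24", "Public", PUBLIC_IP),
]

if __name__ == "__main__":
    print(evaluate(BEFORE, "192.168.200.50", "10.0.0.253"))   # ('nat', '67.50.0.1')
    print(evaluate(AFTER, "192.168.200.50", "10.0.0.253"))    # ('allow', '192.168.200.50')
    print(evaluate(AFTER, "192.168.200.50", "203.0.113.10"))  # ('nat', '67.50.0.1')
```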