curtc

VLAN routing with permit ip any any

I need to allow all traffic to and from two different VLANs with the 3430 doing the routing. This is an Adtran switch as well, and the switchport mode is trunk that connects to the router.

-------------------------------------------------------------------

interface eth 0/2
  description LAN
  encapsulation 802.1q
  no shutdown

interface eth 0/2.1
  vlan-id 1 native
  ip address 192.168.254.1 255.255.255.0
  ip access-policy Private
  no shutdown

interface eth 0/2.200
  vlan-id 200
  ip address 192.168.200.1 255.255.255.0
  ip access-policy Private
  no shutdown

ip policy-class Private
  allow list self self
  nat source list Internet address 207.xxx.xxx.xxx overload

ip access-list extended self
  permit ip any any

-------------------------------------------------------------------

Do I need another line in the "ip policy-class Private" for the VLAN routing to work? I almost think I would need to add "allow list self" along with "allow list self self". Does this only allow "any" to talk to the 3430 itself?

Thanks!

jayh

Re: VLAN routing with permit ip any any


It's kind of confusing that Adtran by default uses the word "self" to name the ACL used to allow traffic to the Adtran itself. What "allow list self self" does is to allow the acl named "self" (first "self") to reach the Adtran itself (second "self"). It works, but it's difficult to grasp what it does. So that part of the configuration allows interfaces in policy Private to reach the Adtran for management, etc.

I would add the following to allow the interfaces to pass traffic to each other:

ip access-list extended permit-all-list
  permit ip any any

ip policy-class Private
  allow list self self
  allow list permit-all-list policy Private
  nat source list Internet address 207.xxx.xxx.xxx overload

This says:

Allow interfaces in Private to reach the router

Allow interfaces in Private to reach other interfaces in Private

NAT matching list Internet to address 207.x.x.x

curtc

Re: VLAN routing with permit ip any any

Thank you for the reply. I don't have the unit in front of me to test at the moment.

Couldn't I then not create "permit-all-list" and just do this:

ip policy-class Private
  allow list self self
  allow list self policy Private
  nat source list Internet address 207.xxx.xxx.xxx overload

Thanks!

jayh

Re: VLAN routing with permit ip any any


You can, and it will work fine, but this adds to the confusion of a named variable matching a keyword.

I've gotten into the habit of naming things after what they actually do. ACLs end in -list, route-maps end in -map, tracks in -track, etc.

Another problem with reusing the ACL: suppose some months later you want to modify which subnets are able to access the management interface. You look at the configuration and see that it's ACL "self", so you edit it. It isn't immediately obvious that the same ACL is used for the Private policy, so when you change the ACL you wind up breaking the routing.

It takes a few extra keystrokes but makes later troubleshooting and modification a lot less painful.

If you really want to obfuscate things, try naming your variables "no", "interface", "ip", "reload", "shutdown", "route-map", "ipv6", etc.

EDIT: Please don't actually do this. Your co-workers and, should you ever need them, Adtran tech support will hate you. It was fun in the lab on April 1.
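The following is an added illustration, not code from the thread or from Adtran, of both points made above: why the original policy-class only reaches the router, why the "allow list ... policy Private" entry is what permits VLAN-to-VLAN traffic, and how reusing the "self" ACL for that entry lets a later management-only change silently break routing. It assumes a simplified top-down, first-match, implicit-discard model of policy-class evaluation and uses the thread's own subnets; the hosts .10 are constructed.

```python
import ipaddress

# Simplified model (an assumption, not vendor code) of an AOS-style
# "ip policy-class": entries are tried top-down, the first match allows the
# packet, and anything unmatched is discarded.
ROUTER_ADDRS = {"192.168.254.1", "192.168.200.1"}       # the 3430's own addresses
SUBNET_POLICY = {"192.168.254.0/24": "Private",         # which policy each VLAN
                 "192.168.200.0/24": "Private"}         # interface belongs to

def acl_permits(acl, src, dst):
    """Extended ACL as a list of (action, src_net, dst_net); 'any' wildcards."""
    for action, s, d in acl:
        s_ok = s == "any" or ipaddress.ip_address(src) in ipaddress.ip_network(s)
        d_ok = d == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(d)
        if s_ok and d_ok:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def policy_for(addr):
    for net, pol in SUBNET_POLICY.items():
        if ipaddress.ip_address(addr) in ipaddress.ip_network(net):
            return pol
    return None

def policy_allows(entries, acls, src, dst):
    """entries: (acl_name, target); target is 'self' or ('policy', name)."""
    for acl_name, target in entries:
        if target == "self" and dst not in ROUTER_ADDRS:
            continue                       # 'self' only covers the router itself
        if target != "self" and policy_for(dst) != target[1]:
            continue                       # destination is not in that policy
        if acl_permits(acls[acl_name], src, dst):
            return True
    return False  # nothing matched: the packet is dropped

ANY = [("permit", "any", "any")]
ORIGINAL = [("self", "self")]                                            # curtc's start
FIXED = [("self", "self"), ("permit-all-list", ("policy", "Private"))]  # jayh's fix
REUSED = [("self", "self"), ("self", ("policy", "Private"))]            # the shortcut

def demo():
    acls = {"self": ANY, "permit-all-list": ANY}
    host_a, host_b = "192.168.254.10", "192.168.200.10"  # constructed hosts
    results = {
        "original_vlan_to_vlan": policy_allows(ORIGINAL, acls, host_a, host_b),
        "original_to_router": policy_allows(ORIGINAL, acls, host_a, "192.168.200.1"),
        "fixed_vlan_to_vlan": policy_allows(FIXED, acls, host_a, host_b),
    }
    # Months later, "self" is narrowed so only VLAN 1 may manage the router.
    narrowed = {"self": [("permit", "192.168.254.0/24", "any")], "permit-all-list": ANY}
    results["fixed_after_mgmt_change"] = policy_allows(FIXED, narrowed, host_b, host_a)
    results["reused_after_mgmt_change"] = policy_allows(REUSED, narrowed, host_b, host_a)
    return results
```

With the separate ACL, VLAN 200 still reaches VLAN 1 after the management change; with the reused "self" ACL, that same routed traffic is silently dropped.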

curtc

Re: VLAN routing with permit ip any any

HAHA! That was great! Thanks for the info, and I'll be sure to stay away from those naming conventions.