Hello, I am have trouble configuring an Adtran 908e and Vlans. Below is a sample of the config I have so far. From my laptop (192.168.1.120) I can ping the VLan 1 interface (192.168.1.1) but I can not ping the WAN (x.x.185.36) or the internet (8.8.8.8). From the 908e console I can ping the internet (8.8.8.8). Any info you can provide? Thanks.
Config:
ip routing
!
!
interface eth 0/1
ip address x.x.185.36 255.255.255.248
no shutdown
!
!
interface eth 0/2
encapsulation 802.1q
no shutdown
!
interface eth 0/2.1
vlan-id 1 native
ip address 192.168.1.1 255.255.255.0
no shutdown
interface eth 0/2.200
vlan-id 200
ip address 192.168.2.1 255.255.255.0
no shutdown
interface eth 0/2.201
vlan-id 201
ip address 10.10.1.1 255.255.255.0
no shutdown
!
!
ip route 0.0.0.0 0.0.0.0 50.76.185.38
The problem doesn't seem to be in the VLANs, but in the service policies or lack thereof. 192.168.x.x/16 isn't routeable on the Internet so you'll need to assign access-policies on the eth 0/1 interface and the eth 0/2.x subinterfaces. Typical usage is "Public" for the outside and "Private" for the inside, but you may want private1, private200, private201 or similar. Then build policy classes to allow NAT outbound from the inside. The Firewall wizard can do this for at least the first subnet but you may have to build the others manually. You will also need to set up firewall policies for the inside subnets to reach each other (or not, if that's your goal). These won't need NAT to each other, just allow or deny.
Got it thanks for the help.
On Sat, Jan 12, 2013 at 11:04 PM, jayh <adtran@sgaur.hosted.jivesoftware.com
OK, I managed to get everything setup. Internet is working. I am having a problem with connection between the VLANs. Ping from my laptop VLAN 1 (192.168.1.120) to VLAN 201 interface (192.168.2.1) of the 908e works. Ping from my laptop VLAN 1 (192.168.1.120) to a PBX (192.168.2.254) plugged into Netvanta switch with port-23 configured as, switchport access vlan 200, ping works. Ping from my laptop VLAN 1 (192.168.1.120) to a phone (192.168.2.100) manually configured as VLAN 200 plugged into the same Netvanta switch on port-15 unconfigured ping fails. I can ping directly from the 908e to the phone (192.168.2.100). I can ping from PBX (192.168.2.254) to the phone (192.168.2.100). The phone's gate way is set to 192.168.2.254. On the PBX I have a static route 192.168.1.0/24 use 192.168.2.1. Is this problem on my 908e or is my switch not configured correctly?
Set the gateway of devices on each subnet to the address of the TA900. In other words, the devices on the 192.168.2.x network (phones and PBX) should all have their gateway set to 192.168.2.1. The phones will find the PBX without a route or gateway, they're on the same subnet. All devices on the data subnet on 192.168.1.x should have their gateway set to 192.168.1.1.
You don't specify what is on the 10.10.1.x subnet but its hosts should have the gateway set to 10.10.1.1.
On the TA900, you will need a static route for 0.0.0.0/0 to your ISP's gateway, something on x.x.185.32/29 (probably x.x.185.33 but ask your ISP).
You don't need the static route on the PBX. Both networks are directly connected to the TA900 so it will route them once you point the PBX's gateway to 192.168.2.1 .
Southfork21,
Were you able to get everything working as you would expect? I agree with all the recommendations given from Jayh, particularly configuring all devices to have a default gateway set to the Adtran unit. This simplifies the setup and rules out any problems with routing on the PBX or server. I do have one other suggestion for your particular configuration. It is often a good idea to make sure you have an "allow" rule for inter-VLAN traffic. This should be higher in your access-policy that your general NAT rule. Below is a short example.
ip access-list extended VLANS
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
ip policy-class Private
allow list self self
allow list VLANS stateless
nat source list ...
Please respond to this post if you have any further questions. I would be glad to work with you on this.
Thanks!
David
The basic answer is YES. I configured the phones to use the gateway 192.168.2.1 and was successful in pinging from the 192.168.1.0 network.
But (my setup of phones and PBX) the PBX is the DHCP server. The situation is that the PBX will then provide all the necessary info to the phones for registration (ie sip server ip). But the PBX DHCP is limited to only sending it's LAN IP as the gateway to the phones. I know I can 1.) configure a different DHCP server to send this info or 2.) I can manually configure all the settings on the phones. Both of these two options are less then desirable. I was hoping there was just a setting I was missing that would allow VLAN 1 to ping VLAN 200. I think it is failing because the ping from VLAN 1 is making it to the phone through the gateway of 192.168.2.1 but the ping reply from the phone on VLAN 200 is using gateway 192.168.2.254 (if I understand correctly?). I thought by adding a static route to the PBX this would solve the problem.
In answer to what is on my 10.10.1.x network. That is the network and VLAN 201 that I am using for the SIP trunk registration.
Yes I have a static route ip route 0.0.0.0 0.0.0.0 x.x.185.33. The ip route above is incorrect.
The PBX DHCP server is only capable of specifying its own address as the default IP gateway? Really? Are you sure? If such is the case, its DHCP functionality is, to put it politely, less than ideal.
If this is true, turn off the DHCP functionality in the PBX and configure DHCP on the TA900 for that subnet. You can use numbered options on the TA900 to specify the PBX IP (or hostname if using internal DNS) for TFTP and the like.
The phones don't learn their SIP server and registrar via DHCP. This information is either statically configured on each phone or extracted from a configuration file loaded at bootup. Where they get the file *may* be learned by DHCP. The file server IP can and almost certainly will be different than the default IP gateway.
Sequence:
Phone boots.
Phone gets IP, subnet, gateway, DNS, and the like via DHCP.
Phone gets IP address of a TFTP, FTP, HTTP, or HTTPS server either by DHCP (option 66 usually) or via manual setting stored on phone.
Phone contacts file server and downloads one or more files with configuration info such as SIP server, username, password, display info, etc. unique to phone, perhaps also generic file for all phones. Filename is usually based on phone MAC address.
Phone uses the content of these files to contact SIP server and register.
In summary, all DHCP needs to do is to provide the IP address of the file server (which is most likely the PBX) to the phone as a numbered option.
Let your IP router handle IP routing and IP services.
Let your PBX handle call processing and voice services.
Your network will be happier.
Your phones will be happier.
Jay, thanks again for all your help.
Yes to everything you stated. I agree DHCP would be best off another device (ie Adtran router). And Yes phones get their info from TFTP and so on. All I am asking is it possible (maybe not the best practice) for the following: Laptop VLAN1 connected to 908e router with VLAN1 and VLAN200 connected to Netvanta switch connected to PBX VLAN200 and phone VLAN200 with the phones gateway set to the PBX and a static route on the PBX to VLAN1. Is this at all possible or am I trying to setup something that is completely impossible with the equipment or routing limits I have? Once again understanding not the correct or best implantation more of a lab based setup for testing.
Consider the case where the phones need to communicate outside of their subnet (such as for RTP to a SIP trunk).
With the PBX as the phones' gateway, these packets won't make it to the Adtran router, so they won't leave the subnet unless the PBX is doing routing (not likely and an ugly hack) or proxy-arp is enabled (also not likely and another ugly hack).
What is the problem with setting up the TA908e as the DHCP server and specifying the PBX as the configuration file server via a numbered option? What make/model of PBX?
If the PBX is also acting as a SIP/RTP proxy and the phones NEVER need to communicate outside of their subnet, it could possibly be made to work, but I certainly wouldn't recommend it.
Southfork21,
Routing should allow your setup to work, but the added complexity of another router/PBX will make troubleshooting a little more difficult. If for whatever reason you must set the router/PBX as the default gateway for the phones, it might be a good idea to setup another laptop on a VLAN 200 access port on the switch. Test with the laptop on VLAN 200 having either default gateway. This will allow you to easily issue things like ping and traceroute, from the phone's perspective. Also, you can get packet captures on the laptop to find out how the router/PBX is responding. Often the router/PBX in this scenario will just respond with ICMP messages such as a Destination Unreachable (routing isn't working) or a Redirect. The redirect would tell the sender, "There is a better router (TA900) for this traffic on the directly connected subnet. Send your traffic to that device." One concern is that the phone may not properly handle this type of ICMP message.
Regardless, the second laptop, or setting up monitor ports on the switch to get packet captures, will give you more information about what is actually happening. If you have further questions, you may want to consider opening a ticket with ADTRAN Technical Support. You can open a ticket by calling 888-423-8726 or sending an email to support@adtran.com.
Thanks!
David
Solved!
Yes, the routing was setup correctly.
The problem was with the Security Zone "Private". The policy for "Traffic to Total Access", "Destination Security Zone" was set to "Self Bound". I changed the "Destination Security Zone" to "Private" and everything is working.
Thanks for the help Jayh and David.
Southfork21,
I'm glad you resolved the issue. You will definitely want some policy that allows traffic between the two VLANs. The "allow list VLANS stateless" shown above would be an even better option since there will be no filtering or sessions expiring between the two VLANs. I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily.
Thanks!
David