
Connecting a Cisco C1000L to an Adtran VPN

jayu
Level 1

I started here a couple weeks ago and the networking leaves much to be desired...the previous network admin had a "Management" VLAN used to run all the servers and a "Data" VLAN used for pretty much everything else...actually, on the L3 switch (Adtran...don't ask) there are four VLANs active but only two are in use that I have found so far (though one might be for the wireless APs but I'm not digging into that just yet)...

So, my question is this.  How do I get one of the switches (Cisco C1000L) down the line to connect to the Management VLAN on the L3 Adtran?  

Steps so far:
I've used the web interface to create the VLAN on the Cisco device but it doesn't have any meaningful settings to associate the VLAN ports to an existing VLAN (at least none I'm seeing). The port comes up when a test device is plugged in but it does not reach the network I'm attempting to contact. DHCP is disabled on this network so all devices will be using static IPs.

 

What I think I'm missing:
I think I need to assign a static IP in the Management network range to the VLAN I'm creating on the C1000L but can't find an option and none of my searching has turned up any meaningful CLI commands. As the VLAN already exists in the network, I should just have to set up the connection on the Cisco switches and add the ports.

 

My wife likes to say I'm really good at overcomplicating things, so instead of taking that route on a Friday I think I'll stop and wait for answers.  

Many thanks in advance!


jayu
Level 1

I just noticed that auto-corrected the title from VLAN to VPN...

Hello,

basically, this is what you need to configure using the command line:

C1000L#conf t
C1000L(config)#vlan 10
C1000L(config-vlan)#name management
C1000L(config-vlan)#exit
C1000L(config)#interface Vlan 20
C1000L(config-if)#ip address x.x.x.x y.y.y.y <-- this needs to be an IP address in the same range as the Adtran
C1000L(config-if)#no shut
C1000L(config-if)#exit
C1000L(config)#ip default-gateway z.z.z.z <-- where z.z.z.z is the IP address of the Adtran

Just make sure the link between the Cisco and the Adtran is a trunk. If you have doubts, post the running configuration (sh run) of the C1000, so we can fill in the bits and pieces...

Thank you Georg!  I'll play with this in the test environment over the weekend and get back to you on Monday!

jayu
Level 1

Update: Right before 5 Friday night this switch shot some errors and shut down the tunnel, causing the Adtran to lock for about a minute.  I disconnected my test lab and went through the code via terminal session.  Still fixing the errors before trying this again.

Hello,

can you post the configs once you get access ?

Not just yet, gotta clean up a bit more on the previous admin's config...he was also using it for a test.  To be honest, would have been easier if I had just wiped his config but really tried to understand what he was doing/thinking as this will likely be the condition I find the rest of the network gear going forward...much easier to understand now than to try and wipe/rebuild a production environment later...or so my thinking goes.

Of course, numbers are changed and all other possible domain identification removed.


interface GigabitEthernet1/0/1
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/3
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/4
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/5
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/6
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/7
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/8
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/9
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/10
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/11
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/12
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/13
switchport access vlan 10
switchport trunk native vlan 20
switchport mode access
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
switchport trunk allowed vlan 10,20
switchport trunk native vlan 20
switchport mode trunk
switchport port-security violation shutdown vlan
ip arp inspection trust
spanning-tree portfast network
spanning-tree guard loop
!
interface GigabitEthernet1/0/49
switchport access vlan 20
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface TenGigabitEthernet1/0/1
switchport access vlan 20
switchport mode access
!
interface TenGigabitEthernet1/0/2
!
interface TenGigabitEthernet1/0/3
!
interface TenGigabitEthernet1/0/4
!
interface Vlan1
no ip address
!
interface Vlan20
ip address 192.168.XXX.20 255.255.255.0
!
interface Vlan10
description Management VLAN
ip address 10.20.30.40 255.255.255.0
!
ip default-gateway 192.168.XXX.1
no ip http server
ip http banner
ip http authentication local
ip http secure-server
ip http tls-version TLSv1.2
!
!
!
!
!
!
line con 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
end

Hello,

the config does not look right. If you have multiple SVI (Vlan) interfaces, you need to enable 'ip routing', and the 'ip default-gateway' command does not work anymore. Instead, you need a default route ('ip route 0.0.0.0 0.0.0.0). Also, why is Vlan 20 the native (untagged) Vlan ? Is it configured in the same way on the Adtran ?

Post the full running configuration (sh run)...

Thanks for the response Georg. The IOS web-GUI is what I'm working in so some of the settings aren't really...great/easy to work with and the CLI leaves much to be desired. Again, I'm currently modifying what was already there for the most part. The Default Route statements all should be coming from the L3 Adtran device. Do I also need to add commands on the end switch? VLAN 20 is the 'production' network where all the end user traffic is coming from so I'm guessing that was the reasoning? As this is just a test environment it shouldn't hurt to flip those...makes sense too, since the server/appliance traffic is generally more trusted.

The parts of the config I did NOT post already contained identifying statements including the domain name and crypto PKI cert. However, I did find the spanning tree statement I cut out (didn't mean to) and pasted it below.

I'm super grateful for your assistance, I stepped into the middle of this mess and I'm doing my best to clean it up without any notes or explanation of why things were set up this way. I'm hoping to replace both the Adtran devices in the near future with something that actually works. I'm currently working on the IP Routing statement(s) you mentioned above, replacing the default gateway command(s) and switching the Native VLAN.

spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
lldp run
!
!
!
!
!
interface Bluetooth0
no ip address
shutdown

jayu
Level 1

Quick update: I flipped the Native VLAN and looked into IP Route vs IP Default Gateway.  IP Route doesn't exist as an option here because it's only an L2 switch, no routing functions.  The Adtran/L3 device has the IP Route set properly.

Hello,

since the Cisco is a layer 2 switch only, make sure you only have one Vlan (SVI) interface up (the one that connects to the Adtran), and delete the other, as it would not work anyway. The Adtran, being a layer 3 switch, needs to take care of the routing, so all layer 3 (Vlan/SVI) interfaces need to be configured there. What is the Adtran model you have ?

Once I'm confident in the config, I'll remove the VLAN statement on Port 49 (Port 48 is currently not connected).  The AdTran is a NetVanta 1544P.  The VLAN interfaces are configured there, I'm attempting to get a bank of ports on the Cisco C1000L to run on a different VLAN than the rest.  Once that works in the test box, I'll copy that config to switches in two other racks.  The end goal being to run a device on the Management network in each rack as if it were in the Management VLAN.
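
An added example, not part of any post in this thread and not Cisco or Adtran tooling: a small Python audit that reads a running-config in the shape posted above and reports two items the replies question (a trunk whose native VLAN also serves access ports, more than one addressed SVI on a layer 2 switch) and two leftovers visible in the posted configuration (trunk commands on an access port, a port with no explicit switchport mode). The sample config is constructed, its addresses are documentation ranges, and the names `parse_interfaces` and `audit` are this example's own.

```python
import re

# Constructed sample shaped like the posted config; addresses are documentation ranges.
SAMPLE = """
interface GigabitEthernet1/0/13
 switchport access vlan 10
 switchport trunk native vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/0/49
 switchport access vlan 20
!
interface Vlan20
 ip address 192.0.2.20 255.255.255.0
!
interface Vlan10
 ip address 198.51.100.40 255.255.255.0
"""

def parse_interfaces(config):
    # Each block runs from "interface X" to the next "!" line; indentation is optional.
    pat = re.compile(r"^interface (\S+)[^\n]*\n(.*?)(?=^!|\Z)", re.M | re.S)
    return {m[1]: [l.strip() for l in m[2].splitlines() if l.strip()] for m in pat.finditer(config)}

def audit(config):
    # Returns (interface, finding) pairs; the checks are this example's assumptions.
    blocks, out = parse_interfaces(config), []
    access_vlans = {c.split()[-1] for cmds in blocks.values() for c in cmds
                    if c.startswith("switchport access vlan")}
    for name, cmds in blocks.items():
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode")), None)
        if mode == "access" and any(c.startswith("switchport trunk") for c in cmds):
            out.append((name, "trunk commands on an access port"))
        if mode is None and any(c.startswith("switchport") for c in cmds):
            out.append((name, "no explicit switchport mode"))
        # The native VLAN is 1 when the trunk does not set one.
        native = next((c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan")), "1")
        if mode == "trunk" and native in access_vlans:
            out.append((name, f"native VLAN {native} also serves access ports"))
    svis = [n for n, cmds in blocks.items()
            if n.startswith("Vlan") and any(c.startswith("ip address") for c in cmds)]
    if len(svis) > 1:
        out.append((",".join(svis), "multiple addressed SVIs on a layer 2 switch"))
    return out
```

Run `audit()` over the text of `sh run` saved to a file; an empty list means none of these four conditions were found.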