ExtremeWireless (WiNG)

Different Vlan not Communicate

  • 1.  Different Vlan not Communicate

    Posted 06-27-2018 08:24
    Hi,
    I am using an AP 7532 with firmware 5.9.2. I created two VLANs (vlan1 & vlan2) and two SSIDs (Employee & Guest) on this AP. The IP addresses of vlan1 & vlan2 are 192.168.10.10 & 192.168.2.10. SSID Employee is mapped to vlan1 and Guest is mapped to vlan2. After configuring, I connected two clients to the different SSIDs. I can reach from guest to employee, but I can't from employee to guest.

    Below is the client connected to SSID Employee. This client's IP address is 192.168.10.105.



    Another client is connected to SSID Guest. Its IP address is 192.168.2.20. So the ping from 192.168.2.10 to 192.168.10.105 works, but the ping from 192.168.10.105 to 192.168.2.20 does not.



  • 2.  RE: Different Vlan not Communicate

    Posted 06-27-2018 09:30
    What is responsible for routing between networks in your environment? It sounds like you possibly reversed your routing and policy logic (meaning employee might be trusted more than guest and only ping in that direction). Regardless, those routes, rules and policies are up to you.


  • 3.  RE: Different Vlan not Communicate

    Posted 06-27-2018 09:36
    Or the client in the guest network has a personal firewall installed that doesn't allow pinging the device.


  • 4.  RE: Different Vlan not Communicate

    Posted 06-27-2018 10:31
    Can you show us the 'ip access-list nat-rule' you configured on the AP?



  • 5.  RE: Different Vlan not Communicate

    Posted 06-28-2018 04:17
    Now I share all my configuration details.
    LAN:



    WAN:


    Wireless:


    Services:



    Access Point:





  • 6.  RE: Different Vlan not Communicate

    Posted 06-28-2018 04:19
    ap7532-18A21C#sh running-config

    !

    ! Configuration of AP7532 version 5.9.2.0-032R

    !

    !

    version 2.5

    !

    !

    client-identity-group default

    load default-fingerprints

    !

    ip access-list BROADCAST-MULTICAST-CONTROL

    permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"

    permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"

    deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"

    deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"

    deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"

    permit ip any any rule-precedence 100 rule-description "permit all IP traffic"

    !

    ip access-list default-B8500118A21C-nat

    permit ip any any rule-precedence 1

    !

    mac access-list PERMIT-ARP-AND-IPv4

    permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"

    permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"

    !

    ip snmp-access-list default

    permit any

    !

    firewall-policy default

    no ip dos tcp-sequence-past-window

    no stateful-packet-inspection-l2

    ip tcp adjust-mss 1400

    !

    !

    mint-policy global-default

    !

    meshpoint-qos-policy default

    !

    wlan-qos-policy Employee

    rate-limit client to-air rate 5000

    rate-limit client from-air rate 5000

    qos trust dscp

    qos trust wmm

    !

    wlan-qos-policy Guest

    rate-limit client to-air rate 5000

    rate-limit client from-air rate 5000

    qos trust dscp

    qos trust wmm

    !

    wlan-qos-policy default

    qos trust dscp

    qos trust wmm

    !

    radio-qos-policy default

    !

    wlan Employee

    description Employee

    ssid Employee

    vlan 1

    bridging-mode local

    encryption-type ccmp

    authentication-type none

    no fast-bss-transition over-ds

    wpa-wpa2 psk 0 Employee@123

    use wlan-qos-policy Employee

    !

    wlan Guest

    description Guest

    ssid Guest

    vlan 2

    bridging-mode local

    encryption-type ccmp

    authentication-type none

    no fast-bss-transition over-ds

    wpa-wpa2 psk 0 Guest@123

    use wlan-qos-policy Guest

    !

    dhcp-server-policy WiNGExpressDhcpSvrPolicy

    dhcp-pool default-vlan2-pool

    network 192.168.2.0/24

    address range 192.168.2.11 192.168.2.20

    default-router 192.168.2.10

    dns-server 192.168.2.10 8.8.8.8

    !

    !

    management-policy default

    telnet

    no http server

    https server

    ip address zeroconf secondary

    ip dhcp client request options all

    interface vlan2

    description Guest

    ip address dhcp

    interface pppoe1

    use firewall-policy default

    use client-identity-group default

    logging on

    service pm sys-restart

    router ospf

    adoption-mode controller

    !

    rf-domain default

    timezone Asia/Calcutta

    country-code in

    use nsight-policy default

    !

    ap7532 B8-50-01-18-A2-1C

    use profile default-ap7532

    use rf-domain default

    hostname ap7532-18A21C

    location default

    ip name-server 8.8.8.8

    ip name-server 4.2.2.2

    ip default-gateway 192.168.10.1

    interface vlan1

    description "WAN Interface"

    ip address 192.168.10.10/24

    no ip dhcp client request options all

    ip nat inside

    no shutdown

    interface vlan2

    description Guest

    ip address 192.168.2.10/24

    ip nat inside

    use dhcp-server-policy WiNGExpressDhcpSvrPolicy

    virtual-controller

    rf-domain-manager capable

    ip dns-server-forward

    ip nat inside source list default-B8500118A21C-nat precedence 1 interface vlan1 overload

    no adoption-mode

    !

    !



    end


  • 7.  RE: Different Vlan not Communicate

    Posted 07-04-2018 03:57
    Awaiting the reply.


  • 8.  RE: Different Vlan not Communicate

    Posted 07-05-2018 02:01
    Let us start with configuring the firewall for best practice.

    How To: How to apply the best practices firewall policy to WiNG APs
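
An added example, not part of the thread and not Extreme's tooling: a small Python audit that reads a running-config flattened the way the one posted in this thread is (no indentation, `!` between blocks) and lists the management and firewall settings to review when applying a firewall baseline. The rule list and the finding wording are assumptions made for illustration; the sample is an excerpt of the posted config with the PSK replaced by a placeholder.

```python
import re

# Excerpt of the running-config posted in this thread; PSK replaced by a placeholder.
SAMPLE = """\
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos tcp-sequence-past-window
no stateful-packet-inspection-l2
!
wlan Guest
wpa-wpa2 psk 0 <placeholder>
!
management-policy default
telnet
no http server
https server
!
"""

# Assumed review rules: (block header prefix, regex on a line in that block, finding)
RULES = [
    ("management-policy", r"^telnet$", "telnet management enabled (cleartext session)"),
    ("ip snmp-access-list", r"^permit any$", "SNMP allowed from any source"),
    ("firewall-policy", r"^no stateful-packet-inspection-l2$", "L2 stateful inspection disabled"),
    ("firewall-policy", r"^no ip dos \S+", "a DoS check is disabled"),
    ("wlan ", r"^wpa-wpa2 psk 0 ", "PSK stored as clear text (type 0)"),
]

def blocks(config):
    """Yield (header, body_lines) for each '!'-delimited block."""
    current = []
    for raw in config.splitlines() + ["!"]:
        line = raw.strip()
        if line == "!":
            if current:
                yield current[0], current[1:]
            current = []
        elif line and not line.startswith("--More"):  # skip CLI pager residue
            current.append(line)

def audit(config):
    """Return (block header, finding) pairs in config order."""
    return [(header, text) for header, body in blocks(config)
            for prefix, pattern, text in RULES if header.startswith(prefix)
            for line in body if re.search(pattern, line)]
```

Calling `audit()` on the full text of a saved `show running-config` returns one pair per matching line, so each finding can be traced back to the block it came from.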