Change config of RFS6000

  • Question
  • Updated 2 weeks ago
  • Answered
I need to change the DNS IP address in my config.  I can access the RFS6000 via IP address, web interface and see the running config.  How can I edit this?  Please advise.  Thank you!
DW76


Posted 2 weeks ago

Chris Kelly, Employee

You can enter the name server addresses either in the controller profile itself or as a controller override.  In either case though, the actual CLI syntax you would use is:  ip name-server X.X.X.X

Example, to enter an address as an override:
1) Login
2) enable
3) self
4) ip name-server 8.8.8.8
5) commit write

You can enter multiple DNS entries this way.

From the UI:

1) Configuration Tab
2) Devices
3) Select the RFS6000 
4) In center column, expand "Profile Overrides"
5) Expand "Network"
6) Select DNS
7) Over to the right, you should see where you can enter DNS server entries
8) Remember to "Commit and Save" in the top right corner when done
DW76

Thank you Chris--however when I browse to the network settings via UI, there are no existing DNS entries shown.  Does that make sense?  Tried accessing the device via CLI using Putty/SSH but the password I use to access via UI does not work there.  Not real familiar with this device as it was set up by a vendor.  Trying to avoid having to buy a 4 hour block of time for a 2 min change.  Any thoughts?  If I change in the UI, will it override the existing running config?
Chris Kelly, Employee

Is it possible that there currently are no DNS entries that have been setup?

Another possibility is that if there *are* DNS entries, they've been entered at the controller's Profile level.  In case you're not aware, the Profile settings are where you want to keep as many settings as possible.  The override section will *override* a setting that exists in the main Profile.  Normal use of the override section is for things like static IP addresses, hostnames, etc.  Things that are unique to a device...and therefore not appropriate to enter into a common Profile.

In the UI, to get to the controller's Profile:
1) Configuration
2) Profiles
3) Double-Click on the Profile that is assigned to your RFS6000
4) Center column, expand Network and choose DNS.

If you don't see any DNS entries there either, then it would seem that the controller does not have any DNS entries.  Does the controller need one?  Or....are you really looking to assign DNS entries for the adopted APs?

Not sure why the password isn't working to access the CLI but works for the GUI.  Maybe the management profile is configured to disallow CLI access?
DW76

Hi,

I've managed to make an SSH connection.  The following CLI shows the DNS entry:

dhcp-server-policy default
 dhcp-pool EmployeeGuest
  network 192.168.0.0/24
  address range 192.168.0.2 192.168.0.254 
  default-router 192.168.0.1
  dns-server  10.0.70.2

Can you explain how I change this?  Will it require a restart or anything?  Thank you.


Chris Kelly, Employee

Okay...so this is showing that you have a DHCP service created on the RFS6000.  But, it doesn't necessarily show that it's *used* (It is simply a policy that is created and *can* be used).

If we assume though that this DHCP service Policy is used by the controller, then you can change the DNS entry this way.

1) Log in
2) enable
3) config
4) dhcp-server-policy default
5) dhcp-pool EmployeeGuest
6) no dns-server  (This gets rid of the existing entry)
7) dns-server <enter your new DNS server IP>
8) commit wr

You can then verify things at the level you're at now (you are currently in the dhcp-pool settings).  Issue the command:  show context

This will show you all of the settings that currently exist at the dhcp-pool level of the config.
You can use that same command at any level so that you can see the current config settings for a section that you are in.  Very handy command.
DW76

Thank you!  I will make these changes after hours this afternoon.  One other question, while examining the config, I notice this entry:  

 use radius-server-policy default
 interface me1
  ip address 10.1.1.100/24

Not sure what this is as we have no IP scheme in our network that is 10.1.1.x.  Any thoughts?
Chris Kelly, Employee

The me1 interface is normally used for an out of band management port.  If you don't have any network cables plugged into it, then it's not accessible on the network, so no concerns there.  
DW76

Hi again,
An opportunity presented itself so I made the changes.  I'm able to verify that the DNS server IP has been changed for both startup and running configs--however wifi clients are not able to browse by URL, but the settings on my phone show the new DNS IP address.  Any thoughts--did I miss something?  I see this still exists in the config and it should be changed to the new IP.  Can you send syntax to change this:  

permit ip 192.168.0.0/24 host 10.0.70.2 rule-precedence 140 

As always, thanks again!
Chris Kelly, Employee

Can you also include the parent level of this entry?  I can't tell exactly where this rule originates
DW76

ip access-list ABCEmployee2018
 permit udp any range 67 68 any range 67 68 rule-precedence 1 
 permit udp any any eq dns rule-precedence 2 
 deny ip any 10.0.70.0/23 rule-precedence 3 
 permit ip 192.168.0.1/24 any rule-precedence 4 

ip access-list ABCEmployees
 permit udp any eq 68 any eq dhcps rule-precedence 10 
 permit udp any any eq dns rule-precedence 20 
 permit tcp any any eq www rule-precedence 30 
 permit tcp any any eq https rule-precedence 40 
 permit tcp any any eq smtp rule-precedence 50 
 permit tcp any any eq imaps rule-precedence 60 
 permit tcp any any eq 587 rule-precedence 70 
 permit tcp any any eq pop3 rule-precedence 80 
 permit tcp any eq 443 any eq https rule-precedence 90 
 permit tcp any any eq 1723 rule-precedence 100 
 permit udp any any eq 500 rule-precedence 110 
 permit udp any any eq 4500 rule-precedence 115 
 permit ip 192.168.0.0/24 host 10.0.70.2 rule-precedence 140    ***(IP address needs to change)
 deny ip 192.168.0.0/24 host 192.168.0.1 rule-precedence 145 
 deny ip any host 10.0.70.20 rule-precedence 150
Chris Kelly, Employee

Okay...an IP access list rule.
To get to the section to change it:

1) Login
2) enable
3) config
4) ip access-list ABCEmployees
5) permit ip 192.168.0.0/24 host 10.0.70.2 rule-precedence 140   (change the IP address to what you want in this command.  Since the rule-precedence level remains the same, the new entry will simply overwrite what is already there.  If you want to actually add NEW entries, just make sure that they don't duplicate the rule-precedence values of any of the existing entries)
6) commit write

DW76

Ok, was able to change that too, however wifi clients are still not getting online.  Any ideas... not seeing any other references in the config for the old IP address.
Chris Kelly, Employee

So is this client able to PING an Internet IP address?  Is this just a resolution issue?
You say that the client does show that it has a DNS server as part of its DHCP lease info?
DW76

Chris-My apologies, I am out of the office now.  I will test this again and report back tomorrow.  The config on phones does show the new DNS IP.  I am attaching the full config if that helps at all.

!
! Configuration of RFS6000 version 5.8.6.7-002R
!
!
version 2.5
!
!
ip access-list ABCEmployeeGuest
 permit ip 192.168.0.0/24 any rule-precedence 10 
!
ip access-list Hotspot
 permit udp any eq 68 any eq dhcps rule-precedence 10 
 permit udp any any eq dns rule-precedence 20 
 permit tcp any any eq www rule-precedence 30 
 permit tcp any any eq https rule-precedence 40 
 permit tcp any any eq snpp rule-precedence 50 
 deny ip any host 10.0.70.20 rule-precedence 60 
!
ip access-list ABCEmployee2018
 permit udp any range 67 68 any range 67 68 rule-precedence 1 
 permit udp any any eq dns rule-precedence 2 
 deny ip any 10.0.70.0/23 rule-precedence 3 
 permit ip 192.168.0.1/24 any rule-precedence 4 
!
ip access-list ABCEmployees
 permit udp any eq 68 any eq dhcps rule-precedence 10 
 permit udp any any eq dns rule-precedence 20 
 permit tcp any any eq www rule-precedence 30 
 permit tcp any any eq https rule-precedence 40 
 permit tcp any any eq smtp rule-precedence 50 
 permit tcp any any eq imaps rule-precedence 60 
 permit tcp any any eq 587 rule-precedence 70 
 permit tcp any any eq pop3 rule-precedence 80 
 permit tcp any eq 443 any eq https rule-precedence 90 
 permit tcp any any eq 1723 rule-precedence 100 
 permit udp any any eq 500 rule-precedence 110 
 permit udp any any eq 4500 rule-precedence 115 
 permit ip 192.168.0.0/24 host 10.0.70.9 rule-precedence 140 
 deny ip 192.168.0.0/24 host 192.168.0.1 rule-precedence 145 
 deny ip any host 10.0.70.20 rule-precedence 150 
!
firewall-policy default
 no ip dos smurf
 no ip dos twinge
 no ip dos invalid-protocol
 no ip dos router-advt
 no ip dos router-solicit
 no ip dos option-route
 no ip dos ascend
 no ip dos chargen
 no ip dos fraggle
 no ip dos snork
 no ip dos ftp-bounce
 no ip dos tcp-intercept
 no ip dos broadcast-multicast-icmp
 no ip dos land
 no ip dos tcp-xmas-scan
 no ip dos tcp-null-scan
 no ip dos winnuke
 no ip dos tcp-fin-scan
 no ip dos udp-short-hdr
 no ip dos tcp-post-syn
 no ip dos tcphdrfrag
 no ip dos ip-ttl-zero
 no ip dos ipspoof
 no ip dos tcp-bad-sequence
 no ip dos tcp-sequence-past-window
 no ip-mac conflict
 no ip-mac routing conflict
 dhcp-offer-convert
 no ipv6 strict-ext-hdr-check 
 no ipv6 unknown-options 
 no ipv6 duplicate-options 
 no ipv6 option strict-hao-opt-check
 no ipv6 option strict-padding
 no stateful-packet-inspection-l2
 alg sip
 no ipv6-mac conflict
 no ipv6-mac routing conflict
!
!
mint-policy global-default
!
wlan-qos-policy CBTest
 qos trust dscp
 qos trust wmm
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
aaa-policy AAA_POLICY_wlan_2
 authentication server 1 onboard controller
!
captive-portal CaptivePortal2
 server host CaptivePortal2.com
 server mode centralized-controller
 simultaneous-users 200
 webpage internal login footer Please contact reception or I.T. if you do not have a User Name and Password
 webpage internal login header ABC Guest Network Login
 webpage internal welcome description You now have network access. <BR>Please have this window open to display your remaining session time.<BR><BR>Click the disconnect link below to end this session.
 webpage internal fail description Either the username and password are invalid, or service is unavailable at this time.
 webpage internal agreement description Guest users agree to ABC web use policies.
 webpage internal agreement header Terms of Use
 use aaa-policy AAA_POLICY_wlan_2
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
 webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
 webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
 webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
 webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
 webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
 webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
wlan 1
 description Corporate Wireless
 ssid ABC_Wireless
 vlan 1
 bridging-mode tunnel
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 xxxxx
!
wlan 2
 description Hot Spot
 shutdown
 ssid ABC_Guest
 vlan 1
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 use aaa-policy AAA_POLICY_wlan_2
 use captive-portal CaptivePortal2
 captive-portal-enforcement
 ip arp trust
 ip dhcp trust
 acl exceed-rate wireless-client-denied-traffic 1000000 disassociate
 use ip-access-list in Hotspot
!
wlan 3
 description Employee Wireless
 ssid ABC_Employee
 vlan 100
 bridging-mode tunnel
 encryption-type tkip-ccmp
 authentication-type none
 wpa-wpa2 psk 0 xxxxx
 use ip-access-list in ABCEmployee2018
!
wlan 4
 description IT Dept Test Network
 shutdown
 ssid ABC_ITDept
 vlan 1
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 wpa-wpa2 psk 0 xxxxx
 wep64 key 1 hex 0 1273c26cbe
 wep64 key 2 hex 0 5944e563a3
 wep64 key 3 hex 0 e848578b45
 wep64 key 4 hex 0 a23a40a20c
!
wlan 5
 description Guest Network
 ssid ABC_Visitor
 vlan 100
 bridging-mode tunnel
 encryption-type tkip-ccmp
 authentication-type none
 wpa-wpa2 psk 0 Visitor@xxx
 use ip-access-list in ABCEmployee2018
!
wlan test2
 shutdown
 ssid test2
 vlan 100
 bridging-mode tunnel
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 testtest
 use ip-access-list in ABCEmployee2018
!
smart-rf-policy default
!
radius-group ABCGuestGroup
 guest
 policy vlan 1
 policy ssid ABC_Guest
!
radius-user-pool-policy Guest
 user Guest password 0 guest@ABC group ABCGuestGroup guest expiry-time 16:15 expiry-date 12/21/2019 start-time 16:15 start-date 12/20/2010
!
radius-server-policy default
 use radius-user-pool-policy Guest
!
dhcp-server-policy default
 dhcp-pool EmployeeGuest
  network 192.168.0.0/24
  address range 192.168.0.2 192.168.0.254 
  default-router 192.168.0.1
  dns-server  10.0.70.9
!
!
management-policy default
 no telnet
 http server
 no https server
 no ftp
 ssh
 user admin password 1 871c077c9bc6d6eb7396e2056a1b0ff36a0ca882cc1e73f1089b1864746b47d2 role superuser access all
 user cB password 1 cd93f6b1ec3aae6ae9a29d3138a90bf92b90e2d4 role superuser access all
 user webadmin password 1 8893186442be830c7a8bea38184e4189239c55af role web-user-admin 
 snmp-server user snmpoperator v3 encrypted des auth md5 0 0xdd7f8e6f3a8f541942acb4158d31bbf5
 snmp-server user snmptrap v3 encrypted des auth md5 0 0xcadb481610695a440a262f01636b317f
 snmp-server user snmpmanager v3 encrypted des auth md5 0 0xcadb481610695a440a262f01636b317f
!
ex3500-management-policy default
 snmp-server community public ro
 snmp-server community private rw
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server view defaultview 1 included
!
profile rfs6000 default-rfs6000
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ikev2 policy ikev2-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface me1
 interface up1
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface ge6
 interface ge7
 interface ge8
 interface wwan1
 interface pppoe1
 use firewall-policy default
 service pm sys-restart
 router ospf
 router bgp
!
profile ap650 default-ap650
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ikev2 policy ikev2-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface ge1
 interface pppoe1
 use firewall-policy default
 service pm sys-restart
!
rf-domain default
 country-code us
 use smart-rf-policy default
!
rfs6000 5C-0E-8B-18-36-71
 use profile default-rfs6000
 use rf-domain default
 hostname rfs6000-183671
 license AP 1c4dc8ec8275e6c0d4914bb989c9f0da93bef016f88782847ede9b04e8f141e270a146ddbb479b59
 location ABC
 contact CB
 timezone America/Chicago
 country-code us
 mac-name BC-85-56-34-D9-25 LCONF-WIN7
 mac-name 00-23-68-AF-7B-9E ABCScan5
 mac-name 60-D8-19-42-14-69 TSCREEN-win7
 mac-name 24-77-03-D7-DD-E0 FS-win7lap
 mac-name 00-23-68-AF-7C-EA ABCScan3
 mac-name 00-23-68-AF-7C-76 ABCScan6
 mac-name 00-23-68-AF-7A-B0 ABCScan4
 mac-name BC-85-56-34-D8-CD UCONF-WIN7
 mac-name 00-23-68-AF-7B-9F ABCScan2
 mac-name 00-23-68-AF-7B-97 ABCScan1
 spanning-tree mst cisco-interoperability enable
 area "Server Room"
 ip default-gateway 10.0.70.1
 use radius-server-policy default
 interface me1
  ip address 10.1.1.100/24
 interface up1
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1
  ip dhcp trust
 interface ge1
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface ge2
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface ge3
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface ge4
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface ge5
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface ge6
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface ge7
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface ge8
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface vlan1
  description VLAN_1
  ip address 10.0.70.20/23
 interface vlan100
  description Guest_and_Employee
  ip address 192.168.0.1/24
  ip nat inside
 use dhcp-server-policy default
 use captive-portal server CaptivePortal2
 logging console warnings
 logging buffered warnings
 ip nat inside source list EmployeeGuest precedence 1 interface vlan1 overload
 no service pm sys-restart
 !
ap650 5C-0E-8B-34-CD-28
 use profile default-ap650
 use rf-domain default
 hostname OfficeFirstFloor
 country-code us
 area "Office"
 interface radio1
  description "AP 4 -  1st Floor"
  rf-mode 2.4GHz-wlan
  channel 6
  power 24
  placement indoor
  wlan 1 bss 1 primary
  wlan 3 bss 3 primary
  wlan 5 bss 4 primary
 !
ap650 5C-0E-8B-34-CD-2C
 use profile default-ap650
 use rf-domain default
 hostname ShopFloor
 country-code us
 area "Shop Floor"
 interface radio1
  description "AP 1 - Shopfloor"
  rf-mode 2.4GHz-wlan
  channel 1
  power 28
  placement indoor
  wlan 1 bss 1 primary
  wlan 3 bss 3 primary
  wlan 5 bss 4 primary
  max-clients 200
 !
ap650 5C-0E-8B-34-CD-3C
 use profile default-ap650
 use rf-domain default
 hostname 180OfficeSecondFloor
 country-code us
 area "Office"
 interface radio1
  description "AP 5 - 2nd Floor"
  rf-mode 2.4GHz-wlan
  channel smart
  power 26
  data-rates default
  placement indoor
  wlan 1 bss 1 primary
  wlan test2 bss 2 primary
  wlan 3 bss 3 primary
  wlan 5 bss 4 primary
  no preamble-short
  guard-interval any
  max-clients 200
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 !
ap650 5C-0E-8B-34-CE-10
 use profile default-ap650
 use rf-domain default
 hostname Woodshop
 country-code us
 area Woodshop
 interface radio1
  description "AP 3 - Woodshop"
  rf-mode 2.4GHz-wlan
  channel 11
  power 25
  placement indoor
  wlan 1 bss 1 primary
  wlan 3 bss 3 primary
  wlan 5 bss 4 primary
 !
ap650 5C-0E-8B-34-CE-34
 use profile default-ap650
 use rf-domain default
 hostname Warehouse
 country-code us
 area Warehouse
 interface radio1
  description "AP 2 - Warehouse"
  rf-mode 2.4GHz-wlan
  channel 6
  power 25
  placement indoor
  wlan 1 bss 1 primary
  wlan 3 bss 3 primary
  wlan 5 bss 4 primary
  max-clients 200
 !
ap650 5C-0E-8B-34-CE-3C
 use profile default-ap650
 use rf-domain default
 hostname Office
 country-code us
 area "Offices"
 interface radio1
  description "AP 6 -  Offices"
  rf-mode 2.4GHz-wlan
  channel 11
  power 17
  placement indoor
  wlan 1 bss 1 primary
  wlan 3 bss 3 primary
  wlan 5 bss 4 primary
 !
ap650 5C-0E-8B-34-CE-70
 use profile default-ap650
 use rf-domain default
 hostname ShopFloor
 country-code us
 area "Shop Floor"
 interface radio1
  description "AP 7 -  Shopfloor"
  rf-mode 2.4GHz-wlan
  channel 6
  power 28
  placement indoor
  wlan 1 bss 1 primary
  wlan 3 bss 3 primary
  wlan 5 bss 4 primary
 !
ap650 B4-C7-99-73-C6-F4
 use profile default-ap650
 use rf-domain default
 hostname Detail
 country-code us
 area "Detail Dept"
 interface radio1
  description "AP 8 -  New Bldg"
  rf-mode 2.4GHz-wlan
  channel smart
  power smart
  data-rates default
  placement indoor
  beacon dtim-period 2
  wlan 1 bss 1 primary
  wlan 3 bss 3 primary
  wlan 5 bss 4 primary
  no preamble-short
 !
 !
 end



Chris Kelly, Employee

Side note: I don't see anywhere in the config that any of the ip-access-list you have created have been applied.  The access-list exist, but they're not 'used' anywhere.

Regarding the DNS issue though, test a wireless client and see if it can PING something on the Internet like 8.8.8.8.  If this is some sort of a resolution problem then this will work.  But if you then try to PING a FQDN on the Internet like www.google.com, it won't work.  But in the off chance that a client is not able to even PING an IP address on the Internet, then we're dealing with a completely different issue...not simply a DNS problem.
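Two things in this exchange are easier with a small tool than with a text search: listing every line of a WiNG-5 running-config that names a given address together with the block it sits in (the "parent level" asked for earlier, and the later remark that no other references to the old address were found), and spotting settings in the posted listing that a security review would flag. The Python below is an added example, not code from the thread or from WiNG. It assumes the config's indentation is intact (WiNG nests each child line one space deeper than its parent and closes a block with "!"; the listing above lost a leading space on a few lines), and it runs on a constructed excerpt of the posted config with the secrets replaced by placeholders. The full listing is also a reminder of why a running-config should not be pasted into a public thread as-is: it carries WPA pre-shared keys in clear text (`psk 0`, some only partly masked), four WEP keys, user password hashes, SNMPv3 authentication hashes and the AP license key.

```python
"""Find every line of a WiNG-5 running-config that names a given address,
reported with the block it sits in, and flag management settings that
stand out in the posted listing.  Added example, not code from the thread
or from WiNG.  Assumes the config's indentation is intact: WiNG nests
child lines one space deeper than their parent and ends a block with '!'."""
import re
from collections.abc import Iterator

# Constructed excerpt modelled on the config posted in the thread; secrets replaced.
SAMPLE_CONFIG = """\
!
ip access-list ABCEmployees
 permit udp any any eq dns rule-precedence 20
 permit ip 192.168.0.0/24 host 10.0.70.9 rule-precedence 140
 deny ip any host 10.0.70.20 rule-precedence 150
!
wlan 4
 ssid ABC_ITDept
 encryption-type none
 wpa-wpa2 psk 0 PLACEHOLDER
 wep64 key 1 hex 0 0000000000
!
dhcp-server-policy default
 dhcp-pool EmployeeGuest
  network 192.168.0.0/24
  default-router 192.168.0.1
  dns-server  10.0.70.9
!
management-policy default
 http server
 no https server
 ssh
!
ex3500-management-policy default
 snmp-server community public ro
 snmp-server community private rw
!
rfs6000 5C-0E-8B-18-36-71
 ip default-gateway 10.0.70.1
 interface me1
  ip address 10.1.1.100/24
 interface vlan1
  ip address 10.0.70.20/23
!
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def walk(config: str) -> Iterator[tuple[list[str], str]]:
    """Yield (enclosing block headers, line) for each config line."""
    stack: list[str] = []    # headers of the enclosing blocks, outermost first
    depths: list[int] = []   # indentation of each header in `stack`
    for raw in config.splitlines():
        line = " ".join(raw.split())            # normalise internal whitespace
        if not line:
            continue
        if line == "!":                         # block terminator
            stack.clear(); depths.clear()
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while depths and depth <= depths[-1]:   # back out of finished blocks
            stack.pop(); depths.pop()
        yield list(stack), line
        stack.append(line); depths.append(depth)   # any line may own children


def find_references(config: str, ip: str) -> list[tuple[str, str]]:
    """(context, line) for every line containing `ip` as a whole address,
    so 10.0.70.2 does not match 10.0.70.20 or 10.0.70.200."""
    return [(" > ".join(path) or "(global)", line)
            for path, line in walk(config) if ip in IP_RE.findall(line)]


def management_findings(config: str) -> list[str]:
    """Settings a review would flag; checks cover only what the config text shows."""
    findings: list[str] = []
    mgmt: set[str] = set()
    for path, line in walk(config):
        ctx = " > ".join(path) or "(global)"
        if path == ["management-policy default"]:
            mgmt.add(line)
        first = line.split()[0]
        if first in ("wep64", "wep128"):
            findings.append(f"{ctx}: WEP key configured ({first})")
        elif line.startswith("wpa-wpa2 psk 0 "):          # 0 = key kept in clear text
            findings.append(f"{ctx}: WPA pre-shared key stored in clear text (psk 0)")
        elif line.startswith("snmp-server community ") and line.endswith(" rw"):
            findings.append(f"{ctx}: read-write SNMP community '{line.split()[2]}'")
    if "http server" in mgmt and "no https server" in mgmt:
        findings.append("management-policy default: web UI is plain HTTP only (no https server)")
    return findings


if __name__ == "__main__":
    for ctx, line in find_references(SAMPLE_CONFIG, "10.0.70.9"):
        print(f"{ctx}: {line}")
    print(*management_findings(SAMPLE_CONFIG), sep="\n")
```

Run against a saved `show running-config`, `find_references` with the old server address answers the "any other references?" question in one pass, and the context column is the "parent level" needed to know which `ip access-list` or `dhcp-pool` to enter on the CLI. The findings function is deliberately narrow: it only reports patterns visible in this thread's listing.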
DW76

Chris,  I didn't realize that I have to "apply" an access list.  How do I do that?
Chris Kelly, Employee

*** It appears that when I searched your config listing, I fat-fingered the search term and that's why I wasn't seeing that you have in fact used the ACLs...but since you ask, I'll describe this anyway***

It begins with WHERE you want to apply the ACL.  (note: this is a common theme when using WiNG-5.  You create things like ACL policies, DHCP server policies, WLANs, etc - but then you have to select where you want them to be used - Example, you create WLANs...but then you have to indicate that you want to use one in the AP's Profile.  Same thing with the ACLs you create)

With ACLs, where you indicate that it should be used depends on how you constructed the ACL.  In your case, it appears that you have ACLs created to control traffic originating at the wireless clients when attempting to reach somewhere after the AP, right?
In this case, the best way to do this is to create an ACL based on the understanding that you want to control that traffic when it comes in to the AP radio - from the wireless user.  So you create your rules.  Once you have that ACL, you then want to apply it to the applicable WLAN (so this is applied in the actual WLAN configuration).  Here's what one of yours looks like:

wlan 5
 description Guest Network
 ssid ABC_Visitor
 vlan 100
 bridging-mode tunnel
 encryption-type tkip-ccmp
 authentication-type none
 wpa-wpa2 psk 0 Visitor@xxx
 use ip-access-list in ABCEmployee2018

Notice the last line there.  The 'use' syntax is how you will normally specify that a device (controller, AP) should actually use something that you created.  In this case, you've specified that the WLAN setup should 'use' the ip-access-list name "ABCEmployee2018" and apply those rules to traffic coming from wireless users and entering the AP.  That's where the rules will then be processed.
You can also create ACLs and then apply them to Ethernet interfaces on APs or controllers.  Just FYI.



DW76

Thank you for explaining that.  As I'm reviewing this config, something that doesn't make sense to me:  ACL "ABCEmployees" specifies permit for the host IP of 10.0.70.9, while ACL "ABCEmployee2018" does not reference a host IP at all.  I see where the ACL ABCEmployee2018 is "used" for WLAN EmployeeWireless but not defined for Corporate Wireless.  Oddly, this does not seem to be an issue when using the old host IP, but could it be a problem with the new?  DNS for wired clients is fine so I'm hesitant to think this is a DNS issue, but is there something needed in DNS to allow Wifi traffic?  This is a new DNS server but was AD Integrated so should be a carbon copy of the old server config...
Chris Kelly, Employee

The ABCEmployees ACL has the entry:
 permit ip 192.168.0.0/24 host 10.0.70.9 rule-precedence 140

This specifies that traffic is permitted if:  It's ANY type protocol, originating from a device on the 192.168.0.0/24 subnet, and is destined for the single host address 10.0.70.9.

Then again...the ABCEmployees ACL also has several other 'permit' statements that are not contained in the 2018 version ACL.  The 2018 ACL is structured such that the only traffic allowed is:
- UDP traffic from any IP address, destined to ANY IP address as long as the destination is port range 67-68.  So this is so clients can get their DHCP lease.
 
- UDP traffic from any IP address, destined to ANY IP address as long as the destination port equals "dns" (in this case, dns is a built-in alias that equals port 53).

- DENY traffic from ANY IP address that is destined to the 10.0.70.0/23 subnet



So I'm assuming that the WLANs that have the 2018 ACL applied to them (these below) are correct - that wireless users on those ESSIDs should NOT be able to communicate with the 10.0.70.0/23 subnet.

wlan 3
 description Employee Wireless
 ssid ABC_Employee
 vlan 100

wlan 5
 description Guest Network
 ssid ABC_Visitor
 vlan 100

wlan test2
 shutdown
 ssid test2
 vlan 100

If you also want this sort of restriction applied to the Corporate Wireless, you can simply make the configuration change.
 - Go into wlan1 and issue the statement to 'use ip-access-list in ABCEmployee2018'
(Can also be done in the GUI, in the WLAN, look in the center column for the "Firewall" section.  Use the drop-down selector for the "Inbound Firewall Rules" option and choose the ABCEmployee2018 ACL)

To allow DNS traffic in an ACL, you just need to have that same single statement in any ACL you 'use', which is: 
permit udp any any eq dns rule-precedence (appropriate precedence number)


(TIP) name your WLANs the same as the SSID they use.  This makes it much easier when you are mapping them in the radio interfaces.  In that section, it only shows you the WLAN 'name' and not the actual SSID contained within that WLAN name...so you might find yourself asking...what SSID is wlan3 using? ...and you have to jump back over to the WLANs section to check and see.  If the WLAN name is the same as the SSID, this won't happen.







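The two ACL answers above (the rule-precedence overwrite used when changing the `host 10.0.70.2` entry, and the walk-through of what ABCEmployee2018 lets through) can be checked mechanically rather than by reading the rules. The Python below is an added example, not code from the thread or from WiNG: it parses the posted rule syntax for the subset this thread uses (`any`, `host`, prefix, `eq`, `range` and a few port aliases, whose numbers are the standard ones and an assumption on my part), evaluates a flow in ascending rule-precedence with first match wins and an implicit deny, and treats re-entering an existing precedence as a replacement, which is what the overwrite answer relies on. The rule text is the four ABCEmployee2018 lines and three ABCEmployees lines from the posted config; the flows are constructed.

```python
"""Evaluate WiNG-5 'ip access-list' rules as the thread describes them:
rules are tried in ascending rule-precedence, the first match wins, and
re-entering a precedence that already exists replaces that rule.  Traffic
no rule matches is dropped.  Added example (not WiNG code); the rule text
is copied from the ACLs posted above, the flows are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Subset of the port aliases WiNG accepts in ACL rules (assumed: standard port numbers).
PORT_ALIASES = {"dns": 53, "dhcps": 67, "www": 80, "https": 443, "smtp": 25}


@dataclass
class Rule:
    action: str                    # 'permit' or 'deny'
    proto: str                     # 'ip' matches every protocol
    src: ipaddress.IPv4Network
    sport: tuple[int, int] | None  # inclusive range, None = any port
    dst: ipaddress.IPv4Network
    dport: tuple[int, int] | None
    precedence: int


def _port(tok: str) -> int:
    return PORT_ALIASES[tok] if tok in PORT_ALIASES else int(tok)


def _endpoint(t: list[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D/len' plus optional 'eq P' or 'range P Q'."""
    if t[i] == "host":
        net, i = ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    elif t[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    else:
        # strict=False so '192.168.0.1/24', as written in the posted ACL, reads as 192.168.0.0/24
        net, i = ipaddress.ip_network(t[i], strict=False), i + 1
    ports = None
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1]); ports, i = (p, p), i + 2
    elif i < len(t) and t[i] == "range":
        ports, i = (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return net, ports, i


def parse_rule(text: str) -> Rule:
    t = text.split()
    src, sport, i = _endpoint(t, 2)
    dst, dport, i = _endpoint(t, i)
    if t[i] != "rule-precedence":
        raise ValueError(f"unsupported rule syntax: {text}")
    return Rule(t[0], t[1], src, sport, dst, dport, int(t[i + 1]))


class AccessList:
    def __init__(self, name: str, lines=()):
        self.name = name
        self.rules: dict[int, Rule] = {}   # keyed by precedence, so a repeat replaces
        for line in lines:
            self.add(line)

    def add(self, text: str) -> None:
        r = parse_rule(text)
        self.rules[r.precedence] = r

    def evaluate(self, proto: str, src: str, dst: str, sport: int = 0, dport: int = 0):
        """Return (action, precedence of the deciding rule); ('deny', None) if none matched."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for prec in sorted(self.rules):
            r = self.rules[prec]
            if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
                continue
            if r.sport and not r.sport[0] <= sport <= r.sport[1]:
                continue
            if r.dport and not r.dport[0] <= dport <= r.dport[1]:
                continue
            return r.action, prec
        return "deny", None


# Rule text as posted in the thread.
ABC_EMPLOYEE_2018 = [
    "permit udp any range 67 68 any range 67 68 rule-precedence 1",
    "permit udp any any eq dns rule-precedence 2",
    "deny ip any 10.0.70.0/23 rule-precedence 3",
    "permit ip 192.168.0.1/24 any rule-precedence 4",
]


def employee2018() -> AccessList:
    return AccessList("ABCEmployee2018", ABC_EMPLOYEE_2018)


def employees_after_dns_change() -> AccessList:
    """Three ABCEmployees lines, then precedence 140 re-entered with the new server."""
    acl = AccessList("ABCEmployees", [
        "permit udp any any eq dns rule-precedence 20",
        "permit ip 192.168.0.0/24 host 10.0.70.2 rule-precedence 140",
        "deny ip any host 10.0.70.20 rule-precedence 150",
    ])
    acl.add("permit ip 192.168.0.0/24 host 10.0.70.9 rule-precedence 140")  # replaces, not appends
    return acl


if __name__ == "__main__":
    acl = employee2018()
    for flow in [("udp", "0.0.0.0", "255.255.255.255", 68, 67),
                 ("udp", "192.168.0.50", "10.0.70.9", 51000, 53),
                 ("tcp", "192.168.0.50", "10.0.70.9", 51000, 443),
                 ("tcp", "192.168.0.50", "93.184.216.34", 51000, 443)]:
        print(flow, "->", acl.evaluate(*flow))
```

The evaluation shows why moving the DNS server to another 10.0.70.x address needs no ACL change on the WLANs that use ABCEmployee2018: a UDP/53 query to 10.0.70.9 matches the `eq dns` permit at precedence 2 before the `deny ip any 10.0.70.0/23` at precedence 3 is reached, while anything else from the client to that subnet is dropped by rule 3. It also shows that after re-entering precedence 140 the list still has three rules, with 10.0.70.2 no longer reachable and 10.0.70.9 in its place.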
DW76

Chris
First off, let me thank you for explaining all of this stuff to me.  I'm happy to say I have a much better understanding of how this device works and the configuration now.  Also, I have figured out the issue with our system and as it turned out, was an internal problem after all.  My apologies for taking up so much of your time but as I said--learned a lot which will come in handy down the road I'm sure.  Thanks again!
Chris Kelly, Employee

Glad to hear you got it resolved!  Happy to help do a little educating in the process too.