Change config of RFS6000

DW76
New Contributor
I need to change the DNS IP address in my config. I can access the RFS6000 via IP address, web interface and see the running config. How can I edit this? Please advise. Thank you!
21 REPLIES

ckelly
Extreme Employee
Glad to hear you got it resolved! Happy to help do a little educating in the process too.

DW76
New Contributor
Chris
First off, let me thank you for explaining all of this stuff to me. I'm happy to say I have a much better understanding of how this device works and the configuration now. Also, I have figured out the issue with our system and, as it turned out, it was an internal problem after all. My apologies for taking up so much of your time but as I said--learned a lot which will come in handy down the road I'm sure. Thanks again!

ckelly
Extreme Employee
The ABCEmployees ACL has the entry:
permit ip 192.168.0.0/24 host 10.0.70.9 rule-precedence 140

This specifies that traffic is permitted if: It's ANY type protocol, originating from a device on the 192.168.0.0/24 subnet, and is destined for the single host address 10.0.70.9.

Then again...the ABCEmployees ACL also has several other 'permit' statements that are not contained in the 2018 version ACL. The 2018 ACL is structured such that the only traffic allowed is:
- UDP traffic from any IP address, destined to ANY IP address as long as the destination is port range 67-68. So this is so clients can get their DHCP lease.

- UDP traffic from any IP address, destined to ANY IP address as long as the destination port equals "dns" (in this case, dns is a built-in alias that equals port 53).

- DENY traffic from ANY IP address that is destined to the 10.0.70.0/23 subnet

So I'm assuming that the WLANs that have the 2018 ACL applied to them (these below) are correct - that wireless users on those ESSIDs should NOT be able to communicate with the 10.0.70.0/23 subnet.

wlan 3
 description Employee Wireless
 ssid ABC_Employee
 vlan 100

wlan 5
 description Guest Network
 ssid ABC_Visitor
 vlan 100

wlan test2
 shutdown
 ssid test2
 vlan 100


If you also want this sort of restriction applied to the Corporate Wireless, you can simply make the configuration change.
- Go into wlan1 and issue the statement to 'use ip-access-list in ABCEmployee2018'
(Can also be done in the GUI, in the WLAN, look in the center column for the "Firewall" section. Use the drop-down selector for the "Inbound Firewall Rules" option and choose the ABCEmployee2018 ACL)

To allow DNS traffic in an ACL, you just need to have that same single statement in any ACL you 'use', which is:
permit udp any any eq dns rule-precedence (appropriate precedence number)

(TIP) name your WLANs the same as the SSID they use. This makes it much easier when you are mapping them in the radio interfaces. In that section, it only shows you the WLAN 'name' and not the actual SSID contained within that WLAN name...so you might find yourself asking...what SSID is wlan3 using? ...and you have to jump back over to the WLANs section to check and see. If the WLAN name is the same as the SSID, this won't happen.
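
Added example, not part of the thread and not taken from the poster's device: a small first-match evaluator for the rules described in the reply above, showing which flows each ACL matches. The precedence numbers for the 2018 rules, the lowest-precedence-first ordering, and the sample addresses 192.168.0.25, 10.0.70.10 and 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# Constructed model of the three ABCEmployee2018 rules as the reply describes them.
# Precedence numbers here are hypothetical; the thread does not show them.
ACL_2018 = [
    # (precedence, action, protocol, source, destination, destination ports)
    (10, "permit", "udp", "any", "any", range(67, 69)),   # DHCP, ports 67-68
    (20, "permit", "udp", "any", "any", range(53, 54)),   # "eq dns" (port 53)
    (30, "deny", "ip", "any", "10.0.70.0/23", None),      # block the server subnet
]

# The single ABCEmployees entry quoted in the thread (its other permits are not shown).
ACL_EMPLOYEES = [
    (140, "permit", "ip", "192.168.0.0/24", "10.0.70.9/32", None),  # "host 10.0.70.9"
]


def _addr_match(spec, addr):
    """True if addr falls inside spec, where spec is 'any' or a CIDR string."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, precedence) of the first matching rule.

    Assumption: rules are checked lowest precedence number first and the
    first match decides. Traffic matching none of the modelled rules is
    reported as 'no-match', since the thread does not show what follows.
    """
    for prec, action, r_proto, r_src, r_dst, r_ports in sorted(acl, key=lambda r: r[0]):
        if r_proto != "ip" and r_proto != proto:
            continue  # 'ip' matches any protocol, otherwise it must be equal
        if not (_addr_match(r_src, src) and _addr_match(r_dst, dst)):
            continue
        if r_ports is not None and dport not in r_ports:
            continue
        return action, prec
    return "no-match", None


if __name__ == "__main__":
    client = "192.168.0.25"  # constructed wireless client address
    print(evaluate(ACL_2018, "udp", client, "10.0.70.9", 53))        # DNS query over UDP
    print(evaluate(ACL_2018, "tcp", client, "10.0.70.9", 53))        # DNS over TCP
    print(evaluate(ACL_EMPLOYEES, "udp", client, "10.0.70.10", 53))  # a different server IP
```

In this model a UDP DNS query to any server is permitted before the subnet deny is reached, while the host-specific ABCEmployees entry only matches 10.0.70.9, so a server at a different address depends on that ACL's other rules.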

DW76
New Contributor
Thank you for explaining that. As I'm reviewing this config, something that doesn't make sense to me: ACL "ABCEmployees" specifies permit for the host IP of 10.0.70.9, while ACL "ABCEmployee2018" does not reference a host IP at all. I see where the ACL ABCEmployee2018 is "used" for WLAN EmployeeWireless but not defined for Corporate Wireless. Oddly, this does not seem to be an issue when using the old host IP, but could it be a problem with the new? DNS for wired clients is fine so I'm hesitant to think this is a DNS issue, but is there something needed in DNS to allow Wifi traffic? This is a new DNS server but was AD Integrated so should be a carbon copy of the old server config...