Different Vlan not Communicate

  • Problem
  • Updated 4 months ago
  • Not a Problem
Hi,
I am using an AP 7532 with firmware 5.9.2. I created two VLANs (vlan1 & vlan2) and two SSIDs (Employee & Guest) on this AP. The IP addresses of vlan1 & vlan2 are 192.168.10.10 & 192.168.2.10. SSID Employee is mapped to vlan1 and Guest is mapped to vlan2. After configuring, I connected two clients to the different SSIDs. I can reach from guest to employee, but I can't reach from employee to guest.

The client below is connected to SSID Employee. This client's IP address is 192.168.10.105.

Another client is connected to SSID Guest. Its IP address is 192.168.2.20. So the ping from client 192.168.2.10 to 192.168.10.105 works, but the ping from 192.168.10.105 to 192.168.2.20 does not.

Saravanamurthy K

Posted 5 months ago


Eric Burke

What is responsible for routing between networks in your environment? It sounds like you possibly reversed your routing and policy logic (meaning employee might be trusted more than guest and only ping in that direction). Regardless, those routes, rules and policies are up to you.

Ronald Dvorak, Embassador

Or the client in the guest network has a personal firewall installed that doesn't allow pinging the device.

Robert Zarzycki, Employee

Can you show us the 'ip access-list nat-rule' you configured on the AP?

Saravanamurthy K

Now I am sharing all my configuration details.
LAN:


WAN:

Wireless:

Services:


Access Point:



Saravanamurthy K


ap7532-18A21C#sh running-config
!
! Configuration of AP7532 version 5.9.2.0-032R
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
ip access-list default-B8500118A21C-nat
 permit ip any any rule-precedence 1
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
 permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
 no stateful-packet-inspection-l2
 ip tcp adjust-mss 1400
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy Employee
 rate-limit client to-air rate 5000
 rate-limit client from-air rate 5000
 qos trust dscp
 qos trust wmm
!
wlan-qos-policy Guest
 rate-limit client to-air rate 5000
 rate-limit client from-air rate 5000
 qos trust dscp
 qos trust wmm
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
wlan Employee
 description Employee
 ssid Employee
 vlan 1
 bridging-mode local
 encryption-type ccmp
 authentication-type none
 no fast-bss-transition over-ds
 wpa-wpa2 psk 0 Employee@123
 use wlan-qos-policy Employee
!
wlan Guest
 description Guest
 ssid Guest
 vlan 2
 bridging-mode local
 encryption-type ccmp
 authentication-type none
 no fast-bss-transition over-ds
 wpa-wpa2 psk 0 Guest@123
 use wlan-qos-policy Guest
!
dhcp-server-policy WiNGExpressDhcpSvrPolicy
 dhcp-pool default-vlan2-pool
  network 192.168.2.0/24
  address range 192.168.2.11 192.168.2.20
  default-router 192.168.2.10
  dns-server  192.168.2.10 8.8.8.8
!
!
management-policy default
 telnet
 no http server
 https server
ip address zeroconf secondary
  ip dhcp client request options all
 interface vlan2
  description Guest
  ip address dhcp
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 logging on
 service pm sys-restart
 router ospf
 adoption-mode controller
!
rf-domain default
 timezone Asia/Calcutta
 country-code in
 use nsight-policy default
!
ap7532 B8-50-01-18-A2-1C
 use profile default-ap7532
 use rf-domain default
 hostname ap7532-18A21C
 location default
 ip name-server 8.8.8.8
 ip name-server 4.2.2.2
 ip default-gateway 192.168.10.1
 interface vlan1
  description "WAN Interface"
  ip address 192.168.10.10/24
  no ip dhcp client request options all
  ip nat inside
  no shutdown
 interface vlan2
  description Guest
  ip address 192.168.2.10/24
  ip nat inside
 use dhcp-server-policy WiNGExpressDhcpSvrPolicy
 virtual-controller
 rf-domain-manager capable
 ip dns-server-forward
 ip nat inside source list default-B8500118A21C-nat precedence 1 interface vlan1 overload
 no adoption-mode
 !
 !
 end
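
The posted configuration maps Employee and Guest to different VLANs, gives the AP an address on each, and attaches no IP ACL to either WLAN. As an added example (not part of the original thread and not vendor code), the script below extracts exactly that from a WiNG running-config. The `use ip-access-list` attachment syntax is an assumption not shown on the page, and the check reports only whether an ACL is attached, not what its rules allow.

```python
import ipaddress
import itertools
import re

# Constructed excerpt: lines copied from the running-config posted above.
CONFIG = """\
wlan Employee
 vlan 1
!
wlan Guest
 vlan 2
!
ap7532 B8-50-01-18-A2-1C
 interface vlan1
  ip address 192.168.10.10/24
 interface vlan2
  ip address 192.168.2.10/24
"""

def parse(cfg):
    """Return ({wlan: [vlan, has_acl]}, {vlan: network}) from WiNG config text."""
    wlans, nets, wlan, vlan = {}, {}, None, None
    for raw in cfg.splitlines():
        text = raw.strip()
        if text in ("", "!"):                    # separators and scrape blank lines
            continue
        if not raw.startswith(" "):              # top-level block header
            wlan, vlan = (text[5:] if text.startswith("wlan ") else None), None
            if wlan:
                wlans[wlan] = [None, False]
        elif wlan and re.fullmatch(r"vlan \d+", text):
            wlans[wlan][0] = int(text[5:])
        elif wlan and text.startswith("use ip-access-list "):
            wlans[wlan][1] = True                # assumed WiNG syntax for a WLAN ACL
        elif not raw.startswith("  "):           # one-space indent: new statement
            vlan = int(text[14:]) if re.fullmatch(r"interface vlan\d+", text) else None
        elif vlan is not None and (m := re.fullmatch(r"ip address (\S+/\d+)", text)):
            nets[vlan] = ipaddress.ip_interface(m.group(1)).network
    return wlans, nets

def unfiltered_pairs(cfg):
    """WLAN pairs on different AP-addressed VLANs with no ACL on either WLAN."""
    wlans, nets = parse(cfg)
    pairs = itertools.combinations(sorted(wlans.items()), 2)
    return [(a, str(nets[va]), c, str(nets[vc]))
            for (a, (va, fa)), (c, (vc, fc)) in pairs
            if va != vc and va in nets and vc in nets and not (fa or fc)]

print(unfiltered_pairs(CONFIG))
```
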

Saravanamurthy K

Awaiting the reply.

Robert Zarzycki, Employee

Let us start with configuring the firewall for best practice.


How To: How to apply the best practices firewall policy to WiNG APs