Question

How to create SSID only LAN

  • 26 July 2019
  • 9 replies
  • 520 views

Hi you

I use an RFS 4000 controller. How do I create an SSID-only LAN that does not connect to the internet?

Thank you

9 replies

Userlevel 6
Try supplying no default gateway or a non-existent default gateway in the DHCP lease?

Hi you

If there is no default gateway, my pings to the AP time out.
Userlevel 6
In that case, you'll need to create an IP ACL with the appropriate rules and then apply the ACL to the WLAN's inbound firewall.
You'll need to allow things like DHCP server traffic, DNS, DGW, and whatever else might be needed, but then disallow all other traffic (which will prevent the user from accessing anything else on that LAN).
Userlevel 2
Hello Chris,

Just created the rule:
permit ip x.x.x.x/24 x.x.x.x/24 rule-precedence 1
deny ip any any rule-precedence 100

and applied it inbound on the WLAN. The filtering is working well, but now I have something like roaming issues.
The DHCP server is inside the subnet; I don't need DNS.

Do I need to allow something else?

Thanks
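To make the ACL advice above concrete, here is an added example (not code from the thread or from Extreme Networks) that evaluates a precedence-ordered IP ACL, in the spirit of the `rule-precedence` syntax posted, against a few constructed packets. It uses a constructed subnet `10.0.0.0/24` in place of the thread's `x.x.x.x` values, and it assumes a packet that matches no rule is denied; whether the controller treats DHCP specially is not stated in the thread, so the evaluator treats DHCP like any other traffic. The point it illustrates is the first reply's note that DHCP must be permitted explicitly: a broadcast DISCOVER from an unconfigured client has source `0.0.0.0`, which the subnet-to-subnet permit never matches.

```python
"""Precedence-ordered IP ACL evaluator (constructed example, not WiNG code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan standing in for the x.x.x.x values in the thread.
WLAN_SUBNET = "10.0.0.0/24"


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any IP protocol; otherwise "udp", "tcp", "icmp"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    precedence: int        # lower number is checked first, like rule-precedence
    dst_port: Optional[int] = None


def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def evaluate(acl: list[Rule], pkt: dict) -> str:
    """Return the action of the lowest-precedence rule that matches the packet.

    Assumption: a packet matching no rule is denied (constructed default; the
    thread's ACL ends in an explicit deny anyway).
    """
    for rule in sorted(acl, key=lambda r: r.precedence):
        if rule.proto != "ip" and rule.proto != pkt["proto"]:
            continue
        if not (_in_net(rule.src, pkt["src"]) and _in_net(rule.dst, pkt["dst"])):
            continue
        if rule.dst_port is not None and pkt.get("dport") != rule.dst_port:
            continue
        return rule.action
    return "deny"


def posted_acl() -> list[Rule]:
    # The two rules from the thread, with the constructed subnet filled in.
    return [
        Rule("permit", "ip", WLAN_SUBNET, WLAN_SUBNET, precedence=1),
        Rule("deny", "ip", "any", "any", precedence=100),
    ]


def hardened_acl() -> list[Rule]:
    # Same intent, plus an explicit permit for DHCP client-to-server traffic
    # (UDP/67), which a DISCOVER from a client with no address yet needs.
    return [
        Rule("permit", "udp", "any", "any", precedence=1, dst_port=67),
        Rule("permit", "ip", WLAN_SUBNET, WLAN_SUBNET, precedence=10),
        Rule("deny", "ip", "any", "any", precedence=100),
    ]


# Constructed sample packets as the inbound (client-to-AP) firewall would see them.
SAMPLE_PACKETS = {
    "client_to_client_ping": {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.9"},
    "dhcp_discover": {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67},
    "dhcp_renew": {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1", "dport": 67},
    "internet_https": {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443},
}


def run_samples(acl: list[Rule]) -> dict[str, str]:
    """Evaluate every sample packet and return name -> action."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("posted", posted_acl()), ("hardened", hardened_acl())):
        print(label, run_samples(acl))
```

With the posted rules, intra-subnet traffic and a unicast DHCP renew pass and internet-bound traffic is dropped, but the broadcast DISCOVER is dropped too; the hardened list keeps the same isolation and adds only the DHCP permit.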
Userlevel 6
What are you seeing that looks like a roaming issue?
Userlevel 2
Hello Chris,

After applying this policy, when the MU roams to another AP there is no IP connectivity to the client.
It seems the Ethernet side is not synchronized.
Any ideas?

Thanks
Aviv
Userlevel 6
So you're saying that after the client roams, the client loses its IP address?
By chance, in the WLAN profile, do you have the option "Enforce DHCP Client Only" enabled? (It's under the WLAN Profile Client Settings section in the GUI)
Userlevel 2
Hello Chris,

After roaming, the MUs keep their IPs, but I can't ping them until the MU comes back to the previous AP or disconnects and reconnects to any AP.

It seems ARPs/MACs are not synced when MUs roam.

ip access-list 111
permit ip x.x.x.x/24 x.x.x.x/24 rule-precedence 1
deny ip any any rule-precedence 100

wlan xxx
ssid xxx
bridging-mode local
encryption-type ccmp
wpa-wpa2 psk 0 xxxxxxxx
use ip-access-list in 111
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4

profile ap7532 test-ap7532
no mint mlcp vlan
ip default-gateway x.x.x.x
interface radio1
wlan xxx bss 1 primary
interface radio2
interface ge1
interface vlan1
ip address dhcp
ip address zeroconf secondary
logging on
controller host x.x.x.x pool 1 level 1

Thanks

Aviv
Userlevel 6
Okay, totally different issue then. Client roams to another AP and maintains an IP address (Assuming that you are somehow verifying that the client still has an IP address - Is it the SAME IP address?). And if the client roams back to original AP, the PING replies resume. Interesting.

So after the roam, the client no longer responds to PING requests at a known IP address, or what you believe to be its IP address.

Log into the AP that the client roams to (and the client is no longer PING'able) and from the CLI run:
#show wireless client

Do you see the client listed?
You should, and you should see the device MAC and an IP address.
Is the IP address what you expect it to be?
If so, try running another PING against it while running the command on the CLI:

#service pktcap on bridge filter icmp

The AP should be proxy ARP'ing for the client. But, if the AP isn't showing the client and the WLAN's Proxy ARP mode is set to strict, then I guess that's a scenario when there might not be a reply.
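The checks in this last reply (is the client listed on the new AP, and with the expected IP?) together with the strict proxy ARP hypothesis can be written down as a small decision model. The following is an added, constructed example, not WiNG's implementation or anything from the thread: two hypothetical APs each keep a MAC-to-IP client table, a roam moves the client's entry, and an ARP request from the wired side is answered by proxy only if the IP is in the table. The `ip_synced` flag models the suspected failure where the new AP learns the MAC but not its IP binding; the `proxy_arp_strict` flag models the "drop rather than forward" behaviour the reply describes for strict mode.

```python
"""Constructed model of proxy ARP across a client roam (not WiNG code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessPoint:
    name: str
    proxy_arp_strict: bool
    # MAC -> IP, standing in for what 'show wireless client' would list.
    clients: dict[str, Optional[str]] = field(default_factory=dict)


def associate(ap: AccessPoint, mac: str, ip: str) -> None:
    """Client joins this AP and is recorded with its IP binding."""
    ap.clients[mac] = ip


def roam(src: AccessPoint, dst: AccessPoint, mac: str, ip_synced: bool) -> None:
    """Move the client's entry to the new AP.

    ip_synced=False models the suspected failure: the new AP sees the MAC
    but has no IP for it.
    """
    ip = src.clients.pop(mac)
    dst.clients[mac] = ip if ip_synced else None


def handle_arp_request(ap: AccessPoint, target_ip: str) -> str:
    """Decide what the AP does with an ARP request arriving from the wired side.

    Known IP: proxy-reply with the client's MAC. Unknown IP: 'drop' under
    strict proxy ARP, 'forward' (let the client answer itself) otherwise.
    """
    for mac, ip in ap.clients.items():
        if ip == target_ip:
            return f"reply:{mac}"
    return "drop" if ap.proxy_arp_strict else "forward"


def roam_scenario(strict: bool, ip_synced: bool) -> dict[str, str]:
    """Associate on ap1, roam to ap2, and report what a wired ping's ARP gets."""
    ap1 = AccessPoint("ap1", strict)
    ap2 = AccessPoint("ap2", strict)
    mac, ip = "00:11:22:33:44:55", "10.0.0.5"   # constructed client
    associate(ap1, mac, ip)
    before = handle_arp_request(ap1, ip)
    roam(ap1, ap2, mac, ip_synced)
    after = handle_arp_request(ap2, ip)
    return {
        "before_roam": before,
        "after_roam": after,
        "client_listed_on_ap2": "yes" if mac in ap2.clients else "no",
        "ip_matches_expected": "yes" if ap2.clients.get(mac) == ip else "no",
    }


if __name__ == "__main__":
    for strict in (True, False):
        for synced in (True, False):
            print(f"strict={strict} ip_synced={synced}:", roam_scenario(strict, synced))
```

The case to compare against the CLI output is `strict=True, ip_synced=False`: the client is listed on the new AP but without the expected IP, and the ARP request that a ping depends on gets no reply, which is exactly the symptom described in the thread; with strict mode off the request is forwarded and the client can answer for itself.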
