topic RE: Different Vlan not Communicate in ExtremeWireless (WiNG)

Different Vlan not Communicate

Saravanamurthy_ — Wed, 27 Jun 2018 15:24:00 GMT

Hi,
I am using AP 7532, firmware is 5.9.2. I created two vlan (vlan1 & vlan2) & two SSID (Employee & Guest) in this AP. IP address are vlan1 & vlan2 as 192.168.10.10 & 192.168.2.10. SSID Employee is mapped to vlan1 and Guest is mapped to vlan2. after configuring i connected two client with different SSID. I reached guest to employee. but i cant employee to guest.

Below Client connected to SSID Employee. This Client ip address is 192.168.10.105.

Another Client connected to SSID Guest. that IP address is 192.168.2.20. so Client from 192.168.2.10 to 192.168.10.105 is pinging. but from 192.168.10.105 to 192.168.2.20 is not pinging.

RE: Different Vlan not Communicate

Eric_Burke — Wed, 27 Jun 2018 16:30:00 GMT

What is responsible for routing between networks in your environment? It sounds like you possibly reversed your routing and policy logic (meaning employee might be trusted more than guest and only ping in that direction). Regardless, those routes, rules and polocies are up to you.

RE: Different Vlan not Communicate

Ronald_Dvorak — Wed, 27 Jun 2018 16:36:00 GMT

Or the client in the guest network has a personal firewall installed that don't allow to ping the device.

RE: Different Vlan not Communicate

RobertZ — Wed, 27 Jun 2018 17:31:00 GMT

Can you show us the 'ip access-list nat-rule' you configured on AP

RE: Different Vlan not Communicate

Saravanamurthy_ — Thu, 28 Jun 2018 11:17:00 GMT

Now i share all my configuration details.
LAN:

WAN:

Wireless:

Services:

Access Point:

RE: Different Vlan not Communicate

Saravanamurthy_ — Thu, 28 Jun 2018 11:19:00 GMT

ap7532-18A21C#sh running-config

!

! Configuration of AP7532 version 5.9.2.0-032R

!

!

version 2.5

!

!

client-identity-group default

load default-fingerprints

!

ip access-list BROADCAST-MULTICAST-CONTROL

permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"

permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"

deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"

deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"

deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"

permit ip any any rule-precedence 100 rule-description "permit all IP traffic"

!

ip access-list default-B8500118A21C-nat

permit ip any any rule-precedence 1

!

mac access-list PERMIT-ARP-AND-IPv4

permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"

permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"

!

ip snmp-access-list default

permit any

!

firewall-policy default

no ip dos tcp-sequence-past-window

no stateful-packet-inspection-l2

ip tcp adjust-mss 1400

!

!

mint-policy global-default

!

meshpoint-qos-policy default

!

wlan-qos-policy Employee

rate-limit client to-air rate 5000

rate-limit client from-air rate 5000

qos trust dscp

qos trust wmm

!

wlan-qos-policy Guest

--More—

rate-limit client to-air rate 5000

rate-limit client from-air rate 5000

qos trust dscp

qos trust wmm

!

wlan-qos-policy default

qos trust dscp

qos trust wmm

!

radio-qos-policy default

!

wlan Employee

description Employee

ssid Employee

vlan 1

bridging-mode local

encryption-type ccmp

authentication-type none

no fast-bss-transition over-ds

wpa-wpa2 psk 0 Employee@123

use wlan-qos-policy Employee

!

wlan Guest

description Guest

ssid Guest

vlan 2

bridging-mode local

encryption-type ccmp

authentication-type none

no fast-bss-transition over-ds

wpa-wpa2 psk 0 Guest@123

use wlan-qos-policy Guest

!

dhcp-server-policy WiNGExpressDhcpSvrPolicy

dhcp-pool default-vlan2-pool

network 192.168.2.0/24

address range 192.168.2.11 192.168.2.20

default-router 192.168.2.10

dns-server 192.168.2.10 8.8.8.8

!

!

management-policy default

telnet

no http server

https server

ip address zeroconf secondary

ip dhcp client request options all

interface vlan2

description Guest

ip address dhcp

interface pppoe1

use firewall-policy default

use client-identity-group default

logging on

service pm sys-restart

router ospf

adoption-mode controller

!

rf-domain default

timezone Asia/Calcutta

country-code in

use nsight-policy default

!

ap7532 B8-50-01-18-A2-1C

use profile default-ap7532

use rf-domain default

hostname ap7532-18A21C

location default

ip name-server 8.8.8.8

ip name-server 4.2.2.2

ip default-gateway 192.168.10.1

interface vlan1

description "WAN Interface"

ip address 192.168.10.10/24

no ip dhcp client request options all

ip nat inside

no shutdown

interface vlan2

description Guest

ip address 192.168.2.10/24

ip nat inside

use dhcp-server-policy WiNGExpressDhcpSvrPolicy

virtual-controller

rf-domain-manager capable

ip dns-server-forward

ip nat inside source list default-B8500118A21C-nat precedence 1 interface vlan1 overload

no adoption-mode

!

!

end

RE: Different Vlan not Communicate

Saravanamurthy_ — Wed, 04 Jul 2018 10:57:00 GMT

awaiting for the reply

RE: Different Vlan not Communicate

RobertZ — Thu, 05 Jul 2018 09:01:00 GMT

let us start with configuring the firewall for best practice

How To: How to apply the best practices firewall policy to WiNG APs