
Change config of RFS6000

DW76
New Contributor
I need to change the DNS IP address in my config. I can access the RFS6000 via IP address, web interface and see the running config. How can I edit this? Please advise. Thank you!
21 REPLIES 21

ckelly
Extreme Employee
*** It appears that when I searched your config listing, I fat-fingered the search term and that's why I wasn't seeing that you have in fact used the ACLs...but since you ask, I'll describe this anyway***

It begins with WHERE you want to apply the ACL. (Note: this is a common theme when using WiNG-5. You create things like ACL policies, DHCP server policies, WLANs, etc. - but then you have to select where you want them to be used. For example, you create WLANs...but then you have to indicate that you want to use one in the AP's Profile. Same thing with the ACLs you create.)

With ACLs, where you indicate that it should be used depends on how you constructed the ACL. In your case, it appears that you have ACLs created to control traffic originating at the wireless clients when attempting to reach somewhere after the AP, right?
In this case, the best way to do this is to create an ACL based on the understanding that you want to control that traffic when it comes in to the AP radio - from the wireless user. So you create your rules. Once you have that ACL, you then want to apply it to the applicable WLAN (so this is applied in the actual WLAN configuration). Here's what one of yours looks like:

wlan 5
description Guest Network
ssid ABC_Visitor
vlan 100
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
wpa-wpa2 psk 0 Visitor@xxx
use ip-access-list in ABCEmployee2018

Notice the last line there. The 'use' syntax is how you will normally specify that a device (controller, AP) should actually use something that you created. In this case, you've specified that the WLAN setup should 'use' the ip-access-list name "ABCEmployee2018" and apply those rules to traffic coming from wireless users and entering the AP. That's where the rules will then be processed.
You can also create ACLs and then apply them to Ethernet interfaces on APs or controllers. Just FYI.
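The define-then-'use' pattern described above can be audited mechanically. The following is an added example, not part of the original posts and not an Extreme tool: it cross-references `ip access-list` definitions against `use ip-access-list in` lines under each `wlan` block. The function name `audit_acl_usage` is hypothetical, and the sample is a trimmed excerpt of the configuration posted later in this thread.

```python
import re

# Trimmed excerpt of the configuration posted in this thread (rules shortened).
SAMPLE_CONFIG = """\
ip access-list ABCEmployeeGuest
 permit ip 192.168.0.0/24 any rule-precedence 10
!
ip access-list Hotspot
 permit udp any any eq dns rule-precedence 20
!
ip access-list ABCEmployee2018
 deny ip any 10.0.70.0/23 rule-precedence 3
!
ip access-list ABCEmployees
 permit udp any any eq dns rule-precedence 20
!
wlan 1
 ssid ABC_Wireless
!
wlan 2
 shutdown
 use ip-access-list in Hotspot
!
wlan 3
 use ip-access-list in ABCEmployee2018
!
wlan 5
 use ip-access-list in ABCEmployee2018
!
"""

def audit_acl_usage(config_text):
    """Map each ACL to the WLANs that 'use' it; list unused ACLs and ACL-less WLANs."""
    defined, applied, wlans, current = [], {}, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip access-list (\S+)", line):
            defined.append(m.group(1))
            current = None
        elif m := re.fullmatch(r"wlan (\S+)", line):
            current = m.group(1)
            wlans[current] = False
        elif line == "!":
            current = None  # '!' closes the current block
        elif current and (m := re.fullmatch(r"use ip-access-list in (\S+)", line)):
            applied.setdefault(m.group(1), []).append(current)
            wlans[current] = True
    unused = [a for a in defined if a not in applied]
    unfiltered = [w for w, has_acl in wlans.items() if not has_acl]
    return applied, unused, unfiltered
```

On this excerpt the audit reports two ACLs that are defined but never applied, and one WLAN with no inbound ACL at all.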

DW76
New Contributor
Chris, I didn't realize that I have to "apply" an access list. How do I do that?

ckelly
Extreme Employee
Side note: I don't see anywhere in the config that any of the ip-access-lists you have created have been applied. The access-lists exist, but they're not 'used' anywhere.

Regarding the DNS issue though, test a wireless client and see if it can PING something on the Internet like 8.8.8.8. If this is some sort of a resolution problem then this will work. But if you then try to PING a FQDN on the Internet like www.google.com, it won't work. But on the off chance that a client is not able to even PING an IP address on the Internet, then we're dealing with a completely different issue...not simply a DNS problem.

DW76
New Contributor
Chris-My apologies, I am out of the office now. I will test this again and report back tomorrow. The config on phones does show the new DNS IP. I am attaching the full config if that helps at all.

!
! Configuration of RFS6000 version 5.8.6.7-002R
!
!
version 2.5
!
!
ip access-list ABCEmployeeGuest
permit ip 192.168.0.0/24 any rule-precedence 10
!
ip access-list Hotspot
permit udp any eq 68 any eq dhcps rule-precedence 10
permit udp any any eq dns rule-precedence 20
permit tcp any any eq www rule-precedence 30
permit tcp any any eq https rule-precedence 40
permit tcp any any eq snpp rule-precedence 50
deny ip any host 10.0.70.20 rule-precedence 60
!
ip access-list ABCEmployee2018
permit udp any range 67 68 any range 67 68 rule-precedence 1
permit udp any any eq dns rule-precedence 2
deny ip any 10.0.70.0/23 rule-precedence 3

permit ip 192.168.0.1/24 any rule-precedence 4

ip access-list ABCEmployees
permit udp any eq 68 any eq dhcps rule-precedence 10
permit udp any any eq dns rule-precedence 20
permit tcp any any eq www rule-precedence 30
permit tcp any any eq https rule-precedence 40
permit tcp any any eq smtp rule-precedence 50
permit tcp any any eq imaps rule-precedence 60
permit tcp any any eq 587 rule-precedence 70
permit tcp any any eq pop3 rule-precedence 80
permit tcp any eq 443 any eq https rule-precedence 90
permit tcp any any eq 1723 rule-precedence 100
permit udp any any eq 500 rule-precedence 110
permit udp any any eq 4500 rule-precedence 115
permit ip 192.168.0.0/24 host 10.0.70.9 rule-precedence 140
deny ip 192.168.0.0/24 host 192.168.0.1 rule-precedence 145
deny ip any host 10.0.70.20 rule-precedence 150
!
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no ipv6 strict-ext-hdr-check
no ipv6 unknown-options
no ipv6 duplicate-options
no ipv6 option strict-hao-opt-check
no ipv6 option strict-padding
no stateful-packet-inspection-l2
alg sip
no ipv6-mac conflict
no ipv6-mac routing conflict
!
!
mint-policy global-default
!
wlan-qos-policy CBTest
qos trust dscp
qos trust wmm
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
aaa-policy AAA_POLICY_wlan_2
authentication server 1 onboard controller
!
captive-portal CaptivePortal2
server host CaptivePortal2.com
server mode centralized-controller
simultaneous-users 200
webpage internal login footer Please contact reception or I.T. if you do not have a User Name and Password
webpage internal login header ABC Guest Network Login
webpage internal welcome description You now have network access.
Please have this window open to display your remaining session time.

Click the disconnect link below to end this session.
webpage internal fail description Either the username and password are invalid, or service is unavailable at this time.
webpage internal agreement description Guest users agree to ABC web use policies.
webpage internal agreement header Terms of Use
use aaa-policy AAA_POLICY_wlan_2
webpage internal registration field city type text enable label "City" placeholder "Enter City"
webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
wlan 1
description Corporate Wireless
ssid ABC_Wireless
vlan 1
bridging-mode tunnel
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 xxxxx
!
wlan 2
description Hot Spot
shutdown
ssid ABC_Guest
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
use aaa-policy AAA_POLICY_wlan_2
use captive-portal CaptivePortal2
captive-portal-enforcement
ip arp trust
ip dhcp trust
acl exceed-rate wireless-client-denied-traffic 1000000 disassociate
use ip-access-list in Hotspot
!
wlan 3
description Employee Wireless
ssid ABC_Employee
vlan 100
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
wpa-wpa2 psk 0 xxxxx
use ip-access-list in ABCEmployee2018
!
wlan 4
description IT Dept Test Network
shutdown
ssid ABC_ITDept
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
wpa-wpa2 psk 0 xxxxx
wep64 key 1 hex 0 1273c26cbe
wep64 key 2 hex 0 5944e563a3
wep64 key 3 hex 0 e848578b45
wep64 key 4 hex 0 a23a40a20c
!
wlan 5
description Guest Network
ssid ABC_Visitor
vlan 100
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
wpa-wpa2 psk 0 Visitor@xxx
use ip-access-list in ABCEmployee2018
!
wlan test2
shutdown
ssid test2
vlan 100
bridging-mode tunnel
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 testtest
use ip-access-list in ABCEmployee2018
!
smart-rf-policy default
!
radius-group ABCGuestGroup
guest
policy vlan 1
policy ssid ABC_Guest
!
radius-user-pool-policy Guest
user Guest password 0 guest@ABC group ABCGuestGroup guest expiry-time 16:15 expiry-date 12/21/2019 start-time 16:15 start-date 12/20/2010
!
radius-server-policy default
use radius-user-pool-policy Guest
!
dhcp-server-policy default
dhcp-pool EmployeeGuest
network 192.168.0.0/24
address range 192.168.0.2 192.168.0.254
default-router 192.168.0.1
dns-server 10.0.70.9
!
!
management-policy default
no telnet
http server
no https server
no ftp
ssh
user admin password 1 871c077c9bc6d6eb7396e2056a1b0ff36a0ca882cc1e73f1089b1864746b47d2 role superuser access all
user cB password 1 cd93f6b1ec3aae6ae9a29d3138a90bf92b90e2d4 role superuser access all
user webadmin password 1 8893186442be830c7a8bea38184e4189239c55af role web-user-admin
snmp-server user snmpoperator v3 encrypted des auth md5 0 0xdd7f8e6f3a8f541942acb4158d31bbf5
snmp-server user snmptrap v3 encrypted des auth md5 0 0xcadb481610695a440a262f01636b317f
snmp-server user snmpmanager v3 encrypted des auth md5 0 0xcadb481610695a440a262f01636b317f
!
ex3500-management-policy default
snmp-server community public ro
snmp-server community private rw
snmp-server notify-filter 1 remote 127.0.0.1
snmp-server view defaultview 1 included
!
profile rfs6000 default-rfs6000
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto remote-vpn-client
interface me1
interface up1
interface ge1
interface ge2
interface ge3
interface ge4
interface ge5
interface ge6
interface ge7
interface ge8
interface wwan1
interface pppoe1
use firewall-policy default
service pm sys-restart
router ospf
router bgp
!
profile ap650 default-ap650
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
interface radio2
interface ge1
interface pppoe1
use firewall-policy default
service pm sys-restart
!
rf-domain default
country-code us
use smart-rf-policy default
!
rfs6000 5C-0E-8B-18-36-71
use profile default-rfs6000
use rf-domain default
hostname rfs6000-183671
license AP 1c4dc8ec8275e6c0d4914bb989c9f0da93bef016f88782847ede9b04e8f141e270a146ddbb479b59
location ABC
contact CB
timezone America/Chicago
country-code us
mac-name BC-85-56-34-D9-25 LCONF-WIN7
mac-name 00-23-68-AF-7B-9E ABCScan5
mac-name 60-D8-19-42-14-69 TSCREEN-win7
mac-name 24-77-03-D7-DD-E0 FS-win7lap
mac-name 00-23-68-AF-7C-EA ABCScan3
mac-name 00-23-68-AF-7C-76 ABCScan6
mac-name 00-23-68-AF-7A-B0 ABCScan4
mac-name BC-85-56-34-D8-CD UCONF-WIN7
mac-name 00-23-68-AF-7B-9F ABCScan2
mac-name 00-23-68-AF-7B-97 ABCScan1
spanning-tree mst cisco-interoperability enable
area "Server Room"
ip default-gateway 10.0.70.1
use radius-server-policy default
interface me1
ip address 10.1.1.100/24
interface up1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1
ip dhcp trust
interface ge1
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge2
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge3
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge4
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge5
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge6
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge7
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge8
switchport mode acce

ckelly
Extreme Employee
So is this client able to PING an Internet IP address? Is this just a resolution issue?
You say that the client does show that it has a DNS server as part of its DHCP lease info?