Change config of RFS6000
‎09-13-2018 02:08 PM
I need to change the DNS IP address in my config. I can access the RFS6000 via IP address, web interface and see the running config. How can I edit this? Please advise. Thank you!
21 REPLIES 21
‎09-14-2018 07:49 PM
Glad to hear you got it resolved! Happy to help do a little educating in the process too.
‎09-14-2018 07:36 PM
Chris
First off, let me thank you for explaining all of this stuff to me. I'm happy to say I have a much better understanding of how this device works and the configuration now. Also, I have figured out the issue with our system and, as it turned out, it was an internal problem after all. My apologies for taking up so much of your time but as I said--learned a lot which will come in handy down the road I'm sure. Thanks again!
‎09-14-2018 04:13 PM
The ABCEmployees ACL has the entry:
permit ip 192.168.0.0/24 host 10.0.70.9 rule-precedence 140
This specifies that traffic is permitted if: It's ANY type protocol, originating from a device on the 192.168.0.0/24 subnet, and is destined for the single host address 10.0.70.9.
Then again...the ABCEmployees ACL also has several other 'permit' statements that are not contained in the 2018 version ACL. The 2018 ACL is structured such that the only traffic allowed is:
- UDP traffic from any IP address, destined to ANY IP address as long as the destination is port range 67-68. So this is so clients can get their DHCP lease.
- UDP traffic from any IP address, destined to ANY IP address as long as the destination is port equals "dns" (in this case, dns is a built in alias that equals port 53)
- DENY traffic from ANY IP address that is destined to the 10.0.70.0/23 subnet
So I'm assuming that the WLANs that have the 2018 ACL applied to it (These below) are correct - that wireless users on those ESSIDs should NOT be able to communicate with the 10.0.70.0/23 subnet.
wlan 3
 description Employee Wireless
 ssid ABC_Employee
 vlan 100
wlan 5
 description Guest Network
 ssid ABC_Visitor
 vlan 100
wlan test2
 shutdown
 ssid test2
 vlan 100
If you also want this sort of restriction applied to the Corporate Wireless, you can simply make the configuration change.
- Go into wlan1 and issue the statement to 'use ip-access-list in ABCEmployee2018'
(Can also be done in the GUI, in the WLAN, look in the center column for the "Firewall" section. Use the drop-down selector for the "Inbound Firewall Rules" option and choose the ABCEmployee2018 ACL)
To allow DNS traffic in an ACL, you just need to have that same single statement in any ACL you 'use', which is:
permit udp any any eq dns rule-precedence (appropriate precedence number)
(TIP) name your WLANs the same as the SSID they use. This makes it much easier when you are mapping them in the radio interfaces. In that section, it only shows you the WLAN 'name' and not the actual SSID contained within that WLAN name...so you might find yourself asking...what SSID is wlan3 using? ...and you have to jump back over to the WLANs section to check and see. If the WLAN name is the same as the SSID, this won't happen.
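The rule matching described in the post above, as an added example that is not part of the original post or the controller's own code: a small Python evaluator that assumes rules are tried in ascending rule-precedence, the first match wins, and anything unmatched is denied. The 2018 rules are rebuilt from the post's description; their precedence numbers and the `range 67 68` spelling are assumptions.

```python
import ipaddress

# Constructed from the post's description of ABCEmployee2018.
# Precedence values 10-30 and the "range" spelling are placeholders.
ACL_2018 = """
permit udp any any range 67 68 rule-precedence 10
permit udp any any eq dns rule-precedence 20
deny ip any 10.0.70.0/23 rule-precedence 30
"""
# The single ABCEmployees entry quoted in the post (its other permits are not shown).
ACL_EMPLOYEES = "permit ip 192.168.0.0/24 host 10.0.70.9 rule-precedence 140"
PORT_ALIASES = {"dns": 53}  # built-in alias mentioned in the post

def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or a CIDR."""
    head = tok.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(head)

def parse_acl(text):
    """Parse rule lines into tuples sorted by rule-precedence."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst, ports = _addr(tok), _addr(tok), None
        if tok[0] == "eq":
            port = int(PORT_ALIASES.get(tok[1], tok[1]))
            ports, tok = (port, port), tok[2:]
        elif tok[0] == "range":
            ports, tok = (int(tok[1]), int(tok[2])), tok[3:]
        rules.append((int(tok[1]), action, proto, src, dst, ports))
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, precedence) of the first matching rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prec, action, r_proto, r_src, r_dst, ports in rules:
        if r_proto not in ("ip", proto) or s not in r_src or d not in r_dst:
            continue
        if ports and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        return action, prec
    return "deny", None  # assumption: implicit deny when nothing matches
```

With these rules a UDP DNS query to 10.0.70.9 matches the DNS permit before the subnet deny is reached, while TCP to the same host, including TCP port 53, falls through to the deny.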
‎09-14-2018 02:15 PM
Thank you for explaining that. As I'm reviewing this config, something that doesn't make sense to me: ACL "ABCEmployees" specifies permit for the host IP of 10.0.70.9, while ACL "ABCEmployee2018" does not reference a host IP at all. I see where the ACL ABCEmployee2018 is "used" for WLAN EmployeeWireless but not defined for Corporate Wireless. Oddly, this does not seem to be an issue when using the old host IP, but could it be a problem with the new? DNS for wired clients is fine so I'm hesitant to think this is a DNS issue, but is there something needed in DNS to allow Wifi traffic? This is a new DNS server but was AD Integrated so should be a carbon copy of the old server config...
