Extreme Switch Multi SSID
Hello everyone
I have a single stack of Extreme switch.
I have connected a DLINK-3200AP access point to it.
I have created two SSID (Dlink --VLAN 3 & G_V_7 --VLAN 7)
I have following VLANS on the Switch
VLAN 3 DATA
VLAN 2 Voice
VLAN 7 Wifi
I m using the Extreme Switch to give the Access Points clients IP Addresses
Which is working fine. VLAN 3 DATA gets its allotted ip address along with it's gateway and DNS Server and the same for VLAN 7 Wifi
On VLAN 3 --SSID DLINK -- it works properly, as i m able to surf the internet along with accessing all the servers on the wired LAN
The Problem is with VLAN 7-- SSID G_V_7 -- (i simply need internet access as this SSID is only for Guests use)
When i connect to SSID G_V_7 i get a proper ip address eg 172.16.172.50/24 Gateway 172.16.172.1
i can ping the gateway (172.16.172.1) i can ping the interface on VLAN 3 (192.168.18.1) and VLAN 2 (192.168.200.1) These are all on the Extreme Switch
The DLINK-3200AP is connected on Port 1:29
Port 1:29 is currently setup as follows
VLAN3 Data = UNTAG
VLAN7 Wifi = TAGGED
VLAN2 Voice = TAGGED
IP FOrwarding is set on all VLAN hence i can ping the interfaces of different VLAN
192.168.18.3 is the CISCO router which is connected on Port 4:25
* Slot-1 Stack.1 # sh iproute
Ori Destination Gateway Mtr Flags VLAN Duration
#s Default Route 192.168.18.3 1 UG---S-um--f data 0d:5h:22m:33s
#d 192.168.16.0/21 192.168.18.1 1 U------um--f data 323d:8h:14m:2s
#d 192.168.200.0/24 192.168.200.1 1 U------um--f voice 323d:8h:14m:2s
#d 172.16.172.0/24 172.16.172.1 1 U------um--f wifi 1d:4h:8m:0s
**************************
VLAN Interface with name wifi created by user
Admin State: Enabled Tagging: 802.1Q Tag 7
Virtual router: VR-Default
Primary IP : 172.16.172.1/24
IPv6: None
STPD: None
Protocol: Match all unfiltered protocols
Loopback: Disabled
NetLogin: Disabled
QosProfile: None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile: None configured
Ports: 2. (Number of active ports=2)
Tag: *1:29, *4:25
##########################
VLAN Interface with name DATA created by user
Admin State: Enabled Tagging: 802.1Q Tag 3
Virtual router: VR-Default
Primary IP : 192.168.18.1/21
IPv6: None
STPD: None
Protocol: Match all unfiltered protocols
Loopback: Disabled
NetLogin: Disabled
QosProfile: None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile: None configured
Ports: 136. (Number of active ports=88)
Untag: *1:1, 1:2, 1:3, *1:4, *1:5, *1:6, *1:7,
1:8, *1:9, *1:10, *1:11, *1:12, 1:13, *1:14,
*1:15, *1:16, *1:17, *1:18, 1:19, *1:20, 1:21,
1:22, 1:23, 1:24, *1:25, *1:26, *1:27, 1:28,
*1:29, 1:30, 1:31, *1:32, *1:33, *1:34, 1:35,
*1:36, *1:37, *1:38, *1:39, *1:40, *1:41, *1:42,
*1:43, *1:44, 1:45, *1:46, 1:47, *1:48, 1:49,
2:1, *2:2, *2:3, 2:4, 2:5, *2:6, *2:7,
2:8, 2:9, *2:10, *2:11, *2:12, *2:13, *2:14,
*2:15, *2:16, *2:17, *2:18, *2:19, *2:20, *2:21,
2:22, *2:23, *2:24, *2:25, 2:26, 2:27, *2:28,
2:29, *2:30, 2:31, *2:32, *2:33, *2:34, 2:35,
*2:36, *2:37, *2:38, *2:39, 2:40, *2:41, 2:42,
*2:43, *2:44, 2:45, 2:46, *2:47, *2:48, 2:49,
3:1, *3:2, 3:3, 3:4, *3:5, *3:6, 3:7,
*3:8, *3:9, *3:10, *3:11, *3:12, *3:13, *3:14,
*3:15, 3:16, *3:17, 3:18, 3:19, 3:20, 3:21,
*3:22, 3:23, *3:24, 3:25, *4:13, *4:14, 4:15,
4:16, *4:17, 4:18, *4:19, 4:20, *4:21, *4:22,
4:23, *4:24, *4:25
Flags: (*) Active, (!) Disabled, (g) Load Sharing port
##########################
VLAN Interface with name voice created by user
Admin State: Enabled Tagging: 802.1Q Tag 2
Virtual router: VR-Default
Primary IP : 192.168.200.1/24
IPv6: None
STPD: None
Protocol: Match all unfiltered protocols
Loopback: Disabled
NetLogin: Disabled
QosProfile: None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile: None configured
Ports: 136. (Number of active ports=89)
Untag: *1:50, 2:50, 3:26, *4:26
Tag: *1:1, 1:2, 1:3, *1:4, *1:5, *1:6, *1:7,
1:8, *1:9, *1:10, *1:11, *1:12, 1:13, *1:14,
*1:15, *1:16, *1:17, *1:18, 1:19, *1:20, 1:21,
1:22, 1:23, 1:24, *1:25, *1:26, *1:27, 1:28,
*1:29, 1:30, 1:31, *1:32, *1:33, *1:34, 1:35,
*1:36, *1:37, *1:38, *1:39, *1:40, *1:41, *1:42,
*1:43, *1:44, 1:45, *1:46, 1:47, *1:48, 2:1,
*2:2, *2:3, 2:4, 2:5, *2:6, *2:7, 2:8,
2:9, *2:10, *2:11, *2:12, *2:13, *2:14, *2:15,
*2:16, *2:17, *2:18, *2:19, *2:20, *2:21, 2:22,
*2:23, *2:24, *2:25, 2:26, 2:27, *2:28, 2:29,
*2:30, 2:31, *2:32, *2:33, *2:34, 2:35, *2:36,
*2:37, *2:38, *2:39, 2:40, *2:41, 2:42, *2:43,
*2:44, 2:45, 2:46, *2:47, *2:48, 3:1, *3:2,
3:3, 3:4, *3:5, *3:6, 3:7, *3:8, *3:9,
*3:10, *3:11, *3:12, *3:13, *3:14, *3:15, 3:16,
*3:17, 3:18, 3:19, 3:20, 3:21, *3:22, 3:23,
*3:24, *4:13, *4:14, 4:15, 4:16, *4:17, 4:18,
*4:19, 4:20, *4:21, *4:22, 4:23, *4:24
Flags: (*) Active, (!) Disabled, (g) Load Sharing port
##########################
Please assist
I have a single stack of Extreme switch.
I have connected a DLINK-3200AP access point to it.
I have created two SSID (Dlink --VLAN 3 & G_V_7 --VLAN 7)
I have following VLANS on the Switch
VLAN 3 DATA
VLAN 2 Voice
VLAN 7 Wifi
I m using the Extreme Switch to give the Access Points clients IP Addresses
Which is working fine. VLAN 3 DATA gets its allotted ip address along with it's gateway and DNS Server and the same for VLAN 7 Wifi
On VLAN 3 --SSID DLINK -- it works properly, as i m able to surf the internet along with accessing all the servers on the wired LAN
The Problem is with VLAN 7-- SSID G_V_7 -- (i simply need internet access as this SSID is only for Guests use)
When i connect to SSID G_V_7 i get a proper ip address eg 172.16.172.50/24 Gateway 172.16.172.1
i can ping the gateway (172.16.172.1) i can ping the interface on VLAN 3 (192.168.18.1) and VLAN 2 (192.168.200.1) These are all on the Extreme Switch
The DLINK-3200AP is connected on Port 1:29
Port 1:29 is currently setup as follows
VLAN3 Data = UNTAG
VLAN7 Wifi = TAGGED
VLAN2 Voice = TAGGED
IP FOrwarding is set on all VLAN hence i can ping the interfaces of different VLAN
192.168.18.3 is the CISCO router which is connected on Port 4:25
* Slot-1 Stack.1 # sh iproute
Ori Destination Gateway Mtr Flags VLAN Duration
#s Default Route 192.168.18.3 1 UG---S-um--f data 0d:5h:22m:33s
#d 192.168.16.0/21 192.168.18.1 1 U------um--f data 323d:8h:14m:2s
#d 192.168.200.0/24 192.168.200.1 1 U------um--f voice 323d:8h:14m:2s
#d 172.16.172.0/24 172.16.172.1 1 U------um--f wifi 1d:4h:8m:0s
**************************
VLAN Interface with name wifi created by user
Admin State: Enabled Tagging: 802.1Q Tag 7
Virtual router: VR-Default
Primary IP : 172.16.172.1/24
IPv6: None
STPD: None
Protocol: Match all unfiltered protocols
Loopback: Disabled
NetLogin: Disabled
QosProfile: None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile: None configured
Ports: 2. (Number of active ports=2)
Tag: *1:29, *4:25
##########################
VLAN Interface with name DATA created by user
Admin State: Enabled Tagging: 802.1Q Tag 3
Virtual router: VR-Default
Primary IP : 192.168.18.1/21
IPv6: None
STPD: None
Protocol: Match all unfiltered protocols
Loopback: Disabled
NetLogin: Disabled
QosProfile: None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile: None configured
Ports: 136. (Number of active ports=88)
Untag: *1:1, 1:2, 1:3, *1:4, *1:5, *1:6, *1:7,
1:8, *1:9, *1:10, *1:11, *1:12, 1:13, *1:14,
*1:15, *1:16, *1:17, *1:18, 1:19, *1:20, 1:21,
1:22, 1:23, 1:24, *1:25, *1:26, *1:27, 1:28,
*1:29, 1:30, 1:31, *1:32, *1:33, *1:34, 1:35,
*1:36, *1:37, *1:38, *1:39, *1:40, *1:41, *1:42,
*1:43, *1:44, 1:45, *1:46, 1:47, *1:48, 1:49,
2:1, *2:2, *2:3, 2:4, 2:5, *2:6, *2:7,
2:8, 2:9, *2:10, *2:11, *2:12, *2:13, *2:14,
*2:15, *2:16, *2:17, *2:18, *2:19, *2:20, *2:21,
2:22, *2:23, *2:24, *2:25, 2:26, 2:27, *2:28,
2:29, *2:30, 2:31, *2:32, *2:33, *2:34, 2:35,
*2:36, *2:37, *2:38, *2:39, 2:40, *2:41, 2:42,
*2:43, *2:44, 2:45, 2:46, *2:47, *2:48, 2:49,
3:1, *3:2, 3:3, 3:4, *3:5, *3:6, 3:7,
*3:8, *3:9, *3:10, *3:11, *3:12, *3:13, *3:14,
*3:15, 3:16, *3:17, 3:18, 3:19, 3:20, 3:21,
*3:22, 3:23, *3:24, 3:25, *4:13, *4:14, 4:15,
4:16, *4:17, 4:18, *4:19, 4:20, *4:21, *4:22,
4:23, *4:24, *4:25
Flags: (*) Active, (!) Disabled, (g) Load Sharing port
##########################
VLAN Interface with name voice created by user
Admin State: Enabled Tagging: 802.1Q Tag 2
Virtual router: VR-Default
Primary IP : 192.168.200.1/24
IPv6: None
STPD: None
Protocol: Match all unfiltered protocols
Loopback: Disabled
NetLogin: Disabled
QosProfile: None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile: None configured
Ports: 136. (Number of active ports=89)
Untag: *1:50, 2:50, 3:26, *4:26
Tag: *1:1, 1:2, 1:3, *1:4, *1:5, *1:6, *1:7,
1:8, *1:9, *1:10, *1:11, *1:12, 1:13, *1:14,
*1:15, *1:16, *1:17, *1:18, 1:19, *1:20, 1:21,
1:22, 1:23, 1:24, *1:25, *1:26, *1:27, 1:28,
*1:29, 1:30, 1:31, *1:32, *1:33, *1:34, 1:35,
*1:36, *1:37, *1:38, *1:39, *1:40, *1:41, *1:42,
*1:43, *1:44, 1:45, *1:46, 1:47, *1:48, 2:1,
*2:2, *2:3, 2:4, 2:5, *2:6, *2:7, 2:8,
2:9, *2:10, *2:11, *2:12, *2:13, *2:14, *2:15,
*2:16, *2:17, *2:18, *2:19, *2:20, *2:21, 2:22,
*2:23, *2:24, *2:25, 2:26, 2:27, *2:28, 2:29,
*2:30, 2:31, *2:32, *2:33, *2:34, 2:35, *2:36,
*2:37, *2:38, *2:39, 2:40, *2:41, 2:42, *2:43,
*2:44, 2:45, 2:46, *2:47, *2:48, 3:1, *3:2,
3:3, 3:4, *3:5, *3:6, 3:7, *3:8, *3:9,
*3:10, *3:11, *3:12, *3:13, *3:14, *3:15, 3:16,
*3:17, 3:18, 3:19, 3:20, 3:21, *3:22, 3:23,
*3:24, *4:13, *4:14, 4:15, 4:16, *4:17, 4:18,
*4:19, 4:20, *4:21, *4:22, 4:23, *4:24
Flags: (*) Active, (!) Disabled, (g) Load Sharing port
##########################
Please assist
ASKER
Otto_N what you have mentioned is a secondary issue which as you mention i can co ntrol with an access list.
The main problem is that i am not able to reach the internet. so my pings bascially terminate at the VLAN interfaces.
I need to be able to surf the net.
The main problem is that i am not able to reach the internet. so my pings bascially terminate at the VLAN interfaces.
I need to be able to surf the net.
ASKER
i think it could be be routing issue as router (192.168.18.3) is unable to see (172.16.172.1 VLAN7 Interface on Extreme Switch)
i have added the folowing route on the cisco router: 172.16.172.0 [1/0] via 192.168.18.1
i have added the folowing route on the cisco router: 172.16.172.0 [1/0] via 192.168.18.1
Why are you not tagging vlan 3 on the port connected to the Wireless AP. I would tag that traffic.
@Soulja - VLAN3 is untagged on port 1:29 as it's the native VLAN (I'm guessing). If it was a tagging issue there would be no connectivity to the switch also?!
Can you post the config from the Cisco router? Maybe it's a NAT or ACL issue.
Can you post the config from the Cisco router? Maybe it's a NAT or ACL issue.
@craigbeck
Yeah, that makes sense! ;-)
I say to rule out it being a routing issue. Assign one of the ports on the switch to vlan 7, plug into it and try to access the internet. If you can't then it's not a wireless issue, but a routing config issue. As craigbeck said, post your entire config.
Yeah, that makes sense! ;-)
I say to rule out it being a routing issue. Assign one of the ports on the switch to vlan 7, plug into it and try to access the internet. If you can't then it's not a wireless issue, but a routing config issue. As craigbeck said, post your entire config.
ASKER
attached is the running config from the cisco router
Running-Config.txt
Running-Config.txt
ASKER
i Assigned one of the ports on the switch to vlan 7, plug into it and tried to access the internet.(No Results)
I should also mention that from the router (192.168.18.3) i cannot ping 172.16.172.1 (VLAN7 Interface on Extreme Switch)
From the Router i can ping
192.168.18.1 VLAN3 Interface on Extreme Switch and
192.168.200.1 VLAN2 Interface on Extreme Switch
so it must be an access list on the router.
I should also mention that from the router (192.168.18.3) i cannot ping 172.16.172.1 (VLAN7 Interface on Extreme Switch)
From the Router i can ping
192.168.18.1 VLAN3 Interface on Extreme Switch and
192.168.200.1 VLAN2 Interface on Extreme Switch
so it must be an access list on the router.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok success
i added the following:
1) ip route 172.16.172.0 255.255.255.0 192.168.18.1 permanent
2) access-list 101 permit ip 172.16.172.0 0.0.0.255 any ( USED for NAT )
3) I had to add this to get it to work
ip access-list extended sdm_fastethernet0/1_in
permit ip 172.16.172.0 0.0.0.255 any ( USED in ACCESS-LIST )
When i checked the SDM i realised access-list 101 for NAT
so put the No.3 entry in Access-List and VOILA!
i added the following:
1) ip route 172.16.172.0 255.255.255.0 192.168.18.1 permanent
2) access-list 101 permit ip 172.16.172.0 0.0.0.255 any ( USED for NAT )
3) I had to add this to get it to work
ip access-list extended sdm_fastethernet0/1_in
permit ip 172.16.172.0 0.0.0.255 any ( USED in ACCESS-LIST )
When i checked the SDM i realised access-list 101 for NAT
so put the No.3 entry in Access-List and VOILA!
ASKER
ok so how do i prevent trafficfrom 172.16.172.0 /24 going on the
192.168.18.0 /21 network since i still need access to 192.168.18.1 & 192.168.18.3
192.168.18.0 /21 network since i still need access to 192.168.18.1 & 192.168.18.3
Are you saying you need to access 192.168.18.0 from wifi, but you also want to restrict it from 192.168.18.0?
If that is the case, then you will still need to allow wifi vlan to access it, but you can lock it down to a specific host or specific ports.
If that is the case, then you will still need to allow wifi vlan to access it, but you can lock it down to a specific host or specific ports.
ASKER
yes that is correct i just need to allow access to 192.168.18.1 & 192.168.18.3 and prevent the rest of the address on the 192.168.18.0 /24 subnet.
so im not sure on how ot achieve that
so im not sure on how ot achieve that
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you Guys for all your help
To fix this, you'll have to limit any communication between any of your internal IP ranges and the guest subnet (172.16.172.0/24). You can do this by implementing access lists on all routers between this subnet (on the extreme switch) and your gateway to the Internet. Or, a simpler (and somewhat more secure) method would be to extend the guest subnet into your firewall.
But let us know if this is your problem.