• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 765
  • Last Modified:

Extreme Switch Multi SSID

Hello everyone

I have a single stack of Extreme switch.

I have connected a DLINK-3200AP access point to it.
I have created two SSID  (Dlink  --VLAN 3   & G_V_7  --VLAN 7)

I have following VLANS on the Switch
VLAN 3 DATA
VLAN 2 Voice
VLAN 7 Wifi

I m using the Extreme Switch to give the Access Points clients IP Addresses
Which is working fine. VLAN 3 DATA gets its allotted ip address along with it's gateway and DNS Server and the same for VLAN 7 Wifi

On VLAN 3 --SSID DLINK -- it works properly, as  i m able to surf the internet along with accessing all the servers on the wired LAN
The Problem is with VLAN 7-- SSID G_V_7 -- (i simply need internet access as this SSID is only for Guests use)
When i connect to SSID G_V_7 i get  a proper ip address eg 172.16.172.50/24 Gateway 172.16.172.1
i can ping the gateway (172.16.172.1) i can ping the interface on VLAN 3 (192.168.18.1) and VLAN 2 (192.168.200.1) These are all on the Extreme Switch
The DLINK-3200AP is connected on Port 1:29
Port 1:29 is currently setup as follows
VLAN3 Data = UNTAG
VLAN7 Wifi =  TAGGED
VLAN2 Voice = TAGGED
IP FOrwarding is set on all VLAN hence i can ping the interfaces of different VLAN

192.168.18.3 is the CISCO router which is connected on Port 4:25


* Slot-1 Stack.1 # sh iproute
Ori  Destination        Gateway         Mtr  Flags        VLAN       Duration
#s   Default Route      192.168.18.3      1    UG---S-um--f data       0d:5h:22m:33s
#d   192.168.16.0/21      192.168.18.1      1    U------um--f data       323d:8h:14m:2s
#d   192.168.200.0/24     192.168.200.1     1    U------um--f voice      323d:8h:14m:2s
#d   172.16.172.0/24    172.16.172.1    1    U------um--f wifi       1d:4h:8m:0s

****************************************************************************************************

VLAN Interface with name wifi created by user
        Admin State:    Enabled         Tagging:        802.1Q Tag 7
        Virtual router: VR-Default
        Primary IP    : 172.16.172.1/24
        IPv6:           None
        STPD:           None
        Protocol:       Match all unfiltered protocols
        Loopback:       Disabled
        NetLogin:       Disabled
        QosProfile:     None configured
        Egress Rate Limit Designated Port: None configured
        Flood Rate Limit QosProfile:       None configured
        Ports:   2.       (Number of active ports=2)
         
 Tag:     *1:29,  *4:25

########################################################################
VLAN Interface with name DATA created by user
        Admin State:    Enabled         Tagging:        802.1Q Tag 3
        Virtual router: VR-Default
        Primary IP    : 192.168.18.1/21
        IPv6:           None
        STPD:           None
        Protocol:       Match all unfiltered protocols
        Loopback:       Disabled
        NetLogin:       Disabled
        QosProfile:     None configured
        Egress Rate Limit Designated Port: None configured
        Flood Rate Limit QosProfile:       None configured
        Ports:   136.     (Number of active ports=88)
           Untag:    *1:1,    1:2,    1:3,   *1:4,   *1:5,   *1:6,   *1:7,
                      1:8,   *1:9,  *1:10,  *1:11,  *1:12,   1:13,  *1:14,
                    *1:15,  *1:16,  *1:17,  *1:18,   1:19,  *1:20,   1:21,
                     1:22,   1:23,   1:24,  *1:25,  *1:26,  *1:27,   1:28,
                    *1:29,   1:30,   1:31,  *1:32,  *1:33,  *1:34,   1:35,
                    *1:36,  *1:37,  *1:38,  *1:39,  *1:40,  *1:41,  *1:42,
                    *1:43,  *1:44,   1:45,  *1:46,   1:47,  *1:48,   1:49,
                      2:1,   *2:2,   *2:3,    2:4,    2:5,   *2:6,   *2:7,
                      2:8,    2:9,  *2:10,  *2:11,  *2:12,  *2:13,  *2:14,
                    *2:15,  *2:16,  *2:17,  *2:18,  *2:19,  *2:20,  *2:21,
                     2:22,  *2:23,  *2:24,  *2:25,   2:26,   2:27,  *2:28,
                     2:29,  *2:30,   2:31,  *2:32,  *2:33,  *2:34,   2:35,
                    *2:36,  *2:37,  *2:38,  *2:39,   2:40,  *2:41,   2:42,
                    *2:43,  *2:44,   2:45,   2:46,  *2:47,  *2:48,   2:49,
                      3:1,   *3:2,    3:3,    3:4,   *3:5,   *3:6,    3:7,
                     *3:8,   *3:9,  *3:10,  *3:11,  *3:12,  *3:13,  *3:14,
                    *3:15,   3:16,  *3:17,   3:18,   3:19,   3:20,   3:21,
                    *3:22,   3:23,  *3:24,   3:25,  *4:13,  *4:14,   4:15,
                     4:16,  *4:17,   4:18,  *4:19,   4:20,  *4:21,  *4:22,
                     4:23,  *4:24,  *4:25
        Flags:    (*) Active, (!) Disabled, (g) Load Sharing port
########################################################################
VLAN Interface with name voice created by user
        Admin State:    Enabled         Tagging:        802.1Q Tag 2
        Virtual router: VR-Default
        Primary IP    : 192.168.200.1/24
        IPv6:           None
        STPD:           None
        Protocol:       Match all unfiltered protocols
        Loopback:       Disabled
        NetLogin:       Disabled
        QosProfile:     None configured
        Egress Rate Limit Designated Port: None configured
        Flood Rate Limit QosProfile:       None configured
        Ports:   136.     (Number of active ports=89)
           Untag:   *1:50,   2:50,   3:26,  *4:26
           Tag:      *1:1,    1:2,    1:3,   *1:4,   *1:5,   *1:6,   *1:7,
                      1:8,   *1:9,  *1:10,  *1:11,  *1:12,   1:13,  *1:14,
                    *1:15,  *1:16,  *1:17,  *1:18,   1:19,  *1:20,   1:21,
                     1:22,   1:23,   1:24,  *1:25,  *1:26,  *1:27,   1:28,
                    *1:29,   1:30,   1:31,  *1:32,  *1:33,  *1:34,   1:35,
                    *1:36,  *1:37,  *1:38,  *1:39,  *1:40,  *1:41,  *1:42,
                    *1:43,  *1:44,   1:45,  *1:46,   1:47,  *1:48,    2:1,
                     *2:2,   *2:3,    2:4,    2:5,   *2:6,   *2:7,    2:8,
                      2:9,  *2:10,  *2:11,  *2:12,  *2:13,  *2:14,  *2:15,
                    *2:16,  *2:17,  *2:18,  *2:19,  *2:20,  *2:21,   2:22,
                    *2:23,  *2:24,  *2:25,   2:26,   2:27,  *2:28,   2:29,
                    *2:30,   2:31,  *2:32,  *2:33,  *2:34,   2:35,  *2:36,
                    *2:37,  *2:38,  *2:39,   2:40,  *2:41,   2:42,  *2:43,
                    *2:44,   2:45,   2:46,  *2:47,  *2:48,    3:1,   *3:2,
                      3:3,    3:4,   *3:5,   *3:6,    3:7,   *3:8,   *3:9,
                    *3:10,  *3:11,  *3:12,  *3:13,  *3:14,  *3:15,   3:16,
                    *3:17,   3:18,   3:19,   3:20,   3:21,  *3:22,   3:23,
                    *3:24,  *4:13,  *4:14,   4:15,   4:16,  *4:17,   4:18,
                    *4:19,   4:20,  *4:21,  *4:22,   4:23,  *4:24
        Flags:    (*) Active, (!) Disabled, (g) Load Sharing port
#####################################################################

Please assist
 DLINK 3200 Multi SSID
0
icdl101
Asked:
icdl101
  • 8
  • 5
  • 2
  • +1
3 Solutions
 
Otto_NCommented:
I assume that the problem is that you don't want to be able to ping  VLAN 3 (192.168.18.1) and VLAN 2 (192.168.200.1) from a device in VLAN 7 (the Guest VLAN)?

To fix this, you'll have to limit any communication between any of your internal IP ranges and the guest subnet (172.16.172.0/24).  You can do this by implementing access lists on all routers between this subnet (on the extreme switch) and your gateway to the Internet.  Or, a simpler (and somewhat more secure) method would be to extend the guest subnet into your firewall.

But let us know if this is your problem.
0
 
icdl101Author Commented:
Otto_N what you have mentioned is a secondary issue which as you mention i can co ntrol with an access list.

The main problem is that i am not able to reach the internet. so my pings bascially terminate at the VLAN interfaces.
I need to be able to surf the net.
0
 
icdl101Author Commented:
i think it could be be routing issue as router (192.168.18.3) is unable to see (172.16.172.1 VLAN7 Interface on Extreme Switch)

i have added the folowing route on the cisco router: 172.16.172.0 [1/0] via 192.168.18.1
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
SouljaCommented:
Why are you not tagging vlan 3 on the port connected to the Wireless AP. I would tag that traffic.
0
 
Craig BeckCommented:
@Soulja - VLAN3 is untagged on port 1:29 as it's the native VLAN (I'm guessing).  If it was a tagging issue there would be no connectivity to the switch also?!

Can you post the config from the Cisco router?  Maybe it's a NAT or ACL issue.
0
 
SouljaCommented:
@craigbeck

Yeah, that makes sense!  ;-)

I say to rule out it being a routing issue. Assign one of the ports on the switch to vlan 7, plug into it and try to access the internet. If you can't then it's not a wireless issue, but a routing config issue. As craigbeck said, post your entire config.
0
 
icdl101Author Commented:
attached is the running config from the cisco router
Running-Config.txt
0
 
icdl101Author Commented:
i Assigned one of the ports on the switch to vlan 7, plug into it and tried to access the internet.(No Results)
I should also mention that from the router (192.168.18.3) i cannot ping 172.16.172.1 (VLAN7 Interface on Extreme Switch)
From the Router i can ping
 192.168.18.1 VLAN3 Interface on Extreme Switch and
192.168.200.1 VLAN2 Interface on Extreme Switch

so it must be an access list on the router.
0
 
SouljaCommented:
I don't see

Ip route 172.16.172.0 255.255.255.0 192.168.18.1

Can you add that?
0
 
Craig BeckCommented:
Also add the IP range on VLAN7 to access-list 101
0
 
icdl101Author Commented:
ok success
i added the following:
1) ip route 172.16.172.0 255.255.255.0 192.168.18.1 permanent
2) access-list 101 permit ip 172.16.172.0 0.0.0.255 any  ( USED for NAT )

3) I had to add this to get it to work
   ip access-list extended sdm_fastethernet0/1_in
    permit ip 172.16.172.0 0.0.0.255 any          ( USED in ACCESS-LIST )

When i checked the SDM i realised access-list 101 for NAT
so put the No.3 entry in Access-List and VOILA!
0
 
icdl101Author Commented:
ok so how do i prevent trafficfrom 172.16.172.0 /24 going on the
192.168.18.0 /21  network since i  still need access to 192.168.18.1 & 192.168.18.3
0
 
SouljaCommented:
Are you saying you need to access 192.168.18.0 from wifi, but you also want to restrict it from 192.168.18.0?

If that is the case, then you will still need to allow wifi vlan to access it, but you can lock it down to a specific host or specific ports.
0
 
icdl101Author Commented:
yes that is correct i just need to allow access to 192.168.18.1 & 192.168.18.3 and prevent the rest of the address on the 192.168.18.0 /24 subnet.
so im not sure on how ot achieve that

 
0
 
SouljaCommented:
You need to create an inbound ACL on the VLAN 7 interface on your switch. I am not familiar with Extreme switch syntax, but it would look something like

ip access-list extended Wireless
permit ip any host 192.168.18.1
permit ip any host 192.168.189.3
permit ip any 192.168.16.0 0.0.0.255
permit ip any 192.168.200.0 0.0.0.255
deny ip any any  

interface vlan 7
ip access-group Wireless in
0
 
icdl101Author Commented:
Thank you Guys for all your help
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 8
  • 5
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now