Solved

Extreme Switch Multi SSID

Posted on 2011-09-20
Last Modified: 2012-05-12
Hello everyone

I have a single stack of Extreme switch.

I have connected a DLINK-3200AP access point to it.
I have created two SSIDs (Dlink -- VLAN 3 & G_V_7 -- VLAN 7).

I have the following VLANs on the switch:
VLAN 3 DATA
VLAN 2 Voice
VLAN 7 Wifi

I'm using the Extreme switch to give the access point's clients IP addresses,
which is working fine. VLAN 3 DATA gets its allotted IP address along with its gateway and DNS server, and the same for VLAN 7 Wifi.

On VLAN 3 -- SSID DLINK -- it works properly, as I'm able to surf the internet along with accessing all the servers on the wired LAN.
The problem is with VLAN 7 -- SSID G_V_7 -- (I simply need internet access, as this SSID is only for guests' use).
When I connect to SSID G_V_7 I get a proper IP address, e.g. 172.16.172.50/24, gateway 172.16.172.1.
I can ping the gateway (172.16.172.1), and I can ping the interface on VLAN 3 (192.168.18.1) and VLAN 2 (192.168.200.1). These are all on the Extreme switch.
The DLINK-3200AP is connected on Port 1:29
Port 1:29 is currently setup as follows
VLAN3 Data = UNTAG
VLAN7 Wifi =  TAGGED
VLAN2 Voice = TAGGED
IP forwarding is set on all VLANs, hence I can ping the interfaces of the different VLANs.

192.168.18.3 is the CISCO router which is connected on Port 4:25


* Slot-1 Stack.1 # sh iproute
Ori  Destination        Gateway         Mtr  Flags        VLAN       Duration
#s   Default Route      192.168.18.3      1    UG---S-um--f data       0d:5h:22m:33s
#d   192.168.16.0/21      192.168.18.1      1    U------um--f data       323d:8h:14m:2s
#d   192.168.200.0/24     192.168.200.1     1    U------um--f voice      323d:8h:14m:2s
#d   172.16.172.0/24    172.16.172.1    1    U------um--f wifi       1d:4h:8m:0s

****************************************************************************************************

VLAN Interface with name wifi created by user
        Admin State:    Enabled         Tagging:        802.1Q Tag 7
        Virtual router: VR-Default
        Primary IP    : 172.16.172.1/24
        IPv6:           None
        STPD:           None
        Protocol:       Match all unfiltered protocols
        Loopback:       Disabled
        NetLogin:       Disabled
        QosProfile:     None configured
        Egress Rate Limit Designated Port: None configured
        Flood Rate Limit QosProfile:       None configured
        Ports:   2.       (Number of active ports=2)
         
 Tag:     *1:29,  *4:25

########################################################################
VLAN Interface with name DATA created by user
        Admin State:    Enabled         Tagging:        802.1Q Tag 3
        Virtual router: VR-Default
        Primary IP    : 192.168.18.1/21
        IPv6:           None
        STPD:           None
        Protocol:       Match all unfiltered protocols
        Loopback:       Disabled
        NetLogin:       Disabled
        QosProfile:     None configured
        Egress Rate Limit Designated Port: None configured
        Flood Rate Limit QosProfile:       None configured
        Ports:   136.     (Number of active ports=88)
           Untag:    *1:1,    1:2,    1:3,   *1:4,   *1:5,   *1:6,   *1:7,
                      1:8,   *1:9,  *1:10,  *1:11,  *1:12,   1:13,  *1:14,
                    *1:15,  *1:16,  *1:17,  *1:18,   1:19,  *1:20,   1:21,
                     1:22,   1:23,   1:24,  *1:25,  *1:26,  *1:27,   1:28,
                    *1:29,   1:30,   1:31,  *1:32,  *1:33,  *1:34,   1:35,
                    *1:36,  *1:37,  *1:38,  *1:39,  *1:40,  *1:41,  *1:42,
                    *1:43,  *1:44,   1:45,  *1:46,   1:47,  *1:48,   1:49,
                      2:1,   *2:2,   *2:3,    2:4,    2:5,   *2:6,   *2:7,
                      2:8,    2:9,  *2:10,  *2:11,  *2:12,  *2:13,  *2:14,
                    *2:15,  *2:16,  *2:17,  *2:18,  *2:19,  *2:20,  *2:21,
                     2:22,  *2:23,  *2:24,  *2:25,   2:26,   2:27,  *2:28,
                     2:29,  *2:30,   2:31,  *2:32,  *2:33,  *2:34,   2:35,
                    *2:36,  *2:37,  *2:38,  *2:39,   2:40,  *2:41,   2:42,
                    *2:43,  *2:44,   2:45,   2:46,  *2:47,  *2:48,   2:49,
                      3:1,   *3:2,    3:3,    3:4,   *3:5,   *3:6,    3:7,
                     *3:8,   *3:9,  *3:10,  *3:11,  *3:12,  *3:13,  *3:14,
                    *3:15,   3:16,  *3:17,   3:18,   3:19,   3:20,   3:21,
                    *3:22,   3:23,  *3:24,   3:25,  *4:13,  *4:14,   4:15,
                     4:16,  *4:17,   4:18,  *4:19,   4:20,  *4:21,  *4:22,
                     4:23,  *4:24,  *4:25
        Flags:    (*) Active, (!) Disabled, (g) Load Sharing port
########################################################################
VLAN Interface with name voice created by user
        Admin State:    Enabled         Tagging:        802.1Q Tag 2
        Virtual router: VR-Default
        Primary IP    : 192.168.200.1/24
        IPv6:           None
        STPD:           None
        Protocol:       Match all unfiltered protocols
        Loopback:       Disabled
        NetLogin:       Disabled
        QosProfile:     None configured
        Egress Rate Limit Designated Port: None configured
        Flood Rate Limit QosProfile:       None configured
        Ports:   136.     (Number of active ports=89)
           Untag:   *1:50,   2:50,   3:26,  *4:26
           Tag:      *1:1,    1:2,    1:3,   *1:4,   *1:5,   *1:6,   *1:7,
                      1:8,   *1:9,  *1:10,  *1:11,  *1:12,   1:13,  *1:14,
                    *1:15,  *1:16,  *1:17,  *1:18,   1:19,  *1:20,   1:21,
                     1:22,   1:23,   1:24,  *1:25,  *1:26,  *1:27,   1:28,
                    *1:29,   1:30,   1:31,  *1:32,  *1:33,  *1:34,   1:35,
                    *1:36,  *1:37,  *1:38,  *1:39,  *1:40,  *1:41,  *1:42,
                    *1:43,  *1:44,   1:45,  *1:46,   1:47,  *1:48,    2:1,
                     *2:2,   *2:3,    2:4,    2:5,   *2:6,   *2:7,    2:8,
                      2:9,  *2:10,  *2:11,  *2:12,  *2:13,  *2:14,  *2:15,
                    *2:16,  *2:17,  *2:18,  *2:19,  *2:20,  *2:21,   2:22,
                    *2:23,  *2:24,  *2:25,   2:26,   2:27,  *2:28,   2:29,
                    *2:30,   2:31,  *2:32,  *2:33,  *2:34,   2:35,  *2:36,
                    *2:37,  *2:38,  *2:39,   2:40,  *2:41,   2:42,  *2:43,
                    *2:44,   2:45,   2:46,  *2:47,  *2:48,    3:1,   *3:2,
                      3:3,    3:4,   *3:5,   *3:6,    3:7,   *3:8,   *3:9,
                    *3:10,  *3:11,  *3:12,  *3:13,  *3:14,  *3:15,   3:16,
                    *3:17,   3:18,   3:19,   3:20,   3:21,  *3:22,   3:23,
                    *3:24,  *4:13,  *4:14,   4:15,   4:16,  *4:17,   4:18,
                    *4:19,   4:20,  *4:21,  *4:22,   4:23,  *4:24
        Flags:    (*) Active, (!) Disabled, (g) Load Sharing port
#####################################################################

Please assist
Question by:icdl101
16 Comments
 
LVL 14

Expert Comment

by:Otto_N
ID: 36572608
I assume that the problem is that you don't want to be able to ping  VLAN 3 (192.168.18.1) and VLAN 2 (192.168.200.1) from a device in VLAN 7 (the Guest VLAN)?

To fix this, you'll have to limit any communication between any of your internal IP ranges and the guest subnet (172.16.172.0/24).  You can do this by implementing access lists on all routers between this subnet (on the extreme switch) and your gateway to the Internet.  Or, a simpler (and somewhat more secure) method would be to extend the guest subnet into your firewall.

But let us know if this is your problem.
0
 

Author Comment

by:icdl101
ID: 36573178
Otto_N, what you have mentioned is a secondary issue which, as you mention, I can control with an access list.

The main problem is that I am not able to reach the internet, so my pings basically terminate at the VLAN interfaces.
I need to be able to surf the net.
0
 

Author Comment

by:icdl101
ID: 36574187
I think it could be a routing issue, as the router (192.168.18.3) is unable to see 172.16.172.1 (VLAN 7 interface on the Extreme switch).

I have added the following route on the Cisco router: 172.16.172.0 [1/0] via 192.168.18.1
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36575024
Why are you not tagging VLAN 3 on the port connected to the wireless AP? I would tag that traffic.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 36575611
@Soulja - VLAN3 is untagged on port 1:29 as it's the native VLAN (I'm guessing).  If it was a tagging issue there would be no connectivity to the switch also?!

Can you post the config from the Cisco router?  Maybe it's a NAT or ACL issue.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36575729
@craigbeck

Yeah, that makes sense!  ;-)

I say to rule out it being a routing issue. Assign one of the ports on the switch to vlan 7, plug into it and try to access the internet. If you can't then it's not a wireless issue, but a routing config issue. As craigbeck said, post your entire config.
0
 

Author Comment

by:icdl101
ID: 36576421
Attached is the running config from the Cisco router.
Running-Config.txt
0
 

Author Comment

by:icdl101
ID: 36576771
I assigned one of the ports on the switch to VLAN 7, plugged into it and tried to access the internet (no results).
I should also mention that from the router (192.168.18.3) I cannot ping 172.16.172.1 (VLAN 7 interface on the Extreme switch).
From the router I can ping
192.168.18.1 (VLAN 3 interface on the Extreme switch) and
192.168.200.1 (VLAN 2 interface on the Extreme switch),

so it must be an access list on the router.
0
 
LVL 26

Accepted Solution

by:
Soulja earned 1200 total points
ID: 36577040
I don't see

Ip route 172.16.172.0 255.255.255.0 192.168.18.1

Can you add that?
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 800 total points
ID: 36577233
Also add the IP range on VLAN7 to access-list 101
0
 

Author Comment

by:icdl101
ID: 36580612
OK, success.
I added the following:
1) ip route 172.16.172.0 255.255.255.0 192.168.18.1 permanent
2) access-list 101 permit ip 172.16.172.0 0.0.0.255 any  ( USED for NAT )

3) I had to add this to get it to work
   ip access-list extended sdm_fastethernet0/1_in
    permit ip 172.16.172.0 0.0.0.255 any          ( USED in ACCESS-LIST )

When I checked the SDM I realised access-list 101 is for NAT,
so I put the No. 3 entry in the access list and VOILA!
0
 

Author Comment

by:icdl101
ID: 36580698
OK, so how do I prevent traffic from 172.16.172.0/24 going onto the
192.168.18.0/21 network, since I still need access to 192.168.18.1 & 192.168.18.3?
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36580792
Are you saying you need to access 192.168.18.0 from wifi, but you also want to restrict it from 192.168.18.0?

If that is the case, then you will still need to allow wifi vlan to access it, but you can lock it down to a specific host or specific ports.
0
 

Author Comment

by:icdl101
ID: 36581737
Yes, that is correct. I just need to allow access to 192.168.18.1 & 192.168.18.3 and prevent the rest of the addresses on the 192.168.18.0/24 subnet,
so I'm not sure how to achieve that.
0
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 1200 total points
ID: 36581792
You need to create an inbound ACL on the VLAN 7 interface on your switch. I am not familiar with Extreme switch syntax, but it would look something like

ip access-list extended Wireless
permit ip any host 192.168.18.1
permit ip any host 192.168.18.3
permit ip any 192.168.16.0 0.0.0.255
permit ip any 192.168.200.0 0.0.0.255
deny ip any any  

interface vlan 7
ip access-group Wireless in
0
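A way to check a guest-VLAN ACL against the intent stated in this thread before applying it, as an added example that is not part of any post above: a first-match evaluator for IOS-style `permit|deny ip any DEST` entries with wildcard masks. The ACL text, the `INTENT` list and the 203.0.113.10 Internet destination are constructed for illustration, and ExtremeXOS policy syntax differs from the IOS-style entries used here.

```python
import ipaddress

# Candidate guest ACL, constructed for this example (IOS-style, as in the answer).
GUEST_ACL = """
permit ip any host 192.168.18.1
permit ip any host 192.168.18.3
deny ip any 192.168.16.0 0.0.7.255
deny ip any 192.168.200.0 0.0.0.255
permit ip any any
"""
# Intent taken from the thread; 203.0.113.10 is a constructed Internet destination.
INTENT = [("192.168.18.1", "permit"), ("192.168.18.3", "permit"),
          ("192.168.18.50", "deny"), ("192.168.23.254", "deny"),
          ("192.168.200.1", "deny"), ("203.0.113.10", "permit")]

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Parse 'permit|deny ip any DEST' entries into ordered (action, addr, wildcard)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1:3] != ["ip", "any"]:
            raise ValueError(f"unsupported entry: {line!r}")
        dest = tok[3:]
        if dest == ["any"]:
            rules.append((tok[0], 0, 0xFFFFFFFF))
        elif dest[0] == "host" and len(dest) == 2:
            rules.append((tok[0], to_int(dest[1]), 0))
        elif len(dest) == 2:
            rules.append((tok[0], to_int(dest[0]), to_int(dest[1])))
        else:
            raise ValueError(f"unsupported destination: {line!r}")
    return rules

def evaluate(rules, dest):
    """First matching entry wins; no match falls through to the implicit deny."""
    d = to_int(dest)
    for action, addr, wildcard in rules:
        # Wildcard bits set to 1 are ignored; every other bit must be equal.
        if ((d ^ addr) & ~wildcard & 0xFFFFFFFF) == 0:
            return action
    return "deny"

def audit(rules, intent):
    """Return (destination, wanted, actual) for every verdict that misses the intent."""
    results = [(dst, want, evaluate(rules, dst)) for dst, want in intent]
    return [r for r in results if r[1] != r[2]]

if __name__ == "__main__":
    print(audit(parse_acl(GUEST_ACL), INTENT) or "ACL matches intent")
```

Entry order matters: moving the two host permits below the 192.168.16.0 deny makes `audit` report both hosts as denied, and an ACL with no final permit sends every Internet destination to the implicit deny.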
 

Author Closing Comment

by:icdl101
ID: 36904053
Thank you Guys for all your help
0
