Solved

Extreme Switch Multi SSID

Posted on 2011-09-20
Last Modified: 2012-05-12
Hello everyone

I have a single stack of Extreme switch.

I have connected a DLINK-3200AP access point to it.
I have created two SSIDs (Dlink -- VLAN 3 & G_V_7 -- VLAN 7)

I have the following VLANs on the switch:
VLAN 3 DATA
VLAN 2 Voice
VLAN 7 Wifi

I'm using the Extreme switch to give the access point's clients IP addresses,
which is working fine. VLAN 3 DATA gets its allotted IP address along with its gateway and DNS server, and the same for VLAN 7 Wifi.

On VLAN 3 -- SSID DLINK -- it works properly, as I'm able to surf the internet along with accessing all the servers on the wired LAN.
The problem is with VLAN 7 -- SSID G_V_7 -- (I simply need internet access as this SSID is only for guest use).
When I connect to SSID G_V_7 I get a proper IP address, e.g. 172.16.172.50/24, gateway 172.16.172.1.
I can ping the gateway (172.16.172.1), and I can ping the interfaces on VLAN 3 (192.168.18.1) and VLAN 2 (192.168.200.1). These are all on the Extreme switch.
The DLINK-3200AP is connected on port 1:29.
Port 1:29 is currently set up as follows:
VLAN3 Data = UNTAG
VLAN7 Wifi =  TAGGED
VLAN2 Voice = TAGGED
IP forwarding is set on all VLANs, hence I can ping the interfaces of different VLANs.

192.168.18.3 is the CISCO router which is connected on Port 4:25


* Slot-1 Stack.1 # sh iproute
Ori  Destination        Gateway         Mtr  Flags        VLAN       Duration
#s   Default Route      192.168.18.3      1    UG---S-um--f data       0d:5h:22m:33s
#d   192.168.16.0/21      192.168.18.1      1    U------um--f data       323d:8h:14m:2s
#d   192.168.200.0/24     192.168.200.1     1    U------um--f voice      323d:8h:14m:2s
#d   172.16.172.0/24    172.16.172.1    1    U------um--f wifi       1d:4h:8m:0s

****************************************************************************************************

VLAN Interface with name wifi created by user
        Admin State:    Enabled         Tagging:        802.1Q Tag 7
        Virtual router: VR-Default
        Primary IP    : 172.16.172.1/24
        IPv6:           None
        STPD:           None
        Protocol:       Match all unfiltered protocols
        Loopback:       Disabled
        NetLogin:       Disabled
        QosProfile:     None configured
        Egress Rate Limit Designated Port: None configured
        Flood Rate Limit QosProfile:       None configured
        Ports:   2.       (Number of active ports=2)
           Tag:     *1:29,  *4:25

########################################################################
VLAN Interface with name DATA created by user
        Admin State:    Enabled         Tagging:        802.1Q Tag 3
        Virtual router: VR-Default
        Primary IP    : 192.168.18.1/21
        IPv6:           None
        STPD:           None
        Protocol:       Match all unfiltered protocols
        Loopback:       Disabled
        NetLogin:       Disabled
        QosProfile:     None configured
        Egress Rate Limit Designated Port: None configured
        Flood Rate Limit QosProfile:       None configured
        Ports:   136.     (Number of active ports=88)
           Untag:    *1:1,    1:2,    1:3,   *1:4,   *1:5,   *1:6,   *1:7,
                      1:8,   *1:9,  *1:10,  *1:11,  *1:12,   1:13,  *1:14,
                    *1:15,  *1:16,  *1:17,  *1:18,   1:19,  *1:20,   1:21,
                     1:22,   1:23,   1:24,  *1:25,  *1:26,  *1:27,   1:28,
                    *1:29,   1:30,   1:31,  *1:32,  *1:33,  *1:34,   1:35,
                    *1:36,  *1:37,  *1:38,  *1:39,  *1:40,  *1:41,  *1:42,
                    *1:43,  *1:44,   1:45,  *1:46,   1:47,  *1:48,   1:49,
                      2:1,   *2:2,   *2:3,    2:4,    2:5,   *2:6,   *2:7,
                      2:8,    2:9,  *2:10,  *2:11,  *2:12,  *2:13,  *2:14,
                    *2:15,  *2:16,  *2:17,  *2:18,  *2:19,  *2:20,  *2:21,
                     2:22,  *2:23,  *2:24,  *2:25,   2:26,   2:27,  *2:28,
                     2:29,  *2:30,   2:31,  *2:32,  *2:33,  *2:34,   2:35,
                    *2:36,  *2:37,  *2:38,  *2:39,   2:40,  *2:41,   2:42,
                    *2:43,  *2:44,   2:45,   2:46,  *2:47,  *2:48,   2:49,
                      3:1,   *3:2,    3:3,    3:4,   *3:5,   *3:6,    3:7,
                     *3:8,   *3:9,  *3:10,  *3:11,  *3:12,  *3:13,  *3:14,
                    *3:15,   3:16,  *3:17,   3:18,   3:19,   3:20,   3:21,
                    *3:22,   3:23,  *3:24,   3:25,  *4:13,  *4:14,   4:15,
                     4:16,  *4:17,   4:18,  *4:19,   4:20,  *4:21,  *4:22,
                     4:23,  *4:24,  *4:25
        Flags:    (*) Active, (!) Disabled, (g) Load Sharing port
########################################################################
VLAN Interface with name voice created by user
        Admin State:    Enabled         Tagging:        802.1Q Tag 2
        Virtual router: VR-Default
        Primary IP    : 192.168.200.1/24
        IPv6:           None
        STPD:           None
        Protocol:       Match all unfiltered protocols
        Loopback:       Disabled
        NetLogin:       Disabled
        QosProfile:     None configured
        Egress Rate Limit Designated Port: None configured
        Flood Rate Limit QosProfile:       None configured
        Ports:   136.     (Number of active ports=89)
           Untag:   *1:50,   2:50,   3:26,  *4:26
           Tag:      *1:1,    1:2,    1:3,   *1:4,   *1:5,   *1:6,   *1:7,
                      1:8,   *1:9,  *1:10,  *1:11,  *1:12,   1:13,  *1:14,
                    *1:15,  *1:16,  *1:17,  *1:18,   1:19,  *1:20,   1:21,
                     1:22,   1:23,   1:24,  *1:25,  *1:26,  *1:27,   1:28,
                    *1:29,   1:30,   1:31,  *1:32,  *1:33,  *1:34,   1:35,
                    *1:36,  *1:37,  *1:38,  *1:39,  *1:40,  *1:41,  *1:42,
                    *1:43,  *1:44,   1:45,  *1:46,   1:47,  *1:48,    2:1,
                     *2:2,   *2:3,    2:4,    2:5,   *2:6,   *2:7,    2:8,
                      2:9,  *2:10,  *2:11,  *2:12,  *2:13,  *2:14,  *2:15,
                    *2:16,  *2:17,  *2:18,  *2:19,  *2:20,  *2:21,   2:22,
                    *2:23,  *2:24,  *2:25,   2:26,   2:27,  *2:28,   2:29,
                    *2:30,   2:31,  *2:32,  *2:33,  *2:34,   2:35,  *2:36,
                    *2:37,  *2:38,  *2:39,   2:40,  *2:41,   2:42,  *2:43,
                    *2:44,   2:45,   2:46,  *2:47,  *2:48,    3:1,   *3:2,
                      3:3,    3:4,   *3:5,   *3:6,    3:7,   *3:8,   *3:9,
                    *3:10,  *3:11,  *3:12,  *3:13,  *3:14,  *3:15,   3:16,
                    *3:17,   3:18,   3:19,   3:20,   3:21,  *3:22,   3:23,
                    *3:24,  *4:13,  *4:14,   4:15,   4:16,  *4:17,   4:18,
                    *4:19,   4:20,  *4:21,  *4:22,   4:23,  *4:24
        Flags:    (*) Active, (!) Disabled, (g) Load Sharing port
#####################################################################

Please assist
 DLINK 3200 Multi SSID
Question by:icdl101
 
LVL 14

Expert Comment

by:Otto_N
I assume that the problem is that you don't want to be able to ping  VLAN 3 (192.168.18.1) and VLAN 2 (192.168.200.1) from a device in VLAN 7 (the Guest VLAN)?

To fix this, you'll have to limit any communication between any of your internal IP ranges and the guest subnet (172.16.172.0/24).  You can do this by implementing access lists on all routers between this subnet (on the extreme switch) and your gateway to the Internet.  Or, a simpler (and somewhat more secure) method would be to extend the guest subnet into your firewall.

But let us know if this is your problem.
0
 

Author Comment

by:icdl101
Otto_N, what you have mentioned is a secondary issue which, as you mention, I can control with an access list.

The main problem is that I am not able to reach the internet, so my pings basically terminate at the VLAN interfaces.
I need to be able to surf the net.
0
 

Author Comment

by:icdl101
I think it could be a routing issue, as the router (192.168.18.3) is unable to see 172.16.172.1 (the VLAN 7 interface on the Extreme switch).

I have added the following route on the Cisco router: 172.16.172.0 [1/0] via 192.168.18.1
0
 
LVL 26

Expert Comment

by:Soulja
Why are you not tagging VLAN 3 on the port connected to the wireless AP? I would tag that traffic.
0
 
LVL 45

Expert Comment

by:Craig Beck
@Soulja - VLAN3 is untagged on port 1:29 as it's the native VLAN (I'm guessing).  If it was a tagging issue there would be no connectivity to the switch also?!

Can you post the config from the Cisco router?  Maybe it's a NAT or ACL issue.
0
 
LVL 26

Expert Comment

by:Soulja
@craigbeck

Yeah, that makes sense!  ;-)

I say to rule out it being a routing issue. Assign one of the ports on the switch to vlan 7, plug into it and try to access the internet. If you can't then it's not a wireless issue, but a routing config issue. As craigbeck said, post your entire config.
0
 

Author Comment

by:icdl101
Attached is the running config from the Cisco router.
Running-Config.txt
0
 

Author Comment

by:icdl101
I assigned one of the ports on the switch to VLAN 7, plugged into it and tried to access the internet (no results).
I should also mention that from the router (192.168.18.3) I cannot ping 172.16.172.1 (VLAN 7 interface on the Extreme switch).
From the router I can ping
192.168.18.1 (VLAN 3 interface on the Extreme switch) and
192.168.200.1 (VLAN 2 interface on the Extreme switch),

so it must be an access list on the router.
0
 
LVL 26

Accepted Solution

by:
Soulja earned 300 total points
I don't see

ip route 172.16.172.0 255.255.255.0 192.168.18.1

Can you add that?
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 200 total points
Also add the IP range on VLAN7 to access-list 101
0
 

Author Comment

by:icdl101
OK, success.
I added the following:
1) ip route 172.16.172.0 255.255.255.0 192.168.18.1 permanent
2) access-list 101 permit ip 172.16.172.0 0.0.0.255 any  (used for NAT)

3) I had to add this to get it to work:
   ip access-list extended sdm_fastethernet0/1_in
    permit ip 172.16.172.0 0.0.0.255 any          (used in the access list)

When I checked the SDM I realised access-list 101 is for NAT,
so I put the No. 3 entry in the access list and voilà!
0
 

Author Comment

by:icdl101
OK, so how do I prevent traffic from 172.16.172.0/24 going onto the
192.168.18.0/21 network, since I still need access to 192.168.18.1 & 192.168.18.3?
0
 
LVL 26

Expert Comment

by:Soulja
Are you saying you need to access 192.168.18.0 from wifi, but you also want to restrict it from 192.168.18.0?

If that is the case, then you will still need to allow wifi vlan to access it, but you can lock it down to a specific host or specific ports.
0
 

Author Comment

by:icdl101
Yes, that is correct. I just need to allow access to 192.168.18.1 & 192.168.18.3 and prevent the rest of the addresses on the 192.168.18.0/24 subnet.
So I'm not sure how to achieve that.

 
0
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 300 total points
You need to create an inbound ACL on the VLAN 7 interface on your switch. I am not familiar with Extreme switch syntax, but it would look something like:

ip access-list extended Wireless
permit ip any host 192.168.18.1
permit ip any host 192.168.18.3
permit ip any 192.168.16.0 0.0.0.255
permit ip any 192.168.200.0 0.0.0.255
deny ip any any

interface vlan 7
ip access-group Wireless in
0
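An added example, not code from the thread or from either vendor: a first-match evaluator for IOS-style extended ACL lines, used to check a guest-VLAN ACL against the requirement stated above (reach 192.168.18.1 and 192.168.18.3, nothing else internal, Internet allowed). It runs the ACL as sketched in the answer and a reworked ordering; the reworked ACL, the denial of the voice subnet and the test destinations other than the addresses from the thread are assumptions made for illustration.

```python
import ipaddress

def _net(tok):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # Invert the wildcard mask into a netmask (contiguous wildcards only).
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}"), tok[2:]

def decide(acl, src, dst):
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, _proto, *rest = line.split()
        snet, rest = _net(rest)
        dnet, _ = _net(rest)
        if s in snet and d in dnet:
            return action
    return "deny"

# ACL as sketched in the answer (router host entry written as 192.168.18.3).
POSTED = ["permit ip any host 192.168.18.1", "permit ip any host 192.168.18.3",
          "permit ip any 192.168.16.0 0.0.0.255",
          "permit ip any 192.168.200.0 0.0.0.255", "deny ip any any"]
# Assumed rework: exceptions first, internal ranges denied, then everything else.
REWORKED = ["permit ip any host 192.168.18.1", "permit ip any host 192.168.18.3",
            "deny ip any 192.168.16.0 0.0.7.255",
            "deny ip any 192.168.200.0 0.0.0.255", "permit ip any any"]
GUEST = "172.16.172.50"  # guest client address from the question
# Wanted outcome per destination; 192.168.18.20 and 192.168.16.10 are constructed
# internal hosts, 198.51.100.10 stands in for an Internet address.
WANT = [("192.168.18.1", "permit"), ("192.168.18.3", "permit"),
        ("192.168.18.20", "deny"), ("192.168.16.10", "deny"),
        ("192.168.200.1", "deny"), ("198.51.100.10", "permit")]

def mismatches(acl):
    """Return (destination, wanted, actual) for every unmet requirement."""
    found = []
    for dst, want in WANT:
        got = decide(acl, GUEST, dst)
        if got != want:
            found.append((dst, want, got))
    return found
if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("reworked", REWORKED)):
        print(name, mismatches(acl))
```

Because evaluation stops at the first match, the final `deny ip any any` in the sketched ACL also drops guest traffic to the Internet, while its two subnet `permit` lines open 192.168.16.0/24 and the voice subnet to guests; the reworked order meets all six checks.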
 

Author Closing Comment

by:icdl101
Thank you Guys for all your help
0
