I've been testing a WLC config in my lab and ran into a strange issue regarding VLANs. I have eth1 configured with 10.1.1.1/24 and created VLAN100 on eth2 (VLAN id:100 IP: 10.0.1.1/24 GW: 10.0.1.254).
The problem is that I can't ping VLAN100's GW (10.0.1.254) from the WLC. When I ping 10.0.1.254 I can see that the packets are exiting out of eth1 instead of VLAN100.
If I ping VLAN100's interface from the gateway, I can see the ICMP request packets hitting VLAN100, but the reply packets are all going out of eth1.
Has anyone run into this problem before?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
neonbit wrote:If what you wrote is correct, the gateway for VLAN 100 is not in the same subnet range as the IP on that interface. The network from the gateway perspective is 10.0.1 but the interface has 10.0.0. Check these and get back to us.I've been testing a WLC config in my lab and ran into a strange issue regarding VLANs. I have eth1 configured with 10.1.1.1/24 and created VLAN100 on eth2 (VLAN id:100 IP: 10.0.0.1/24 GW: 10.0.1.254).
The problem is that I can't ping VLAN100's GW (10.0.1.254) from the WLC. When I ping 10.0.1.254 I can see that the packets are exiting out of eth1 instead of VLAN100.
If I ping VLAN100's interface from the gateway, I can see the ICMP request packets hitting VLAN100, but the reply packets are all going out of eth1.
Has anyone run into this problem before?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I wish my problems were that simple :) Thanks Bob but unfortunately that was just a typo. Can confirm the IP/Subnet/GW are in the correct ranges.
Another thing I've noticed is that if I do a packet capture on the gateway (a FGT), I can see the ARP requests come out from the WLC for 10.0.1.254 and it gets the response (arp lookup on the WLC can see the GW IP and MAC).
All fingers point towards the gateway/subnet being incorrect but they are. I've tried to change the IP around just incase but still no go.
I've been looking for a way to bring up the routing table on the WLC but it's CLI is very simplistic, can't see anyway of displaying this. :(
Below is a quick capture from the WLC. I've changed the VLAN interface here to be 10.0.7.1/24 and the GW is 10.0.7.254.
I pinged from the GW (.254) to the WLC (.1). The first capture shows the ICMP packets hitting the VLAN interface (INT 6). It also shows the WLC responding to an ARP request to the GW.
The second capture shows the ICMP replies going out of INT1.
The VLAN interface configuration looks like this:
VLAN Name : TEST-VLAN Tag : 100 Ethernet Interface Index : 2 IP Address : 10.0.7.1 Netmask : 255.255.255.0 IP Address of the Default Gateway : 10.0.7.254 Override Default DHCP Server Flag : off DHCP Server IP Address : 0.0.0.0 DHCP Relay Pass-Through : on Owner : controller Maximum number of clients : 253
Not sure if it matters, but this WLC is unlicensed. From my understanding this is fine as long as you have only 2 APs to manage (I'm only testing 1 AP), but not sure if it would also screw around with the routing.
What does the routing table on the FGT look like? The default gateway should have the highest number (of hops), and all else should be lower. If any other route has an equal number, that could be your issue. The default gateway is the interface of last resort, so it's distance should be the highest of all.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
The FGT has the correct routing table and is sending the packets over the correct interface. I believe the problem is only with the WLC. If it tries to ping 10.0.7.254, instead of sending the packet through the VLAN interface (which should be the directly connected interface as far as the routing is concerned) it's sending it out of eth1 which is on a totally separate subnet.
Not sure if I'm missing a step in my VLAN interface configuration on the WLC, looks pretty simple. Create the VLAN, assign it to eth2 and apply it to an ESS profile. Just doesn't seem to want to register the IP/SUBNET configured on the VLAN :(
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.