Hi All
I must be missing something stupid - the 3448 is layer 3 light - when VLANs have IPs they are routable. In other words a device in vlan 10 should be able to ping a device in vlan 1. In short I am not able to ping devices within different vlans. When troubleshooting from the 3448 I can ping the devices just fine. Computer A in vlan 10 cannot ping computer B in vlan 1 and vice versa.
Note: eth0 the ISP uplink is not configured yet so there is no default route.
What am I missing?
Thanks
VLAN 10 - 10.0.10.1
VLAN 1 - 10.0.0.1
ClientA - 10.0.0.2
ClientB - 10.0.10.11
DHCP Scopes for both the 10.0.0.0/24 and the 10.0.10.0/24 networks.
When on 3448 I can ping all devices
When on network 10.0.10.0/24 with port set to VLAN 10 (or trunk port with native 10) I'm not able to ping the client at 10.0.0.2. I can ping the other gateways such as 10.0.10.1 and 10.0.0.1
When on network 10.0.0.0/24 with port set to VLAN 1 (or trunk port with native 1) I'm not able to ping the client at 10.0.10.11. I can ping all other gateways such as 10.0.0.1 and 10.0.10.1
Because your DHCP scopes are local, remove the helper addresses from the VLAN interfaces.
It may be just cosmetic, but your description of the DHCP pool for 10.0.0.0 says /29 and both the scope and interface are configured for /24.
You should also allow subnets in the Private policy class to reach other subnets within the Private class.
ip access-list extended allow-private
  permit ip any 10.0.0.0 0.255.255.255
ip policy-class Private
  allow list self self
  allow list allow-private policy Private
  nat source list wizard-ics interface eth 0/1 overload
!
Jayh -
Thank you for replying! I've been banging my head against the wall. I have updated the config with your suggestions with no luck. I am still unable to ping across VLANs.
To clarify from the 3448 I can ping all the clients within any subnet.
From the 10.0.0.0/24 network I am unable to ping clients in the 10.0.10.0/24 network
From the 10.0.10.0/24 network I am unable to ping clients in the 10.0.0.0/24 network
Updated Config Here
Any other ideas?
Thanks
Your web-acl-6 is wrong. All of your private subnets are within 10.0.0.0/8 so the mask should be /8 or in wildcard form 0.255.255.255. You have it as a /24, or 0.0.0.255.
You've made VLAN 1 a /21 but your description still says /29. This is cosmetic assuming that you really want a /21 mask. If you're really going to have in excess of about 500 hosts on a subnet, you may run into some issues with excessive broadcasts.
Hi Jayh -
This makes sense - I have adjusted the config - thank you very much.
Everything appears to be working aside from a single host on the 10.0.0.0 network. An access point 10.0.0.2 is only reachable from the 10.0.0.0 network. Granted the AP does pass DHCP for each VLAN from the NV3448. In other words clients get IPs and are placed in the correct VLAN. For some reason the management IP 10.0.0.2 is not reachable from other networks such as 10.0.10.0, however the clients on the AP are.
Thanks again for the help!
Is the access point on 10.0.0.2 configured by DHCP or manually? Check its default gateway and netmask for accuracy.
Jayh -
The Ruckus AP is configured with a static - 10.0.0.2/24 with a 10.0.0.1 default gateway. The netmask here should work, no?
I thought you set the netmask on that subnet to /21. If so, all devices on the subnet should have a /21 mask. However, it should still work for that circumstance.
That is correct - I will test with a /21 on the 10.0.0.2 device. I assumed it would work with a 255.255.255.0 - I do not see a reason it would not.
Because it is just that one device, it's unlikely that the problem is related to the 3448 configuration. Most of the time this problem is a wrong or missing default route on the host. Maybe an ACL?
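Added example, not part of the thread or of any poster's configuration: a Python check of the two mask questions discussed above, namely which addresses a `permit ip any 10.0.0.0 <wildcard>` entry covers with 0.0.0.255 versus 0.255.255.255, and whether a /24 or /21 mask on 10.0.0.2 changes where it sends traffic for 10.0.10.11. Assumptions: the ACL base address 10.0.0.0 is taken from the suggested allow-private list (the actual web-acl-6 is not shown in the thread), and 10.0.5.20 is a constructed address used only to show where /21 and /24 differ.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr matches an ACL entry 'base wildcard'.

    Bits set in the wildcard are "don't care"; all other bits must equal base.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def next_hop(host_ip, prefix_len, gateway, dst):
    """Where a host configured as host_ip/prefix_len sends a packet for dst.

    Returns "on-link" when dst is inside the host's own subnet (it will ARP
    for dst directly), otherwise the default gateway address.
    """
    subnet = ipaddress.ip_interface(f"{host_ip}/{prefix_len}").network
    return "on-link" if ipaddress.ip_address(dst) in subnet else gateway

if __name__ == "__main__":
    acl_base = "10.0.0.0"  # assumption: base address from the allow-private list
    for wildcard in ("0.0.0.255", "0.255.255.255"):
        for dst in ("10.0.0.2", "10.0.10.11"):  # clients named in the thread
            hit = wildcard_match(dst, acl_base, wildcard)
            print(f"permit ip any {acl_base} {wildcard}: dst {dst} "
                  f"{'matches' if hit else 'does NOT match'}")

    # AP at 10.0.0.2 with gateway 10.0.0.1, as described in the thread.
    # 10.0.5.20 is a constructed address inside 10.0.0.0/21 but outside /24.
    for prefix in (24, 21):
        for dst in ("10.0.10.11", "10.0.5.20"):
            hop = next_hop("10.0.0.2", prefix, "10.0.0.1", dst)
            print(f"10.0.0.2/{prefix} -> {dst}: {hop}")
```

With either mask the AP hands traffic for 10.0.10.11 to 10.0.0.1, so the /24 versus /21 mismatch only matters for destinations inside the /21 but outside the /24.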