Feature Notes : When a new VLAN that does not exist anywhere else in the network is created on the controller, it must be advertised to the entire network so that clients associated with that VLAN are routable. An alternative is to enable ip nat inside for the new VLAN. However, a VIA client associated with the VLAN will not be routable until an ACL is added to the role that the VIA clients fall into.
Environment : This article applies to all controllers running OS version 5.x or later with VIA.
Configuration Steps : Check which role the users fall into using the following command.
Using CLI:
(controller) (config) #show user-table
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
10.100.107.12 00:00:00:00:00:00 irfaan via-role 00:00:00 VIA-VPN 10.0.0.253 N/A tunnel
10.0.0.253 00:00:00:00:00:00 logon 00:00:01 N/A tunnel
User Entries: 2/2
Create an ACL and add it to the respective user-role.
(controller) (config) # ip access-list session snat
(controller) (config-sess-snat)#any any any src-nat
(controller) (config-sess-snat)#exit
(controller) (config) #user-role via-role
(controller) (config-role) #access-list session snat
Verification :
The same can be verified using the following command.
(controller) (config) #show rights via-role
Derived Role = 'via-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 61/0
Max Sessions = 65535
access-list List
----------------
Position Name Location
-------- ---- --------
1 allowall
2 snat
allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 4
2 any any any permit Low 6
snat
----
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any src-nat Low 4
Expired Policies (due to time constraints) = 0
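A check for the verification step above, as an added example that is not part of the original article: it parses show rights output pasted as text and reports which attached ACL carries the src-nat rule, its position in the role, and any ACL ahead of it that holds an any/any/any IPv4 permit or deny. It assumes a role's session ACLs are evaluated in position order with the first matching rule applied; the function names are hypothetical and the parser handles only single-token fields, as in this output.

```python
# Constructed sample: the article's 'show rights via-role' output, trimmed to
# the lines the check reads (column headers shortened).
SAMPLE = """\
Derived Role = 'via-role'
access-list List
Position Name Location
-------- ---- --------
1 allowall
2 snat
allowall
--------
Priority Source Destination Service Action TimeRange Log
1 any any any permit Low 4
2 any any any permit Low 6
snat
----
Priority Source Destination Service Action TimeRange Log
1 any any any src-nat Low 4
Expired Policies (due to time constraints) = 0
"""

def parse_rights(text):
    """Return (positions, rules): ACL name -> position, ACL name -> rule tuples."""
    positions, rules, current = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if current is None and 2 <= len(tok) <= 3 and tok[0].isdigit():
            positions[tok[1]] = int(tok[0])          # "2 snat" in access-list List
        elif len(tok) == 1 and tok[0] in positions:  # start of a per-ACL rule table
            current = tok[0]
            rules[current] = []
        elif current and len(tok) >= 6 and tok[0].isdigit():
            # source, destination, service, action, IPv4/6 (last column)
            rules[current].append((tok[1], tok[2], tok[3], tok[4], tok[-1]))
    return positions, rules

def check_src_nat(text):
    """Find the ACL carrying src-nat and any earlier catch-all IPv4 rule."""
    positions, rules = parse_rights(text)
    nat = [a for a, rs in rules.items() if any(r[3] == "src-nat" for r in rs)]
    if not nat:
        return {"nat_acl": None, "position": None, "earlier_catch_all": []}
    acl = min(nat, key=positions.get)
    earlier = sorted(a for a, rs in rules.items() if positions[a] < positions[acl]
        and any(r[:3] == ("any", "any", "any") and r[3] in ("permit", "deny")
                and r[4] == "4" for r in rs))
    return {"nat_acl": acl, "position": positions[acl], "earlier_catch_all": earlier}
```

For the output shown in this article the check reports snat at position 2 with allowall ahead of it, so under the stated assumption it is worth confirming on the controller that VIA traffic actually reaches the src-nat rule.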