
SG 200-08 not reachable outside of management subnet in very specific conditions

Hi,

I have an SG 200-08 updated to the latest 1.0.8.3 firmware.

The device is configured like so:

  • Interface g1 configured as Trunk mode with PVID 61. There's also a tagged VLAN (50) configured on this interface.
  • Interface g2 configured as Access mode with PVID 61.
  • VLAN 61 is assigned for our 172.16.18.0/24 subnet, which we use for managing network equipment. The SG 200 is configured with a management IP of 172.16.18.70.

What I observed when troubleshooting management access issues:

  • When plugged in to g1 OR g2 and accessing from a computer within 172.16.18.0/24, I can ping and access the web GUI without any issue.
  • However, when plugged in to g1 or g2 and accessing from a computer outside 172.16.18.0/24 (i.e. making use of the SG 200's configured default GW) then it only works when plugged in to interface g2.

Based on these observations I initially thought that the issue was solely related to using the default GW setting on the SG 200 when connecting using the plugged in Trunk port. But upon further testing things got weirder...

I noticed that when the default GW setting points to an IP whose MAC is just some arbitrary interface MAC, it actually works fine on both g1 and g2. It's when the default GW IP is actually a VRRP MAC (or in my case, a pfSense cluster CARP VIP MAC such as 00:00:5E:00:01:01) that connecting to the management interface doesn't work.

So to summarize: when trying to access an SG 200 management IP:

  1. through a Trunk port where the management VLAN is the PVID and

  2. when the management default GW IP on the SG 200 points to a VRRP MAC and

  3. the connecting computer is on a subnet other than the SG 200 management subnet

then it doesn't seem to work. Remove any one of these three conditions and it seems to work fine.

Has anybody encountered this issue or anything similar to it before?

Regards,

-Martin
