10-13-2021 02:36 AM
Hello. Our network consists of several SG350X switches on which 802.1x with DVA (NPS) is enabled. All switches are running 2.5.8.12 firmware. We are also using the Guest VLAN feature. This feature works well except on one switch. That switch acts as a root switch with L3 support. Of course, we applied some ACLs for security reasons, which are unbound for testing purposes.
What is the behavior?
If a guest device connects to the root switch, the switch port changes its state to Unauthorized and the guest device gets its IP configuration from a DHCP server. Until now, it's the right behavior. Unfortunately, after that, the guest device cannot reach (ping) the switch gateway (Guest VLAN interface) or the routers behind it (no internet access). The only thing that works is that a guest device can reach (ping) other guest devices.
On other switches, which are configured in the same way as the root switch (except for the L3 feature), a guest device can reach the root switch Guest VLAN interface and the routers behind it.
I cannot find a problem in the configuration. The last step I am thinking about is to do a factory reset and restore the configuration.
Do you have any experience with this problem? Thank you.
10-25-2021 03:50 AM
As I am still trying to figure out my problem, I found a similar topic with a Cisco support response. Looks like disabling ip routing does not disable L3 mode. So probably my only option is to remove the ip configuration for the guest vlan (located on the switch) and physically connect the guest vlan from the switch to my router by another ethernet cable and manage the guest vlan routing on this router.
Although I don't like this solution, I am marking this topic as accepted.
10-13-2021 06:32 AM
As you mentioned, the rest of the switches are Layer 2 and this one is Layer 3; this looks like you need some routing? ip routing (high level, I am guessing as per the information, may be wrong). Can you post both the configs?
10-14-2021 12:59 AM - edited 10-14-2021 01:50 AM
Thank you for your interest. I don't think it is a routing problem, because the L2 switch is connected by the LAG to the L3 switch. Ping from the Guest VLAN to the Guest VLAN interface works from the L2 switch, but not from the L3 switch. Any other VLANs except the Guest VLAN work without problems on all switches (pinging VLAN interfaces and routers, internet access).
If I manually force a port to the Authorized state and assign the access VLAN as the guest VLAN, then I can reach the Guest VLAN interface. If it is managed by 802.1x, then I cannot. And as I said before, this only happens on the L3 switch.
Configurations attached.
Thank you.
10-20-2021 12:49 AM
I made another investigation and it looks like this problem is not L3 related. I have a spare SG350X-24 switch, so I made a factory reset and made this very simple configuration:
When a guest device is connected to port 2, the port changes its state to Unauthorized, is assigned to VLAN 50 and the guest device obtains an IP address from the pool. Everything works as expected. But when you ping 192.168.50.1 from the guest device, there is no reply. In the same way, you cannot ping the guest device from the switch.
Looks like a bug that is associated with 802.1x when a guest VLAN interface is configured on that switch. Could somebody confirm that?
Thank you.