Guest VLAN problem on one of several SG350X switches

Radim Smehlik
Level 1

Hello. Our network consists of several SG350X switches that have 802.1x with DVA (NPS) enabled. All switches are running 2.5.8.12 firmware. We are also using the Guest VLAN feature. This feature works well except on one switch. That switch acts as a root switch with L3 support. Of course, we applied some ACLs for security reasons, which are unbound for testing purposes.

 

What is the behavior?

 

If a guest device connects to the root switch, the switch port changes its state to Unauthorized and the guest device gets an IP configuration from a DHCP server. Up to this point, it is the right behavior. Unfortunately, after that, the guest device cannot reach (ping) the switch gateway (Guest VLAN interface) or the routers behind it (no internet access). The only thing that works is that a guest device can reach (ping) other guest devices.

 

On the other switches, which are configured in the same way as the root switch (except for the L3 feature), a guest device can reach the root switch Guest VLAN interface and the routers behind it.

 

I cannot find a problem in the configuration. The last step I am thinking about is to do a factory reset and restore the configuration.

 

Do you have any experience with this problem? Thank you.

 


4 Replies

balaji.bandi
Hall of Fame

As you mentioned, the rest of the switches are Layer 2 and this one is Layer 3, so it looks like you need some routing (ip routing)? (High level, I am guessing from the information given, may be wrong.) Can you post both configs?

 

BB


Radim Smehlik
Level 1

Thank you for your interest. I don't think it is a routing problem, because the L2 switch is connected by a LAG to the L3 switch. Ping from the Guest VLAN to the Guest VLAN interface works from the L2 switch, but not from the L3 switch. All other VLANs except the Guest VLAN work without problems on all switches (pinging VLAN interfaces and routers, internet access).

 

If I manually force a port to the Authorized state and assign the guest VLAN as the access VLAN, then I can reach the Guest VLAN interface. If it is managed by 802.1x, then I cannot. And as I said before, this only happens on the L3 switch.

 

Configurations attached.

 

Thank you.

Radim Smehlik
Level 1

I did some more investigation and it looks like this problem is not L3 related. I have a spare SG350X-24 switch, so I did a factory reset and made this very simple configuration:

  • Disabled IPv4 routing
  • VLAN 1 - 192.168.1.1/24
  • VLAN 50 (guest) - 192.168.50.1/24
  • Enabled DHCP server with a pool for the 192.168.50.0 network
  • Enabled RADIUS client
  • Enabled 802.1x port-based authentication with Guest VLAN ID 50
  • Port GE1/0/2 is configured for 802.1x authentication with the Guest VLAN feature enabled

When a guest device is connected to port 2, the port changes its state to Unauthorized, is assigned to VLAN 50, and the guest device obtains an IP address from the pool. Everything works as expected. But when you ping 192.168.50.1 from the guest device, there is no reply. Likewise, you cannot ping the guest device from the switch.

Looks like a bug associated with 802.1x when a guest VLAN interface is configured on that switch. Could somebody confirm that?

Thank you.
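The lab setup listed in the post above, written out as SG350X CLI so that someone else can reproduce the test. This is an added example, not the author's posted configuration (the attached configs are not reproduced on this page). The RADIUS server address and shared secret, the DHCP address range, the VLAN name and the access port mode are assumptions, and the exact command syntax should be checked against the CLI guide for the firmware in use (2.5.8.12 in the thread).

```cisco
! Added example: reproduction of the post's lab steps on a factory-reset SG350X-24.
! Assumed values (not from the post): RADIUS server 192.168.1.10 with key "ChangeMe",
! DHCP range 192.168.50.100-200, VLAN name "guest", port in access mode.
configure

! Step 1: disable IPv4 routing
no ip routing

! Steps 2 and 3: management SVI on VLAN 1, guest SVI on VLAN 50
vlan database
 vlan 50
exit
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
exit
interface vlan 50
 name guest
 ip address 192.168.50.1 255.255.255.0
 ! declare VLAN 50 as the 802.1x guest VLAN
 dot1x guest-vlan
exit

! Step 4: DHCP pool for the guest network
ip dhcp server
ip dhcp pool network guest
 address low 192.168.50.100 high 192.168.50.200 255.255.255.0
 default-router 192.168.50.1
exit

! Step 5: RADIUS client pointing at the NPS server (assumed address and key)
radius-server host 192.168.1.10 key ChangeMe
aaa authentication dot1x default radius

! Step 6: enable 802.1x globally
dot1x system-auth-control

! Step 7: GE1/0/2 - port-based 802.1x with guest VLAN fallback
interface GigabitEthernet1/0/2
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan enable
exit
end

! Checks after connecting a device that does not speak 802.1x:
! port should show Unauthorized with guest VLAN 50 applied
show dot1x interface GigabitEthernet1/0/2
! both SVIs should be listed as up
show ip interface
```

With this in place, the expected result on a working switch is that the guest device receives a 192.168.50.x lease and can ping 192.168.50.1; the symptom reported in this thread is that the lease arrives but the ping to the SVI gets no reply.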

 

 

 

Radim Smehlik
Level 1

As I am still trying to figure out my problem, I found a similar topic with a Cisco support response. It looks like disabling ip routing does not disable L3 mode. So probably my only option is to remove the IP configuration for the guest VLAN (located on the switch), physically connect the guest VLAN from the switch to my router with another Ethernet cable, and manage the guest VLAN routing on this router.

 

Although I don't like this solution, I am marking this topic as accepted.