Wired akamai connections to the switch interface when DNS service is enabled - SG350

Filomena
Level 1

Hi,

After having set Management ACL rules on my switch, I enabled the DNS resolution to properly poll sntp servers

However, I noticed these warnings, received at a regular interval:

Warning	%MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 from 23.205.178.37 to 192.168.1.2 protocol 6 service Http   
Warning	%MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 from 104.109.67.132 to 192.168.1.2 protocol 6 service Http 

First I thought I had a host breaking through my firewall. However, I think it is just the return traffic after some requests sent from the SG350 without my being aware of it.

The requests are received even if all the time servers are disabled. They stop if I disable/remove the DNS server, probably because the switch is then not capable of resolving domain names to establish these connections.

Both the source IPs are from "akamai.com".

The interface on which the request is received is the SG350 VLAN dedicated only to internet traffic (Next Hop Router through a Transit route), without any hosts on that VLAN.

What are those services that make the switch call Akamai, with return traffic on TCP port 80 of the switch?

12 Replies

balaji.bandi
Hall of Fame

What is this IP address?

92.168.1.2

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

It is 

192.168.1.2

As I wrote, that IP is the SG350 switch VLAN interface dedicated only to internet traffic (Next Hop Router through a Transit route) without any hosts on that VLAN. If I ping a www address, the request from any VLAN will be routed to 192.168.1.2 on the switch and then to the firewall

I thought the Switch was sending some requests to an akamai.com domain from that interface and I am seeing a return traffic. Else, the firewall would have blocked it !

Can you post the running config so we can confirm what is wrong?

Also, please confirm: do you get this reply back only when you ping a destination? What IP address are you pinging, or which domain?

BB

@balaji.bandi 
In my further tests, it happens as soon as I add a DNS server IP (I set it to my local DNS server 172.16.10.1). No ping or any other action was done except enabling the DNS server.

I tried it again right now. Immediately after enabling the DNS server, I get this return traffic:

Warning	%MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 from 23.205.178.37 to 192.168.1.2 protocol 6 service Http 

 

I tried to disable the Bonjour service, no change.

Here's the running config, with the DNS server disabled now. It was enabled with IP 172.16.10.1:

config-file-header
SG350-10P
v2.5.7.85 / RCBS3.1_930_871_059
CLI v1.0
file SSD indicator excluded
@
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 10,20,30-31,40,50,100,950,777 
exit
voice vlan state auto-triggered 
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
green-ethernet energy-detect
green-ethernet short-reach
no boot host auto-config 
no boot host auto-update 
no bonjour enable
bonjour interface range vlan 1

hostname SG350-10P
management access-list ManageFrom_AnyGE1
permit GigabitEthernet1 
deny 
exit
management access-class ManageFrom_AnyGE1
passwords complexity min-length 12 
passwords aging 0 
username admin password encrypted xxxxx privilege 15 
ip ssh server
ip ssh pubkey-auth auto-login 
crypto key pubkey-chain ssh
user-key admin rsa
key-string row xxxxx
exit
exit
ip https certificate 2
clock timezone J +1
clock summer-time web recurring eu 
sntp server 172.16.10.1 poll 
no sntp server pool.ntp.org 
no sntp server time-a.timefreq.bldrdoc.gov 
no sntp server time-b.timefreq.bldrdoc.gov 
no sntp server time-c.timefreq.bldrdoc.gov 
no sntp server time-pnp.cisco.com 
clock dhcp timezone
sntp source-interface vlan 10 
no ip domain lookup
no service cpu-utilization 
!
interface vlan 1
 no ip address dhcp 
 shutdown
!
interface vlan 10
 name "VLAN 10" 
 ip address 172.16.10.2 255.255.255.0 
!
interface vlan 20
 name "VLAN 20" 
 ip address 172.16.20.2 255.255.255.0 
!
interface vlan 30
 name "VLAN 30" 
 ip address 172.16.30.2 255.255.255.0 
!
interface vlan 31
 name "VLAN 31" 
 ip address 172.16.31.2 255.255.255.0 
!
interface vlan 40
 name "VLAN 40" 
 ip address 172.16.40.2 255.255.255.0 
!
interface vlan 50
 name "VLAN 50" 
 ip address 172.16.50.2 255.255.255.0 
!
interface vlan 100
 name "VLAN 100 (Internet Only)" 
 ip address 172.16.100.2 255.255.255.0 
!
interface vlan 950
 name "VLAN 950 (Transit)" 
 ip address 192.168.1.2 255.255.255.252 
!
interface vlan 777
 name "VLAN 777 Native" 
 ip address 172.16.0.2 255.255.255.0 
!
interface GigabitEthernet1
 switchport access vlan 777 
 green-ethernet energy-detect 
!
interface GigabitEthernet2
 switchport access vlan 50 
 switchport general pvid 50 
 switchport trunk native vlan 50 
 green-ethernet energy-detect 
!
interface GigabitEthernet3
 switchport access vlan 50 
 switchport general pvid 50 
 switchport trunk native vlan 50 
 green-ethernet energy-detect 
!
interface GigabitEthernet4
 switchport mode trunk 
 switchport access vlan 30 
 switchport general pvid 30 
 switchport trunk native vlan none 
 switchport trunk allowed vlan 20,30-31,40,50,100,777 
 green-ethernet energy-detect 
!
interface GigabitEthernet5
 switchport access vlan 20 
 switchport general pvid 20 
 switchport trunk native vlan 20 
 green-ethernet energy-detect 
!
interface GigabitEthernet6
 switchport access vlan 40 
 switchport general pvid 40 
 switchport trunk native vlan 40 
 green-ethernet energy-detect 
!
interface GigabitEthernet7
 switchport mode trunk 
 switchport access vlan 777 
 switchport general pvid 777 
 switchport trunk native vlan none 
 switchport trunk allowed vlan 10,50,777 
 green-ethernet energy-detect 
!
interface GigabitEthernet8
 ip dhcp snooping trust 
 switchport mode trunk 
 switchport trunk native vlan none 
 switchport trunk allowed vlan 10,20,30-31,40,50,100 
 green-ethernet energy-detect 
!
interface GigabitEthernet9
 switchport access vlan 950 
 switchport general pvid 950 
 switchport trunk native vlan 950 
 green-ethernet energy-detect 
!
interface GigabitEthernet10
 ip dhcp snooping trust 
 switchport access vlan 777 
 switchport general pvid 777 
 switchport trunk native vlan 777 
 green-ethernet energy-detect 
!
interface Port-Channel3
 switchport access vlan 10 
!
exit
ip dhcp snooping 
ip dhcp snooping vlan 10 
ip dhcp snooping vlan 20 
ip dhcp snooping vlan 30 
ip dhcp snooping vlan 31 
ip dhcp snooping vlan 40 
ip dhcp snooping vlan 50 
ip dhcp snooping vlan 100 
ip dhcp snooping vlan 777 
ip default-gateway 192.168.1.1 

Thank you for your help

@balaji.bandi 

I edited the running config with my new setup, no ACLs.

Still, it is the running config without the DNS server, the one causing the offending incoming requests on the transit interface of the switch.

By the way, it is an isolated lab setup, with no hosts running except some isolated VMs for debugging purposes before moving to a real environment.

I hope you can provide feedback on what kind of calls are implemented in the Cisco switches with this akamai.com traffic.

To be honest, it's unclear to me, as I have never seen this before. It is worth raising an SMB TAC case to investigate for you.

BB

@balaji.bandi 

Thank you

How can I do this "raise SMB TAC case"?

I am really surprised, as I do not understand what service in the switch would trigger this kind of request.

What a pain.

Only phone support; I guess some incompetent person will answer without understanding the issue (tired of these free non-tech support centers).

No way to open an online case without buying an additional contract, even though my system is under warranty.

I guess I will just cut internet access to the switch interfaces to avoid any built-in scummy call-home software.

I agree, sometimes it happens. Wait for a moderator to address your issue, or you can make an ACL in the switch or put the switch behind a FW until someone addresses it here.

BB

Hello Filomena,

When did you buy the switch? Support is free for products under service contract or warranty. Please use one of the phone numbers and open up a ticket with the STAC so one of the available engineers will further help you in solving this issue.

https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards,

Martin

Switch is still under warranty

I enabled again the DNS server on the switch and ticked the firewall to check the outgoing traffic:

Denied outgoing from 192.68.1.2:49153 --> 23.205.178.37:80

There are no devices on that interface since it is only a transit route.

Some service on the switch is sending these TCP requests to akamai.com!!

Port 49153 is some media / UPnP port used to advertise the device. There is clearly something fishy in the firmware advertising the switch online!

I will try the toll-free service.
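The check the thread works through by hand, as an added example that is not part of the original posts or of any Cisco tool: parse the switch's Management ACL drop lines and the firewall's "Denied outgoing" lines, then tag each drop with whether its sender is a public address and whether the firewall saw the switch itself open the reverse flow (the "return traffic" reading). The sample log lines are constructed (the third switch line and the SERVICE_PORTS mapping are assumptions, not something the thread shows).

```python
import re
from ipaddress import ip_address

# Constructed sample lines in the two shapes quoted in the thread (the third
# switch line is invented: a private-side host hitting the management plane).
SAMPLE_SWITCH_LOG = [
    "Warning %MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 "
    "from 23.205.178.37 to 192.168.1.2 protocol 6 service Http",
    "Warning %MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 "
    "from 104.109.67.132 to 192.168.1.2 protocol 6 service Http",
    "Warning %MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 10 port gi7 "
    "from 172.16.10.55 to 172.16.10.2 protocol 6 service Https",
]
SAMPLE_FW_LOG = ["Denied outgoing from 192.168.1.2:49153 --> 23.205.178.37:80"]

ACL_DROP = re.compile(
    r"%MNGINF-W-ACL: Management ACL drop packet received on interface (?P<iface>Vlan \d+) "
    r"port (?P<port>\S+) from (?P<src>[\d.]+) to (?P<dst>[\d.]+) "
    r"protocol (?P<proto>\d+) service (?P<service>\S+)"
)
FW_DENY = re.compile(
    r"Denied outgoing from (?P<src>[\d.]+):(?P<sport>\d+) --> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Assumed mapping from the switch's service label to the remote TCP port of the
# reply; only "Http" occurs in the thread, "Https" is added for the sample.
SERVICE_PORTS = {"Http": 80, "Https": 443}


def parse_acl_drops(lines):
    """Field dicts for every Management ACL drop line; other lines are ignored."""
    return [m.groupdict() for line in lines if (m := ACL_DROP.search(line))]


def parse_fw_denies(lines):
    """Field dicts for every firewall 'Denied outgoing' line."""
    return [m.groupdict() for line in lines if (m := FW_DENY.search(line))]


def classify_drops(drops, denies):
    """Tag each drop: is the sender a public address, and does a firewall-logged
    outbound flow from the switch match it in reverse (switch-originated)?"""
    tagged = []
    for d in drops:
        remote_port = SERVICE_PORTS.get(d["service"])
        originated = any(
            f["src"] == d["dst"] and f["dst"] == d["src"] and int(f["dport"]) == remote_port
            for f in denies
        )
        tagged.append({**d, "public_src": ip_address(d["src"]).is_global,
                       "switch_originated": originated})
    return tagged
```

A drop tagged public_src without switch_originated is the case worth investigating further, since nothing in the switch's own outbound log explains it.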