02-22-2018 07:03 AM - edited 03-08-2019 01:59 PM
Hello,
I met some issues with this example. Because I don't want to expand this guest_vlan, I tried this config:
interface vlan 124
 name LANGUEST-VLAN
 ip address 192.168.124.1 255.255.255.248
 dot1x guest-vlan
ip dhcp server
ip dhcp pool network LANGUEST-POOL
 address low 192.168.124.2 high 192.168.124.3 255.255.255.248
 lease 0 0 20
 domain-name guest-lan
 default-router 192.168.124.1
 dns-server 8.8.8.8
interface gigabitethernet1/1/19
 description PP19
 dot1x port-control force-authorized
 dot1x host-mode multi-sessions
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x port-control auto
 spanning-tree link-type point-to-point
 spanning-tree bpduguard enable
 switchport mode access
 switchport access vlan 128
 switchport forbidden default-vlan
!
The DHCP works perfectly, but I can't access the GW IP 192.168.124.1.
When I change the port to access 124 everything works fine, but our domain authentication does not.
When the VLAN is expanded to another DHCP server the example works perfectly.
Could you advise me what is wrong in this config?
02-22-2018 11:56 PM
Restrictions for IEEE 802.1X Guest VLAN
The IEEE 802.1X Guest VLAN feature is available only on a switch port. You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1X guest VLAN.
The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an IEEE 802.1X port to which a DHCP client is connected, you might have to get a host IP address from a DHCP server. You can change the settings for restarting the IEEE 802.1X authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1X authentication process (using the dot1x max-reauth-req and dot1x timeout tx-period interface configuration commands). The amount of decrease depends on the connected IEEE 802.1X client type.
When IEEE 802.1X authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
This feature does not support standard ACLs on the switch port.
I think that the switch just doesn't support it.
02-22-2018 11:32 AM
I do not understand several parts of your description of what you have done and what does and does not work. But it does seem pretty clear that you are saying that the configuration posted does allow many hosts to get IP addresses in the network 192.168.124.0 but that most of them are not able to access their gateway at 192.168.124.1. I believe that the explanation for that is clear. You have defined a DHCP pool that has 247 addresses. But the vlan interface has only 6 usable addresses. Any host with an address higher than 192.168.124.7 will be considered as a remote device and not one connected to the local subnet.
It seems to me that the solution is easy - just change the subnet mask of the vlan interface from 255.255.255.248 to 255.255.255.0. Is there some reason you do not want to do this?
HTH
Rick
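As an added example (not code from the thread or from Cisco), here is a small Python check using only the standard library ipaddress module that derives the SVI's subnet from its dotted mask, expands a DHCP pool's low/high range, and reports which leases would land outside that subnet, which is the situation the reply describes (a client with such an address treats the gateway as remote). The SVI address, mask and pool range are the ones posted above; the wider pool spanning the whole /24 and the 255.255.255.0 mask are constructed inputs to illustrate the reply's point.

```python
import ipaddress

# Constructed from the thread: the vlan 124 SVI and the DHCP pool as posted.
SVI_ADDRESS = "192.168.124.1"
SVI_MASK = "255.255.255.248"
POOL_LOW = "192.168.124.2"
POOL_HIGH = "192.168.124.3"


def svi_network(address, mask):
    """Network the SVI belongs to, derived from its address and dotted-decimal mask."""
    return ipaddress.IPv4Interface(f"{address}/{mask}").network


def usable_hosts(address, mask):
    """Host addresses in the SVI's subnet, excluding network and broadcast."""
    return svi_network(address, mask).num_addresses - 2


def pool_addresses(low, high):
    """Expand an 'address low X high Y' DHCP pool into its individual addresses."""
    lo = int(ipaddress.IPv4Address(low))
    hi = int(ipaddress.IPv4Address(high))
    if lo > hi:
        raise ValueError("pool low address must not exceed high address")
    return [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]


def off_subnet_leases(address, mask, low, high):
    """Pool addresses that fall outside the SVI's subnet.

    A client leased one of these considers the gateway to be on another
    network, never ARPs for it, and so cannot reach it even though the
    DHCP exchange itself succeeded.
    """
    net = svi_network(address, mask)
    return [a for a in pool_addresses(low, high) if a not in net]


def check_pool(address, mask, low, high):
    """Summarise how a DHCP pool lines up with the SVI's mask."""
    stray = off_subnet_leases(address, mask, low, high)
    return {
        "network": str(svi_network(address, mask)),
        "usable_hosts": usable_hosts(address, mask),
        "pool_size": len(pool_addresses(low, high)),
        "off_subnet": len(stray),
        "first_off_subnet": str(stray[0]) if stray else None,
    }


if __name__ == "__main__":
    # The pool exactly as posted: it fits inside the /29.
    print(check_pool(SVI_ADDRESS, SVI_MASK, POOL_LOW, POOL_HIGH))
    # Constructed: a pool spanning the whole /24 against the same /29 mask.
    print(check_pool(SVI_ADDRESS, SVI_MASK, "192.168.124.2", "192.168.124.254"))
    # Constructed: the same wide pool once the mask is widened to /24.
    print(check_pool(SVI_ADDRESS, "255.255.255.0", "192.168.124.2", "192.168.124.254"))
```

Run as-is, the first report shows the posted pool (.2 to .3) lies entirely within 192.168.124.0/29, so the mask alone does not explain the gateway being unreachable for those two leases; the second shows that a pool covering the whole /24 would leave 247 leases (.8 through .254) outside a /29, and the third that widening the mask to /24 removes every off-subnet lease.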
02-22-2018 11:05 PM - edited 02-22-2018 11:08 PM
Hello Richard
The pool is for testing, and only I am connected on this port.
I said that when I remove all dot1x parameters and configure my port 1/1/19 with access 124, the ping works, but in this situation with dot1x authentication it does not.
I prefer this solution because I don't want to expand the whole domain over my switches, but if it can be done on the SG500X switch I will expand it.
As you see the pool and gw are on the same subnet.