If you show the content of the mac address table on your switch do you find this mac address

4403.a73b.9a09

HTH

Rick

Here is something else that occurs to me. It looks like the only port on your switch that is in vlan 4 is the port that connects to the router. Is this correct? If so then there is a connection through another switch to the hosts in the guest network and we must consider the possibility that the issue may be in that switch. Would you configure one of the ports on your 2960 as an access port in vlan 4, connect a PC to that port, configure an IP address, mask, and gateway in vlan 4, and test access from that PC?

HTH

Rick

SW01#show mac address-table | include 9a09
4 4403.a73b.9a09 DYNAMIC Gi1/0/46

I have configured DHCP for test data and guest networks on the router. Trunked switchports accordingly and connected a pc to interfaces in VLAN's 4 & 2, pulls correct DHCP address for both. Trunked Cisco SG200 is not working as expected.

Thanks for the additional information. The fact that you do find that mac address is further confirmation that the switch and router are successfully communicating over that interface. I am somewhat confused about your comment that you trunked switch ports accordingly. But assume that your comment that you pull correct DHCP is indication that things are working between 2960 and router. Does your comment about the SG200 indicate that you believe that this is the problem and that the 2960 and router are working correctly?

HTH

Rick

Yes I was referring to the lab stack, should not have posted that with the response to your request.

To answer your question;

When I configured a PC with a static IP address, DFG, and DNS (for Guest network) and connected it to the 2960 in a port configured for VLAN 4 it did route traffic to the Guest network but the first hop was the data network. At that time I was using tracert from the PC and did not realize/comprehend that the Guest network was dropping the traffic.

I added interface vlan 4 with IP Address 10.199.53.253, it appears to be routing out the guest network now and I believe the router is dropping the traffic.

SW01#traceroute XX.154.12.24 **DNS statically assigned to Meraki AP's

Type escape sequence to abort.
Tracing the route to XX.154.12.24
VRF info: (vrf in name/id, vrf out name/id)
1 10.199.53.254 !A !A *
SW01#traceroute 10.128.128.128 ***DNS assigned to Wireless clients by Meraki.
Type escape sequence to abort.
Tracing the route to 10.128.128.128
VRF info: (vrf in name/id, vrf out name/id)
1 10.199.53.254 !A !A *

Yes it does appear to be a response from the router interface for guest. And the A does indicates that it was dropped by an ACL.

HTH

Rick

This has been an interesting discussion and I am glad that you have worked it out. Thank you for marking this question as solved. This will help other readers in the forum to identify discussions that have helpful information. The thing that made it so interesting (and that delayed our finding the solution) was the original assumption that the problem was between the 2960 and the router. We looked for problems there and tried to solve it by implementing routing on the switch. Eventually we recognized that both 2960 and router were working ok and that the problem was deeper in the network. If there is a primary lesson that readers may get from this discussion it is the value of testing to verify where the problem is really happening.

HTH

Rick