05-18-2020 11:52 AM
Hi All, I'm not a network guy so please forgive me if I don't grasp some fundamentals.
Objective: Be able to tag a VLAN based on MAC address on SG300 so certain clients get put onto a specific VLAN (and use VLAN groups). Also, I want to retain the ability to tag specific SSIDs with a VLAN so all clients on that SSID will be put on a specific VLAN (working currently with VLAN 99).
Setup: I'm running an Edge Router lite that has 3 VLANs on a single interface. The native untagged VLAN is 1, the two tagged VLANs are 101 and 99.
VLAN1: 192.168.1.0/24, gateway is 192.168.1.1
VLAN99: 10.1.99.0/24, gateway is 10.1.99.1
VLAN101: 10.1.101.0/24, gateway is 10.1.101.1
GE1 is the port connected to the router.
I've been testing VLAN 101 routing on GE7 with MAC 00:e0:97:00:33:b7 (directly connected to SG300 port 7).
I'm running a DHCP server on each one of the gateway interfaces mentioned above (eth1, eth1.99, eth1.101) on the edge router.
As stated earlier, I have a specific SSID tagged for VLAN 99 and when clients connect they get an IP on the right range and internet access works, etc.
I set up MAC-based VLAN tagging according to this guide: https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb1863-configuration-of-mac-based-groups-to-vlan-on-300-series-swit.html
So the switch is in L2 mode, and all ports on which I want the VLAN to be applied are in "general" mode. I do see, when I plug a device whose MAC I have mapped into a port, that it "sees" it's on the VLAN101 network, as I see DHCP requests being broadcast to the eth1.101 interface via tcpdump. However, even if I manually set the client IP in the VLAN 101 range with GW 10.1.101.1, I can't ping it. I did test with port 17 as an access port for VLAN99 and that works fine.
Here is my config:
switch10f416#show running brief
config-file-header
switch10f416
v1.4.11.4 / R800_NIK_1_4_219_025
CLI v1.0
set system mode switch
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
spanning-tree loopback-guard
bridge multicast filtering
vlan database
vlan 99,101
exit
vlan database
map mac 00:e0:97:00:33:b7 48 macs-group 101
map mac 84:25:3f:23:a6:4e 48 macs-group 99
exit
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
loopback-detection enable
no boot host auto-config
hostname switch10f416
logging host 192.168.1.15
no passwords complexity enable
username REMOVED password encrypted REMOVED privilege 15
username REMOVED password encrypted REMOVED privilege 15
ip ssh server
ip ssh password-auth
ip ssh pubkey-auth auto-login
crypto key pubkey-chain ssh
user-key REMOVED rsa
key-string row AAAAB3NzaC1yc2EAAAADAQABAAABAQDGgxbYprNb
REMOVED
key-string row LOCsMPNIfMmNi9s4F3el
exit
exit
snmp-server server
snmp-server community REMOVED ro view Default
clock timezone " " -6
clock source sntp
clock source browser
clock dhcp timezone
security-suite enable
security-suite dos protect add stacheldraht
security-suite dos protect add invasor-trojan
security-suite dos protect add back-orifice-trojan
!
interface vlan 1
ip address 192.168.1.195 255.255.255.0
no ip address dhcp
!
interface vlan 99
name IOT
ip dhcp relay enable
!
interface vlan 101
name "VLAN101"
ip dhcp relay enable
!
interface gigabitethernet1
ip dhcp snooping trust
switchport mode general
switchport general allowed vlan add 99,101 tagged
lldp med disable
!
interface gigabitethernet2
switchport trunk allowed vlan add 99
lldp med disable
!
interface gigabitethernet3
lldp med disable
!
interface gigabitethernet4
switchport trunk allowed vlan add 99
lldp med disable
!
interface gigabitethernet5
lldp med disable
!
interface gigabitethernet6
lldp med disable
!
interface gigabitethernet7
switchport mode general
switchport general allowed vlan add 99,101 tagged
switchport general map macs-group 99 vlan 99
switchport general map macs-group 101 vlan 101
lldp med disable
!
interface gigabitethernet8
switchport mode general
switchport general allowed vlan add 99 tagged
switchport general map macs-group 99 vlan 99
lldp med disable
!
interface gigabitethernet9
switchport trunk allowed vlan add 99
lldp med disable
!
interface gigabitethernet10
switchport trunk allowed vlan add 99
lldp med disable
!
interface gigabitethernet11
switchport trunk allowed vlan add 99
lldp med disable
!
interface gigabitethernet12
switchport mode general
switchport general allowed vlan add 99 tagged
switchport general map macs-group 99 vlan 99
lldp med disable
!
interface gigabitethernet13
lldp med disable
!
interface gigabitethernet14
switchport trunk allowed vlan add 99
lldp med disable
!
interface gigabitethernet15
lldp med disable
!
interface gigabitethernet16
lldp med disable
!
interface gigabitethernet17
switchport mode access
switchport access vlan 99
lldp med disable
!
interface gigabitethernet18
lldp med disable
!
interface gigabitethernet19
lldp med disable
!
interface gigabitethernet20
switchport trunk allowed vlan add 99
lldp med disable
!
exit
macro auto processing type router enabled
ip igmp snooping
ip igmp snooping vlan 1
ip igmp snooping vlan 99
ip igmp snooping vlan 101
ip igmp snooping vlan 1 querier
ip igmp snooping vlan 99 querier
ip igmp snooping vlan 101 querier
ip dhcp snooping vlan 99
ip dhcp snooping vlan 101
ip arp inspection vlan 1
ip default-gateway 192.168.1.1
05-19-2020 08:35 AM
If the switch is in L2 mode it will not route (L3!) between VLANs.
As VLANs are designed to separate traffic, packets for VLAN 101 will be forwarded in VLAN 101 only (likewise for VLAN 99 and VLAN 1).
"ip dhcp relay enable" will do nothing because the switch needs an IP address on the VLAN (SVI) to relay;
you can remove the command from the switch.
The DHCP request is forwarded on the VLAN to the edge router, and the edge router will receive the DHCP request and respond if properly configured.
Your error may lie in the "mode general" setting on the interface connecting the edge router (Gi1?); try changing to mode trunk.
05-19-2020 11:27 AM
Thanks for the reply, I've made your suggestions but the issue still appears unchanged.
interface vlan 99
name IOT
!
interface vlan 101
name "VLAN101"
!
interface gigabitethernet1
ip dhcp snooping trust
switchport trunk allowed vlan add 99,101
lldp med disable
!
05-19-2020 12:14 PM
Also, I'll add the logs I see from the EdgeRouter's dnsmasq service for that VLAN:
May 19 13:12:02 dnsmasq-dhcp[8642]: DHCPDISCOVER(eth1.101) 00:e0:97:00:33:b7
May 19 13:12:02 dnsmasq-dhcp[8642]: DHCPOFFER(eth1.101) 10.1.101.51 00:e0:97:00:33:b7
May 19 13:12:05 dnsmasq-dhcp[8642]: DHCPDISCOVER(eth1.101) 00:e0:97:00:33:b7
May 19 13:12:05 dnsmasq-dhcp[8642]: DHCPOFFER(eth1.101) 10.1.101.51 00:e0:97:00:33:b7
May 19 13:12:05 dnsmasq-dhcp[8642]: DHCPDISCOVER(eth1.101) 00:e0:97:00:33:b7
May 19 13:12:05 dnsmasq-dhcp[8642]: DHCPOFFER(eth1.101) 10.1.101.51 00:e0:97:00:33:b7
May 19 13:12:07 dnsmasq-dhcp[8642]: DHCPDISCOVER(eth1.101) 00:e0:97:00:33:b7
May 19 13:12:07 dnsmasq-dhcp[8642]: DHCPOFFER(eth1.101) 10.1.101.51 00:e0:97:00:33:b7
May 19 13:12:15 dnsmasq-dhcp[8642]: DHCPDISCOVER(eth1.101) 00:e0:97:00:33:b7
May 19 13:12:15 dnsmasq-dhcp[8642]: DHCPOFFER(eth1.101) 10.1.101.51 00:e0:97:00:33:b7
To me that means that the broadcast traffic is making it to the EdgeRouter, but the client device (00:e0:97:00:33:b7) isn't getting the responses back.
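To read dnsmasq lines like the ones above more systematically, here is an added example (not part of this thread, and not EdgeRouter or Cisco code) that tallies DHCP message types per client MAC and flags a client whose OFFERs never lead to a REQUEST. The sample log is constructed: four lines mirror the output posted above, and four more are a made-up healthy exchange on the VLAN 99 interface for contrast.

```python
import re
from collections import Counter, defaultdict

# Constructed sample. The first four lines mirror the dnsmasq-dhcp output posted
# above (DISCOVER answered by OFFER, then the same DISCOVER again). The last four
# are a constructed healthy exchange on the VLAN 99 interface for contrast; the
# MAC 84:25:3f:23:a6:4e is the one mapped to macs-group 99 in the switch config.
SAMPLE_LOG = """\
May 19 13:12:02 dnsmasq-dhcp[8642]: DHCPDISCOVER(eth1.101) 00:e0:97:00:33:b7
May 19 13:12:02 dnsmasq-dhcp[8642]: DHCPOFFER(eth1.101) 10.1.101.51 00:e0:97:00:33:b7
May 19 13:12:05 dnsmasq-dhcp[8642]: DHCPDISCOVER(eth1.101) 00:e0:97:00:33:b7
May 19 13:12:05 dnsmasq-dhcp[8642]: DHCPOFFER(eth1.101) 10.1.101.51 00:e0:97:00:33:b7
May 19 13:20:01 dnsmasq-dhcp[8642]: DHCPDISCOVER(eth1.99) 84:25:3f:23:a6:4e
May 19 13:20:01 dnsmasq-dhcp[8642]: DHCPOFFER(eth1.99) 10.1.99.20 84:25:3f:23:a6:4e
May 19 13:20:01 dnsmasq-dhcp[8642]: DHCPREQUEST(eth1.99) 10.1.99.20 84:25:3f:23:a6:4e
May 19 13:20:01 dnsmasq-dhcp[8642]: DHCPACK(eth1.99) 10.1.99.20 84:25:3f:23:a6:4e iot-cam
"""

# dnsmasq-dhcp format: message type, (interface), optional IP, client MAC, optional hostname.
LINE_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (DHCP[A-Z]+)\((\S+)\)(?: (\d+(?:\.\d+){3}))? ([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
)
MSG_TYPES = ("DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK")


def analyze(log_text):
    """Tally DHCP message types per client MAC and classify the exchange.

    'offers-unanswered' means the server kept offering but never saw a REQUEST,
    so its replies are not reaching the client. That points at the return path
    (in this thread: VLAN 101 leaving the switch port tagged towards a client that
    does not process 802.1Q), not at the DHCP server or the ingress classification.
    """
    counts = defaultdict(Counter)
    iface_of = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a dnsmasq-dhcp line we understand
        msg, iface, _ip, mac = m.groups()
        counts[mac][msg] += 1
        iface_of[mac] = iface

    report = {}
    for mac, c in counts.items():
        if c["DHCPACK"]:
            verdict = "leased"
        elif c["DHCPOFFER"] and not c["DHCPREQUEST"]:
            verdict = "offers-unanswered"
        else:
            verdict = "incomplete"
        report[mac] = {"iface": iface_of[mac], "verdict": verdict,
                       **{k: c[k] for k in MSG_TYPES}}
    return report


if __name__ == "__main__":
    for mac, info in analyze(SAMPLE_LOG).items():
        print(mac, info)
```

Run it against the real log with `analyze(open("/var/log/dnsmasq.log").read())`; a MAC reported as "offers-unanswered" is exactly the pattern the poster describes, and the DISCOVER count tells you how long the client has been retrying.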
05-20-2020 02:04 AM - edited 05-20-2020 02:08 AM
>>>
interface gigabitethernet7
switchport mode general
switchport general allowed vlan add 99,101 tagged
<<<
will result in the packets being sent as VLAN-tagged packets to the client.
Are you sure the client understands those packets?
Some clients will ignore the VLAN tag, but others will ignore the whole packet!
But! It may be your intention to service both IP phones and PCs?
Is it an option for you to use CDP or LLDP and let the IP phone automatically detect the voice VLAN?
05-20-2020 09:21 AM
There is only one VoIP phone on this network, and it is currently untagged and on native VLAN1. I'm attempting to do MAC-based tagging here rather than have dedicated SSIDs on the APs that apply the tag at that point. The device I have been testing from is a MacBook with a USB gigabit Ethernet adapter, so I would think (and hope) it should be fine to support VLAN tagging.
05-22-2020 01:12 AM
>>> so I would think (and hope) it should be fine to support VLAN tagging. <<<
I'm expecting it will not! And if it does, it will not have the result you planned.
Dynamically assigning the VLAN to a port works for the switchport.
Even if the MacBook supports VLAN tagging, a VLAN configured in the driver will not be changed by VLAN assignment on the switch.
Server-based network drivers support VLAN tagging, but desktop-based standard ones will not.
It may ignore the VLAN tag on receiving, but I expect (by default) it will not send any VLAN tags, unless you intentionally installed a driver that does.
Back to the actual question: you want a single SSID and to assign the client a different VLAN based on MAC address.
This is possible, but I do not think you can do this with only the switch configuration.
In the switch configuration you may get it to work with directly connected devices (the MacBook gigabit adapter):
when this MAC is connected, the switchport will be assigned the desired VLAN,
but on an AP it will mean multiple MACs are present on the same switchport facing the AP!
The first MAC may be assigned a correct VLAN; what about the others?
The most common way to do this is using a RADIUS server for authentication and then doing VLAN assignment;
the switchport will be configured as a trunk to the AP with the matching VLANs allowed.
05-22-2020 06:07 AM
Thanks for the reply. I know that 802.1X can accomplish it but was trying to avoid a whole RADIUS/NAC setup; I'll look into it again. Thanks again for the help.